synopsys.yaml

name: Black Duck Policy Check
on:
  pull_request_target:
  push:
    branches:
      - main
      - 'release-*'

jobs:
  security:
    if: github.repository == 'nutanix/docker-machine'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: "${{ github.event.pull_request.merge_commit_sha }}"

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: "^1.21"

      - name: Build Project
        run: make build

      - name: Black Duck Full Scan
        if: ${{ github.event_name != 'pull_request' }}
        uses: synopsys-sig/synopsys-action@v1.11.0
        with:
          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
          blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          blackduck_scan_full: true
          blackduck_scan_failure_severities: 'BLOCKER,CRITICAL'

      - name: Black Duck PR Scan
        if: ${{ github.event_name == 'pull_request' }}
        uses: synopsys-sig/synopsys-action@v1.11.0
        env:
          DETECT_PROJECT_VERSION_NAME: ${{ github.base_ref }}
        with:
          blackduck_url: ${{ secrets.BLACKDUCK_URL }}
          blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          blackduck_scan_full: false
          blackduck_prComment_enabled: true