From b5cbbbaa12a3b2e56fc24eda2a9969c82c08ad55 Mon Sep 17 00:00:00 2001
From: Damian Reeves <957246+DamianReeves@users.noreply.github.com>
Date: Fri, 4 Oct 2024 11:36:49 -0500
Subject: [PATCH] Update conditions on which scanning is run

---
 .github/workflows/ci-cd.yml | 108 ++++++++++++++++++------------------
 1 file changed, 54 insertions(+), 54 deletions(-)

diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
index 21eebf7..b551871 100644
--- a/.github/workflows/ci-cd.yml
+++ b/.github/workflows/ci-cd.yml
@@ -159,63 +159,63 @@ jobs: ############### SONATYPE SCAN ############### sonatype-scan: - if: always() + if: github.repository_owner == 'finos' needs: [ci] runs-on: ubuntu-latest steps: - - name: Cache scala dependencies - uses: coursier/cache-action@v6 - - - name: Get OUT cache - uses: actions/cache/restore@v4 - with: - path: out/ - key: ${{ runner.os }}-* - - - name: Copy Cache for SCA Scan - run: | - mkdir depCache/ #Create local copy of cache for Sonatype Scanner - cp -r /home/runner/.cache/coursier/ depCache/ - # - name: Save resolvedIvyDeps.json - # run: ./mill show __.resolvedIvyDeps > depCache/resolvedIvyDeps.json - - # - name: Upload Dependency Cache (optional) - # uses: actions/upload-artifact@v4 - # with: - # name: Dependency Cache - # path: depCache/ - - - name: Sonatype Lifecycle SCA Scan - uses: sonatype-nexus-community/iq-github-action@main - with: - username: ${{ secrets.SONATYPE_SCANNER_USERNAME }} - password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }} - serverUrl: ${{ env.SonatypeUrl }} - applicationId: ${{ env.SonatypeAppId }} - stage: ${{ env.SonatypeStage }} - target: ${{ env.SonatypeScanTarget }} ${{ env.ExcludeDirectory }} - - - name: Retrieve Sonatype SBOM (SPDX) - if: always() - run: | - mkdir reports/ - iqCredentials="${{ secrets.SONATYPE_SCANNER_USERNAME }}:${{ secrets.SONATYPE_SCANNER_PASSWORD }}" - echo 'Get internal app ID for public ID: '$SonatypeAppId - res=$(curl -u $iqCredentials --location $SonatypeUrl'api/v2/applications?publicId='$SonatypeAppId) - IFS='"' read -a array <<< "$res" - echo 'Internal app ID: '${array[5]} - internalID=${array[5]} - curl -u $iqCredentials --location $SonatypeUrl'api/v2/spdx/'$internalID'/stages/'$SonatypeStage -H 'Accept: application/xml' > reports/$SonatypeAppId.spdx.json - echo 'Sonatype SBOM (SPDX): ' - cat reports/$SonatypeAppId.spdx.json - - - name: Upload Sonatype SBOM (SPDX) - if: always() - uses: actions/upload-artifact@v4 - with: - name: ${{ env.SonatypeAppId }} Sonatype SBOM (SPDX) - path: 
reports/ - ############################################# + - name: Cache scala dependencies + uses: coursier/cache-action@v6 + + - name: Get OUT cache + uses: actions/cache/restore@v4 + with: + path: out/ + key: ${{ runner.os }}-* + + - name: Copy Cache for SCA Scan + run: | + mkdir depCache/ #Create local copy of cache for Sonatype Scanner + cp -r /home/runner/.cache/coursier/ depCache/ + # - name: Save resolvedIvyDeps.json + # run: ./mill show __.resolvedIvyDeps > depCache/resolvedIvyDeps.json + + # - name: Upload Dependency Cache (optional) + # uses: actions/upload-artifact@v4 + # with: + # name: Dependency Cache + # path: depCache/ + + - name: Sonatype Lifecycle SCA Scan + uses: sonatype-nexus-community/iq-github-action@main + with: + username: ${{ secrets.SONATYPE_SCANNER_USERNAME }} + password: ${{ secrets.SONATYPE_SCANNER_PASSWORD }} + serverUrl: ${{ env.SonatypeUrl }} + applicationId: ${{ env.SonatypeAppId }} + stage: ${{ env.SonatypeStage }} + target: ${{ env.SonatypeScanTarget }} ${{ env.ExcludeDirectory }} + + - name: Retrieve Sonatype SBOM (SPDX) + if: always() + run: | + mkdir reports/ + iqCredentials="${{ secrets.SONATYPE_SCANNER_USERNAME }}:${{ secrets.SONATYPE_SCANNER_PASSWORD }}" + echo 'Get internal app ID for public ID: '$SonatypeAppId + res=$(curl -u $iqCredentials --location $SonatypeUrl'api/v2/applications?publicId='$SonatypeAppId) + IFS='"' read -a array <<< "$res" + echo 'Internal app ID: '${array[5]} + internalID=${array[5]} + curl -u $iqCredentials --location $SonatypeUrl'api/v2/spdx/'$internalID'/stages/'$SonatypeStage -H 'Accept: application/xml' > reports/$SonatypeAppId.spdx.json + echo 'Sonatype SBOM (SPDX): ' + cat reports/$SonatypeAppId.spdx.json + + - name: Upload Sonatype SBOM (SPDX) + if: always() + uses: actions/upload-artifact@v4 + with: + name: ${{ env.SonatypeAppId }} Sonatype SBOM (SPDX) + path: reports/ + ############################################# cd: needs: [sonatype-scan, ci]
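Review bot: The new job condition `if: github.repository_owner == 'finos'` does not on its own exclude pull requests from forks — `github.repository_owner` is the owner of the base repository, so if this workflow also runs on `pull_request`, a fork PR into finos still enters the job with empty `secrets.SONATYPE_SCANNER_*`, the scan step fails, and the two SBOM steps guarded by `if: always()` still run with blank credentials; one option is `if: github.repository_owner == 'finos' && (github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork)`. Separately, the `Retrieve Sonatype SBOM (SPDX)` step interpolates both secrets straight into the `run:` script body and then places them on the `curl -u` command line; mapping them through `env:` and reading shell variables keeps them out of the rendered script, which is the documented pattern for secrets in `run` steps. The lookup response is parsed with `IFS='"' read -a array` and `${array[5]}`, which silently yields the wrong value if the JSON field order ever changes — `jq -r '.applications[0].id'` would state the intent explicitly (the exact path should be confirmed against the IQ API response). `uses: sonatype-nexus-community/iq-github-action@main` is a mutable ref; pinning to a release tag or commit SHA is the usual supply-chain hardening for third-party actions that receive secrets. The `cd` job that starts at the end of the hunk continues outside it.
```yaml
      - name: Retrieve Sonatype SBOM (SPDX)
        if: always()
        env:
          IQ_USER: ${{ secrets.SONATYPE_SCANNER_USERNAME }}
          IQ_PASS: ${{ secrets.SONATYPE_SCANNER_PASSWORD }}
        run: |
          mkdir reports/
          iqCredentials="$IQ_USER:$IQ_PASS"
          # … unchanged: internal app-ID lookup and SPDX download …
```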