chore: adopt annotions and remove gosec from codeql and move templates to .github repo

.github/workflows/blackduck_scan.yaml

@@ -1,11 +1,11 @@
 name: Blackduck SCA Scan
 on:
-  #push:
-  #  branches: [ "main" ]
-  #pull_request:
-  #  branches: [ "main" ]
+  push:
+    branches: [ "main" ]
+  pull_request_target:
+    branches: [ "main" ]
   schedule:
-    - cron:  '5 0 * * 0'
+    - cron:  '15 1 * * 0'
   workflow_dispatch:
 
 permissions:
@@ -18,37 +18,9 @@
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: '${{ github.workspace }}/go.mod'
-          cache: false
-
-      - name: Get go environment for use with cache
-        run: |
-          echo "go_cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "go_modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
-      # This step will only reuse the go mod and build cache from main made during the Build,
-      # see push_ocm.yaml => "ocm-cli-latest" Job
-      # This means it never caches by itself and PRs cannot cause cache pollution / thrashing
-      # This is because we have huge storage requirements for our cache because of the mass of dependencies
-
-      - name: Restore / Reuse Cache from central build
-        id: cache-golang-restore
-        uses: actions/cache/restore@v4 # Only Restore, not build another cache (too big)
-        with:
-          path: |
-            ${{ env.go_cache }}
-            ${{ env.go_modcache }}
-          key: ${{ env.cache_name }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/go.mod') }}
-          restore-keys: |
-            ${{ env.cache_name }}-${{ runner.os }}-go-
-        env:
-          cache_name: ocm-cli-latest-go-cache # needs to be the same key in the end as in the build step
-
-      - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled)
-        if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
+
+      - name: Run Black Duck Full SCA Scan (Push, Manual Trigger or Schedule)
+        if: ${{ github.event_name != 'pull_request_target' }} 
         uses: blackduck-inc/black-duck-security-scan@v2.0.0
         env:
           DETECT_PROJECT_USER_GROUPS: opencomponentmodel
@@ -63,9 +35,9 @@
           blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
           blackducksca_scan_full: true
 
-      - name: Run Black Duck SCA Scan (Pull Request or Push)
-        if: github.event_name != 'workflow_dispatch'
-            # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false
+      - name: Run Black Duck SCA Scan (Pull Requests)
+        if: ${{ github.event_name == 'pull_request_target' }}
+           # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false
         uses: blackduck-inc/black-duck-security-scan@v2.0.0
         env:
           DETECT_PROJECT_USER_GROUPS: opencomponentmodel
@@ -77,4 +49,6 @@
           github_token: ${{ secrets.GITHUB_TOKEN }}
           blackducksca_url: ${{ secrets.BLACKDUCK_URL }}
           blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+          blackducksca_scan_full: false
           blackducksca_prComment_enabled: true
+

.github/workflows/codeql.yml

@@ -93,12 +93,12 @@ jobs:
         with:
           category: "/language:${{matrix.language}}"
 
-  gosec:
-    permissions:
-      # Required to upload SARIF files
-      security-events: write
-      # only required for workflows in private repositories
-      contents: read
-    # call reusable workflow from central '.github' repo
-    uses: open-component-model/.github/.github/workflows/code-scan.yml@main
-    secrets: inherit
+  # gosec:
+  #   permissions:
+  #     # Required to upload SARIF files
+  #     security-events: write
+  #     # only required for workflows in private repositories
+  #     contents: read
+  #   # call reusable workflow from central '.github' repo
+  #   uses: open-component-model/.github/.github/workflows/code-scan.yml@main
+  #   secrets: inherit

.github/workflows/publish-image-main.yaml

@@ -9,7 +9,7 @@ on:
       - '**/*.mod'
       - '**/*.sum'
       - 'config/**'
-      - 'Dockefile'
+      - 'Dockerfile'
 jobs:
   docker_publish:
     runs-on: ubuntu-latest

api/v1alpha1/constants.go

@@ -19,7 +19,7 @@ package v1alpha1
 // Ocm credential config key for secrets.
 const (
 	// OCMCredentialConfigKey defines the secret key to look for in case a user provides an ocm credential config.
-	OCMCredentialConfigKey = ".ocmcredentialconfig" // #nosec G101 -- it isn't a credential
+	OCMCredentialConfigKey = ".ocmcredentialconfig" //nolint:gosec // G101 -- it isn't a credential
 	// OCMConfigKey defines the secret or configmap key to look for in case a user provides an ocm config.
 	OCMConfigKey = ".ocmconfig"
 	// OCMLabelDowngradable defines the secret.

test/utils/utils.go

@@ -236,7 +236,7 @@ func CheckOCMComponent(componentReference, ocmConfigPath string, options ...stri
 	}
 	c = append(c, componentReference)
 
-	cmd := exec.Command(c[0], c[1:]...) // #nosec G204 -- The argument list is constructed right above.
+	cmd := exec.Command(c[0], c[1:]...) //nolint:gosec // The argument list is constructed right above.
 	if _, err := utils.Run(cmd); err != nil {
 		return err
 	}
@@ -255,7 +255,7 @@ func GetOCMResourceImageRef(componentReference, resourceName, ocmConfigPath stri
 	}
 	c = append(c, "get", "resources", componentReference, resourceName, "-oJSON") // -oJSON is used to get the output in JSON format.
 
-	cmd := exec.Command(c[0], c[1:]...) // #nosec G204 -- The argument list is constructed right above.
+	cmd := exec.Command(c[0], c[1:]...) //nolint:gosec // The argument list is constructed right above.
 	output, err := utils.Run(cmd)
 	if err != nil {
 		return "", err