From 2a067fca47fc9a1461e7e230b4f0c2c3c4aaf8a5 Mon Sep 17 00:00:00 2001
From: Black Duck
Date: Thu, 9 Apr 2026 15:52:13 +0000
Subject: [PATCH 1/4] Black Duck Security: Automatic pull request to commit blackducksca-workflow.yml
---
 .github/workflows/blackducksca-workflow.yml | 31 +++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 .github/workflows/blackducksca-workflow.yml
diff --git a/.github/workflows/blackducksca-workflow.yml b/.github/workflows/blackducksca-workflow.yml
new file mode 100644
index 0000000..7bbf63b
--- /dev/null
+++ b/.github/workflows/blackducksca-workflow.yml
@@ -0,0 +1,31 @@
+# Quickstart: Black Duck Security Scan Action with blackducksca:
+# https://documentation.blackduck.com/bundle/bridge/page/documentation/t_github-blackduck-quickstart.html
+name: Black Duck Security Scan
+on:
+ push:
+ branches:
+ - main
+ - master
+ pull_request:
+ branches:
+ - main
+ - master
+ workflow_dispatch: {}
+jobs:
+ blackducksca:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v4
+ - name: Black Duck Security Scan
+ id: black-duck-security-scan
+ uses: blackduck-inc/black-duck-security-scan@v2
+ with:
+ blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }}
+ blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }}
+ blackducksca_scan_full: true
+ blackducksca_scan_failure_severities: 'NONE'
+ mark_build_status: success
+ env:
+ DETECT_PROJECT_VERSION_NAME: master
+ continue-on-error: true
From e8934904a03f57263282ade8156928dcdb9cd670 Mon Sep 17 00:00:00 2001
From: rjmohankumar
Date: Fri, 17 Apr 2026 04:52:30 +0000
Subject: [PATCH 2/4] Add Python setup and dependency installation to Black Duck workflow
---
 .github/workflows/blackducksca-workflow.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/blackducksca-workflow.yml b/.github/workflows/blackducksca-workflow.yml
index 7bbf63b..e485d21 100644
--- a/.github/workflows/blackducksca-workflow.yml
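Review bot: With `continue-on-error: true` on the scan step, `blackducksca_scan_failure_severities: 'NONE'` and `mark_build_status: success`, nothing this job does can ever fail the workflow, so an expired `BLACKDUCKSCA_TOKEN`, an unreachable `BLACKDUCKSCA_URL` or a scanner crash is reported as green and stays unnoticed. If findings are meant to be advisory, keep the severity setting but drop `continue-on-error: true` so failures of the scan itself still fail the job. `actions/checkout@v4` and `blackduck-inc/black-duck-security-scan@v2` are floating tags; pinning each to a full commit SHA with the tag in a trailing comment makes the run reproducible and immune to tag moves. Note also that `secrets.BLACKDUCKSCA_TOKEN` is not supplied to `pull_request` runs from forks, and the settings above would hide the resulting auth failure.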
+++ b/.github/workflows/blackducksca-workflow.yml
@@ -17,6 +17,14 @@ jobs:
 steps:
 - name: Checkout Source
 uses: actions/checkout@v4
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.x'
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
 - name: Black Duck Security Scan
 id: black-duck-security-scan
 uses: blackduck-inc/black-duck-security-scan@v2
From 06fdc9035375d579e56be9461c7893c56e620b32 Mon Sep 17 00:00:00 2001
From: rjmohankumar
Date: Fri, 17 Apr 2026 04:53:56 +0000
Subject: [PATCH 3/4] Fix Python version to 3.11 for compatibility with dependencies
---
 .github/workflows/blackducksca-workflow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/blackducksca-workflow.yml b/.github/workflows/blackducksca-workflow.yml
index e485d21..db703c0 100644
--- a/.github/workflows/blackducksca-workflow.yml
+++ b/.github/workflows/blackducksca-workflow.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
- python-version: '3.x'
+ python-version: '3.11'
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
From c240beeb246552c28d9f350fa3ac3fb5afc7ff28 Mon Sep 17 00:00:00 2001
From: rjmohankumar <59437265+rjmohankumar@users.noreply.github.com>
Date: Mon, 4 May 2026 07:50:48 +0000
Subject: [PATCH 4/4] fix: add GCP WIF auth for pip package installation
---
 .github/workflows/blackducksca-workflow.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/blackducksca-workflow.yml b/.github/workflows/blackducksca-workflow.yml
index db703c0..0ee7b00 100644
--- a/.github/workflows/blackducksca-workflow.yml
+++ b/.github/workflows/blackducksca-workflow.yml
@@ -14,6 +14,9 @@ on:
 jobs:
 blackducksca:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Checkout Source
 uses: actions/checkout@v4
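Review bot: The two lines of the new `Install dependencies` step use different entry points, `python -m pip` and then bare `pip`; if the `pip` on PATH is not the one belonging to the interpreter `setup-python` just selected, the requirements land in a different environment than the one the scanner later inspects, so use `python -m pip install -r requirements.txt` for the second line as well. Whether `requirements.txt` pins versions (ideally with hashes, so the resolved tree the scan reports is the one that is actually installed) is not visible in this diff and worth confirming.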
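Review bot: `id-token: write` is now granted to a job that patch 1 also runs on `pull_request`, so any run from a branch of this repository can mint an OIDC token for the WIF provider (fork PRs do not receive it). What that token can be exchanged for is then decided only by the provider's attribute condition on the GCP side, which this diff cannot show; confirm it restricts `assertion.repository`, and the ref too if the `cicd-service-deploy` account is as powerful as its name suggests, rather than trusting the whole org-level `audience` set in the next hunk. The explicit `contents: read` is the right least-privilege default; a one-line comment above `permissions:` such as `# id-token: write is required for the WIF exchange in the auth step below` would tell the next maintainer why it is there.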
@@ -21,6 +24,20 @@ jobs:
 uses: actions/setup-python@v5
 with:
 python-version: '3.11'
+ - name: Authenticate to Google Cloud
+ id: auth
+ uses: google-github-actions/auth@v3
+ with:
+ token_format: access_token
+ workload_identity_provider: projects/66669732991/locations/global/workloadIdentityPools/workload-identity-pool-github/providers/workload-identity-pool-github
+ service_account: cicd-service-deploy@aip-services-dev.iam.gserviceaccount.com
+ audience: https://github.com/EmergenceAI
+ create_credentials_file: true
+ - name: Configure pip for Google Artifact Registry
+ env:
+ ACCESS_TOKEN: ${{ steps.auth.outputs.access_token }}
+ run: |
+ pip config set global.extra-index-url https://oauth2accesstoken:${ACCESS_TOKEN}@us-central1-python.pkg.dev/aip-artifacts-store/aipy/simple/
 - name: Install dependencies
 run: |
 python -m pip install --upgrade pip
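Review bot: The access token is written into the runner's pip.conf by `pip config set global.extra-index-url …`, and `create_credentials_file: true` additionally drops a credentials file on disk, yet the only consumer visible here is `steps.auth.outputs.access_token`; both artefacts then remain in place while `Install dependencies` (whose `pip install -r requirements.txt` line lies past this hunk) executes whatever the checked-out `requirements.txt` resolves to, including on `pull_request` runs of branches in this repository. Set `create_credentials_file: false`, and pass the index as a step-scoped `PIP_EXTRA_INDEX_URL` on the install step instead of a separate `Configure pip` step, so the token exists only in that step's environment and never in a config file that later steps or `pip config list` can read. Whether this pip version redacts the `oauth2accesstoken:…@` userinfo in its own error output I would want confirmed; the env form avoids the on-disk copy regardless. `google-github-actions/auth@v3` is a floating tag like the other actions in this workflow, so pin it to a commit SHA as well.

```yaml
      - name: Authenticate to Google Cloud
        id: auth
        # … unchanged: uses/with block, except create_credentials_file: false …
      - name: Install dependencies
        env:
          # Step-scoped: the token is never persisted to a pip.conf on disk.
          PIP_EXTRA_INDEX_URL: https://oauth2accesstoken:${{ steps.auth.outputs.access_token }}@us-central1-python.pkg.dev/aip-artifacts-store/aipy/simple/
        run: |
          python -m pip install --upgrade pip
          python -m pip install -r requirements.txt
```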