Fix CI builds to use secrets for NVD API key

[binkley]

In all cases, the NVD API key should be a secret for the build passed in by GitHub (${{ secrets.OWASP_NVD_API_KEY }}) and never appear in build log output. This should also work for local builds when using export OWASP_NVD_API_KEY=....

20m builds in CI for Earthly container vs 2m builds when calling Gradle or Maven directly is a clear sign the API key isn't getting passed into the container. (The extra time is for pulling down the CVE data files.)

See related discussion: https://github.com/earthly/earthly/issues/1470#issuecomment-2123352604

First acceptance criteria

Two cases:

• Pass the key as a secret from GitHub exposed as an environment variable within the workflow action. For Earthly, see https://docs.earthly.dev/docs/guides/build-args.
• For direct builds (no container), use the action environment for OWASP_NVD_API_KEY.

Second acceptance criteria

• Update to relevant wiki sections.
• This isn't just for an API key for DependencyCheck, and discussion should be in general covering build secret management for local and in CI.

See

• 466

[binkley]

Not done:

• Teach Earthly to use the GitHub secret for OWASP_NVD_API_KEY in CI builds.
• Teach Earthly to use the GitHub secret for OWASP_NVD_API_KEY in local builds.

Done:

• Teach direct builds without a container to use the OWASP_NVD_API_KEY environment variable for local builds.
• Teach direct builds without a container to use the OWASP_NVD_API_KEY environment variable for CI builds.

[binkley]

See discussion in https://github.com/earthly/earthly/issues/1470#issuecomment-2123421044 for passing secrets to Earthly.

[binkley]

Performance is improved using the NVD API key, but in Earthly still slow compared to directly calling Gradle or Maven.