-
Notifications
You must be signed in to change notification settings - Fork 68
106 lines (91 loc) · 3.04 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
on:
push:
branches: [main]
workflow_dispatch: {}
permissions:
contents: write
pull-requests: write
id-token: write
name: release-latest
jobs:
release_please:
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.release.outputs.release_created }}
steps:
- id: release
uses: googleapis/release-please-action@v4
with:
target-branch: main
build:
needs: [release_please]
name: "Perform any build or bundling steps, as necessary."
uses: ./.github/workflows/build.yml
ssdlc:
needs: [release_please, build]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Node and dependencies
uses: mongodb-labs/drivers-github-tools/node/setup@v2
with:
ignore_install_scripts: true
- name: Load version and package info
uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
with:
npm_package_name: kerberos
- name: actions/compress_sign_and_upload
uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: us-east-1
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: kerberos
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
sign_native: true
- name: Copy sbom file to release assets
shell: bash
if: ${{ '' == '' }}
run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
# only used for mongodb-client-encryption
- name: Augment SBOM and copy to release assets
if: ${{ '' != '' }}
uses: mongodb-labs/drivers-github-tools/sbom@v2
with:
silk_asset_group: ''
sbom_file_name: sbom.json
- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
release_version: ${{ env.package_version }}
product_name: kerberos
sarif_report_target_ref: main
third_party_dependency_tool: n/a
dist_filenames: artifacts/*
token: ${{ github.token }}
sbom_file_name: sbom.json
- uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ env.package_version }}
product_name: kerberos
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
publish:
needs: [release_please, ssdlc, build]
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Node and dependencies
uses: mongodb-labs/drivers-github-tools/node/setup@v2
with:
ignore_install_scripts: true
- run: npm publish --provenance
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}