chore(NODE-6212): generate sarif reports for releases #103

Workflow file for this run

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	workflow_dispatch: {}

	name: Build and Test

	permissions:
	contents: write
	pull-requests: write
	id-token: write

	jobs:
	host_builds:
	strategy:
	matrix:
	os: [macos-11, macos-latest, windows-2019]
	runs-on: ${{ matrix.os }}
	steps:
	- uses: actions/checkout@v4

	- name: Build ${{ matrix.os }} Prebuild
	run: node .github/scripts/libmongocrypt.mjs ${{ runner.os == 'Windows' && '--build' \|\| '' }}
	shell: bash

	- name: Test ${{ matrix.os }}
	shell: bash
	run: npm run test

	- id: upload
	name: Upload prebuild
	uses: actions/upload-artifact@v4
	with:
	name: build-${{ matrix.os }}
	path: prebuilds/
	if-no-files-found: 'error'
	retention-days: 1
	compression-level: 0

	container_builds:
	outputs:
	artifact_id: ${{ steps.upload.outputs.artifact-id }}
	runs-on: ubuntu-latest
	strategy:
	matrix:
	linux_arch: [s390x, arm64, amd64]
	steps:
	- uses: actions/checkout@v4

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Run Buildx
	run: \|
	docker buildx create --name builder --bootstrap --use
	docker buildx build --platform linux/${{ matrix.linux_arch }} --output type=local,dest=./prebuilds,platform-split=false -f ./.github/docker/Dockerfile.glibc .

	- id: upload
	name: Upload prebuild
	uses: actions/upload-artifact@v4
	with:
	name: build-linux-${{ matrix.linux_arch }}
	path: prebuilds/
	if-no-files-found: 'error'
	retention-days: 1
	compression-level: 0

	release_please:
	needs: [host_builds, container_builds]
	runs-on: ubuntu-latest
	outputs:
	release_created: ${{ steps.release.outputs.release_created }}
	steps:
	- id: release
	uses: googleapis/release-please-action@v4

	sign_and_upload:
	needs: [release_please]
	if: ${{ needs.release_please.outputs.release_created }}
	runs-on: ubuntu-latest
	environment: release
	steps:
	- uses: actions/checkout@v4
	- name: actions/setup
	uses: ./.github/actions/setup
	- name: actions/sign_and_upload_package
	uses: ./.github/actions/sign_and_upload_package
	with:
	aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
	aws_region_name: 'us-east-1'
	aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
	npm_package_name: 'mongodb-client-encryption'
	- run: npm publish --provenance
	env:
	NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

	generate_sarif_report:
	environment: release
	runs-on: ubuntu-latest
	needs: [release_please]
	permissions:
	# required for all workflows
	security-events: write
	id-token: write
	contents: write

	steps:
	- uses: actions/checkout@v4
	- name: Set up drivers-github-tools
	uses: mongodb-labs/drivers-github-tools/setup@v2
	with:
	aws_region_name: us-east-1
	aws_role_arn: ${{ secrets.aws_role_arn }}
	aws_secret_id: ${{ secrets.aws_secret_id }}

	- name: "Generate Sarif Report"
	# TODO: Use v2 once it has been re-tagged to include this action
	uses: mongodb-labs/drivers-github-tools/code-scanning-export@main
	with:
	ref: main
	output-file: sarif-report.json

	- name: Get release version and release package file name
	id: get_version
	shell: bash
	run: \|
	package_version=$(jq --raw-output '.version' package.json)
	echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"

	- name: actions/publish_asset_to_s3
	uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
	with:
	version: ${{ steps.get_version.outputs.package_version }}
	product_name: mongodb-client-encryption
	file: sarif-report.json
	dry_run: ${{ needs.release_please.outputs.release_created == '' }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(NODE-6212): generate sarif reports for releases #103

Workflow file

chore(NODE-6212): generate sarif reports for releases #103

Jobs

Run details

Workflow file for this run