Skip to content

chore: ssdlc compliance flow #10

chore: ssdlc compliance flow

chore: ssdlc compliance flow #10

Workflow file for this run

on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch: {}
name: Release
permissions:
contents: write
pull-requests: write
id-token: write
jobs:
release_please:
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.release.outputs.release_created }}
steps:
- id: release
uses: googleapis/release-please-action@v4
build:
needs: [release_please]
name: "Build native code"
uses: ./.github/workflows/build.yml
ssdlc:
needs: [release_please, build]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Node and dependencies
uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
- name: Load version and package info
uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
with:
npm_package_name: mongodb-client-encryption
- name: actions/sign_and_upload_package
uses: ./.github/actions/sign_and_upload_package
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb-client-encryption'
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
filenames: 'build-*/*.tar.gz ${{ env.package_file }}'
artifact_directory: artifacts
- name: Copy sbom file to release assets
shell: bash
run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
release_version: ${{ env.package_version }}
product_name: mongodb-client-encryption
sarif_report_target_ref: main
third_party_dependency_tool: Silk
# <package> and <package>.sig
dist_filenames: artifacts/*
token: ${{ github.token }}
sbom_file_name: sbom.json
- uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ env.package_version }}
product_name: mongodb-client-encryption
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
publish:
needs: [release_please, ssdlc, build]
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Node and dependencies
uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
# - run: npm publish --provenance --tag=latest
# if: ${{ needs.release_please.outputs.release_created }}
# env:
# NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}