From 2c0b2f5351b0e5d5f98e9431729c028dec077b48 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Fri, 28 Jun 2024 09:29:38 -0600 Subject: [PATCH] chore: ssdlc compliance flow (#29) --- .github/actions/setup/action.yml | 15 --- .../sign_and_upload_package/action.yml | 71 ------------ .github/workflows/build.yml | 9 +- .github/workflows/release_6.1.yml | 106 ++++++++++++++++++ 4 files changed, 111 insertions(+), 90 deletions(-) delete mode 100644 .github/actions/setup/action.yml delete mode 100644 .github/actions/sign_and_upload_package/action.yml create mode 100644 .github/workflows/release_6.1.yml diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml deleted file mode 100644 index a045df1..0000000 --- a/.github/actions/setup/action.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Setup -description: 'Installs node, driver dependencies, and builds source' - -runs: - using: composite - steps: - - uses: actions/setup-node@v4 - with: - node-version: 'lts/*' - cache: 'npm' - registry-url: 'https://registry.npmjs.org' - - run: npm install -g npm@latest - shell: bash - - run: npm clean-install --ignore-scripts - shell: bash diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml deleted file mode 100644 index 8d7c948..0000000 --- a/.github/actions/sign_and_upload_package/action.yml +++ /dev/null @@ -1,71 +0,0 @@ -name: Sign and Upload Package -description: 'Signs native modules with garasign' - -inputs: - aws_role_arn: - description: 'AWS role input for drivers-github-tools/gpg-sign@v2' - required: true - aws_region_name: - description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' - required: true - aws_secret_id: - description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' - required: true - npm_package_name: - description: 'The name for the npm package this repository represents' - required: true - -runs: - using: composite - steps: - - uses: actions/download-artifact@v4 - - - name: Make signatures directory - shell: bash - run: mkdir artifacts - - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: ${{ inputs.aws_region_name }} - aws_role_arn: ${{ inputs.aws_role_arn }} - aws_secret_id: ${{ inputs.aws_secret_id }} - - - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: - filenames: 'build-*/*.tar.gz' - env: - RELEASE_ASSETS: artifacts/ - - - name: Copy the tarballs to the artifacts directory - shell: bash - run: for filename in build-*/*.tar.gz; do cp ${filename} artifacts/; done - - - run: npm pack - shell: bash - - - name: Get release version and release package file name - id: get_vars - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT" - - - name: Create detached signature for module - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: - filenames: ${{ steps.get_vars.outputs.package_file }} - env: - RELEASE_ASSETS: artifacts/ - - - name: Display structure of downloaded files - shell: bash - run: ls -la artifacts/ - - - name: "Upload release artifacts" - run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.* - shell: bash - env: - GH_TOKEN: ${{ github.token }} \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 908121f..765e02a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,9 +1,8 @@ on: - push: - branches: [main] pull_request: branches: [main] workflow_dispatch: {} + workflow_call: {} name: Build and Test @@ -86,8 +85,10 @@ jobs: environment: release steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true - name: actions/sign_and_upload_package uses: ./.github/actions/sign_and_upload_package with: diff --git a/.github/workflows/release_6.1.yml b/.github/workflows/release_6.1.yml new file mode 100644 index 0000000..b64fe76 --- /dev/null +++ b/.github/workflows/release_6.1.yml @@ -0,0 +1,106 @@ +on: + push: + branches: ["6.1"] + workflow_dispatch: {} + +permissions: + contents: write + pull-requests: write + id-token: write + +name: release-6.1 + +jobs: + release_please: + runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} + steps: + - id: release + uses: googleapis/release-please-action@v4 + with: + target-branch: 6.1 + + build: + needs: [release_please] + name: "Perform any build or bundling steps, as necessary." + uses: ./.github/workflows/build.yml + + ssdlc: + needs: [release_please, build] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true + + - name: Load version and package info + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + with: + npm_package_name: mongodb-client-encryption + + - name: actions/compress_sign_and_upload + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: us-east-1 + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: mongodb-client-encryption + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + sign_native: true + + - name: Copy sbom file to release assets + shell: bash + if: ${{ 'mongodb-client-encryption-6.1' == '' }} + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + + # only used for mongodb-client-encryption + - name: Augment SBOM and copy to release assets + if: ${{ 'mongodb-client-encryption-6.1' != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: 'mongodb-client-encryption-6.1' + sbom_file_name: sbom.json + + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/full-report@v2 + with: + release_version: ${{ env.package_version }} + product_name: mongodb-client-encryption + sarif_report_target_ref: 6.1 + third_party_dependency_tool: n/a + dist_filenames: artifacts/* + token: ${{ github.token }} + sbom_file_name: sbom.json + + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ env.package_version }} + product_name: mongodb-client-encryption + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + publish: + needs: [release_please, ssdlc, build] + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true + + - run: npm publish --provenance --tag=alpha + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}