diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
new file mode 100644
index 0000000..a045df1
--- /dev/null
+++ b/.github/actions/setup/action.yml
@@ -0,0 +1,15 @@
+name: Setup
+description: 'Installs node, driver dependencies, and builds source'
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 'lts/*'
+ cache: 'npm'
+ registry-url: 'https://registry.npmjs.org'
+ - run: npm install -g npm@latest
+ shell: bash
+ - run: npm clean-install --ignore-scripts
+ shell: bash
diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml
new file mode 100644
index 0000000..39814be
--- /dev/null
+++ b/.github/actions/sign_and_upload_package/action.yml
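Review bot: In `.github/actions/setup/action.yml`, `npm install -g npm@latest` makes the npm CLI that later runs `npm publish --provenance` a floating dependency, so the publishing toolchain can change between releases without any change in this repository. Pin it to a reviewed release, e.g. `- run: npm install -g npm@<pinned-version>`, and bump it deliberately. The same applies to the action references in this commit, which are mutable tags (`actions/setup-node@v4` here; `mongodb-labs/drivers-github-tools/setup@v2`, `gpg-sign@v2` and `googleapis/release-please-action@v4` in the other files): pinning them to full commit SHAs keeps the code that runs alongside the AWS role, secret id and npm token fixed until someone reviews an update. A short comment on `npm clean-install --ignore-scripts` saying that the flag is deliberate would keep it from being dropped later.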
@@ -0,0 +1,60 @@
+name: Sign and Upload Package
+description: 'Signs native modules with garasign'
+
+inputs:
+ aws_role_arn:
+ description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_region_name:
+ description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_secret_id:
+ description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ npm_package_name:
+ description: 'The name for the npm package this repository represents'
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/download-artifact@v4
+
+ - name: Make signatures directory
+ shell: bash
+ run: mkdir artifacts
+
+ - name: Set up drivers-github-tools
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_region_name: ${{ inputs.aws_region_name }}
+ aws_role_arn: ${{ inputs.aws_role_arn }}
+ aws_secret_id: ${{ inputs.aws_secret_id }}
+
+ - name: Create detached signature
+ uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+ with:
+ filenames: 'build-*/*.tar.gz'
+ env:
+ RELEASE_ASSETS: artifacts/
+
+ - name: Copy the tarballs to the artifacts directory
+ shell: bash
+ run: for filename in build-*/*.tar.gz; do cp ${filename} artifacts/; done
+
+ - name: Display structure of downloaded files
+ shell: bash
+ run: ls -la artifacts/
+
+ - name: Get release version and release package file name
+ id: get_vars
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+
+ - name: "Upload release artifacts"
+ run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.*
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 25c60bd..e0025c2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
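Review bot: In `.github/actions/sign_and_upload_package/action.yml`, the upload step expands `${{ steps.get_vars.outputs.package_version }}` directly into the shell script, so whatever string sits in the `version` field of package.json is parsed as shell by a step that holds `GH_TOKEN`. Pass it through the environment instead: add `PACKAGE_VERSION: ${{ steps.get_vars.outputs.package_version }}` under that step's `env:` and run `gh release upload "v${PACKAGE_VERSION}" artifacts/*.*`. The copy loop has the same quoting gap; `cp "${filename}" artifacts/` avoids word splitting on unexpected artifact names. The `npm_package_name` input is declared `required: true` but no step in the hunk reads it, so either use it or drop it.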
@@ -5,6 +5,11 @@ on: branches: [main] workflow_dispatch: {} +permissions: + contents: write + pull-requests: write + id-token: write + name: build jobs: @@ -61,21 +66,31 @@ jobs: retention-days: 1 compression-level: 0 - collect: + release_please: needs: [host_builds, container_builds] runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} steps: - - uses: actions/download-artifact@v4 - - - name: Display structure of downloaded files - run: ls -R + - id: release + uses: googleapis/release-please-action@v4 - - id: upload - name: Upload all prebuilds - uses: actions/upload-artifact@v4 - with: - name: all-build - path: '*.tar.gz' - if-no-files-found: 'error' - retention-days: 1 - compression-level: 0 + sign_and_upload: + needs: [release_please] + if: ${{ needs.release_please.outputs.release_created }} + runs-on: ubuntu-latest + environment: release + steps: + - uses: actions/checkout@v4 + - name: actions/sign_and_upload_package + uses: ./.github/actions/sign_and_upload_package + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: 'us-east-1' + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: 'mongodb-client-encryption' + - name: actions/setup + uses: ./.github/actions/setup + - run: npm publish --provenance + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file diff --git a/.release-please-manifest.json b/.release-please-manifest.json new file mode 100644 index 0000000..a3a12f4 --- /dev/null +++ b/.release-please-manifest.json @@ -0,0 +1,3 @@ +{ + ".": "6.0.0" +} diff --git a/release-please-config.json b/release-please-config.json new file mode 100644 index 0000000..2655c66 --- /dev/null +++ b/release-please-config.json 
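Review bot: The `permissions:` block added at workflow level in `.github/workflows/build.yml` gives `contents: write`, `pull-requests: write` and `id-token: write` to every job, including `host_builds` and `container_builds`, whose bodies are outside the hunk and which presumably only build and upload artifacts. Any build step or dependency running in those jobs would then hold a token that can write to the repository and request OIDC tokens. Default the workflow to read-only and grant the write scopes on the two release jobs only. The scopes below are what the visible steps appear to need and should be confirmed against the documentation of the actions involved.

```yaml
permissions:
  contents: read

# … unchanged: name, host_builds and container_builds jobs …

  release_please:
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: needs, runs-on, outputs, steps …

  sign_and_upload:
    permissions:
      contents: write
      id-token: write
    # … unchanged: needs, if, runs-on, environment, steps …
```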
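Review bot: The gate `if: ${{ needs.release_please.outputs.release_created }}` on `sign_and_upload` relies on string truthiness: job outputs are always strings, and any non-empty value, including the text `false`, evaluates as true. If the action ever emits `false` rather than leaving the output empty, this job would sign, upload and run `npm publish` on every run of the workflow. Compare explicitly with `if: needs.release_please.outputs.release_created == 'true'`. A one-line comment on `environment: release` stating which protection rules that environment is expected to carry would also help, since it appears to be the only approval gate in front of the AWS role and `NPM_TOKEN`.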
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "pull-request-title-pattern": "chore${scope}: release ${version} [skip-ci]",
+ "pull-request-header": "Please run the release_notes action before releasing to generate release highlights",
+ "packages": {
+ ".": {
+ "include-component-in-tag": false,
+ "changelog-path": "HISTORY.md",
+ "release-type": "node",
+ "bump-minor-pre-major": false,
+ "bump-patch-for-minor-pre-major": false,
+ "draft": false,
+ "prerelease": false
+ }
+ }
+}