From 51244df6e1ccb3496d498ae9a4a34bcf7b4a6a2e Mon Sep 17 00:00:00 2001
From: Durran Jordan
Date: Thu, 13 Jun 2024 19:21:28 +0200
Subject: [PATCH] chore(NODE-6160): sign and upload to releases (#9)

Co-authored-by: Aditi Khare <106987683+aditi-khare-mongoDB@users.noreply.github.com>
---
 .github/actions/setup/action.yml       | 15 ++++
 .../sign_and_upload_package/action.yml | 71 +++++++++++++++++++
 .github/workflows/build.yml            | 43 +++++++----
 3 files changed, 115 insertions(+), 14 deletions(-)
 create mode 100644 .github/actions/setup/action.yml
 create mode 100644 .github/actions/sign_and_upload_package/action.yml

diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
new file mode 100644
index 0000000..a045df1
--- /dev/null
+++ b/.github/actions/setup/action.yml
@@ -0,0 +1,15 @@
+name: Setup
+description: 'Installs node, driver dependencies, and builds source'
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/setup-node@v4
+      with:
+        node-version: 'lts/*'
+        cache: 'npm'
+        registry-url: 'https://registry.npmjs.org'
+    - run: npm install -g npm@latest
+      shell: bash
+    - run: npm clean-install --ignore-scripts
+      shell: bash
diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml
new file mode 100644
index 0000000..8d7c948
--- /dev/null
+++ b/.github/actions/sign_and_upload_package/action.yml
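Review bot: `npm install -g npm@latest` in `.github/actions/setup/action.yml` fetches whatever npm version is current at run time, so the toolchain that later packs, signs and publishes the release is not reproducible and a bad npm release would be picked up by the release job on its next run. Pin it, e.g. `npm install -g npm@<pinned-version>`, or drop the step entirely, since `actions/setup-node` already provides the npm bundled with the selected Node release. The same consideration applies to every third-party action referenced by a mutable tag in this patch (`actions/setup-node@v4`, `actions/download-artifact@v4`, `mongodb-labs/drivers-github-tools/setup@v2`, `mongodb-labs/drivers-github-tools/gpg-sign@v2`, `googleapis/release-please-action@v4`): pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening for a workflow that holds publishing credentials.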
@@ -0,0 +1,71 @@
+name: Sign and Upload Package
+description: 'Signs native modules with garasign'
+
+inputs:
+  aws_role_arn:
+    description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  aws_region_name:
+    description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  aws_secret_id:
+    description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  npm_package_name:
+    description: 'The name for the npm package this repository represents'
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/download-artifact@v4
+
+    - name: Make signatures directory
+      shell: bash
+      run: mkdir artifacts
+
+    - name: Set up drivers-github-tools
+      uses: mongodb-labs/drivers-github-tools/setup@v2
+      with:
+        aws_region_name: ${{ inputs.aws_region_name }}
+        aws_role_arn: ${{ inputs.aws_role_arn }}
+        aws_secret_id: ${{ inputs.aws_secret_id }}
+
+    - name: Create detached signature
+      uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+      with:
+        filenames: 'build-*/*.tar.gz'
+      env:
+        RELEASE_ASSETS: artifacts/
+
+    - name: Copy the tarballs to the artifacts directory
+      shell: bash
+      run: for filename in build-*/*.tar.gz; do cp $(unknown) artifacts/; done
+
+    - run: npm pack
+      shell: bash
+
+    - name: Get release version and release package file name
+      id: get_vars
+      shell: bash
+      run: |
+        package_version=$(jq --raw-output '.version' package.json)
+        echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+        echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
+    - name: Create detached signature for module
+      uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+      with:
+        filenames: ${{ steps.get_vars.outputs.package_file }}
+      env:
+        RELEASE_ASSETS: artifacts/
+
+    - name: Display structure of downloaded files
+      shell: bash
+      run: ls -la artifacts/
+
+    - name: "Upload release artifacts"
+      run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.*
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a96ea03..eda08be 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -7,6 +7,11 @@ on:
 
 name: Build and Test
 
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
 jobs:
   host_builds:
     strategy:
@@ -65,21 +70,31 @@ jobs:
           retention-days: 1
           compression-level: 0
 
-  collect:
+  release_please:
     needs: [host_builds, container_builds]
     runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
     steps:
-      - uses: actions/download-artifact@v4
-
-      - name: Display structure of downloaded files
-        run: ls -R
+      - id: release
+        uses: googleapis/release-please-action@v4
 
-      - id: upload
-        name: Upload all prebuilds
-        uses: actions/upload-artifact@v4
-        with:
-          name: all-build
-          path: '*.tar.gz'
-          if-no-files-found: 'error'
-          retention-days: 1
-          compression-level: 0
+  sign_and_upload:
+    needs: [release_please]
+    if: ${{ needs.release_please.outputs.release_created }}
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - uses: actions/checkout@v4
+      - name: actions/setup
+        uses: ./.github/actions/setup
+      - name: actions/sign_and_upload_package
+        uses: ./.github/actions/sign_and_upload_package
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: 'us-east-1'
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          npm_package_name: 'mongodb-client-encryption'
+      - run: npm publish --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
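Review bot: The copy loop `run: for filename in build-*/*.tar.gz; do cp $(unknown) artifacts/; done` in `.github/actions/sign_and_upload_package/action.yml` never uses its loop variable and, as shown here, would execute a command named `unknown` inside the substitution rather than copy anything; presumably `cp "$filename" artifacts/` was intended, with the variable quoted so a tarball path is never word-split. Separately, `run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.*` expands a workflow expression directly into shell text; the value is read from `package.json` by `jq` in this action, so the exposure is limited to repository content, but the recommended pattern is to pass it through the step's `env:` (`PACKAGE_VERSION: ${{ steps.get_vars.outputs.package_version }}`) and reference `"v${PACKAGE_VERSION}"` in the script. `run: mkdir artifacts` would also fail a re-run if the directory already exists; `mkdir -p artifacts` is the safe form.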
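Review bot: The workflow-level `permissions:` block in `.github/workflows/build.yml` grants `contents: write`, `pull-requests: write` and `id-token: write` to every job in the workflow, including `host_builds` and `container_builds`, which only build and upload artifacts and (unless they declare their own `permissions:` outside this hunk) need neither a write token nor the ability to mint OIDC tokens. Least privilege here is a read-only default at the workflow level and per-job grants on the two release jobs defined in the second hunk of this file: `release_please` needs `contents` and `pull-requests` write for the release PR and tag, and `sign_and_upload` needs `contents: write` for `gh release upload` and `id-token: write` for the AWS OIDC exchange and `npm publish --provenance`.
```yaml
permissions:
  contents: read

jobs:
  # … unchanged: host_builds, container_builds …
  release_please:
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: needs, runs-on, outputs, steps …
  sign_and_upload:
    permissions:
      contents: write
      id-token: write
    # … unchanged: needs, if, runs-on, environment, steps …
```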
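Review bot: `if: ${{ needs.release_please.outputs.release_created }}` on the `sign_and_upload` job relies on the output being empty whenever no release was created; any non-empty string, including a literal `'false'`, is truthy in a workflow expression, so if the action ever emits a false value as a string the signing and `npm publish --provenance` steps would run on an ordinary push. The explicit comparison `if: ${{ needs.release_please.outputs.release_created == 'true' }}` removes that dependency on the action's output shape. Since this job publishes to npm and uploads signed release assets with repository-scoped secrets, it is worth confirming that the `release` environment referenced by `environment: release` is configured with required reviewers or a deployment-branch rule, as the YAML alone does not establish that protection.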