diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml
index 8d7c948..12bcba9 100644
--- a/.github/actions/sign_and_upload_package/action.yml
+++ b/.github/actions/sign_and_upload_package/action.yml
@@ -14,6 +14,10 @@ inputs:
 npm_package_name: description: 'The name for the npm package this repository represents' required: true + dry_run: description: 'Should we upload files to the release?' required: false + default: 'true' runs: using: composite
@@ -65,6 +69,7 @@ runs:
 run: ls -la artifacts/ - name: "Upload release artifacts" + if: ${{ inputs.dry_run == false }} run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.* shell: bash env:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a4c3421..3859054 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
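Review bot: The description of the new `dry_run` input, `'Should we upload files to the release?'`, reads as if `true` meant "upload", but the step this input guards later in the same file uploads only when it is not a dry run, so the text is inverted relative to the behaviour. Suggest `description: 'When true (the default), skip uploading artifacts to the GitHub release'`. Composite-action inputs are exposed to the action as strings, so keeping the default quoted as `'true'` is right; any consumer should compare against the string `'true'`/`'false'` rather than a boolean. Defaulting to dry-run is the safe direction, since a caller that forgets the input cannot accidentally publish.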
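Review bot: `if: ${{ inputs.dry_run == false }}` compares a composite-action input, which GitHub exposes as a string, against a boolean; for mixed-type comparisons the expression engine coerces both sides to numbers, so `'false'` becomes NaN and the condition can never be true — the "Upload release artifacts" step is skipped even when the caller passes `dry_run: false`. Use a string comparison instead: `if: ${{ inputs.dry_run == 'false' }}`. The stricter form (only the literal `'false'` publishes) fails closed, which is what you want on a step that runs `gh release upload` with `artifacts/*.*`. The `runs.steps` list this step belongs to starts before and continues after this hunk.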
@@ -79,15 +79,103 @@ jobs: - id: release uses: googleapis/release-please-action@v4 + generate_sarif_report: + environment: release + runs-on: ubuntu-latest + needs: [release_please] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + + steps: + - uses: actions/checkout@v4 + - name: Set up drivers-github-tools + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_region_name: us-east-1 + aws_role_arn: ${{ secrets.aws_role_arn }} + aws_secret_id: ${{ secrets.aws_secret_id }} + + - name: "Generate Sarif Report" + uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + with: + ref: main + output-file: sarif-report.json + + - name: Get release version and release package file name + id: get_version + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + - name: actions/publish_asset_to_s3 + uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + with: + version: ${{ steps.get_version.outputs.package_version }} + product_name: mongodb-client-encryption + file: sarif-report.json + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + generate_compliance_report: + environment: release + runs-on: ubuntu-latest + needs: [release_please] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + + steps: + - uses: actions/checkout@v4 + - name: Set up drivers-github-tools + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_region_name: us-east-1 + aws_role_arn: ${{ secrets.aws_role_arn }} + aws_secret_id: ${{ secrets.aws_secret_id }} + + - name: Get release version and release package file name + id: get_version + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + + - name: Generate compliance report + uses: 
mongodb-labs/drivers-github-tools/compliance-report@v2 + with: + sbom_name: sbom.json # TODO - confirm sbom file name + sarif_name: sarif-report.json + security_report_location: tbd + release_version: ${{ steps.get_version.outputs.package_version }} + token: ${{ github.token }} + + - name: actions/publish_asset_to_s3 + uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + with: + version: ${{ steps.get_version.outputs.package_version }} + product_name: mongodb-client-encryption + file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + sign_and_upload: needs: [release_please] - if: ${{ needs.release_please.outputs.release_created }} runs-on: ubuntu-latest environment: release steps: - uses: actions/checkout@v4 - name: actions/setup uses: ./.github/actions/setup + - name: Get release version and release package file name + id: get_vars + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT" - name: actions/sign_and_upload_package uses: ./.github/actions/sign_and_upload_package with: 
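Review bot: Dropping the job-level `if: ${{ needs.release_please.outputs.release_created }}` from `sign_and_upload` (whose body continues in the next hunk), and adding `generate_sarif_report` and `generate_compliance_report` without one, means all three jobs now enter the `release` environment, mint an OIDC token via `id-token: write` and assume `secrets.aws_role_arn` on every run of this workflow, with a forwarded `dry_run` string as the only thing standing between a non-release run and a publish. Keep a job-level gate, `if: ${{ needs.release_please.outputs.release_created }}`, on every job that obtains release credentials, and treat `dry_run` as defence in depth rather than the primary control. The `permissions` blocks on the two report jobs grant `contents: write` and `security-events: write` although no visible step writes to the repository; the "required for all workflows" comment does not justify the write scopes, so drop `contents: write` and check whether `security-events: read` is sufficient for the export action. `security_report_location: tbd` and the `# TODO - confirm sbom file name` placeholder will be baked into the published compliance report, so they should be resolved (or the job left gated off) before this lands. `generate_compliance_report` also reads `sarif-report.json`, which only the sibling `generate_sarif_report` job produces, and it does not `needs` that job — unless the compliance-report action fetches the file from S3 itself, it will be missing from this job's workspace.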
@@ -95,6 +183,26 @@ jobs: aws_region_name: 'us-east-1' aws_secret_id: ${{ secrets.AWS_SECRET_ID }} npm_package_name: 'mongodb-client-encryption' - - run: npm publish --provenance --tag=alpha - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + with: + release_version: ${{ steps.get_version.outputs.package_version }} + product_name: mongodb-client-encryption + # and .sig + filenames: artifacts/* + token: ${{ github.token }} + + - name: actions/publish_asset_to_s3 + uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + with: + version: ${{ steps.get_version.outputs.package_version }} + product_name: mongodb-client-encryption + file: ${{env.S3_ASSETS}}/authorized-publication.txt + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + # - run: npm publish --provenance --tag=alpha + # if: ${{ needs.release_please.outputs.release_created }} + # env: + # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
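Review bot: Both new steps in `sign_and_upload` reference `steps.get_version.outputs.package_version`, but the version step added to this job in the previous hunk has `id: get_vars`, and no step with id `get_version` is visible in this job (the `get_version` ids belong to the two report jobs); the references therefore evaluate to empty strings, so the authorized-publication report and the S3 upload get no version. Change them to `release_version: ${{ steps.get_vars.outputs.package_version }}` and `version: ${{ steps.get_vars.outputs.package_version }}`. The `dry_run: ${{ needs.release_please.outputs.release_created == '' }}` value arrives at the composite action as the string `'true'`/`'false'`, so the action's guard must compare against the string for this to have any effect. The `npm publish --provenance` step is commented out rather than removed; if it is coming back it needs the same `release_created` gate that this change removed from the job, and until then the dead block (with its `NPM_TOKEN` reference) is better deleted than left to be uncommented by hand.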