From 1150d9c3cda4e6987288bd2ba8f003470cce4f08 Mon Sep 17 00:00:00 2001
From: Durran Jordan
Date: Mon, 3 Jun 2024 13:36:32 -0400
Subject: [PATCH] chore(NODE-4869): sign and upload to releases
---
 .../actions/sign_and_upload_native/action.yml | 32 ++++++++++++++
 .../sign_and_upload_package/action.yml | 43 +++++++++++++++++++
 .github/workflows/build.yml | 18 ++++++++
 3 files changed, 93 insertions(+)
 create mode 100644 .github/actions/sign_and_upload_native/action.yml
 create mode 100644 .github/actions/sign_and_upload_package/action.yml
diff --git a/.github/actions/sign_and_upload_native/action.yml b/.github/actions/sign_and_upload_native/action.yml
new file mode 100644
index 0000000..e493146
--- /dev/null
+++ b/.github/actions/sign_and_upload_native/action.yml
@@ -0,0 +1,32 @@
+name: Sign and Upload Native
+description: 'Signs and uploads the native release artifacts'
+
+inputs:
+ garasign_username:
+ description: 'Garasign username input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ garasign_password:
+ description: 'Garasign password input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ artifactory_username:
+ description: 'Artifactory username input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ artifactory_password:
+ description: 'Artifactory password input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/download-artifact@v4
+
+ - name: Display structure of downloaded files
+ run: ls -R
+
+ - name: Get release version and release package file name
+ id: vars
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT"
\ No newline at end of file
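Review bot: The `Display structure of downloaded files` step in sign_and_upload_native/action.yml has `run: ls -R` with no `shell:` key, which composite actions require on every `run` step; add `shell: bash` as the following step already does. The four required credential inputs are declared but no step in this file consumes them, and the action ends after writing `package_file`, so nothing is signed or uploaded despite the name. The `package_file=bson-${package_version}.tgz` line looks carried over from the package action and does not name any native artifact fetched by `actions/download-artifact@v4`. Until a signing step exists here, consider dropping the secret inputs so callers are not asked to pass credentials that go unused.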
diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml
new file mode 100644
index 0000000..9a890a0
--- /dev/null
+++ b/.github/actions/sign_and_upload_package/action.yml
@@ -0,0 +1,43 @@
+name: Sign and Upload Package
+description: 'Signs and uploads the release artifacts'
+
+inputs:
+ garasign_username:
+ description: 'Garasign username input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ garasign_password:
+ description: 'Garasign password input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ artifactory_username:
+ description: 'Artifactory username input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ artifactory_password:
+ description: 'Artifactory password input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - run: npm pack
+ shell: bash
+
+ - name: Get release version and release package file name
+ id: vars
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
+ - name: Create detached signature
+ uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1
+ with:
+ filenames: ${{ steps.vars.package_file }}
+ garasign_username: ${{ inputs.garasign_username }}
+ garasign_password: ${{ inputs.garasign_password }}
+ artifactory_username: ${{ inputs.artifactory_username }}
+ artifactory_password: ${{ inputs.artifactory_password }}
+
+ - name: "Upload release artifacts"
+ run: gh release upload v${{ steps.vars.package_version }} ${{ steps.vars.package_file }}.sig
+ shell: bash
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1270be7..d6ad077 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
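Review bot: In sign_and_upload_package/action.yml the expressions `${{ steps.vars.package_file }}` and `${{ steps.vars.package_version }}` omit `.outputs`, so they evaluate to empty: the gpg-sign step is handed an empty `filenames` and the upload becomes `gh release upload v .sig`. The signing input should read `filenames: ${{ steps.vars.outputs.package_file }}`, and the upload step is safer if it passes both outputs through `env:` and runs `gh release upload "v${PACKAGE_VERSION}" "${PACKAGE_FILE}.sig"`, so a version string read from package.json is never spliced into the shell script. The upload step also sets no `GH_TOKEN`, which `gh` needs when run inside a workflow. Because `mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1` receives the Garasign and Artifactory credentials, pinning it to a full commit SHA instead of a movable tag keeps a later retag from changing what code sees those secrets.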
@@ -79,3 +79,21 @@ jobs:
 if-no-files-found: 'error'
 retention-days: 1
 compression-level: 0
+
+ sign_and_upload:
+ needs: [host_builds, container_builds]
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: actions/setup
+ uses: ./.github/actions/setup
+ - name: actions/sign_and_upload_package
+ uses: ./.github/actions/sign_and_upload_package
+ with:
+ garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
+ garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
+ artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+ artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+ # - run: npm publish --provenance
+ # env:
+ # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
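Review bot: The new `sign_and_upload` job is handed the Garasign and Artifactory secrets with no `if:` guard and no `permissions:` block in this hunk, so it appears to run on every trigger of build.yml rather than only on releases; the `on:` section and any workflow-level permissions are outside the hunk, so confirm against them. Gating the job on the release event or a version tag ref, and declaring least privilege with `permissions:` / `contents: write` (needed for `gh release upload`), would keep signing credentials out of ordinary branch and pull-request builds. The commented-out `npm publish --provenance` would additionally need `id-token: write` once it is enabled. A short comment above the job stating which event is expected to reach it would also help the next reader.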