From 848b32da49b61780d0096c9cd6574e7963b730b3 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Mon, 3 Jun 2024 13:36:32 -0400 Subject: [PATCH 1/3] chore(NODE-6160): sign and upload to releases --- .github/actions/setup/action.yml | 15 ++++ .../sign_and_upload_package/action.yml | 71 +++++++++++++++++++ .github/workflows/build.yml | 43 +++++++---- 3 files changed, 115 insertions(+), 14 deletions(-) create mode 100644 .github/actions/setup/action.yml create mode 100644 .github/actions/sign_and_upload_package/action.yml diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml new file mode 100644 index 0000000..a045df1 --- /dev/null +++ b/.github/actions/setup/action.yml @@ -0,0 +1,15 @@ +name: Setup +description: 'Installs node, driver dependencies, and builds source' + +runs: + using: composite + steps: + - uses: actions/setup-node@v4 + with: + node-version: 'lts/*' + cache: 'npm' + registry-url: 'https://registry.npmjs.org' + - run: npm install -g npm@latest + shell: bash + - run: npm clean-install --ignore-scripts + shell: bash diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml new file mode 100644 index 0000000..8d7c948 --- /dev/null +++ b/.github/actions/sign_and_upload_package/action.yml 
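Review bot: `npm install -g npm@latest` in the third `run:` step of the new setup action fetches whatever the registry marks as `latest` at run time, so the toolchain that later runs `npm pack` and `npm publish` in the release job is neither pinned nor reproducible and silently changes between runs; pin it (`npm install -g npm@<pinned version>`) or drop the step, since the Node installed by setup-node already bundles npm. The `description` also claims the action 'builds source', but the visible steps only install Node and run `npm clean-install --ignore-scripts`, so either add the build step or narrow the text to `description: 'Installs node and driver dependencies'`. Because this composite is used by a job that holds `id-token: write` and publish credentials (see the build.yml hunks below), referencing `actions/setup-node` by a full commit SHA rather than the floating `@v4` tag would close the remaining moving part in the setup path.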
@@ -0,0 +1,71 @@ +name: Sign and Upload Package +description: 'Signs native modules with garasign' + +inputs: + aws_role_arn: + description: 'AWS role input for drivers-github-tools/gpg-sign@v2' + required: true + aws_region_name: + description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' + required: true + aws_secret_id: + description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' + required: true + npm_package_name: + description: 'The name for the npm package this repository represents' + required: true + +runs: + using: composite + steps: + - uses: actions/download-artifact@v4 + + - name: Make signatures directory + shell: bash + run: mkdir artifacts + + - name: Set up drivers-github-tools + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_region_name: ${{ inputs.aws_region_name }} + aws_role_arn: ${{ inputs.aws_role_arn }} + aws_secret_id: ${{ inputs.aws_secret_id }} + + - name: Create detached signature + uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + with: + filenames: 'build-*/*.tar.gz' + env: + RELEASE_ASSETS: artifacts/ + + - name: Copy the tarballs to the artifacts directory + shell: bash + run: for filename in build-*/*.tar.gz; do cp $(unknown) artifacts/; done + + - run: npm pack + shell: bash + + - name: Get release version and release package file name + id: get_vars + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT" + + - name: Create detached signature for module + uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + with: + filenames: ${{ steps.get_vars.outputs.package_file }} + env: + RELEASE_ASSETS: artifacts/ + + - name: Display structure of downloaded files + shell: bash + run: ls -la artifacts/ + + - name: "Upload release artifacts" + run: gh release upload v${{ steps.get_vars.outputs.package_version 
}} artifacts/*.* + shell: bash + env: + GH_TOKEN: ${{ github.token }} \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a96ea03..eda08be 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,6 +7,11 @@ on: name: Build and Test +permissions: + contents: write + pull-requests: write + id-token: write + jobs: host_builds: strategy: @@ -65,21 +70,31 @@ jobs: retention-days: 1 compression-level: 0 - collect: + release_please: needs: [host_builds, container_builds] runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} steps: - - uses: actions/download-artifact@v4 - - - name: Display structure of downloaded files - run: ls -R + - id: release + uses: googleapis/release-please-action@v4 - - id: upload - name: Upload all prebuilds - uses: actions/upload-artifact@v4 - with: - name: all-build - path: '*.tar.gz' - if-no-files-found: 'error' - retention-days: 1 - compression-level: 0 + sign_and_upload: + needs: [release_please] + if: ${{ needs.release_please.outputs.release_created }} + runs-on: ubuntu-latest + environment: release + steps: + - uses: actions/checkout@v4 + - name: actions/setup + uses: ./.github/actions/setup + - name: actions/sign_and_upload_package + uses: ./.github/actions/sign_and_upload_package + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: 'us-east-1' + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: 'mongodb-client-encryption' + - run: npm publish --provenance + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file From d77f37e48fbb43b92807340311c457ffe7f06873 Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 13 Jun 2024 17:18:47 +0200 Subject: [PATCH 2/3] chore: temp build --- .github/actions/sign_and_upload_package/action.yml | 10 +++++----- .github/workflows/build.yml | 11 ++++++----- 2 files changed, 11 insertions(+), 10 deletions(-) 
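Review bot: The copy step's body `for filename in build-*/*.tar.gz; do cp $(unknown) artifacts/; done` never uses its loop variable, and as shown `$(unknown)` would try to execute a command named `unknown`; whether or not this is an extraction artefact of the original text, the intended line is `run: for filename in build-*/*.tar.gz; do cp "$filename" artifacts/; done`. The `get_vars` and upload steps also splice `${{ inputs.npm_package_name }}` and `${{ steps.get_vars.outputs.package_version }}` directly into `run:` scripts, where the runner substitutes the text before bash parses it, so a value containing quotes or shell metacharacters changes the command; pass them through `env:` (e.g. `env:` / `PKG_NAME: ${{ inputs.npm_package_name }}` and `"${PKG_NAME}"` inside the script) instead. Both values currently originate in repository content (a workflow literal and `package.json`), so the exposure is low, but the indirection is cheap and is the pattern GitHub's own hardening guidance recommends. The `v` prefix in `gh release upload v${{ ... }}` additionally hard-codes the tag naming scheme, which presumably mirrors the release-please configuration; a one-line comment such as `# tag format must match release-please's tag naming` would make that coupling visible.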
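Review bot: `contents: write`, `pull-requests: write` and `id-token: write` are granted at workflow level in the first build.yml hunk, so `host_builds` and `container_builds` receive write-capable tokens and an OIDC identity they never use; the `on:` trigger is outside the hunk, so which events reach those jobs cannot be confirmed here, but the grant is wider than the build jobs need regardless. Scope it per job instead: keep `permissions:` / `contents: read` at the top, give `release_please` `contents: write` and `pull-requests: write`, and give `sign_and_upload` (second build.yml hunk) `contents: write` for `gh release upload` plus `id-token: write` for `npm publish --provenance` and, presumably, the AWS role assumption behind `aws_role_arn`. The `environment: release` on `sign_and_upload` already fences the AWS and npm secrets, so the token scope on the non-release jobs is the remaining gap.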
diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml index 8d7c948..d14e9ef 100644 --- a/.github/actions/sign_and_upload_package/action.yml +++ b/.github/actions/sign_and_upload_package/action.yml @@ -64,8 +64,8 @@ runs: shell: bash run: ls -la artifacts/ - - name: "Upload release artifacts" - run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.* - shell: bash - env: - GH_TOKEN: ${{ github.token }} \ No newline at end of file + # - name: "Upload release artifacts" + # run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.* + # shell: bash + # env: + # GH_TOKEN: ${{ github.token }} \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index eda08be..72db297 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -80,8 +80,9 @@ jobs: uses: googleapis/release-please-action@v4 sign_and_upload: - needs: [release_please] - if: ${{ needs.release_please.outputs.release_created }} + needs: [host_builds, container_builds] + # needs: [release_please] + # if: ${{ needs.release_please.outputs.release_created }} runs-on: ubuntu-latest environment: release steps: @@ -95,6 +96,6 @@ jobs: aws_region_name: 'us-east-1' aws_secret_id: ${{ secrets.AWS_SECRET_ID }} npm_package_name: 'mongodb-client-encryption' - - run: npm publish --provenance - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file + # - run: npm publish --provenance + # env: + # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file From c412d5a24b18bbdc07ce2df8ae95d1b73a437bcd Mon Sep 17 00:00:00 2001 From: Durran Jordan Date: Thu, 13 Jun 2024 17:52:43 +0200 Subject: [PATCH 3/3] chore: bring back proper order --- .github/actions/sign_and_upload_package/action.yml | 10 +++++----- .github/workflows/build.yml | 11 +++++------ 2 files changed, 10 insertions(+), 11 deletions(-) 
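Review bot: With the `if: ${{ needs.release_please.outputs.release_created }}` gate commented out and `needs:` pointed at the build jobs, `sign_and_upload` enters the `release` environment and runs the signing action on every workflow run, not only when a release was created; the same temporary state appears in the action.yml hunk above and in both build.yml hunks of this patch, and all of it is reverted verbatim in patch 3 of the series. Since the net change of patches 2 and 3 is empty, squash them out before merging so the history never contains a revision in which the signing job runs unconditionally. If the intermediate state was needed for a test run, recording that in the PR description documents it better than a commit.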
diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml index d14e9ef..8d7c948 100644 --- a/.github/actions/sign_and_upload_package/action.yml +++ b/.github/actions/sign_and_upload_package/action.yml @@ -64,8 +64,8 @@ runs: shell: bash run: ls -la artifacts/ - # - name: "Upload release artifacts" - # run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.* - # shell: bash - # env: - # GH_TOKEN: ${{ github.token }} \ No newline at end of file + - name: "Upload release artifacts" + run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.* + shell: bash + env: + GH_TOKEN: ${{ github.token }} \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 72db297..eda08be 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -80,9 +80,8 @@ jobs: uses: googleapis/release-please-action@v4 sign_and_upload: - needs: [host_builds, container_builds] - # needs: [release_please] - # if: ${{ needs.release_please.outputs.release_created }} + needs: [release_please] + if: ${{ needs.release_please.outputs.release_created }} runs-on: ubuntu-latest environment: release steps: @@ -96,6 +95,6 @@ jobs: aws_region_name: 'us-east-1' aws_secret_id: ${{ secrets.AWS_SECRET_ID }} npm_package_name: 'mongodb-client-encryption' - # - run: npm publish --provenance - # env: - # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file + - run: npm publish --provenance + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file