Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(NODE-6160): sign and upload to releases #9

Merged
merged 4 commits into from
Jun 13, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .github/actions/setup/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
name: Setup
description: 'Installs node, driver dependencies, and builds source'

runs:
using: composite
steps:
- uses: actions/setup-node@v4
with:
node-version: 'lts/*'
cache: 'npm'
registry-url: 'https://registry.npmjs.org'
- run: npm install -g npm@latest
shell: bash
- run: npm clean-install --ignore-scripts
shell: bash
71 changes: 71 additions & 0 deletions .github/actions/sign_and_upload_package/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
name: Sign and Upload Package
description: 'Signs native modules with garasign'

inputs:
aws_role_arn:
description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
required: true
aws_region_name:
description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
required: true
aws_secret_id:
description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
required: true
npm_package_name:
description: 'The name for the npm package this repository represents'
required: true

runs:
using: composite
steps:
- uses: actions/download-artifact@v4

- name: Make signatures directory
shell: bash
run: mkdir artifacts

- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: ${{ inputs.aws_region_name }}
aws_role_arn: ${{ inputs.aws_role_arn }}
aws_secret_id: ${{ inputs.aws_secret_id }}

- name: Create detached signature
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
with:
filenames: 'build-*/*.tar.gz'
env:
RELEASE_ASSETS: artifacts/

- name: Copy the tarballs to the artifacts directory
shell: bash
run: for filename in build-*/*.tar.gz; do cp ${filename} artifacts/; done

- run: npm pack
shell: bash

- name: Get release version and release package file name
id: get_vars
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code LGTM, is is possible to point me to an example test release, as an extra check?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I'm going off is seeing release-please creating the PR now: #15 and was verifying the signing actions working but not being able to upload before release-please was put in, example run here: https://github.com/mongodb-js/mongodb-client-encryption/actions/runs/9403489046/job/25900735594

If that's not sufficient let me know and I can create a new fake repo and project and copy everything over.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need for a fork: Can we have a run where we run build.yml to see the structure of the downloaded files, but comment out gh release upload .. and npm publish? To confirm the signatures are there.

echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"

- name: Create detached signature for module
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
with:
filenames: ${{ steps.get_vars.outputs.package_file }}
env:
RELEASE_ASSETS: artifacts/

- name: Display structure of downloaded files
shell: bash
run: ls -la artifacts/

- name: "Upload release artifacts"
run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.*
shell: bash
env:
GH_TOKEN: ${{ github.token }}
43 changes: 29 additions & 14 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,11 @@ on:

name: Build and Test

permissions:
contents: write
pull-requests: write
id-token: write

jobs:
host_builds:
strategy:
Expand Down Expand Up @@ -65,21 +70,31 @@ jobs:
retention-days: 1
compression-level: 0

collect:
release_please:
needs: [host_builds, container_builds]
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.release.outputs.release_created }}
steps:
- uses: actions/download-artifact@v4

- name: Display structure of downloaded files
run: ls -R
- id: release
uses: googleapis/release-please-action@v4

- id: upload
name: Upload all prebuilds
uses: actions/upload-artifact@v4
with:
name: all-build
path: '*.tar.gz'
if-no-files-found: 'error'
retention-days: 1
compression-level: 0
sign_and_upload:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
runs-on: ubuntu-latest
environment: release
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- name: actions/sign_and_upload_package
uses: ./.github/actions/sign_and_upload_package
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb-client-encryption'
- run: npm publish --provenance
nbbeeken marked this conversation as resolved.
Show resolved Hide resolved
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Loading