From b3eba5f164fc3d4429435b95f661b6570222a06e Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Tue, 26 Nov 2024 13:50:06 -0700 Subject: [PATCH 1/8] add ssdlc action --- .github/workflows/build.yml | 6 +- .github/workflows/release.yml | 108 +++++++++++++++++----------------- 2 files changed, 58 insertions(+), 56 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a3d038b..48ca177 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -44,7 +44,8 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - linux_arch: [s390x, arm64, amd64] + linux_arch: [amd64] + # linux_arch: [s390x, arm64, amd64] fail-fast: false steps: - uses: actions/checkout@v4 @@ -84,7 +85,8 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - linux_arch: [amd64, arm64] + linux_arch: [amd64] + # linux_arch: [amd64, arm64] fail-fast: false steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 27e9152..a68e270 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -26,67 +26,67 @@ jobs: name: "Perform any build or bundling steps, as necessary." uses: ./.github/workflows/build.yml - # ssdlc: - # needs: [release_please, build] - # permissions: - # # required for all workflows - # security-events: write - # id-token: write - # contents: write - # environment: release - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v4 + ssdlc: + needs: [release_please, build] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 - # - name: Install Node and dependencies - # uses: mongodb-labs/drivers-github-tools/node/setup@v2 - # with: - # ignore_install_scripts: true + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true - # - name: Load version and package info - # uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 - # with: - # npm_package_name: mongodb-client-encryption + - name: Load version and package info + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + with: + npm_package_name: "@mongodb-js/zstd" - # - name: actions/compress_sign_and_upload - # uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 - # with: - # aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} - # aws_region_name: us-east-1 - # aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - # npm_package_name: mongodb-client-encryption - # dry_run: ${{ needs.release_please.outputs.release_created == '' }} - # sign_native: true + - name: actions/compress_sign_and_upload + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: us-east-1 + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: "@mongodb-js/zstd" + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + sign_native: true - # - name: Copy sbom file 
to release assets - # shell: bash - # if: ${{ 'mongodb-client-encryption-6.1' == '' }} - # run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + - name: Copy sbom file to release assets + shell: bash + if: ${{ 'node-zstd' == '' }} + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json - # # only used for mongodb-client-encryption - # - name: Augment SBOM and copy to release assets - # if: ${{ 'mongodb-client-encryption-6.1' != '' }} - # uses: mongodb-labs/drivers-github-tools/sbom@v2 - # with: - # silk_asset_group: 'mongodb-client-encryption-6.1' - # sbom_file_name: sbom.json + # only used for mongodb-client-encryption + - name: Augment SBOM and copy to release assets + if: ${{ 'node-zstd' != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: "node-zstd" + sbom_file_name: sbom.json - # - name: Generate authorized pub report - # uses: mongodb-labs/drivers-github-tools/full-report@v2 - # with: - # release_version: ${{ env.package_version }} - # product_name: mongodb-client-encryption - # sarif_report_target_ref: main - # third_party_dependency_tool: n/a - # dist_filenames: artifacts/* - # token: ${{ github.token }} - # sbom_file_name: sbom.json + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/full-report@v2 + with: + release_version: ${{ env.package_version }} + product_name: "@mongodb-js/zstd" + sarif_report_target_ref: main + third_party_dependency_tool: n/a + dist_filenames: artifacts/* + token: ${{ github.token }} + sbom_file_name: sbom.json - # - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 - # with: - # version: ${{ env.package_version }} - # product_name: mongodb-client-encryption - # dry_run: ${{ needs.release_please.outputs.release_created == '' }} + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ env.package_version }} + product_name: "@mongodb-js/zstd" + dry_run: ${{ needs.release_please.outputs.release_created == '' }} # publish: # needs: 
[release_please, ssdlc, build] From 50736125c8fb093d99147d759dfd084c0c445f3f Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 27 Nov 2024 10:53:53 -0700 Subject: [PATCH 2/8] clean run --- .github/workflows/build.yml | 6 +++--- .github/workflows/release.yml | 11 +++++++++-- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 48ca177..2774fba 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,7 +34,7 @@ jobs: name: Upload prebuild uses: actions/upload-artifact@v4 with: - name: build-${{ matrix.os }} + name: build-${{ matrix.os }}.tar.gz path: prebuilds/ if-no-files-found: "error" retention-days: 1 @@ -75,7 +75,7 @@ jobs: name: Upload prebuild uses: actions/upload-artifact@v4 with: - name: build-linux-glibc-${{ matrix.linux_arch }} + name: build-linux-glibc-${{ matrix.linux_arch }}.tar.gz path: prebuilds/ if-no-files-found: "error" retention-days: 1 @@ -116,7 +116,7 @@ jobs: name: Upload prebuild uses: actions/upload-artifact@v4 with: - name: build-linux-musl-${{ matrix.linux_arch }} + name: build-linux-musl-${{ matrix.linux_arch }}.tar.gz path: prebuilds/ if-no-files-found: "error" retention-days: 1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a68e270..6302059 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
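Review bot: The two SBOM steps in the new `ssdlc` job compare string literals, so `if: ${{ 'node-zstd' == '' }}` on "Copy sbom file to release assets" is always false and that step is dead, while `if: ${{ 'node-zstd' != '' }}` on "Augment SBOM and copy to release assets" is always true; this reads like a template placeholder that was filled in rather than wired to a real condition. Delete the dead copy step and drop the constant `if:` from the augment step, or reference an actual input or job output if the branch is meant to be configurable. Separately, this job runs in the `release` environment with `id-token: write`, `contents: write` and the AWS role inputs, yet every external step is fetched by a mutable tag (`@v2`, `@v4`); pinning each `uses:` to a full commit SHA with the tag kept as a comment, e.g. `uses: mongodb-labs/drivers-github-tools/node/sign_node_package@<commit-sha>  # v2`, keeps a moved tag from silently changing what signs and uploads the release artifacts.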
@@ -44,12 +44,19 @@ jobs: ignore_install_scripts: true - name: Load version and package info - uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + uses: baileympearson/drivers-github-tools/node/get_version_info@no-story-files with: npm_package_name: "@mongodb-js/zstd" + # - name: Set up drivers-github-tools + # uses: mongodb-labs/drivers-github-tools/setup@v2 + # with: + # aws_region_name: ${{ inputs.aws_region_name }} + # aws_role_arn: ${{ inputs.aws_role_arn }} + # aws_secret_id: ${{ inputs.aws_secret_id }} + - name: actions/compress_sign_and_upload - uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 + uses: baileympearson/drivers-github-tools/node/sign_node_package@no-story-files with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 From 03a9b5eba010d9203c2fc5d7db55bf1c38313c13 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 27 Nov 2024 10:55:28 -0700 Subject: [PATCH 3/8] clean run --- .github/workflows/release.yml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6302059..a68e270 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
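Review bot: `uses: baileympearson/drivers-github-tools/node/get_version_info@no-story-files` and the matching `sign_node_package@no-story-files` line point the version and signing steps at a personal fork on a mutable branch name, inside a job that holds `id-token: write` and the AWS role and secret inputs. Patch 3/8 reverts both lines to `mongodb-labs/drivers-github-tools/...@v2`, so the net change is nil, but the pair should be squashed out of the series rather than merged as history that once ran the release pipeline against a fork. The commented-out `Set up drivers-github-tools` block added here also reads `inputs.aws_role_arn` while the live steps read `secrets.AWS_ROLE_ARN`, so if it is ever reintroduced it needs to be reconciled with the rest of the job first.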
@@ -44,19 +44,12 @@ jobs: ignore_install_scripts: true - name: Load version and package info - uses: baileympearson/drivers-github-tools/node/get_version_info@no-story-files + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 with: npm_package_name: "@mongodb-js/zstd" - # - name: Set up drivers-github-tools - # uses: mongodb-labs/drivers-github-tools/setup@v2 - # with: - # aws_region_name: ${{ inputs.aws_region_name }} - # aws_role_arn: ${{ inputs.aws_role_arn }} - # aws_secret_id: ${{ inputs.aws_secret_id }} - - name: actions/compress_sign_and_upload - uses: baileympearson/drivers-github-tools/node/sign_node_package@no-story-files + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 From ba435668a2da0a00f0b03f3ee2457e0847dbc4b2 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 27 Nov 2024 11:02:21 -0700 Subject: [PATCH 4/8] remove postfix --- .github/workflows/build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2774fba..48ca177 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -34,7 +34,7 @@ jobs: name: Upload prebuild uses: actions/upload-artifact@v4 with: - name: build-${{ matrix.os }}.tar.gz + name: build-${{ matrix.os }} path: prebuilds/ if-no-files-found: "error" retention-days: 1 @@ -75,7 +75,7 @@ jobs: name: Upload prebuild uses: actions/upload-artifact@v4 with: - name: build-linux-glibc-${{ matrix.linux_arch }}.tar.gz + name: build-linux-glibc-${{ matrix.linux_arch }} path: prebuilds/ if-no-files-found: "error" retention-days: 1 @@ -116,7 +116,7 @@ jobs: name: Upload prebuild uses: actions/upload-artifact@v4 with: - name: build-linux-musl-${{ matrix.linux_arch }}.tar.gz + name: build-linux-musl-${{ matrix.linux_arch }} path: prebuilds/ if-no-files-found: "error" retention-days: 1 
From e4cdb2c4e16ef97503ed5a4bf17388851559ede6 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 27 Nov 2024 11:11:37 -0700 Subject: [PATCH 5/8] full matrix --- .github/workflows/build.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 48ca177..a3d038b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -44,8 +44,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - linux_arch: [amd64] - # linux_arch: [s390x, arm64, amd64] + linux_arch: [s390x, arm64, amd64] fail-fast: false steps: - uses: actions/checkout@v4 @@ -85,8 +84,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - linux_arch: [amd64] - # linux_arch: [amd64, arm64] + linux_arch: [amd64, arm64] fail-fast: false steps: - uses: actions/checkout@v4 From 9183ab0b51fd8911132a1c9ee32a15ada920d2cc Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 27 Nov 2024 11:34:35 -0700 Subject: [PATCH 6/8] add back publish step --- .github/workflows/release.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a68e270..b32b070 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -88,19 +88,19 @@ jobs: product_name: "@mongodb-js/zstd" dry_run: ${{ needs.release_please.outputs.release_created == '' }} - # publish: - # needs: [release_please, ssdlc, build] - # environment: release - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v4 + publish: + needs: [release_please, ssdlc, build] + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 - # - name: Install Node and dependencies - # uses: mongodb-labs/drivers-github-tools/node/setup@v2 - # with: - # ignore_install_scripts: true + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true - # - run: npm publish --provenance - # if: ${{ needs.release_please.outputs.release_created }} - # env: - # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + - run: npm publish --provenance + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From 61ee3adfa6eb7b07de4936a52d7c3f63b963e359 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 27 Nov 2024 11:38:31 -0700 Subject: [PATCH 7/8] update readme --- README.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/README.md b/README.md index e8823a9..b1cc57c 100644 --- a/README.md +++ b/README.md 
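Review bot: `npm publish --provenance` in the new `publish` job needs an OIDC token (`id-token: write`), but unlike the `ssdlc` job this job declares no `permissions:` block, so it depends on whatever the workflow-level or repository default grants (outside this hunk); if that default is read-only the failure would surface only on an actual release, since the step is skipped whenever `release_created` is empty. Add an explicit grant on the job, `permissions:` with `id-token: write` and `contents: read` (checkout still needs `contents: read` once a `permissions:` block is present, because unspecified scopes drop to none). Also, `if: ${{ needs.release_please.outputs.release_created }}` guards only the publish step, so on every non-release run the job still enters the `release` environment and installs dependencies; moving that condition to the job level under `publish:` avoids it.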
@@ -10,6 +10,35 @@ Zstandard compression library for Node.js npm install @mongodb-js/zstd ``` +### Release Integrity + +Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg: + +``` +gpg --import node-driver.asc +``` + +The GitHub release contains a detached signature file for the NPM package (named +`mongodb-js-zstd-X.Y.Z.tgz.sig`). + +The following command returns the link npm package. +```shell +npm view @mongodb-js/zstd@vX.Y.Z dist.tarball +``` + +Using the result of the above command, a `curl` command can return the official npm package for the release. + +To verify the integrity of the downloaded package, run the following command: +```shell +gpg --verify mongodb-js-zstd-X.Y.Z.tgz.sig mongodb-js-zstd-X.Y.Z.tgz +``` + +>[!Note] +No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical. + +To verify the native `.node` packages, follow the same steps as above using `mongodb-js-zstd-X.Y.Z-platform.tgz` and the corresponding `.sig` file. + + ## OS Support matrix | | node12 | node14 | node16 | node18 | node20 | @@ -72,6 +101,11 @@ import { compress, decompress } from '@mongodb-js/zstd'; ## Running Tests +First, install and build the zstd library: + +`npm run install-zstd` + +Then: `npm test` ## Releasing From e4d75d1873244f6e210ea45caacd6e2d569e36d8 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 27 Nov 2024 12:29:40 -0700 Subject: [PATCH 8/8] comment --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b32b070..710ea13 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -63,7 +63,6 @@ jobs: if: ${{ 'node-zstd' == '' }} run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json - # only used for mongodb-client-encryption - name: Augment SBOM and copy to release assets if: ${{ 'node-zstd' != '' }} uses: mongodb-labs/drivers-github-tools/sbom@v2