From 06ed9076e11b00fccc56e24f1ef770cec6010eab Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:18:58 -0600 Subject: [PATCH 1/9] add actions to BSON --- .../compress_sign_and_upload/action.yml | 44 +++---- .github/workflows/release-5.x.yml | 107 +++++++---------- .github/workflows/release.yml | 108 +++++++----------- 3 files changed, 102 insertions(+), 157 deletions(-) diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml index 04e602d3..8bce52aa 100644 --- a/.github/actions/compress_sign_and_upload/action.yml +++ b/.github/actions/compress_sign_and_upload/action.yml @@ -1,22 +1,23 @@ name: Compress and Sign description: 'Compresses package and signs with garasign' -inputs: - aws_role_arn: - description: 'AWS role input for drivers-github-tools/gpg-sign@v2' - required: true - aws_region_name: - description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' - required: true - aws_secret_id: - description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' - required: true - npm_package_name: - description: 'The name for the npm package this repository represents' - required: true - sign_SBOMs: - description: 'If provided, this script will create SBOM signatures' - required: false +inputs: + aws_role_arn: + description: 'AWS role input for drivers-github-tools/gpg-sign@v2' + required: true + aws_region_name: + description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' + required: true + aws_secret_id: + description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' + required: true + npm_package_name: + description: 'The name for the npm package this repository represents' + required: true + dry_run: + description: 'Should we upload files to the release?' + required: false + default: 'true' runs: using: composite @@ -34,24 +35,25 @@ runs: - name: Set up drivers-github-tools uses: mongodb-labs/drivers-github-tools/setup@v2 - with: + with: aws_region_name: ${{ inputs.aws_region_name }} aws_role_arn: ${{ inputs.aws_role_arn }} aws_secret_id: ${{ inputs.aws_secret_id }} - name: Create detached signature uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: + with: filenames: ${{ steps.get_vars.outputs.package_file }} - env: + env: RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig - - name: Name release asset correctly + - name: Name release asset correctly run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig shell: bash - name: "Upload release artifacts" + if: ${{ inputs.dry_run == false }} run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig shell: bash env: - GH_TOKEN: ${{ github.token }} \ No newline at end of file + GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index 85d085b3..ed2b5969 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -20,16 +20,28 @@ jobs: uses: googleapis/release-please-action@v4 with: target-branch: 5.x - - compress_sign_and_upload: + + ssdlc: needs: [release_please] - if: ${{ needs.release_please.outputs.release_created }} + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write environment: release runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: actions/setup uses: ./.github/actions/setup + - name: Get release version and release package file name + id: get_version + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT" + - name: actions/compress_sign_and_upload uses: ./.github/actions/compress_sign_and_upload with: @@ -37,80 +49,39 @@ jobs: aws_region_name: 'us-east-1' aws_secret_id: ${{ secrets.AWS_SECRET_ID }} npm_package_name: 'bson' - - run: npm publish --provenance --tag=5x - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + dry_run: ${{ needs.release_please.outputs.release_created == '' }} - generate_sarif_report: - environment: release - runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - - steps: - - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: "Generate Sarif Report" - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 - with: - ref: 5.x - output-file: sarif-report.json - - - name: Get release version and release package file name - id: get_version + - name: Copy sbom file to release assets shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/full-report@v2 + with: + release_version: ${{ steps.get_version.outputs.package_version }} + product_name: bson + sarif_report_target_ref: 5.x + third_party_dependency_tool: n/a + # and .sig + dist_filenames: ${{ steps.get_version.outputs.package_file }}* + token: ${{ github.token }} + sbom_file_name: sbom.json + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: version: ${{ steps.get_version.outputs.package_version }} - product_name: js-bson - file: sarif-report.json + product_name: bson dry_run: ${{ needs.release_please.outputs.release_created == '' }} - upload_sbom_lite: + publish: + needs: [release_please, ssdlc] environment: release runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - steps: - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + - name: actions/setup + uses: ./.github/actions/setup - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 - with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: js-bson - file: sbom.json - dry_run: ${{ needs.release_please.outputs.release_created == '' }} \ No newline at end of file + - run: npm publish --provenance --tag=5.x + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a5a83f75..715dd729 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,16 +18,28 @@ jobs: steps: - id: release uses: googleapis/release-please-action@v4 - - compress_sign_and_upload: + + ssdlc: needs: [release_please] - if: ${{ needs.release_please.outputs.release_created }} + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write environment: release runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: actions/setup uses: ./.github/actions/setup + - name: Get release version and release package file name + id: get_version + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT" + - name: actions/compress_sign_and_upload uses: ./.github/actions/compress_sign_and_upload with: @@ -35,80 +47,40 @@ jobs: aws_region_name: 'us-east-1' aws_secret_id: ${{ secrets.AWS_SECRET_ID }} npm_package_name: 'bson' - - run: npm publish --provenance - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - - generate_sarif_report: - environment: release - runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write + dry_run: ${{ needs.release_please.outputs.release_created == '' }} - steps: - - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} + - name: Copy sbom file to release assets + shell: bash + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json - - name: "Generate Sarif Report" - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/full-report@v2 with: - ref: main - output-file: sarif-report.json + release_version: ${{ steps.get_version.outputs.package_version }} + product_name: bson + sarif_report_target_ref: main + third_party_dependency_tool: n/a + # and .sig + dist_filenames: ${{ steps.get_version.outputs.package_file }}* + token: ${{ github.token }} + sbom_file_name: sbom.json - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: version: ${{ steps.get_version.outputs.package_version }} - product_name: js-bson - file: sarif-report.json - dry_run: ${{ needs.release_please.outputs.release_created == '' }} + product_name: bson + dry_run: ${{ needs.release_please.outputs.release_created == '' }} - upload_sbom_lite: + publish: + needs: [release_please, ssdlc] environment: release runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - steps: - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + - name: actions/setup + uses: ./.github/actions/setup - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 - with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: js-bson - file: sbom.json - dry_run: ${{ needs.release_please.outputs.release_created == '' }} \ No newline at end of file + - run: npm publish --provenance --tag=latest + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From e76d14300a429c3f55a9b066e71366f68c5b27ed Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:36:48 -0600 Subject: [PATCH 2/9] use shared actions --- .../compress_sign_and_upload/action.yml | 59 ------------------- .github/workflows/release-5.x.yml | 23 ++++---- .github/workflows/release.yml | 23 ++++---- 3 files changed, 20 insertions(+), 85 deletions(-) delete mode 100644 .github/actions/compress_sign_and_upload/action.yml diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml deleted file mode 100644 index 8bce52aa..00000000 --- a/.github/actions/compress_sign_and_upload/action.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: Compress and Sign -description: 'Compresses package and signs with garasign' - -inputs: - aws_role_arn: - description: 'AWS role input for drivers-github-tools/gpg-sign@v2' - required: true - aws_region_name: - description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' - required: true - aws_secret_id: - description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' - required: true - npm_package_name: - description: 'The name for the npm package this repository represents' - required: true - dry_run: - description: 'Should we upload files to the release?' - required: false - default: 'true' - -runs: - using: composite - steps: - - run: npm pack - shell: bash - - - name: Get release version and release package file name - id: get_vars - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT" - - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: ${{ inputs.aws_region_name }} - aws_role_arn: ${{ inputs.aws_role_arn }} - aws_secret_id: ${{ inputs.aws_secret_id }} - - - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: - filenames: ${{ steps.get_vars.outputs.package_file }} - env: - RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig - - - name: Name release asset correctly - run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig - shell: bash - - - name: "Upload release artifacts" - if: ${{ inputs.dry_run == false }} - run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig - shell: bash - env: - GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index ed2b5969..ebff278d 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -32,23 +32,20 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - name: actions/setup uses: ./.github/actions/setup - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT" + + - name: Load version and package info + uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node - name: actions/compress_sign_and_upload - uses: ./.github/actions/compress_sign_and_upload + uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} - aws_region_name: 'us-east-1' + aws_region_name: us-east-1 aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - npm_package_name: 'bson' + npm_package_name: bson dry_run: ${{ needs.release_please.outputs.release_created == '' }} - name: Copy sbom file to release assets @@ -58,17 +55,17 @@ jobs: - name: Generate authorized pub report uses: mongodb-labs/drivers-github-tools/full-report@v2 with: - release_version: ${{ steps.get_version.outputs.package_version }} + release_version: ${{ env.package_version.package_version }} product_name: bson sarif_report_target_ref: 5.x third_party_dependency_tool: n/a # and .sig - dist_filenames: ${{ steps.get_version.outputs.package_file }}* + dist_filenames: ${{ env.package_version.package_file }}* token: ${{ github.token }} sbom_file_name: sbom.json - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: - version: ${{ steps.get_version.outputs.package_version }} + version: ${{ env.package_version.package_version }} product_name: bson dry_run: ${{ needs.release_please.outputs.release_created == '' }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 715dd729..8ba238d6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,23 +30,20 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - name: actions/setup uses: ./.github/actions/setup - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT" + + - name: Load version and package info + uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node - name: actions/compress_sign_and_upload - uses: ./.github/actions/compress_sign_and_upload + uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} - aws_region_name: 'us-east-1' + aws_region_name: us-east-1 aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - npm_package_name: 'bson' + npm_package_name: bson dry_run: ${{ needs.release_please.outputs.release_created == '' }} - name: Copy sbom file to release assets @@ -56,18 +53,18 @@ jobs: - name: Generate authorized pub report uses: mongodb-labs/drivers-github-tools/full-report@v2 with: - release_version: ${{ steps.get_version.outputs.package_version }} + release_version: ${{ env.package_version }} product_name: bson sarif_report_target_ref: main third_party_dependency_tool: n/a # and .sig - dist_filenames: ${{ steps.get_version.outputs.package_file }}* + dist_filenames: ${{ env.package_version.package_file }}* token: ${{ github.token }} sbom_file_name: sbom.json - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: - version: ${{ steps.get_version.outputs.package_version }} + version: ${{ env.package_version.package_version }} product_name: bson dry_run: ${{ needs.release_please.outputs.release_created == '' }} From 68f67baa90ca999b96a20119bac3c97a069f21f7 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:51:30 -0600 Subject: [PATCH 3/9] upload file --- .github/workflows/release-5.x.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index ebff278d..2d4e0830 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -60,7 +60,7 @@ jobs: sarif_report_target_ref: 5.x third_party_dependency_tool: n/a # and .sig - dist_filenames: ${{ env.package_version.package_file }}* + dist_filenames: ${{ env.package_file }}* token: ${{ github.token }} sbom_file_name: sbom.json - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8ba238d6..7cddf7c4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -58,7 +58,7 @@ jobs: sarif_report_target_ref: main third_party_dependency_tool: n/a # and .sig - dist_filenames: ${{ env.package_version.package_file }}* + dist_filenames: ${{ env.package_file }}* token: ${{ github.token }} sbom_file_name: sbom.json From 7f5696c1e29fb352ba6a0c0a2e63af108d7c7f78 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:54:30 -0600 Subject: [PATCH 4/9] correctly specify version --- .github/workflows/release-5.x.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index 2d4e0830..bf8d485b 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -65,7 +65,7 @@ jobs: sbom_file_name: sbom.json - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: - version: ${{ env.package_version.package_version }} + version: ${{ env.package_version }} product_name: bson dry_run: ${{ needs.release_please.outputs.release_created == '' }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7cddf7c4..8a95e828 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -64,7 +64,7 @@ jobs: - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: - version: ${{ env.package_version.package_version }} + version: ${{ env.package_version }} product_name: bson dry_run: ${{ needs.release_please.outputs.release_created == '' }} From f2f00cc806182dc28e42a19c07ac253d97336082 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Tue, 25 Jun 2024 11:07:16 -0600 Subject: [PATCH 5/9] use shared tooling and generated release ymls --- .github/actions/setup/action.yml | 15 --------------- .github/workflows/release-5.x.yml | 20 ++++++++++++-------- .github/workflows/release-alpha.yml | 6 ++++-- .github/workflows/release.yml | 17 +++++++++++------ .github/workflows/release_notes.yml | 5 +++-- 5 files changed, 30 insertions(+), 33 deletions(-) delete mode 100644 .github/actions/setup/action.yml diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml deleted file mode 100644 index ced847c1..00000000 --- a/.github/actions/setup/action.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Setup -description: 'Installs node, driver dependencies, and builds source' - -runs: - using: composite - steps: - - uses: actions/setup-node@v4 - with: - node-version: 'lts/*' - cache: 'npm' - registry-url: 'https://registry.npmjs.org' - - run: npm install -g npm@latest - shell: bash - - run: npm clean-install - shell: bash diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index bf8d485b..a28ed165 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -8,7 +8,7 @@ permissions: pull-requests: write id-token: write -name: release-5x +name: release-5.x jobs: release_please: @@ -33,15 +33,15 @@ jobs: steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node - name: Load version and package info uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node - name: actions/compress_sign_and_upload uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node - with: + with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 aws_secret_id: ${{ secrets.AWS_SECRET_ID }} @@ -55,7 +55,7 @@ jobs: - name: Generate authorized pub report uses: mongodb-labs/drivers-github-tools/full-report@v2 with: - release_version: ${{ env.package_version.package_version }} + release_version: ${{ env.package_version }} product_name: bson sarif_report_target_ref: 5.x third_party_dependency_tool: n/a @@ -63,11 +63,14 @@ jobs: dist_filenames: ${{ env.package_file }}* token: ${{ github.token }} sbom_file_name: sbom.json + evergreen_project: js-bson + evergreen_commit: ${{ env.commit }} + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: version: ${{ env.package_version }} product_name: bson - dry_run: ${{ needs.release_please.outputs.release_created == '' }} + dry_run: ${{ needs.release_please.outputs.release_created == '' }} publish: needs: [release_please, ssdlc] @@ -75,8 +78,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node - run: npm publish --provenance --tag=5.x if: ${{ needs.release_please.outputs.release_created }} diff --git a/.github/workflows/release-alpha.yml b/.github/workflows/release-alpha.yml index e3b024cc..ecc8e1bf 100644 --- a/.github/workflows/release-alpha.yml +++ b/.github/workflows/release-alpha.yml @@ -26,8 +26,10 @@ jobs: exit 1 fi - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + - run: npm version "${{ inputs.alphaVersion }}" --git-tag-version=false - run: npm publish --provenance --tag=alpha env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8a95e828..6b228bfd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ permissions: pull-requests: write id-token: write -name: release +name: release-latest jobs: release_please: @@ -18,6 +18,8 @@ jobs: steps: - id: release uses: googleapis/release-please-action@v4 + with: + target-branch: main ssdlc: needs: [release_please] @@ -31,15 +33,15 @@ jobs: steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node - name: Load version and package info uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node - name: actions/compress_sign_and_upload uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node - with: + with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 aws_secret_id: ${{ secrets.AWS_SECRET_ID }} @@ -61,6 +63,8 @@ jobs: dist_filenames: ${{ env.package_file }}* token: ${{ github.token }} sbom_file_name: sbom.json + evergreen_project: js-bson + evergreen_commit: ${{ env.commit }} - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: @@ -74,8 +78,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node - run: npm publish --provenance --tag=latest if: ${{ needs.release_please.outputs.release_created }} diff --git a/.github/workflows/release_notes.yml b/.github/workflows/release_notes.yml index 54b038f5..10961782 100644 --- a/.github/workflows/release_notes.yml +++ b/.github/workflows/release_notes.yml @@ -45,8 +45,9 @@ jobs: # Setup Node.js and npm install - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + # See: https://github.com/googleapis/release-please/issues/1274 From d79941e6dcbd1da6695f636b3636eab2c130af8f Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 26 Jun 2024 14:39:33 -0600 Subject: [PATCH 6/9] add latest tooling --- .github/workflows/build.yml | 16 ++++++++++++++++ .github/workflows/release-5.x.yml | 29 +++++++++++++++++++++++------ .github/workflows/release.yml | 29 +++++++++++++++++++++++------ 3 files changed, 62 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..3c601ae7 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,16 @@ +on: + workflow_call: {} + +name: Build + +permissions: + contents: write + pull-requests: write + id-token: write + +jobs: + build: + runs-on: ubuntu-latest + steps: + - run: echo "nothing to do." + shell: bash diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index a28ed165..2cdf1d6f 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -21,8 +21,13 @@ jobs: with: target-branch: 5.x - ssdlc: + build: needs: [release_please] + name: "Perform any build or bundling steps, as necessary." + uses: ./.github/workflows/build.yml + + ssdlc: + needs: [release_please, build] permissions: # required for all workflows security-events: write @@ -35,12 +40,16 @@ jobs: - name: Install Node and dependencies uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + with: + ignore_install_scripts: false - name: Load version and package info uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node + with: + npm_package_name: bson - name: actions/compress_sign_and_upload - uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node + uses: baileympearson/drivers-github-tools/node/sign_node_package@add-signing-env-action-for-node with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 @@ -50,8 +59,17 @@ jobs: - name: Copy sbom file to release assets shell: bash + if: ${{ '' == '' }} run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + # only used for mongodb-client-encryption + - name: Augment SBOM and copy to release assets + if: ${{ '' != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: '' + sbom_file_name: sbom.json + - name: Generate authorized pub report uses: mongodb-labs/drivers-github-tools/full-report@v2 with: @@ -59,9 +77,8 @@ jobs: product_name: bson sarif_report_target_ref: 5.x third_party_dependency_tool: n/a - # and .sig - dist_filenames: ${{ env.package_file }}* - token: ${{ github.token }} + dist_filenames: artifacts/* + token: ${{ github.token }} sbom_file_name: sbom.json evergreen_project: js-bson evergreen_commit: ${{ env.commit }} @@ -73,7 +90,7 @@ jobs: dry_run: ${{ needs.release_please.outputs.release_created == '' }} publish: - needs: [release_please, ssdlc] + needs: [release_please, ssdlc, build] environment: release runs-on: ubuntu-latest steps: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6b228bfd..117c54bd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,8 +21,13 @@ jobs: with: target-branch: main - ssdlc: + build: needs: [release_please] + name: "Perform any build or bundling steps, as necessary." + uses: ./.github/workflows/build.yml + + ssdlc: + needs: [release_please, build] permissions: # required for all workflows security-events: write @@ -35,12 +40,16 @@ jobs: - name: Install Node and dependencies uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + with: + ignore_install_scripts: false - name: Load version and package info uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node + with: + npm_package_name: bson - name: actions/compress_sign_and_upload - uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node + uses: baileympearson/drivers-github-tools/node/sign_node_package@add-signing-env-action-for-node with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 @@ -50,8 +59,17 @@ jobs: - name: Copy sbom file to release assets shell: bash + if: ${{ '' == '' }} run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + # only used for mongodb-client-encryption + - name: Augment SBOM and copy to release assets + if: ${{ '' != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: '' + sbom_file_name: sbom.json + - name: Generate authorized pub report uses: mongodb-labs/drivers-github-tools/full-report@v2 with: @@ -59,9 +77,8 @@ jobs: product_name: bson sarif_report_target_ref: main third_party_dependency_tool: n/a - # and .sig - dist_filenames: ${{ env.package_file }}* - token: ${{ github.token }} + dist_filenames: artifacts/* + token: ${{ github.token }} sbom_file_name: sbom.json evergreen_project: js-bson evergreen_commit: ${{ env.commit }} @@ -73,7 +90,7 @@ jobs: dry_run: ${{ needs.release_please.outputs.release_created == '' }} publish: - needs: [release_please, ssdlc] + needs: [release_please, ssdlc, build] environment: release runs-on: ubuntu-latest steps: From 97ac17d8a0fe19ed0a591a82bd42b1d6795441e4 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Thu, 27 Jun 2024 10:23:47 -0600 Subject: [PATCH 7/9] update to use latest templates --- .github/workflows/release-5.x.yml | 8 ++++---- .github/workflows/release-alpha.yml | 2 +- .github/workflows/release.yml | 8 ++++---- .github/workflows/release_notes.yml | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index 2cdf1d6f..c0fa2e83 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -39,17 +39,17 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/setup@v2 with: ignore_install_scripts: false - name: Load version and package info - uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 with: npm_package_name: bson - name: actions/compress_sign_and_upload - uses: baileympearson/drivers-github-tools/node/sign_node_package@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 @@ -97,7 +97,7 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/setup@v2 - run: npm publish --provenance --tag=5.x if: ${{ needs.release_please.outputs.release_created }} diff --git a/.github/workflows/release-alpha.yml b/.github/workflows/release-alpha.yml index ecc8e1bf..66b77d9d 100644 --- a/.github/workflows/release-alpha.yml +++ b/.github/workflows/release-alpha.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/setup@v2 - run: npm version "${{ inputs.alphaVersion }}" --git-tag-version=false - run: npm publish --provenance --tag=alpha diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 117c54bd..2f6e5f64 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,17 +39,17 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/setup@v2 with: ignore_install_scripts: false - name: Load version and package info - uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 with: npm_package_name: bson - name: actions/compress_sign_and_upload - uses: baileympearson/drivers-github-tools/node/sign_node_package@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 @@ -97,7 +97,7 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/setup@v2 - run: npm publish --provenance --tag=latest if: ${{ needs.release_please.outputs.release_created }} diff --git a/.github/workflows/release_notes.yml b/.github/workflows/release_notes.yml index 10961782..4a1ebfa6 100644 --- a/.github/workflows/release_notes.yml +++ b/.github/workflows/release_notes.yml @@ -46,7 +46,7 @@ jobs: # Setup Node.js and npm install - name: Install Node and dependencies - uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + uses: mongodb-labs/drivers-github-tools/node/setup@v2 # See: https://github.com/googleapis/release-please/issues/1274 From 1d5ab94e1a6bc2b9561001549f3d1a5a74f3d17f Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Thu, 27 Jun 2024 10:27:30 -0600 Subject: [PATCH 8/9] fix tag --- .github/workflows/release-5.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index c0fa2e83..363ff45f 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -99,7 +99,7 @@ jobs: - name: Install Node and dependencies uses: mongodb-labs/drivers-github-tools/node/setup@v2 - - run: npm publish --provenance --tag=5.x + - run: npm publish --provenance --tag=5x if: ${{ needs.release_please.outputs.release_created }} env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From 7ad250a9d7d7c37dfda459d7c3def3161f359081 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Thu, 27 Jun 2024 10:30:03 -0600 Subject: [PATCH 9/9] fix name --- .github/workflows/release-5.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index 363ff45f..05df1d75 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -8,7 +8,7 @@ permissions: pull-requests: write id-token: write -name: release-5.x +name: release-5x jobs: release_please: