Merge remote-tracking branch 'origin/beta-releases' into ga-releases

Author: github-actions[bot]

.evergreen/docker-config/bin/docker-credential-from-env

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -euo pipefail
+
+DOCKER_HUB_URL="https://index.docker.io/v1/"
+
+STDIN=$(cat)
+
+ACTION="$1"
+
+case "$ACTION" in
+  get)
+    SERVER_URL="$STDIN"
+
+    if [[ "$SERVER_URL" == "$DOCKER_HUB_URL" ]]; then
+      if [[ -z "${DOCKERHUB_USERNAME:-}" || -z "${DOCKERHUB_PASSWORD:-}" ]]; then
+        echo "Error: DOCKERHUB_USERNAME or DOCKERHUB_PASSWORD environment variables are not set." >&2
+        exit 1
+      fi
+
+      echo "{\"Username\": \"$DOCKERHUB_USERNAME\", \"Secret\": \"$DOCKERHUB_PASSWORD\"}"
+    else
+      echo "Error: No credentials available for $SERVER_URL" >&2
+      exit 1
+    fi
+    ;;
+
+  *)
+    echo "Unsupported action: $ACTION" >&2
+    exit 1
+    ;;
+esac

.evergreen/docker-config/config.json

@@ -0,0 +1,6 @@
+{
+	"auths": {
+		"https://index.docker.io/v1/": {}
+	},
+	"credsStore": "from-env"
+} 

.evergreen/functions.yml

@@ -78,6 +78,8 @@ variables:
     GARASIGN_PASSWORD: ${garasign_password}
     ARTIFACTORY_USERNAME: ${artifactory_username}
     ARTIFACTORY_PASSWORD: ${artifactory_password}
+    DOCKERHUB_USERNAME: ${dockerhub_username}
+    DOCKERHUB_PASSWORD: ${dockerhub_password}
 
 # This is here with the variables because anchors aren't supported across includes
 post:
@@ -982,16 +984,7 @@ functions:
 
           echo
 
-          # Runs for all the commits on main, including nightly builds:
-          if [[ "$EVERGREEN_IS_PATCH" != "true" ]] && [[ "${project}" == "10gen-compass-main" ]]; then
-            export JIRA_BASE_URL="https://jira.mongodb.org"
-            export JIRA_PROJECT="COMPASS"
-            export JIRA_VULNERABILITY_BUILD_INFO="- [Evergreen task|$EVERGREEN_TASK_URL]"
-
-            npm run create-vulnerability-tickets
-          else
-            cat .sbom/vulnerability-report.md
-          fi
+          cat .sbom/vulnerability-report.md
 
           echo
 

.evergreen/preinstall.sh

@@ -18,6 +18,8 @@ echo "IS_WINDOWS: $IS_WINDOWS"
 echo "IS_RHEL: $IS_RHEL"
 echo "IS_UBUNTU: $IS_UBUNTU"
 
+echo "DOCKER_CONFIG: $DOCKER_CONFIG"
+
 SCRIPTDIR="$(cd $(dirname "$0"); pwd)"
 
 if [ -n "$IS_WINDOWS" ]; then

.evergreen/print-compass-env.js

@@ -74,6 +74,8 @@ function printCompassEnv() {
     pathsToPrepend.unshift('/opt/mongodbtoolchain/v4/bin');
   }
 
+  pathsToPrepend.unshift(`${originalPWD}/.evergreen/docker-config/bin`);
+
   PATH = maybePrependPaths(PATH, pathsToPrepend);
   printVar('PATH', PATH);
 
@@ -113,6 +115,8 @@ function printCompassEnv() {
 
   // https://jira.mongodb.org/browse/NODE-6320
   printVar('GYP_DEFINES', `kerberos_use_rtld=${process.platform === 'linux'}`);
+
+  printVar('DOCKER_CONFIG', `${originalPWD}/.evergreen/docker-config`);
 }
 
 printCompassEnv();

.evergreen/start-atlas-cloud-cluster.sh

@@ -2,6 +2,7 @@
 
 RUN_ID="$(date +"%s")-$(git rev-parse --short HEAD)"
 DELETE_AFTER="$(date -u -Iseconds -d '+2 hours' 2>/dev/null || date -u -Iseconds -v '+2H')"
+DOCKER_REGISTRY="${DOCKER_REGISTRY:-docker.io}"
 
 # This script helps to automatically provision Atlas cluster for running the e2e
 # tests against. In CI this will always create a new cluster and delete it when
@@ -39,8 +40,8 @@ DELETE_AFTER="$(date -u -Iseconds -d '+2 hours' 2>/dev/null || date -u -Iseconds
 #     MCLI_ORG_ID           Org ID
 #     MCLI_PROJECT_ID       Project ID
 #
-#     COMPASS_E2E_ATLAS_CLOUD_SANDBOX_USERNAME         Cloud user you created
-#     COMPASS_E2E_ATLAS_CLOUD_SANDBOX_PASSWORD         Cloud user password
+#     COMPASS_E2E_ATLAS_CLOUD_SANDBOX_USERNAME  Cloud user you created
+#     COMPASS_E2E_ATLAS_CLOUD_SANDBOX_PASSWORD  Cloud user password
 #
 # - Source the script followed by running the tests to make sure that some
 #   variables exported from this script are available for the test env:
@@ -68,7 +69,7 @@ function atlascli() {
     -e MCLI_ORG_ID \
     -e MCLI_PROJECT_ID \
     -e MCLI_OPS_MANAGER_URL \
-    mongodb/atlas atlas $@
+    "$DOCKER_REGISTRY/mongodb/atlas" atlas $@
 }
 
 cleanup() {

.github/workflows/authors-and-third-party-notices.yaml

@@ -15,20 +15,27 @@ jobs:
     env:
       HADRON_DISTRIBUTION: compass
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
           # this is important so git log can pick up on
           # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
+          fetch-depth: "0"
+          token: ${{ steps.app-token.outputs.token }}
 
-
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install [email protected]
         run: |
@@ -40,38 +47,26 @@ jobs:
           npm run bootstrap-ci
 
       - name: Update AUTHORS
-        run: npm run update-authors
+        run: |
+          npm run update-authors
+          git add AUTHORS
 
       - name: Update THIRD-PARTY-NOTICES.md
-        run: npm run update-third-party-notices
+        run: |
+          npm run update-third-party-notices
+          git add THIRD-PARTY-NOTICES.md
 
       - name: Update Security Test Summary
         run: |
           npm run update-security-test-summary
+          git add docs/security-test-summary.md
 
       - name: Update tracking-plan.md
-        run: npm run update-tracking-plan
-
-      - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
-        with:
-          commit-message: Update report
-          branch: ci/update-3rd-party-notices-and-authors
-          title: 'chore: update AUTHORS, THIRD-PARTY-NOTICES, Security Test Summary'
-          add-paths: |
-            THIRD-PARTY-NOTICES.md
-            AUTHORS
-            docs/security-test-summary.md
-            docs/tracking-plan.md
-          body: |
-            - Update `AUTHORS`, `THIRD-PARTY-NOTICES`, docs/tracking-plan.md and `docs/security-test-summary.md`
+        run: |
+          npm run update-tracking-plan
+          git add docs/tracking-plan.md
 
-      - name: Merge PR
-        env:
-          PULL_REQUEST_NUMBER: ${{steps.cpr.outputs.pull-request-number}}
-          # NOTE: we don't use a PAT so to not trigger further automation
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Commit and push
         run: |
-          gh pr merge $PULL_REQUEST_NUMBER --squash --delete-branch
-          gh workflow run codeql.yml -r main
+          git commit --no-allow-empty -m "chore: update AUTHORS, THIRD-PARTY-NOTICES, Security Test Summary [skip actions]" || true
+          git push

.github/workflows/bump-packages.yaml

@@ -10,24 +10,22 @@ jobs:
     name: Bump packages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
-          # this is important so git log can pick up on
-          # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
-
-      - name: Setup git
-        run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install [email protected]
         run: |
@@ -40,21 +38,20 @@ jobs:
 
       - name: Bump packages
         env:
-          LAST_BUMP_COMMIT_MESSAGE: 'chore(release): bump package versions'
-          SKIP_BUMP_PACKAGES: 'mongodb-compass'
+          LAST_BUMP_COMMIT_MESSAGE: "chore(release): bump package versions"
+          SKIP_BUMP_PACKAGES: "mongodb-compass"
         run: |
           npm run bump-packages
           git add .
           git commit --no-allow-empty -m "$LAST_BUMP_COMMIT_MESSAGE" || true
 
       - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5
         with:
-          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
-          commit-message: 'chore(release): bump package versions'
+          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }} # TODO: replace with steps.app-token.outputs.token when it gets the PR permissions
+          commit-message: "chore(release): bump package versions"
           branch: ci/bump-packages
-          title: 'chore(release): bump package versions'
+          title: "chore(release): bump package versions"
           labels: no-title-validation
           body: |
             - Bump package versions

.github/workflows/merge-bump-packages-pr.yaml

@@ -3,18 +3,23 @@ on:
   workflow_dispatch:
   schedule:
     # Each Tuesday at 5 AM UTC
-    - cron: '0 5 * * 2'
+    - cron: "0 5 * * 2"
 
 jobs:
   merge_bump_packages_pr:
     name: Merge bump packages PR
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
 
       - name: Merge PR
         env:
-          GITHUB_TOKEN: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           set -e
           PR_NUMBER=$(gh pr list -s open --head=ci/bump-packages --limit=1 --json number | jq '.[0].number')

.github/workflows/update-electron.yaml

@@ -11,44 +11,40 @@ jobs:
     name: Update Electron
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
-          # this is important so git log can pick up on
-          # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
-
-      - name: Setup git
-        run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install [email protected]
         run: |
           npm install -g [email protected]
+
       - name: Install Dependencies
-        run: |
-          npm -v
-          npm ci
+        run: npm ci
+
       - name: Bump packages
-        run: |
-          node scripts/update-electron.js
-          git add .
-          git commit --no-allow-empty -m "chore(deps): update electron" || true
+        run: node scripts/update-electron.js
+
       - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5
         with:
-          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
-          commit-message: 'chore(deps): update electron'
+          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }} # TODO: replace with steps.app-token.outputs.token when it gets the PR permissions
+          commit-message: "chore(deps): update electron"
           branch: ci/update-electron
-          title: 'chore(deps): update electron'
+          title: "chore(deps): update electron"
           labels: no-title-validation
           body: |
             - Update electron