Merged
10 changes: 5 additions & 5 deletions .evergreen/buildvariants-and-tasks.in.yml
Expand Up @@ -32,31 +32,31 @@ const PACKAGE_BUILD_VARIANTS = [
// # when compiling/re-building addons. This ensures compatibility with other
// # debian platforms that have glibc 2.27 or newer.
run_on: 'ubuntu1804-large',
silk_asset_group: 'compass-ubuntu',
target_platform: 'ubuntu',
},
{
name: 'package-windows',
display_name: 'Package Windows',
run_on: 'windows-vsCurrent-large',
silk_asset_group: 'compass-windows',
target_platform: 'windows',
},
{
name: 'package-rhel',
display_name: 'Package RHEL',
run_on: 'rhel80-large',
silk_asset_group: 'compass-rhel',
target_platform: 'rhel',
},
{
name: 'package-macos-x64',
display_name: 'Package MacOS Intel',
run_on: 'macos-14',
silk_asset_group: 'compass-macos',
target_platform: 'macos',
},
{
name: 'package-macos-arm',
display_name: 'Package MacOS Arm64',
run_on: 'macos-14-arm64',
silk_asset_group: 'compass-macos-arm',
target_platform: 'macos-arm',
}
];

10 changes: 5 additions & 5 deletions .evergreen/buildvariants-and-tasks.yml
Expand Up @@ -33,7 +33,7 @@ buildvariants:
run_on: macos-14-arm64-gui
- name: package-ubuntu
expansions:
silk_asset_group: compass-ubuntu
target_platform: ubuntu
display_name: Package Ubuntu
run_on: ubuntu1804-large
tasks:
Expand All @@ -42,7 +42,7 @@ buildvariants:
- name: package-compass-readonly
- name: package-windows
expansions:
silk_asset_group: compass-windows
target_platform: windows
display_name: Package Windows
run_on: windows-vsCurrent-large
tasks:
Expand All @@ -51,7 +51,7 @@ buildvariants:
- name: package-compass-readonly
- name: package-rhel
expansions:
silk_asset_group: compass-rhel
target_platform: rhel
display_name: Package RHEL
run_on: rhel80-large
tasks:
Expand All @@ -60,7 +60,7 @@ buildvariants:
- name: package-compass-readonly
- name: package-macos-x64
expansions:
silk_asset_group: compass-macos
target_platform: macos
display_name: Package MacOS Intel
run_on: macos-14
tasks:
Expand All @@ -69,7 +69,7 @@ buildvariants:
- name: package-compass-readonly
- name: package-macos-arm
expansions:
silk_asset_group: compass-macos-arm
target_platform: macos-arm
display_name: Package MacOS Arm64
run_on: macos-14-arm64
tasks:
27 changes: 13 additions & 14 deletions .evergreen/create-sbom.sh
Expand Up @@ -7,27 +7,26 @@ CRYPT_SHARED_VERSION=$(cat packages/compass/src/deps/csfle/version)

set +x
echo "${ARTIFACTORY_PASSWORD}" > /tmp/artifactory_password
cat << EOF > /tmp/silkbomb.env
SILK_CLIENT_ID=${SILK_CLIENT_ID}
SILK_CLIENT_SECRET=${SILK_CLIENT_SECRET}
EOF
set -x

trap_handler() {
rm -vf /tmp/artifactory_password /tmp/silkbomb.env
rm -vf /tmp/artifactory_password
}
trap trap_handler ERR EXIT

scp -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/silkbomb.env /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
scp -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" .sbom/dependencies.json /tmp/artifactory_password "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/
ssh -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -p "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME" \
"(cat /tmp/dependencies.json | jq -r '.[] | "'"pkg:npm/" + .name + "@" + .version'"' > /tmp/purls.txt) && \
echo "pkg:generic/mongo_crypt_shared@${CRYPT_SHARED_VERSION}" >> /tmp/purls.txt && \
(cat /tmp/artifactory_password | docker login artifactory.corp.mongodb.com --username '${ARTIFACTORY_USERNAME}' --password-stdin ; rm -f /tmp/artifactor_password ) && \
docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 && \
docker run --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 update \
(cat /tmp/artifactory_password | docker login artifactory.corp.mongodb.com --username '${ARTIFACTORY_USERNAME}' --password-stdin ; rm -f /tmp/artifactory_password ) && \
docker pull artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 && \
docker run --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 update \
--purls /tmp/purls.txt --sbom-out /tmp/sbom-lite.json && \
docker run --env-file /tmp/silkbomb.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 upload \
--silk-asset-group "${SILK_ASSET_GROUP}" --sbom-in /tmp/sbom-lite.json && \
docker run --env-file /tmp/silkbomb.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:1.0 download \
--silk-asset-group "${SILK_ASSET_GROUP}" --sbom-out /tmp/sbom.json"
scp -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom-lite.json,sbom.json,purls.txt} .sbom/
kondukto_token=\$(AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
aws secretsmanager get-secret-value --secret-id \"kondukto-token\" --query 'SecretString' --output text) && \
echo \"KONDUKTO_TOKEN=\$kondukto_token\" > /tmp/kondukto_credentials.env && \
docker run --env-file /tmp/kondukto_credentials.env --rm -v /tmp:/tmp artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 augment \
--repo mongodb-js/compass --branch ${KONDUKTO_BRANCH} --sbom-in /tmp/sbom-lite.json --sbom-out /tmp/sbom.json"
scp -v -i "$SIGNING_SERVER_PRIVATE_KEY_CYGPATH" -P "$SIGNING_SERVER_PORT" "$SIGNING_SERVER_USERNAME"@"$SIGNING_SERVER_HOSTNAME":/tmp/{sbom-lite.json,sbom.json,purls.txt} .sbom/
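Review bot: In the `kondukto_token=` lines of the remote command, the three AWS credentials are expanded locally into the ssh argument string, and that call runs after `set -x` has been re-enabled and under `ssh -v`, so the temporary keys and session token are likely to end up in the task log and in the process list on both hosts. Keeping `set +x` in force until the ssh call has returned, and feeding the values to the remote shell on stdin rather than in the command text, would avoid that. The fetched token is then written to `/tmp/kondukto_credentials.env` on the signing server, but `trap_handler` only removes the local `/tmp/artifactory_password`; ending the remote command with `; rm -f /tmp/kondukto_credentials.env` and creating the file under `umask 077` would close that gap. `--branch ${KONDUKTO_BRANCH}` is also unquoted for the remote shell, unlike `--username '${ARTIFACTORY_USERNAME}'`, so `--branch '${KONDUKTO_BRANCH}'` would be the consistent form. The page has lost its +/- markers, so this reads the silkbomb:2.0 lines as the new side.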
11 changes: 7 additions & 4 deletions .evergreen/functions.yml
Expand Up @@ -413,10 +413,15 @@ functions:
# Load environment variables
eval $(.evergreen/print-compass-env.sh)
cd packages/compass && npm run prepackage-compass
- command: ec2.assume_role
display_name: Assume IAM role with permissions to pull Kondukto API token
params:
role_arn: ${kondukto_role_arn}
- command: shell.exec
params:
working_dir: src
shell: bash
include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
env:
ARTIFACTORY_USERNAME: ${artifactory_username}
ARTIFACTORY_PASSWORD: ${artifactory_password}
Expand All @@ -425,10 +430,8 @@ functions:
SIGNING_SERVER_PRIVATE_KEY_CYGPATH: ${SIGNING_SERVER_PRIVATE_KEY_CYGPATH}
SIGNING_SERVER_USERNAME: ${SIGNING_SERVER_USERNAME}
SIGNING_SERVER_PORT: ${SIGNING_SERVER_PORT}
# for Silk SBOM integration
SILK_ASSET_GROUP: ${silk_asset_group}
SILK_CLIENT_ID: ${silk_client_id}
SILK_CLIENT_SECRET: ${silk_client_secret}
# for SilkBomb integration
KONDUKTO_BRANCH: ${branch_name}_${target_platform}
script: |
set -e

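Review bot: The `include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]` line exports the assumed role's temporary credentials to the whole script step, next to the Artifactory password and signing-server key, and nothing here says what they are for. A comment above it such as `# temporary credentials from ec2.assume_role above; create-sbom.sh uses them to read the kondukto-token secret` would document the dependency, assuming this step is the one that runs create-sbom.sh. It is also worth confirming that the role behind `${kondukto_role_arn}` can read only that one secret, since the script body continues below this hunk and every command in it inherits these variables. The `# for SilkBomb integration` comment could add that `KONDUKTO_BRANCH` is passed to silkbomb's `--branch` argument.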