ssdlc compliance, minus sbom generation

Author: baileympearson

.github/actions/setup/action.yml

@@ -28,6 +28,10 @@ runs:
       shell: bash
       run: mkdir artifacts
 
+    - name: Load version and package info
+      uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
+
+
     - name: Set up drivers-github-tools
       uses: mongodb-labs/drivers-github-tools/setup@v2
       with: 
@@ -49,18 +53,10 @@ runs:
     - run: npm pack
       shell: bash
 
-    - name: Get release version and release package file name
-      id: get_vars
-      shell: bash
-      run: |
-        package_version=$(jq --raw-output '.version' package.json)
-        echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
-        echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
-
     - name: Create detached signature for module
       uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
       with: 
-        filenames: ${{ steps.get_vars.outputs.package_file }}
+        filenames: ${{ env.package_file }}
       env: 
         RELEASE_ASSETS: artifacts/
 
@@ -70,7 +66,7 @@ runs:
 
     - name: "Upload release artifacts"
       if: ${{ inputs.dry_run == false }}
-      run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.*
+      run: gh release upload v${{ env.package_version }} artifacts/*.*
       shell: bash
       env:
         GH_TOKEN: ${{ github.token }}

.github/actions/sign_and_upload_package/action.yml

@@ -70,139 +70,4 @@ jobs:
           retention-days: 1
           compression-level: 0
 
-  release_please:
-    needs: [host_builds, container_builds]
-    runs-on: ubuntu-latest
-    outputs:
-      release_created: ${{ steps.release.outputs.release_created }}
-    steps:
-      - id: release
-        uses: googleapis/release-please-action@v4
-
-  generate_sarif_report:
-    environment: release
-    runs-on: ubuntu-latest
-    needs: [release_please]
-    permissions:
-      # required for all workflows
-      security-events: write
-      id-token: write
-      contents: write
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up drivers-github-tools
-        uses: mongodb-labs/drivers-github-tools/setup@v2
-        with:
-          aws_region_name: us-east-1
-          aws_role_arn: ${{ secrets.aws_role_arn }}
-          aws_secret_id: ${{ secrets.aws_secret_id }}
-
-      - name: "Generate Sarif Report"
-        uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
-        with:
-          ref: main
-          output-file: sarif-report.json
-
-      - name: Get release version and release package file name
-        id: get_version
-        shell: bash
-        run: |
-          package_version=$(jq --raw-output '.version' package.json)
-          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
-      - name: actions/publish_asset_to_s3
-        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
-        with:
-          version: ${{ steps.get_version.outputs.package_version }}
-          product_name: mongodb-client-encryption
-          file: sarif-report.json
-          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
-
-  generate_compliance_report:
-    environment: release
-    runs-on: ubuntu-latest
-    needs: [release_please]
-    permissions:
-      # required for all workflows
-      security-events: write
-      id-token: write
-      contents: write
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up drivers-github-tools
-        uses: mongodb-labs/drivers-github-tools/setup@v2
-        with:
-          aws_region_name: us-east-1
-          aws_role_arn: ${{ secrets.aws_role_arn }}
-          aws_secret_id: ${{ secrets.aws_secret_id }}
-
-      - name: Get release version and release package file name
-        id: get_version
-        shell: bash
-        run: |
-          package_version=$(jq --raw-output '.version' package.json)
-          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
-
-      - name: Generate compliance report
-        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
-        with:
-          sbom_name: sbom.json # TODO - confirm sbom file name
-          sarif_name: sarif-report.json
-          security_report_location: tbd
-          release_version: ${{ steps.get_version.outputs.package_version }}
-          token:  ${{ github.token }}
-
-      - name: actions/publish_asset_to_s3
-        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
-        with:
-          version: ${{ steps.get_version.outputs.package_version }}
-          product_name: mongodb-client-encryption
-          file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt
-          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
-
-  sign_and_upload:
-    needs: [release_please]
-    runs-on: ubuntu-latest
-    environment: release
-    steps:
-      - uses: actions/checkout@v4
-      - name: actions/setup
-        uses: ./.github/actions/setup
-      - name: Get release version and release package file name
-        id: get_vars
-        shell: bash
-        run: |
-          package_version=$(jq --raw-output '.version' package.json)
-          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
-          echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
-      - name: actions/sign_and_upload_package
-        uses: ./.github/actions/sign_and_upload_package
-        with:
-          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
-          aws_region_name: 'us-east-1'
-          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
-          npm_package_name: 'mongodb-client-encryption'
-          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
-
-      - name: Generate authorized pub report
-        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
-        with:
-          release_version: ${{ steps.get_version.outputs.package_version }}
-          product_name: mongodb-client-encryption
-          # <package> and <package>.sig
-          filenames: artifacts/*
-          token:  ${{ github.token }}
-
-      - name: actions/publish_asset_to_s3
-        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
-        with:
-          version: ${{ steps.get_version.outputs.package_version }}
-          product_name: mongodb-client-encryption
-          file: ${{env.S3_ASSETS}}/authorized-publication.txt
-          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
-
-      - run: npm publish --provenance --tag=alpha
-        if: ${{ needs.release_please.outputs.release_created }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  

.github/workflows/build.yml

@@ -0,0 +1,91 @@
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}
+
+name: Build and Test
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
+jobs:
+  release_please:
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+    steps:
+      - id: release
+        uses: googleapis/release-please-action@v4
+
+  build:
+    needs: [release_please]
+    name: "Build native code"
+    uses: ./.github/workflows/build.yml
+
+  ssdlc:
+    needs: [release_please, build]
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
+    environment: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Node and dependencies
+        uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
+
+      - name: Load version and package info
+        uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
+
+      - name: actions/sign_and_upload_package
+        uses: ./.github/actions/sign_and_upload_package
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: 'us-east-1'
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          npm_package_name: 'mongodb-client-encryption'
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+
+      - name: Copy sbom file to release assets
+        shell: bash
+        run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
+
+      - name: Generate authorized pub report
+        uses: mongodb-labs/drivers-github-tools/full-report@v2
+        with:
+          release_version: ${{ env.package_version }}
+          product_name: mongodb-client-encryption
+          sarif_report_target_ref: main
+          third_party_dependency_tool: Silk
+          # <package> and <package>.sig
+          dist_filenames: ${{ env.package_file }}*
+          token:  ${{ github.token }}
+          sbom_file_name: sbom.json
+
+      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+        with:
+          version: ${{ env.package_version }}
+          product_name: mongodb-client-encryption
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+
+  publish:
+    needs: [release_please, ssdlc, build]
+    environment: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Node and dependencies
+        uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
+
+      # - run: npm publish --provenance --tag=latest
+      #   if: ${{ needs.release_please.outputs.release_created }}
+      #   env:
+      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}