From 829ff4dbbd8d3b16f5e9d5dd143f90ef4361cb93 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Fri, 28 Jun 2024 07:58:33 -0600 Subject: [PATCH 1/4] hopefully passing action --- .github/actions/setup/action.yml | 15 --- .../sign_and_upload_package/action.yml | 71 ----------- .github/workflows/build.yml | 3 +- .github/workflows/release.yml | 105 ++++++++++++++++ .github/workflows/release_6.1.yml | 114 ++++++++++++++++++ 5 files changed, 220 insertions(+), 88 deletions(-) delete mode 100644 .github/actions/setup/action.yml delete mode 100644 .github/actions/sign_and_upload_package/action.yml create mode 100644 .github/workflows/release.yml create mode 100644 .github/workflows/release_6.1.yml diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml deleted file mode 100644 index a045df1..0000000 --- a/.github/actions/setup/action.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Setup -description: 'Installs node, driver dependencies, and builds source' - -runs: - using: composite - steps: - - uses: actions/setup-node@v4 - with: - node-version: 'lts/*' - cache: 'npm' - registry-url: 'https://registry.npmjs.org' - - run: npm install -g npm@latest - shell: bash - - run: npm clean-install --ignore-scripts - shell: bash diff --git a/.github/actions/sign_and_upload_package/action.yml b/.github/actions/sign_and_upload_package/action.yml deleted file mode 100644 index 8d7c948..0000000 --- a/.github/actions/sign_and_upload_package/action.yml +++ /dev/null @@ -1,71 +0,0 @@ -name: Sign and Upload Package -description: 'Signs native modules with garasign' - -inputs: - aws_role_arn: - description: 'AWS role input for drivers-github-tools/gpg-sign@v2' - required: true - aws_region_name: - description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' - required: true - aws_secret_id: - description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' - required: true - npm_package_name: - description: 'The name for the npm package this repository represents' - required: true - -runs: - using: composite - steps: - - uses: actions/download-artifact@v4 - - - name: Make signatures directory - shell: bash - run: mkdir artifacts - - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: ${{ inputs.aws_region_name }} - aws_role_arn: ${{ inputs.aws_role_arn }} - aws_secret_id: ${{ inputs.aws_secret_id }} - - - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: - filenames: 'build-*/*.tar.gz' - env: - RELEASE_ASSETS: artifacts/ - - - name: Copy the tarballs to the artifacts directory - shell: bash - run: for filename in build-*/*.tar.gz; do cp ${filename} artifacts/; done - - - run: npm pack - shell: bash - - - name: Get release version and release package file name - id: get_vars - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT" - - - name: Create detached signature for module - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: - filenames: ${{ steps.get_vars.outputs.package_file }} - env: - RELEASE_ASSETS: artifacts/ - - - name: Display structure of downloaded files - shell: bash - run: ls -la artifacts/ - - - name: "Upload release artifacts" - run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.* - shell: bash - env: - GH_TOKEN: ${{ github.token }} \ No newline at end of file diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 908121f..c5a9e05 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,9 +1,8 @@ on: - push: - branches: [main] pull_request: branches: [main] workflow_dispatch: {} + workflow_call: {} name: Build and Test diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..e3de455 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,105 @@ +on: + push: + branches: ["6.1"] + pull_request: + branches: ["main"] + workflow_dispatch: {} + +permissions: + contents: write + pull-requests: write + id-token: write + +name: release-6.1 + +jobs: + release_please: + runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} + steps: + - id: release + uses: googleapis/release-please-action@v4 + with: + target-branch: 6.1 + + build: + needs: [release_please] + name: "Perform any build or bundling steps, as necessary." + uses: ./.github/workflows/build.yml + + ssdlc: + needs: [release_please, build] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true + + - name: Load version and package info + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + with: + npm_package_name: mongodb-client-encryption + + - name: actions/compress_sign_and_upload + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: us-east-1 + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: mongodb-client-encryption + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + - name: Copy sbom file to release assets + shell: bash + if: ${{ 'mongodb-client-encryption-6.1' == '' }} + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + + # only used for mongodb-client-encryption + - name: Augment SBOM and copy to release assets + if: ${{ 'mongodb-client-encryption-6.1' != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: 'mongodb-client-encryption-6.1' + sbom_file_name: sbom.json + + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/full-report@v2 + with: + release_version: ${{ env.package_version }} + product_name: mongodb-client-encryption + sarif_report_target_ref: 6.1 + third_party_dependency_tool: n/a + dist_filenames: artifacts/* + token: ${{ github.token }} + sbom_file_name: sbom.json + + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ env.package_version }} + product_name: mongodb-client-encryption + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + publish: + needs: [release_please, ssdlc, build] + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + + - run: npm publish --provenance --tag=6.1 + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/release_6.1.yml b/.github/workflows/release_6.1.yml new file mode 100644 index 0000000..ba2f4d9 --- /dev/null +++ b/.github/workflows/release_6.1.yml @@ -0,0 +1,114 @@ +on: + push: + branches: ["6.1"] + workflow_dispatch: {} + +permissions: + contents: write + pull-requests: write + id-token: write + +name: release-6.1 + +jobs: + release_please: + runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} + steps: + - id: release + uses: googleapis/release-please-action@v4 + with: + target-branch: 6.1 + + build: + needs: [release_please] + name: "Perform any build or bundling steps, as necessary." + uses: ./.github/workflows/build.yml + + ssdlc: + needs: [release_please, build] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true + + - name: Load version and package info + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + with: + npm_package_name: mongodb-client-encryption + + - name: actions/compress_sign_and_upload + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: us-east-1 + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: mongodb-client-encryption + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + - name: Download the Augmented SBOM file to the release assets and s3 assets folders + shell: bash + run: | + set -eu + SILKBOMB_ENVFILE=/tmp/silkbomb-envfile + cat << EOF > $SILKBOMB_ENVFILE + SILK_CLIENT_ID=${SILKBOMB_USER} + SILK_CLIENT_SECRET=${SILKBOMB_KEY} + EOF + echo 'SILKBOMB_ENVFILE=$SILKBOMB_ENVFILE' >> $GITHUB_ENV + + - name: Copy sbom file to release assets + shell: bash + if: ${{ 'mongodb-client-encryption-6.1' == '' }} + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + + # only used for mongodb-client-encryption + - name: Augment SBOM and copy to release assets + if: ${{ 'mongodb-client-encryption-6.1' != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: 'mongodb-client-encryption-6.1' + sbom_file_name: sbom.json + + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/full-report@v2 + with: + release_version: ${{ env.package_version }} + product_name: mongodb-client-encryption + sarif_report_target_ref: 6.1 + third_party_dependency_tool: n/a + dist_filenames: artifacts/* + token: ${{ github.token }} + sbom_file_name: sbom.json + + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ env.package_version }} + product_name: mongodb-client-encryption + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + publish: + needs: [release_please, ssdlc, build] + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + + - run: npm publish --provenance --tag=6.1 + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From 532f3494d627918c2a02902cc6eb928b05215138 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Fri, 28 Jun 2024 09:19:03 -0600 Subject: [PATCH 2/4] adjust release actions --- .github/workflows/build.yml | 6 +- .github/workflows/release.yml | 105 ------------------------------ .github/workflows/release_6.1.yml | 4 +- 3 files changed, 7 insertions(+), 108 deletions(-) delete mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c5a9e05..765e02a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -85,8 +85,10 @@ jobs: environment: release steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true - name: actions/sign_and_upload_package uses: ./.github/actions/sign_and_upload_package with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index e3de455..0000000 --- a/.github/workflows/release.yml +++ /dev/null @@ -1,105 +0,0 @@ -on: - push: - branches: ["6.1"] - pull_request: - branches: ["main"] - workflow_dispatch: {} - -permissions: - contents: write - pull-requests: write - id-token: write - -name: release-6.1 - -jobs: - release_please: - runs-on: ubuntu-latest - outputs: - release_created: ${{ steps.release.outputs.release_created }} - steps: - - id: release - uses: googleapis/release-please-action@v4 - with: - target-branch: 6.1 - - build: - needs: [release_please] - name: "Perform any build or bundling steps, as necessary." - uses: ./.github/workflows/build.yml - - ssdlc: - needs: [release_please, build] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - environment: release - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v2 - with: - ignore_install_scripts: true - - - name: Load version and package info - uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 - with: - npm_package_name: mongodb-client-encryption - - - name: actions/compress_sign_and_upload - uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 - with: - aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} - aws_region_name: us-east-1 - aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - npm_package_name: mongodb-client-encryption - dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - - name: Copy sbom file to release assets - shell: bash - if: ${{ 'mongodb-client-encryption-6.1' == '' }} - run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json - - # only used for mongodb-client-encryption - - name: Augment SBOM and copy to release assets - if: ${{ 'mongodb-client-encryption-6.1' != '' }} - uses: mongodb-labs/drivers-github-tools/sbom@v2 - with: - silk_asset_group: 'mongodb-client-encryption-6.1' - sbom_file_name: sbom.json - - - name: Generate authorized pub report - uses: mongodb-labs/drivers-github-tools/full-report@v2 - with: - release_version: ${{ env.package_version }} - product_name: mongodb-client-encryption - sarif_report_target_ref: 6.1 - third_party_dependency_tool: n/a - dist_filenames: artifacts/* - token: ${{ github.token }} - sbom_file_name: sbom.json - - - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 - with: - version: ${{ env.package_version }} - product_name: mongodb-client-encryption - dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - publish: - needs: [release_please, ssdlc, build] - environment: release - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v2 - - - run: npm publish --provenance --tag=6.1 - if: ${{ needs.release_please.outputs.release_created }} - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/release_6.1.yml b/.github/workflows/release_6.1.yml index ba2f4d9..d4b70f5 100644 --- a/.github/workflows/release_6.1.yml +++ b/.github/workflows/release_6.1.yml @@ -107,8 +107,10 @@ jobs: - name: Install Node and dependencies uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: true - - run: npm publish --provenance --tag=6.1 + - run: npm publish --provenance --tag=alpha if: ${{ needs.release_please.outputs.release_created }} env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From 12838d9759f3e0820bf37d8cfa2c60ab1aad7a4c Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Fri, 28 Jun 2024 09:22:07 -0600 Subject: [PATCH 3/4] remove extra steps --- .github/workflows/release_6.1.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.github/workflows/release_6.1.yml b/.github/workflows/release_6.1.yml index d4b70f5..6614545 100644 --- a/.github/workflows/release_6.1.yml +++ b/.github/workflows/release_6.1.yml @@ -57,17 +57,6 @@ jobs: npm_package_name: mongodb-client-encryption dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - name: Download the Augmented SBOM file to the release assets and s3 assets folders - shell: bash - run: | - set -eu - SILKBOMB_ENVFILE=/tmp/silkbomb-envfile - cat << EOF > $SILKBOMB_ENVFILE - SILK_CLIENT_ID=${SILKBOMB_USER} - SILK_CLIENT_SECRET=${SILKBOMB_KEY} - EOF - echo 'SILKBOMB_ENVFILE=$SILKBOMB_ENVFILE' >> $GITHUB_ENV - - name: Copy sbom file to release assets shell: bash if: ${{ 'mongodb-client-encryption-6.1' == '' }} From 0fa6dcc20a1ff1d3ddc1d97fef895d793ce9b57e Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Fri, 28 Jun 2024 09:22:43 -0600 Subject: [PATCH 4/4] add sign native --- .github/workflows/release_6.1.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release_6.1.yml b/.github/workflows/release_6.1.yml index 6614545..b64fe76 100644 --- a/.github/workflows/release_6.1.yml +++ b/.github/workflows/release_6.1.yml @@ -56,6 +56,7 @@ jobs: aws_secret_id: ${{ secrets.AWS_SECRET_ID }} npm_package_name: mongodb-client-encryption dry_run: ${{ needs.release_please.outputs.release_created == '' }} + sign_native: true - name: Copy sbom file to release assets shell: bash