Merge remote-tracking branch 'origin/main' into MONGOSH-1928-dry-run-homebrew-release-fail

Author: alenakhineika

.evergreen.yml

@@ -3780,6 +3780,23 @@ functions:
   # - signature_tag (either 'signed' or 'unsigned')
   ###
   add_crypt_shared_and_sbom:
+    - command: ec2.assume_role
+      display_name: Assume IAM role with permissions to pull Kondukto API token
+      params:
+        role_arn: ${kondukto_role_arn}
+    - command: shell.exec
+      display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file
+      params:
+        silent: true
+        shell: bash
+        working_dir: src
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
+        script: |
+          set -e
+          # use AWS CLI to get the Kondukto API token from AWS Secrets Manager
+          kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
+          # set the KONDUKTO_TOKEN environment variable
+          echo "KONDUKTO_TOKEN=$kondukto_token" > /tmp/kondukto_credentials.env
     - command: subprocess.exec
       params:
         working_dir: src
@@ -3790,10 +3807,8 @@ functions:
           PACKAGE_VARIANT: ${package_variant}
           ARTIFACTORY_USERNAME: ${artifactory_username}
           ARTIFACTORY_PASSWORD: ${artifactory_password}
-          # for Silk SBOM integration
-          SILK_ASSET_GROUP: mongosh-${executable_os_id}
-          SILK_CLIENT_ID: ${silk_client_id}
-          SILK_CLIENT_SECRET: ${silk_client_secret}
+          # for Kondukto SBOM integration
+          KONDUKTO_BRANCH: ${branch_name}_${executable_os_id}
   create_static_analysis_report:
     - command: s3.get
       params:

.evergreen/evergreen.yml.in

@@ -489,6 +489,23 @@ functions:
   # - signature_tag (either 'signed' or 'unsigned')
   ###
   add_crypt_shared_and_sbom:
+    - command: ec2.assume_role
+      display_name: Assume IAM role with permissions to pull Kondukto API token
+      params:
+        role_arn: ${kondukto_role_arn}
+    - command: shell.exec
+      display_name: Pull Kondukto API token from AWS Secrets Manager and write it to file
+      params:
+        silent: true
+        shell: bash
+        working_dir: src
+        include_expansions_in_env: [AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN]
+        script: |
+          set -e
+          # use AWS CLI to get the Kondukto API token from AWS Secrets Manager
+          kondukto_token=$(aws secretsmanager get-secret-value --secret-id "kondukto-token" --region "us-east-1" --query 'SecretString' --output text)
+          # set the KONDUKTO_TOKEN environment variable
+          echo "KONDUKTO_TOKEN=$kondukto_token" > /tmp/kondukto_credentials.env
     - command: subprocess.exec
       params:
         working_dir: src
@@ -499,10 +516,8 @@ functions:
           PACKAGE_VARIANT: ${package_variant}
           ARTIFACTORY_USERNAME: ${artifactory_username}
           ARTIFACTORY_PASSWORD: ${artifactory_password}
-          # for Silk SBOM integration
-          SILK_ASSET_GROUP: mongosh-${executable_os_id}
-          SILK_CLIENT_ID: ${silk_client_id}
-          SILK_CLIENT_SECRET: ${silk_client_secret}
+          # for Kondukto SBOM integration
+          KONDUKTO_BRANCH: ${branch_name}_${executable_os_id}
   create_static_analysis_report:
   <%
   let firstPartyDepsFilenames = [];

THIRD_PARTY_NOTICES.md

@@ -1,5 +1,5 @@
 The following third-party software is used by and included in **mongosh**.
-This document was automatically generated on Tue Feb 25 2025.
+This document was automatically generated on Wed Feb 26 2025.
 
 ## List of dependencies
 

packages/build/src/homebrew/publish-to-homebrew.spec.ts

@@ -1,23 +1,25 @@
 import chai, { expect } from 'chai';
 import sinon from 'sinon';
 import type { GithubRepo } from '@mongodb-js/devtools-github-repo';
-import { publishToHomebrew } from './publish-to-homebrew';
+import type { HomebrewPublisherConfig } from './publish-to-homebrew';
+import { HomebrewPublisher } from './publish-to-homebrew';
 
 chai.use(require('sinon-chai'));
 
-describe('Homebrew publish-to-homebrew', function () {
+describe('HomebrewPublisher', function () {
   let homebrewCore: GithubRepo;
   let homebrewCoreFork: GithubRepo;
   let createPullRequest: sinon.SinonStub;
   let httpsSha256: sinon.SinonStub;
   let generateFormula: sinon.SinonStub;
   let updateHomebrewFork: sinon.SinonStub;
 
-  beforeEach(function () {
+  let testPublisher: HomebrewPublisher;
+
+  const setupHomebrewPublisher = (
+    config: Omit<HomebrewPublisherConfig, 'homebrewCore' | 'homebrewCoreFork'>
+  ) => {
     createPullRequest = sinon.stub();
-    httpsSha256 = sinon.stub();
-    generateFormula = sinon.stub();
-    updateHomebrewFork = sinon.stub();
 
     homebrewCore = {
       repo: {
@@ -32,9 +34,33 @@ describe('Homebrew publish-to-homebrew', function () {
         repo: 'homebrew-core',
       },
     } as unknown as GithubRepo;
+
+    testPublisher = new HomebrewPublisher({
+      ...config,
+      homebrewCore,
+      homebrewCoreFork,
+    });
+
+    httpsSha256 = sinon.stub(testPublisher, 'httpsSha256');
+    generateFormula = sinon.stub(testPublisher, 'generateFormula');
+    updateHomebrewFork = sinon.stub(testPublisher, 'updateHomebrewFork');
+  };
+
+  beforeEach(function () {
+    setupHomebrewPublisher({
+      packageVersion: '1.0.0',
+      githubReleaseLink: 'githubRelease',
+      isDryRun: false,
+    });
   });
 
   it('creates and merges a PR on update and cleans up', async function () {
+    setupHomebrewPublisher({
+      packageVersion: '1.0.0',
+      githubReleaseLink: 'githubRelease',
+      isDryRun: false,
+    });
+
     httpsSha256
       .rejects()
       .withArgs(
@@ -69,16 +95,7 @@ describe('Homebrew publish-to-homebrew', function () {
       )
       .resolves({ prNumber: 42, url: 'url' });
 
-    await publishToHomebrew(
-      homebrewCore,
-      homebrewCoreFork,
-      '1.0.0',
-      'githubRelease',
-      false,
-      httpsSha256,
-      generateFormula,
-      updateHomebrewFork
-    );
+    await testPublisher.publish();
 
     expect(httpsSha256).to.have.been.called;
     expect(generateFormula).to.have.been.called;
@@ -87,6 +104,12 @@ describe('Homebrew publish-to-homebrew', function () {
   });
 
   it('does not try to push/merge when there is no formula update', async function () {
+    setupHomebrewPublisher({
+      packageVersion: '1.0.0',
+      githubReleaseLink: 'githubRelease',
+      isDryRun: false,
+    });
+
     httpsSha256
       .rejects()
       .withArgs(
@@ -111,16 +134,7 @@ describe('Homebrew publish-to-homebrew', function () {
       })
       .resolves(undefined);
 
-    await publishToHomebrew(
-      homebrewCore,
-      homebrewCoreFork,
-      '1.0.0',
-      'githubRelease',
-      false,
-      httpsSha256,
-      generateFormula,
-      updateHomebrewFork
-    );
+    await testPublisher.publish();
 
     expect(httpsSha256).to.have.been.called;
     expect(generateFormula).to.have.been.called;
@@ -163,16 +177,7 @@ describe('Homebrew publish-to-homebrew', function () {
       )
       .resolves({ prNumber: 42, url: 'url' });
 
-    await publishToHomebrew(
-      homebrewCore,
-      homebrewCoreFork,
-      '1.0.0',
-      'githubRelease',
-      false,
-      httpsSha256,
-      generateFormula,
-      updateHomebrewFork
-    );
+    await testPublisher.publish();
 
     expect(httpsSha256).to.have.been.called;
     expect(generateFormula).to.have.been.called;

packages/build/src/homebrew/publish-to-homebrew.ts

@@ -1,60 +1,88 @@
 import type { GithubRepo } from '@mongodb-js/devtools-github-repo';
-import { generateUpdatedFormula } from './generate-formula';
-import { updateHomebrewFork } from './update-homebrew-fork';
-import { httpsSha256 } from './utils';
-
-export async function publishToHomebrew(
-  homebrewCore: GithubRepo,
-  homebrewCoreFork: GithubRepo,
-  packageVersion: string,
-  githubReleaseLink: string,
-  isDryRun: boolean,
-  httpsSha256Fn = httpsSha256,
-  generateFormulaFn = generateUpdatedFormula,
-  updateHomebrewForkFn = updateHomebrewFork
-): Promise<void> {
-  const cliReplPackageUrl = `https://registry.npmjs.org/@mongosh/cli-repl/-/cli-repl-${packageVersion}.tgz`;
-  const packageSha = isDryRun
-    ? `dryRun-fakesha256-${Date.now()}`
-    : await httpsSha256Fn(cliReplPackageUrl);
-
-  const homebrewFormula = await generateFormulaFn(
-    { version: packageVersion, sha: packageSha },
-    homebrewCore,
-    isDryRun
-  );
-  if (!homebrewFormula) {
-    console.warn('There are no changes to the homebrew formula');
-    return;
-  }
+import { generateUpdatedFormula as generateUpdatedFormulaFn } from './generate-formula';
+import { updateHomebrewFork as updateHomebrewForkFn } from './update-homebrew-fork';
+import { httpsSha256 as httpsSha256Fn } from './utils';
+
+export type HomebrewPublisherConfig = {
+  homebrewCore: GithubRepo;
+  homebrewCoreFork: GithubRepo;
+  packageVersion: string;
+  githubReleaseLink: string;
+  isDryRun?: boolean;
+};
 
-  const forkBranch = await updateHomebrewForkFn({
-    packageVersion,
-    packageSha,
-    homebrewFormula,
-    homebrewCore,
-    homebrewCoreFork,
-    isDryRun,
-  });
-  if (!forkBranch) {
-    console.warn('There are no changes to the homebrew formula');
-    return;
+export class HomebrewPublisher {
+  readonly httpsSha256: typeof httpsSha256Fn;
+  readonly generateFormula: typeof generateUpdatedFormulaFn;
+  readonly updateHomebrewFork: typeof updateHomebrewForkFn;
+
+  constructor(
+    public config: HomebrewPublisherConfig,
+    {
+      httpsSha256 = httpsSha256Fn,
+      generateFormula = generateUpdatedFormulaFn,
+      updateHomebrewFork = updateHomebrewForkFn,
+    } = {}
+  ) {
+    this.httpsSha256 = httpsSha256;
+    this.generateFormula = generateFormula;
+    this.updateHomebrewFork = updateHomebrewFork;
   }
 
-  const description = `This PR was created automatically and bumps \`mongosh\` to the latest published version \`${packageVersion}\`.\n\nFor additional details see ${githubReleaseLink}.`;
+  async publish(): Promise<void> {
+    const {
+      isDryRun,
+      homebrewCore,
+      packageVersion,
+      homebrewCoreFork,
+      githubReleaseLink,
+    } = this.config;
+
+    const cliReplPackageUrl = `https://registry.npmjs.org/@mongosh/cli-repl/-/cli-repl-${packageVersion}.tgz`;
+    const packageSha = isDryRun
+      ? `dryRun-fakesha256-${Date.now()}`
+      : await this.httpsSha256(cliReplPackageUrl);
+
+    const homebrewFormula = await this.generateFormula(
+      { version: packageVersion, sha: packageSha },
+      homebrewCore,
+      isDryRun || false
+    );
+    if (!homebrewFormula) {
+      console.warn('There are no changes to the homebrew formula');
+      return;
+    }
+
+    const forkBranch = await this.updateHomebrewFork({
+      packageVersion,
+      packageSha,
+      homebrewFormula,
+      homebrewCore,
+      homebrewCoreFork,
+      isDryRun: isDryRun || false,
+    });
+    if (!forkBranch) {
+      console.warn('There are no changes to the homebrew formula');
+      return;
+    }
+
+    const description = `This PR was created automatically and bumps \`mongosh\` to the latest published version \`${packageVersion}\`.\n\nFor additional details see ${githubReleaseLink}.`;
 
-  if (isDryRun) {
-    await homebrewCoreFork.deleteBranch(forkBranch);
-    console.warn('Deleted branch instead of creating homebrew PR');
-    return;
+    if (isDryRun) {
+      await homebrewCoreFork.deleteBranch(forkBranch);
+      console.warn('Deleted branch instead of creating homebrew PR');
+      return;
+    }
+    const pr = await homebrewCore.createPullRequest(
+      `mongosh ${packageVersion}`,
+      description,
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      `${homebrewCoreFork.repo.owner}:${forkBranch}`,
+      'master'
+    );
+    console.info(
+      // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
+      `Created PR #${pr.prNumber} in ${homebrewCore.repo.owner}/${homebrewCore.repo.repo}: ${pr.url}`
+    );
   }
-  const pr = await homebrewCore.createPullRequest(
-    `mongosh ${packageVersion}`,
-    description,
-    `${homebrewCoreFork.repo.owner}:${forkBranch}`,
-    'master'
-  );
-  console.info(
-    `Created PR #${pr.prNumber} in ${homebrewCore.repo.owner}/${homebrewCore.repo.repo}: ${pr.url}`
-  );
 }