feat(NODE-6588): add ssdlc to zstd (#43)

baileympearson · web-flow · commit 016d857ccb76 · 2024-11-27T15:52:48.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,81 +26,80 @@ jobs:
     name: "Perform any build or bundling steps, as necessary."
     uses: ./.github/workflows/build.yml
 
-  # ssdlc:
-  #   needs: [release_please, build]
-  #   permissions:
-  #     # required for all workflows
-  #     security-events: write
-  #     id-token: write
-  #     contents: write
-  #   environment: release
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v4
+  ssdlc:
+    needs: [release_please, build]
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
+    environment: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
 
-  #     - name: Install Node and dependencies
-  #       uses: mongodb-labs/drivers-github-tools/node/setup@v2
-  #       with:
-  #         ignore_install_scripts: true
+      - name: Install Node and dependencies
+        uses: mongodb-labs/drivers-github-tools/node/setup@v2
+        with:
+          ignore_install_scripts: true
 
-  #     - name: Load version and package info
-  #       uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
-  #       with:
-  #         npm_package_name: mongodb-client-encryption
+      - name: Load version and package info
+        uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
+        with:
+          npm_package_name: "@mongodb-js/zstd"
 
-  #     - name: actions/compress_sign_and_upload
-  #       uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
-  #       with:
-  #         aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
-  #         aws_region_name: us-east-1
-  #         aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
-  #         npm_package_name: mongodb-client-encryption
-  #         dry_run: ${{ needs.release_please.outputs.release_created == '' }}
-  #         sign_native: true
+      - name: actions/compress_sign_and_upload
+        uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: us-east-1
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          npm_package_name: "@mongodb-js/zstd"
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+          sign_native: true
 
-  #     - name: Copy sbom file to release assets
-  #       shell: bash
-  #       if: ${{ 'mongodb-client-encryption-6.1' == '' }}
-  #       run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
+      - name: Copy sbom file to release assets
+        shell: bash
+        if: ${{ 'node-zstd' == '' }}
+        run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
 
-  #     # only used for mongodb-client-encryption
-  #     - name: Augment SBOM and copy to release assets
-  #       if: ${{ 'mongodb-client-encryption-6.1' != '' }}
-  #       uses: mongodb-labs/drivers-github-tools/sbom@v2
-  #       with:
-  #         silk_asset_group: 'mongodb-client-encryption-6.1'
-  #         sbom_file_name: sbom.json
+      - name: Augment SBOM and copy to release assets
+        if: ${{ 'node-zstd' != '' }}
+        uses: mongodb-labs/drivers-github-tools/sbom@v2
+        with:
+          silk_asset_group: "node-zstd"
+          sbom_file_name: sbom.json
 
-  #     - name: Generate authorized pub report
-  #       uses: mongodb-labs/drivers-github-tools/full-report@v2
-  #       with:
-  #         release_version: ${{ env.package_version }}
-  #         product_name: mongodb-client-encryption
-  #         sarif_report_target_ref: main
-  #         third_party_dependency_tool: n/a
-  #         dist_filenames: artifacts/*
-  #         token: ${{ github.token }}
-  #         sbom_file_name: sbom.json
+      - name: Generate authorized pub report
+        uses: mongodb-labs/drivers-github-tools/full-report@v2
+        with:
+          release_version: ${{ env.package_version }}
+          product_name: "@mongodb-js/zstd"
+          sarif_report_target_ref: main
+          third_party_dependency_tool: n/a
+          dist_filenames: artifacts/*
+          token: ${{ github.token }}
+          sbom_file_name: sbom.json
 
-  #     - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
-  #       with:
-  #         version: ${{ env.package_version }}
-  #         product_name: mongodb-client-encryption
-  #         dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+        with:
+          version: ${{ env.package_version }}
+          product_name: "@mongodb-js/zstd"
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 
-  # publish:
-  #   needs: [release_please, ssdlc, build]
-  #   environment: release
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - uses: actions/checkout@v4
+  publish:
+    needs: [release_please, ssdlc, build]
+    environment: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
 
-  #     - name: Install Node and dependencies
-  #       uses: mongodb-labs/drivers-github-tools/node/setup@v2
-  #       with:
-  #         ignore_install_scripts: true
+      - name: Install Node and dependencies
+        uses: mongodb-labs/drivers-github-tools/node/setup@v2
+        with:
+          ignore_install_scripts: true
 
-  #     - run: npm publish --provenance
-  #       if: ${{ needs.release_please.outputs.release_created }}
-  #       env:
-  #         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: npm publish --provenance
+        if: ${{ needs.release_please.outputs.release_created }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/README.md b/README.md
@@ -10,6 +10,35 @@ Zstandard compression library for Node.js
 npm install @mongodb-js/zstd
 ```
 
+### Release Integrity
+
+Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
+
+```
+gpg --import node-driver.asc
+```
+
+The GitHub release contains a detached signature file for the NPM package (named
+`mongodb-js-zstd-X.Y.Z.tgz.sig`).
+
+The following command returns the link npm package. 
+```shell
+npm view @mongodb-js/zstd@vX.Y.Z dist.tarball 
+```
+
+Using the result of the above command, a `curl` command can return the official npm package for the release.
+
+To verify the integrity of the downloaded package, run the following command:
+```shell
+gpg --verify mongodb-js-zstd-X.Y.Z.tgz.sig mongodb-js-zstd-X.Y.Z.tgz
+```
+
+>[!Note]
+No verification is done when using npm to install the package. The contents of the Github tarball and npm's tarball are identical.
+
+To verify the native `.node` packages, follow the same steps as above using `mongodb-js-zstd-X.Y.Z-platform.tgz` and the corresponding `.sig` file.
+
+
 ## OS Support matrix
 
 |                  | node12 | node14 | node16 | node18 | node20 |
@@ -72,6 +101,11 @@ import { compress, decompress } from '@mongodb-js/zstd';
 
 ## Running Tests
 
+First, install and build the zstd library:
+
+`npm run install-zstd`
+
+Then:
 `npm test`
 
 ## Releasing
