diff --git a/README.md b/README.md index d3d0705..0a1acb8 100644 --- a/README.md +++ b/README.md @@ -255,11 +255,44 @@ By default, all files in the S3 directory are uploaded. When the `dry_run` input is set to anything other than `false`, no files are uploaded, but instead the filename along with the resulting location in the bucket is printed. +## Create Release Branch + +Use this action to create a release branch and populate it with metadata. +It will create a new Silk Asset Group, update the SBOM-lite file, +update the ``SILK_ASSET_GROUP`` and ``EVERGREEN_PROJECT`` env variables +in the release workflow file, bump the version to a +prerelease version, and push the changes. + +> [!Note] +> You will need to wait overnight before making a release on +> the new branch to allow Silk to be populated, so it is recommended to +> make a minor/major release prior to creating a release branch, or create the +> release branch at least one day before a planned release. + +```yaml +- name: Setup + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + ... + +- name: Create Release Branch + uses: mongodb-labs/drivers-github-tools/create-branch@v2 + with: + # user inputs + branch: ... + version: ... + base_ref: + push_changes: + # other inputs + version_bump_script: + evergreen_project: +``` + ## Python Helper Scripts These scripts are opinionated helper scripts for Python releases. -### Bump and Tag +### Pre-Publish Bump the version and create a new tag. Verify the tag. Push the commit and tag to the source branch unless `dry_run` is set. @@ -270,7 +303,7 @@ Push the commit and tag to the source branch unless `dry_run` is set. with: ... -- uses: mongodb-labs/drivers-github-tools/python/bump-and-tag@v2 +- uses: mongodb-labs/drivers-github-tools/python/pre-publishv2 with: version: ${{ inputs.version }} version_bump_script: ./.github/scripts/bump-version.sh diff --git a/create-branch/action.yml b/create-branch/action.yml new file mode 100644 index 0000000..9879dca 
--- /dev/null
+++ b/create-branch/action.yml
@@ -0,0 +1,54 @@
+name: Create Release Branch
+description: Create a release branch and update branch metadata
+inputs:
+ # User provided inputs.
+ branch_name:
+ description: The name of the new branch
+ required: true
+ version:
+ description: The version to set on the branch
+ required: true
+ base_ref:
+ description: The base reference for the branch
+ push_changes:
+ description: Whether to push the changes
+ default: "true"
+ # Workflow provided inputs.
+ version_bump_script:
+ description: The script used to bump the version
+ required: true
+ evergreen_project:
+ description: The name of the evergreen project for the new branch
+ required: true
+ release_workflow_path:
+ description: The path to the release workflow file
+ default: .github/workflows/release.yml
+ sbom_file_path:
+ description: The path of the sbom-lite file
+ default: sbom.json
+ silk_group_prefix:
+ description: The prefix to use for the silk asset group, defaults to the repo name
+ artifactory_image:
+ description: Image to use for artifactory
+ default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
+
+runs:
+ using: composite
+ steps:
+ - name: Create a release branch and update branch metadata
+ shell: bash
+ env:
+ BRANCH: ${{ inputs.branch_name }}
+ BASE_REF: ${{ inputs.base_ref }}
+ SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
+ RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
+ EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
+ SILK_PREFIX: ${{ inputs.silk_group_prefix }}
+ ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
+ run: ${{ github.action_path }}/create-branch.sh
+ - uses: mongodb-labs/drivers-github-tools/bump-version@v2
+ with:
+ version: ${{ inputs.version }}
+ version_bump_script: ${{ inputs.version_bump_script }}
+ commit_template: "Prep branch ${{ inputs.branch_name }}"
+ push_commit: ${{ inputs.push_changes }}
\ No newline at end of file
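Review bot: The step's `env:` block never passes `SILKBOMB_ENVFILE`, yet `create-branch.sh` reads it (`grep -v '^#' $SILKBOMB_ENVFILE`) and its `set -eu` aborts when that variable is unset; the README hunk in this commit shows a `setup` step run first, which presumably provides it, but nothing in this file states the prerequisite. A sentence in the top-level `description:` such as `Requires mongodb-labs/drivers-github-tools/setup to have run first (provides SILKBOMB_ENVFILE and the Silk credentials the script exports).` would make that contract explicit. The README hunk also documents the first user input as `branch:` while this file names it `branch_name:`, so one of the two needs renaming before the action is used as documented. Separately, the README example `python/pre-publishv2` appears to be missing the `@` before the version tag.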
diff --git a/create-branch/create-branch.sh b/create-branch/create-branch.sh
new file mode 100755
index 0000000..af30c77
--- /dev/null
+++ b/create-branch/create-branch.sh
@@ -0,0 +1,76 @@
+#! /bin/bash
+set -eu
+
+echo "Create or checkout the branch."
+OWNER_REPO="${GITHUB_REPOSITORY}"
+git ls-remote --exit-code --heads https://github.com/${OWNER_REPO}.git refs/heads/$BRANCH || {
+ git branch $BRANCH $BASE_REF
+}
+git fetch origin $BRANCH || true
+git checkout $BRANCH
+
+echo "Get silk creds."
+# shellcheck disable=SC2046
+export $(grep -v '^#' $SILKBOMB_ENVFILE | xargs -0)
+
+echo "Get a silk token."
+SILK_JWT_TOKEN=$(curl -s -X POST "https://silkapi.us1.app.silk.security/api/v1/authenticate" \
+ -H "accept: application/json" -H "Content-Type: application/json" \
+ -d '{ "client_id": "'${SILK_CLIENT_ID}'", "client_secret": "'${SILK_CLIENT_SECRET}'" }' \
+ | jq -r '.token')
+
+echo "Get the silk asset group prefix."
+if [ -z "${SILK_PREFIX:-}" ]; then
+ REPO="${OWNER_REPO##*/}"
+ SILK_PREFIX=${REPO}
+fi
+SILK_GROUP="${SILK_PREFIX}-${BRANCH}"
+
+echo "Create the silk asset group."
+json_payload=$(cat <> $GITHUB_STEP_SUMMARY
+
+echo "Create a temp sbom."
+TMP_SBOM=sbom-for-${BRANCH}.json
+podman run --platform="linux/amd64" --rm -v "$(pwd)":/pwd \
+ ${ARTIFACTORY_IMAGE}/silkbomb:1.0 \
+ update --sbom-out /pwd/${TMP_SBOM}
+
+echo "Get the new timestamp and serial number."
+set -x
+SERIAL=$(jq -r '.serialNumber' ${TMP_SBOM})
+TIMESTAMP=$(jq -r '.metadata.timestamp' ${TMP_SBOM})
+rm ${TMP_SBOM}
+
+cat ${SBOM_FILE_PATH}
+echo "Replace the values in the existing sbom."
+cat <<< "$(jq --indent 4 '.serialNumber = "'${SERIAL}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH}
+cat <<< "$(jq --indent 4 '.metadata.timestamp = "'${TIMESTAMP}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH}
+cat ${SBOM_FILE_PATH}
+
+echo "Update the workflow with the silk asset group and evergreen project."
+sed -i 's/SILK_ASSET_GROUP:.*/SILK_ASSET_GROUP: '${SILK_GROUP}'/' ${RELEASE_WORKFLOW_PATH}
+sed -i 's/EVERGREEN_PROJECT:.*/EVERGREEN_PROJECT: '${EVERGREEN_PROJECT}'/' ${RELEASE_WORKFLOW_PATH}
+
+echo "Add the changed files."
+git --no-pager diff
+git add ${SBOM_FILE_PATH} ${RELEASE_WORKFLOW_PATH}
\ No newline at end of file
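Review bot: The Silk authentication on the `SILK_JWT_TOKEN=$(curl -s ... | jq -r '.token')` lines cannot fail the script: `curl -s` without `--fail` exits 0 on an HTTP error, `jq -r '.token'` prints `null` when the field is absent, and `set -eu` has no `pipefail`, so a rejected login carries a literal `null` token into the asset-group creation that follows. The request body is also assembled by splicing `${SILK_CLIENT_ID}` and `${SILK_CLIENT_SECRET}` unquoted into a JSON literal, which word-splits or produces invalid JSON if either value contains whitespace or a quote; `jq -n --arg` builds it safely, and the same pattern is worth applying to the `jq '.serialNumber = "'${SERIAL}'"'` and `sed ... '${SILK_GROUP}'/'` lines, where a branch name containing `/` or `&` corrupts the `s///` expression. The `podman run ... ${ARTIFACTORY_IMAGE}/silkbomb:1.0` invocation pulls the image by a mutable tag, so the SBOM tooling is not pinned to a digest. The asset-group request between `cat <` and `>> $GITHUB_STEP_SUMMARY` appears truncated in this rendering of the diff, so I could not review it. One possible rewrite of the authentication step:
```shell
set -euo pipefail

# … unchanged: branch checkout and credential export …

echo "Get a silk token."
AUTH_BODY=$(jq -n --arg id "$SILK_CLIENT_ID" --arg secret "$SILK_CLIENT_SECRET" \
  '{client_id: $id, client_secret: $secret}')
SILK_JWT_TOKEN=$(curl -sS --fail -X POST "https://silkapi.us1.app.silk.security/api/v1/authenticate" \
  -H "accept: application/json" -H "Content-Type: application/json" \
  -d "$AUTH_BODY" | jq -re '.token')

# … unchanged: asset group creation, sbom and workflow updates …
```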