Adopt zizmor GitHub Actions security scanning tool

.github/workflows/check-dist.yml

@@ -34,6 +34,8 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         id: setup-node

.github/workflows/ci.yml

@@ -25,6 +25,8 @@ jobs:
       - name: Checkout
         id: checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         id: setup-node

.github/workflows/test.yml

@@ -18,6 +18,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+            persist-credentials: false
       - uses: actions/setup-python@v5
       - uses: pre-commit/[email protected]
         with:

.github/workflows/update-action-tag.yml

@@ -3,15 +3,14 @@ name: Update Tag
 on:
   workflow_dispatch:
 
-permissions:
-  contents: write
-  id-token: write
-
 jobs:
   update-tag:
     name: Update Tag
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       - uses: actions/create-github-app-token@v1
@@ -23,6 +22,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Setup
         uses: ./setup

.github/workflows/zizmor.yml

@@ -0,0 +1,32 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+      - name: Get zizmor
+        run: cargo install zizmor
+      - name: Run zizmor 🌈
+        run: zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor

README.md

@@ -255,11 +255,44 @@ By default, all files in the S3 directory are uploaded. When the `dry_run` input
 is set to anything other than `false`, no files are uploaded, but instead the
 filename along with the resulting location in the bucket is printed.
 
+## Create Release Branch
+
+Use this action to create a release branch and populate it with metadata.
+It will create a new Silk Asset Group, update the SBOM-lite file,
+update the ``SILK_ASSET_GROUP`` and ``EVERGREEN_PROJECT`` env variables
+in the release workflow file, bump the version to a
+prerelease version, and push the changes.
+
+> [!Note]
+> You will need to wait overnight before making a release on
+> the new branch to allow Silk to be populated, so it is recommended to
+> make a minor/major release prior to creating a release branch, or create the
+> release branch at least one day before a planned release.
+
+```yaml
+- name: Setup
+  uses: mongodb-labs/drivers-github-tools/setup@v2
+  with:
+    ...
+
+- name: Create Release Branch
+  uses: mongodb-labs/drivers-github-tools/create-branch@v2
+  with:
+    # user inputs
+    branch: ...
+    version: ...
+    base_ref: <optional>
+    push_changes: <whether to push changes>
+    # other inputs
+    version_bump_script: <path/to/version/bump/script>
+    evergreen_project: <name of evergreen release project>
+```
+
 ## Python Helper Scripts
 
 These scripts are opinionated helper scripts for Python releases.
 
-### Bump and Tag
+### Pre-Publish
 
 Bump the version and create a new tag.  Verify the tag.
 Push the commit and tag to the source branch unless `dry_run` is set.
@@ -270,7 +303,7 @@ Push the commit and tag to the source branch unless `dry_run` is set.
   with:
     ...
 
-- uses: mongodb-labs/drivers-github-tools/python/bump-and-tag@v2
+- uses: mongodb-labs/drivers-github-tools/python/pre-publishv2
   with:
     version: ${{ inputs.version }}
     version_bump_script: ./.github/scripts/bump-version.sh

create-branch/action.yml

@@ -0,0 +1,54 @@
+name: Create Release Branch
+description: Create a release branch and update branch metadata
+inputs:
+  # User provided inputs.
+  branch_name:
+    description: The name of the new branch
+    required: true
+  version:
+    description: The version to set on the branch
+    required: true
+  base_ref:
+    description: The base reference for the branch
+  push_changes:
+    description: Whether to push the changes
+    default: "true"
+  # Workflow provided inputs.
+  version_bump_script:
+    description: The script used to bump the version
+    required: true
+  evergreen_project:
+    description: The name of the evergreen project for the new branch
+    required: true
+  release_workflow_path:
+    description: The path to the release workflow file
+    default: .github/workflows/release.yml
+  sbom_file_path:
+    description: The path of the sbom-lite file
+    default: sbom.json
+  silk_group_prefix:
+    description: The prefix to use for the silk asset group, defaults to the repo name
+  artifactory_image:
+    description: Image to use for artifactory
+    default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
+
+runs:
+  using: composite
+  steps:
+    - name: Create a release branch and update branch metadata
+      shell: bash
+      env:
+        BRANCH: ${{ inputs.branch_name }}
+        BASE_REF: ${{ inputs.base_ref }}
+        SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
+        RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
+        EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
+        SILK_PREFIX: ${{ inputs.silk_group_prefix }}
+        ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
+      run: ${{ github.action_path }}/create-branch.sh
+    - uses: mongodb-labs/drivers-github-tools/bump-version@v2
+      with:
+        version: ${{ inputs.version }}
+        version_bump_script: ${{ inputs.version_bump_script }}
+        commit_template: "Prep branch ${{ inputs.branch_name }}"
+        push_commit: ${{ inputs.push_changes }}

create-branch/create-branch.sh

@@ -0,0 +1,76 @@
+#! /bin/bash
+set -eu
+
+echo "Create or checkout the branch."
+OWNER_REPO="${GITHUB_REPOSITORY}"
+git ls-remote --exit-code --heads https://github.com/${OWNER_REPO}.git refs/heads/$BRANCH || {
+  git branch $BRANCH $BASE_REF
+}
+git fetch origin $BRANCH || true
+git checkout $BRANCH
+
+echo "Get silk creds."
+# shellcheck disable=SC2046
+export $(grep -v '^#' $SILKBOMB_ENVFILE | xargs -0)
+
+echo "Get a silk token."
+SILK_JWT_TOKEN=$(curl -s -X POST "https://silkapi.us1.app.silk.security/api/v1/authenticate" \
+  -H "accept: application/json" -H "Content-Type: application/json" \
+  -d '{ "client_id": "'${SILK_CLIENT_ID}'", "client_secret": "'${SILK_CLIENT_SECRET}'" }' \
+  | jq -r '.token')
+
+echo "Get the silk asset group prefix."
+if [ -z "${SILK_PREFIX:-}" ]; then
+  REPO="${OWNER_REPO##*/}"
+  SILK_PREFIX=${REPO}
+fi
+SILK_GROUP="${SILK_PREFIX}-${BRANCH}"
+
+echo "Create the silk asset group."
+json_payload=$(cat <<EOF
+{
+    "active": true,
+    "name": "${SILK_GROUP}",
+    "code_repo_url": "https://github.com/${OWNER_REPO}",
+    "branch": "${BRANCH}",
+    "metadata": {
+        "sbom_lite_path": "${SBOM_FILE_PATH}"
+    },
+    "file_paths": [],
+    "asset_id": "$SILK_GROUP"
+}
+EOF
+)
+curl -X 'POST' \
+  'https://silkapi.us1.app.silk.security/api/v1/raw/asset_group' \
+  -H "accept: application/json" -H "Authorization: ${SILK_JWT_TOKEN}" \
+  -H 'Content-Type: application/json' \
+  -d "$json_payload"
+
+echo "SILK_ASSET_GROUP=$SILK_GROUP" >> $GITHUB_STEP_SUMMARY
+
+echo "Create a temp sbom."
+TMP_SBOM=sbom-for-${BRANCH}.json
+podman run --platform="linux/amd64" --rm -v "$(pwd)":/pwd \
+  ${ARTIFACTORY_IMAGE}/silkbomb:1.0 \
+  update --sbom-out /pwd/${TMP_SBOM}
+
+echo "Get the new timestamp and serial number."
+set -x
+SERIAL=$(jq -r '.serialNumber' ${TMP_SBOM})
+TIMESTAMP=$(jq -r '.metadata.timestamp' ${TMP_SBOM})
+rm ${TMP_SBOM}
+
+cat ${SBOM_FILE_PATH}
+echo "Replace the values in the existing sbom."
+cat <<< "$(jq --indent 4 '.serialNumber = "'${SERIAL}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH}
+cat <<< "$(jq --indent 4 '.metadata.timestamp = "'${TIMESTAMP}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH}
+cat ${SBOM_FILE_PATH}
+
+echo "Update the workflow with the silk asset group and evergreen project."
+sed -i 's/SILK_ASSET_GROUP:.*/SILK_ASSET_GROUP: '${SILK_GROUP}'/' ${RELEASE_WORKFLOW_PATH}
+sed -i 's/EVERGREEN_PROJECT:.*/EVERGREEN_PROJECT: '${EVERGREEN_PROJECT}'/' ${RELEASE_WORKFLOW_PATH}
+
+echo "Add the changed files."
+git --no-pager diff
+git add ${SBOM_FILE_PATH} ${RELEASE_WORKFLOW_PATH}