diff --git a/README.md b/README.md
index 61ccf6b..6f323b8 100644
--- a/README.md
+++ b/README.md
@@ -258,17 +258,10 @@ filename along with the resulting location in the bucket is printed.
 ## Create Release Branch
 
 Use this action to create a release branch and populate it with metadata.
-It will create a new Silk Asset Group, update the SBOM-lite file,
-update the ``SILK_ASSET_GROUP`` and ``EVERGREEN_PROJECT`` env variables
+It will update ``EVERGREEN_PROJECT`` env variable
 in the release workflow file, bump the version to a prerelease version,
 and push the changes.
 
-> [!Note]
-> You will need to wait overnight before making a release on
-> the new branch to allow Silk to be populated, so it is recommended to
-> make a minor/major release prior to creating a release branch, or create the
-> release branch at least one day before a planned release.
-
 ```yaml
 - name: Setup
 uses: mongodb-labs/drivers-github-tools/setup@v2
diff --git a/create-branch/action.yml b/create-branch/action.yml
index 9879dca..a322a19 100644
--- a/create-branch/action.yml
+++ b/create-branch/action.yml
@@ -23,15 +23,15 @@ inputs:
 release_workflow_path:
 description: The path to the release workflow file
 default: .github/workflows/release.yml
- sbom_file_path:
- description: The path of the sbom-lite file
- default: sbom.json
- silk_group_prefix:
- description: The prefix to use for the silk asset group, defaults to the repo name
 artifactory_image:
 description: Image to use for artifactory
 default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
-
+ # Unused inputs, to be removed in V3.
+ sbom_file_path:
+ description: The path of the sbom-lite file
+ default: sbom.json
+ silk_group_prefix:
+ description: The prefix to use for the silk asset group, defaults to the repo name
 runs:
 using: composite
 steps:
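Review bot: In create-branch/action.yml the retired inputs `sbom_file_path` and `silk_group_prefix` are marked only by the YAML comment `# Unused inputs, to be removed in V3.`, which a calling workflow never sees. Adding `deprecationMessage: No longer used; will be removed in v3.` under each of them would log a warning in the caller's run whenever the input is still set. The same applies to the `silk_asset_group` inputs moved in full-report, golang/publish, python/post-publish and sbom. `sbom_file_path` also keeps `default: sbom.json`, so it is still populated on every run even though it is described as unused.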
@@ -43,7 +43,6 @@ runs:
 SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
 RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
 EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
- SILK_PREFIX: ${{ inputs.silk_group_prefix }}
 ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
 run: ${{ github.action_path }}/create-branch.sh
 - uses: mongodb-labs/drivers-github-tools/bump-version@v2
diff --git a/create-branch/create-branch.sh b/create-branch/create-branch.sh
index af30c77..c8daeea 100755
--- a/create-branch/create-branch.sh
+++ b/create-branch/create-branch.sh
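Review bot: The step's `env:` block in create-branch/action.yml still exports `SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}` after this hunk, although the same commit lists that input under "Unused inputs" and removes the SBOM rewrite from create-branch.sh. If nothing in the rest of the script reads it (everything after `echo "Add the changed files."` is outside the diff), remove that line together with `SILK_PREFIX`. If the script still stages the file, the input is not actually unused and the comment should say so. The enclosing step starts above the hunk.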
@@ -9,66 +9,7 @@ git ls-remote --exit-code --heads https://github.com/${OWNER_REPO}.git refs/head git fetch origin $BRANCH || true git checkout $BRANCH -echo "Get silk creds." -# shellcheck disable=SC2046 -export $(grep -v '^#' $SILKBOMB_ENVFILE | xargs -0) - -echo "Get a silk token." -SILK_JWT_TOKEN=$(curl -s -X POST "https://silkapi.us1.app.silk.security/api/v1/authenticate" \ - -H "accept: application/json" -H "Content-Type: application/json" \ - -d '{ "client_id": "'${SILK_CLIENT_ID}'", "client_secret": "'${SILK_CLIENT_SECRET}'" }' \ - | jq -r '.token') - -echo "Get the silk asset group prefix." -if [ -z "${SILK_PREFIX:-}" ]; then - REPO="${OWNER_REPO##*/}" - SILK_PREFIX=${REPO} -fi -SILK_GROUP="${SILK_PREFIX}-${BRANCH}" - -echo "Create the silk asset group." -json_payload=$(cat <> $GITHUB_STEP_SUMMARY - -echo "Create a temp sbom." -TMP_SBOM=sbom-for-${BRANCH}.json -podman run --platform="linux/amd64" --rm -v "$(pwd)":/pwd \ - ${ARTIFACTORY_IMAGE}/silkbomb:1.0 \ - update --sbom-out /pwd/${TMP_SBOM} - -echo "Get the new timestamp and serial number." -set -x -SERIAL=$(jq -r '.serialNumber' ${TMP_SBOM}) -TIMESTAMP=$(jq -r '.metadata.timestamp' ${TMP_SBOM}) -rm ${TMP_SBOM} - -cat ${SBOM_FILE_PATH} -echo "Replace the values in the existing sbom." -cat <<< "$(jq --indent 4 '.serialNumber = "'${SERIAL}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH} -cat <<< "$(jq --indent 4 '.metadata.timestamp = "'${TIMESTAMP}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH} -cat ${SBOM_FILE_PATH} - -echo "Update the workflow with the silk asset group and evergreen project." -sed -i 's/SILK_ASSET_GROUP:.*/SILK_ASSET_GROUP: '${SILK_GROUP}'/' ${RELEASE_WORKFLOW_PATH} +echo "Update the workflow with the new evergreen project." sed -i 's/EVERGREEN_PROJECT:.*/EVERGREEN_PROJECT: '${EVERGREEN_PROJECT}'/' ${RELEASE_WORKFLOW_PATH} echo "Add the changed files." diff --git a/full-report/action.yml b/full-report/action.yml index ddce9c9..2d4c16b 100644 --- a/full-report/action.yml 
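Review bot: In create-branch.sh the surviving `sed -i 's/EVERGREEN_PROJECT:.*/EVERGREEN_PROJECT: '${EVERGREEN_PROJECT}'/' ${RELEASE_WORKFLOW_PATH}` splices an action input into the sed program unquoted, so a value containing `/`, `&` or whitespace either breaks the substitution or changes what is written into the release workflow. This is now the only edit the script makes to a workflow file that is then committed and pushed, so the value should be validated before use, for example `case "$EVERGREEN_PROJECT" in ''|*[!A-Za-z0-9._-]*) echo "invalid evergreen_project" >&2; exit 1;; esac` (adjust the character set to the project naming rules). Both expansions should then be quoted: `sed -i "s/EVERGREEN_PROJECT:.*/EVERGREEN_PROJECT: ${EVERGREEN_PROJECT}/" "${RELEASE_WORKFLOW_PATH}"`. `$BRANCH` in the `git fetch` and `git checkout` context lines is unquoted as well; the script continues past the hunk.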
+++ b/full-report/action.yml
@@ -18,9 +18,6 @@ inputs:
 sbom_file_name:
 description: The name of the augmented sbom file.
 default: cyclonedx.sbom.json
- # No longer used.
- silk_asset_group:
- description: The Silk Asset Group for the Project
 third_party_dependency_tool:
 description: The name of the tool used to track 3rd party dependencies.
 default: Silk
@@ -34,6 +31,9 @@ inputs:
 description: The distribution filename or glob pattern
 token:
 description: The GitHub access token
+ # No longer used, to be removed in V3.
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
 
 runs:
 using: composite
diff --git a/golang/publish/action.yml b/golang/publish/action.yml
index 029b977..5abe52e 100644
--- a/golang/publish/action.yml
+++ b/golang/publish/action.yml
@@ -7,9 +7,6 @@ inputs:
 prev_version:
 description: The previous version
 required: true
- silk_asset_group:
- description: The Silk Asset Group
- required: true
 evergreen_project:
 description: The evergreen project name.
 required: true
@@ -18,6 +15,11 @@ inputs:
 default: "true"
 token:
 description: The GitHub token
+ # No longer used, to be removed in V3.
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
+ required: false
+
 runs:
 using: composite
 steps:
@@ -30,7 +32,7 @@ runs:
 with:
 product_name: mongo-go-driver
 release_version: ${{ inputs.version }}
- silk_asset_group: ${{ inputs.silk_asset_group }}
+ sbom_in_file: sbom.json
 evergreen_project: ${{ inputs.evergreen_project }}
 evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }}
 security_report_location: ${{ env.SECURITY_REPORT_URL }}
diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml
index 2585ea6..f7eeb1e 100644
--- a/python/post-publish/action.yml
+++ b/python/post-publish/action.yml
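Review bot: In full-report/action.yml the context line `default: Silk` under `third_party_dependency_tool` is left as is while the commit retires the Silk asset group everywhere else. If this value ends up in the generated report as the name of the dependency-tracking tool, it would now name a tool the pipeline no longer uses; confirm whether the default should change in the same commit.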
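Review bot: In golang/publish/action.yml the replaced `with:` entry passes `sbom_in_file: sbom.json`, but the step's `uses:` line is outside the hunk and the sbom action's script in this same commit reads `${SBOM_IN_PATH}`, so it is worth confirming that the called action declares an input with exactly this name. GitHub only warns on an unexpected input, so a mismatch would not fail the release run and would be easy to miss. Hard-coding `sbom.json` also removes any way for a caller to point at a different file; exposing it as an input with that default would keep the behaviour and the flexibility.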
@@ -20,10 +20,6 @@ inputs:
 kondukto_sub_project:
 description: The Kondukto sub-project name (appended to the branch name)
 required: false
- # No longer used.
- silk_asset_group:
- description: The Silk Asset Group for the Project
- required: false
 evergreen_project:
 description: The evergreen project name.
 required: true
@@ -41,6 +37,10 @@ inputs:
 dry_run:
 description: Whether this is a dry run
 required: true
+ # No longer used, to be removed in V3.
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
+ required: false
 
 runs:
 using: composite
diff --git a/sbom/action.yml b/sbom/action.yml
index 5634ecb..b13d675 100644
--- a/sbom/action.yml
+++ b/sbom/action.yml
@@ -13,7 +13,7 @@ inputs:
 artifactory_image:
 description: Image to use for artifactory
 default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
- # no longer used
+ # No longer used, to be removed in V3.
 silk_asset_group:
 description: The Silk Asset Group for the Project
 required: false
@@ -29,13 +29,19 @@ runs:
 ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
 SBOM_FILE_NAME: ${{ inputs.sbom_file_name }}
 run: |
- set -eux
+ set -eu
 if [ -n "${KONDUKTO_SUB_PROJECT}" ]; then
 KONDUKTO_BRANCH="${GITHUB_REF_NAME}_${KONDUKTO_SUB_PROJECT}"
 else
 KONDUKTO_BRANCH="${GITHUB_REF_NAME}"
 fi
 echo "Generating SBOM file for ${KONDUKTO_BRANCH}..."
+ echo "Updating SBOM file..."
+ podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
+ --env-file=${KONDUKTO_ENVFILE} \
+ ${ARTIFACTORY_IMAGE} \
+ update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number
+ echo "Augumenting SBOM file..."
 podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
 --env-file=${KONDUKTO_ENVFILE} \
 ${ARTIFACTORY_IMAGE} \
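Review bot: In sbom/action.yml the new `update` invocation expands `${SBOM_IN_PATH}`, which is not among the `env:` entries visible in this hunk; with `set -eu` an unset variable aborts the step, so confirm it is exported above the hunk, where the `env:` block starts. The output name is hard-coded as `/pwd/cyclonedx.sbom.json` although `SBOM_FILE_NAME` is passed in, so a caller overriding `sbom_file_name` may get the updated file under a different name than the later steps expect; `--sbom-out "/pwd/${SBOM_FILE_NAME}"` would keep them in step, assuming the augment call (its arguments are outside the hunk) reads that name. The expansions should be quoted, e.g. `-v "${RELEASE_ASSETS}:/pwd"`, `--env-file="${KONDUKTO_ENVFILE}"` and `"/repo/${SBOM_IN_PATH}"`. If `update` works purely on the local file, drop `--env-file` from that call so the Kondukto credentials reach only the invocation that needs them. "Augumenting" in the added echo should read "Augmenting".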