From 72a08d03ac41b6feb4a34899ff3d8e7885db91d0 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 09:33:30 -0600
Subject: [PATCH 1/9] DRIVERS-3110 Follow up for Kondukto migration

---
 create-branch/action.yml | 13 ++++----
 create-branch/create-branch.sh | 61 +---------------------------------
 full-report/action.yml | 6 ++--
 golang/publish/action.yml | 10 +++---
 python/post-publish/action.yml | 8 ++---
 sbom/action.yml | 6 +++-
 6 files changed, 25 insertions(+), 79 deletions(-)

diff --git a/create-branch/action.yml b/create-branch/action.yml
index 9879dca..a322a19 100644
--- a/create-branch/action.yml
+++ b/create-branch/action.yml
@@ -23,15 +23,15 @@ inputs:
 release_workflow_path:
 description: The path to the release workflow file
 default: .github/workflows/release.yml
- sbom_file_path:
- description: The path of the sbom-lite file
- default: sbom.json
- silk_group_prefix:
- description: The prefix to use for the silk asset group, defaults to the repo name
 artifactory_image:
 description: Image to use for artifactory
 default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
-
+ # Unused inputs, to be removed in V3.
+ sbom_file_path:
+ description: The path of the sbom-lite file
+ default: sbom.json
+ silk_group_prefix:
+ description: The prefix to use for the silk asset group, defaults to the repo name
 runs:
 using: composite
 steps:
@@ -43,7 +43,6 @@ runs:
 SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
 RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
 EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
- SILK_PREFIX: ${{ inputs.silk_group_prefix }}
 ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
 run: ${{ github.action_path }}/create-branch.sh
 - uses: mongodb-labs/drivers-github-tools/bump-version@v2
diff --git a/create-branch/create-branch.sh b/create-branch/create-branch.sh
index af30c77..c8daeea 100755
--- a/create-branch/create-branch.sh
+++ b/create-branch/create-branch.sh
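Review bot: In the second hunk `SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}` and `ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}` are still exported to create-branch.sh, although this commit removes the only visible uses of both from that script (the sbom-lite rewrite and the podman run) and the first hunk now labels `sbom_file_path` as unused. Dropping those two env lines would make the step match its own comment; I cannot see the rest of the script, so check for other readers first. If `artifactory_image` is likewise dead after this change, it belongs under the same `# Unused inputs, to be removed in V3.` comment rather than above it.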
@@ -9,66 +9,7 @@ git ls-remote --exit-code --heads https://github.com/${OWNER_REPO}.git refs/head
 git fetch origin $BRANCH || true
 git checkout $BRANCH
-echo "Get silk creds."
-# shellcheck disable=SC2046
-export $(grep -v '^#' $SILKBOMB_ENVFILE | xargs -0)
-
-echo "Get a silk token."
-SILK_JWT_TOKEN=$(curl -s -X POST "https://silkapi.us1.app.silk.security/api/v1/authenticate" \
- -H "accept: application/json" -H "Content-Type: application/json" \
- -d '{ "client_id": "'${SILK_CLIENT_ID}'", "client_secret": "'${SILK_CLIENT_SECRET}'" }' \
- | jq -r '.token')
-
-echo "Get the silk asset group prefix."
-if [ -z "${SILK_PREFIX:-}" ]; then
- REPO="${OWNER_REPO##*/}"
- SILK_PREFIX=${REPO}
-fi
-SILK_GROUP="${SILK_PREFIX}-${BRANCH}"
-
-echo "Create the silk asset group."
-json_payload=$(cat <> $GITHUB_STEP_SUMMARY
-
-echo "Create a temp sbom."
-TMP_SBOM=sbom-for-${BRANCH}.json
-podman run --platform="linux/amd64" --rm -v "$(pwd)":/pwd \
- ${ARTIFACTORY_IMAGE}/silkbomb:1.0 \
- update --sbom-out /pwd/${TMP_SBOM}
-
-echo "Get the new timestamp and serial number."
-set -x
-SERIAL=$(jq -r '.serialNumber' ${TMP_SBOM})
-TIMESTAMP=$(jq -r '.metadata.timestamp' ${TMP_SBOM})
-rm ${TMP_SBOM}
-
-cat ${SBOM_FILE_PATH}
-echo "Replace the values in the existing sbom."
-cat <<< "$(jq --indent 4 '.serialNumber = "'${SERIAL}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH}
-cat <<< "$(jq --indent 4 '.metadata.timestamp = "'${TIMESTAMP}'"' ${SBOM_FILE_PATH})" > ${SBOM_FILE_PATH}
-cat ${SBOM_FILE_PATH}
-
-echo "Update the workflow with the silk asset group and evergreen project."
-sed -i 's/SILK_ASSET_GROUP:.*/SILK_ASSET_GROUP: '${SILK_GROUP}'/' ${RELEASE_WORKFLOW_PATH}
+echo "Update the workflow with the new evergreen project."
 sed -i 's/EVERGREEN_PROJECT:.*/EVERGREEN_PROJECT: '${EVERGREEN_PROJECT}'/' ${RELEASE_WORKFLOW_PATH}
 echo "Add the changed files."
diff --git a/full-report/action.yml b/full-report/action.yml
index ddce9c9..2d4c16b 100644
--- a/full-report/action.yml
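Review bot: The surviving `sed -i 's/EVERGREEN_PROJECT:.*/EVERGREEN_PROJECT: '${EVERGREEN_PROJECT}'/' ${RELEASE_WORKFLOW_PATH}` splices an action input into the sed expression outside the single quotes, so a value containing `/`, `&`, whitespace or a newline either aborts the script (if it runs under `set -e`, which is set above the hunk if at all) or writes something other than the intended key into the release workflow. Now that the silk block in front of it is gone, this is the only thing the script does with that input, so it is worth guarding before the sed: `[[ "${EVERGREEN_PROJECT}" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Invalid EVERGREEN_PROJECT: ${EVERGREEN_PROJECT}" >&2; exit 1; }`. The same applies to `${RELEASE_WORKFLOW_PATH}`, which is passed unquoted. The script continues outside the hunk.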
+++ b/full-report/action.yml
@@ -18,9 +18,6 @@ inputs:
 sbom_file_name:
 description: The name of the augmented sbom file.
 default: cyclonedx.sbom.json
- # No longer used.
- silk_asset_group:
- description: The Silk Asset Group for the Project
 third_party_dependency_tool:
 description: The name of the tool used to track 3rd party dependencies.
 default: Silk
@@ -34,6 +31,9 @@ inputs:
 description: The distribution filename or glob pattern
 token:
 description: The GitHub access token
+ # No longer used, to be removed in V3.
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
 runs:
 using: composite
diff --git a/golang/publish/action.yml b/golang/publish/action.yml
index 029b977..5abe52e 100644
--- a/golang/publish/action.yml
+++ b/golang/publish/action.yml
@@ -7,9 +7,6 @@ inputs:
 prev_version:
 description: The previous version
 required: true
- silk_asset_group:
- description: The Silk Asset Group
- required: true
 evergreen_project:
 description: The evergreen project name.
 required: true
@@ -18,6 +15,11 @@ inputs:
 default: "true"
 token:
 description: The GitHub token
+ # No longer used, to be removed in V3.
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
+ required: false
+
 runs:
 using: composite
 steps:
@@ -30,7 +32,7 @@ runs:
 with:
 product_name: mongo-go-driver
 release_version: ${{ inputs.version }}
- silk_asset_group: ${{ inputs.silk_asset_group }}
+ sbom_in_file: sbom.json
 evergreen_project: ${{ inputs.evergreen_project }}
 evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }}
 security_report_location: ${{ env.SECURITY_REPORT_URL }}
diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml
index 2585ea6..f7eeb1e 100644
--- a/python/post-publish/action.yml
+++ b/python/post-publish/action.yml
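Review bot: The third golang hunk passes `sbom_in_file: sbom.json`, but everywhere else in this series the input is spelled `sbom_in_path` (the full-report gate `inputs.sbom_in_path` in later patches, `SBOM_IN_PATH` in sbom/action.yml), so if this `with:` block feeds full-report (the `uses:` line is above the hunk) the value is dropped as an unknown input and, with `silk_asset_group` no longer passed, the SBOM step is skipped silently instead of failing. Renaming it to `sbom_in_path: sbom.json` and checking the called action's declared inputs would confirm. In the full-report hunk, `third_party_dependency_tool` keeps `default: Silk` next to an input now marked unused; if Kondukto replaces Silk as the tracking tool the default wants updating here, otherwise a one-line comment on why it stays.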
@@ -20,10 +20,6 @@ inputs:
 kondukto_sub_project:
 description: The Kondukto sub-project name (appended to the branch name)
 required: false
- # No longer used.
- silk_asset_group:
- description: The Silk Asset Group for the Project
- required: false
 evergreen_project:
 description: The evergreen project name.
 required: true
@@ -41,6 +37,10 @@ inputs:
 dry_run:
 description: Whether this is a dry run
 required: true
+ # No longer used, to be removed in V3.
+ silk_asset_group:
+ description: The Silk Asset Group for the Project
+ required: false
 runs:
 using: composite
diff --git a/sbom/action.yml b/sbom/action.yml
index 5634ecb..2fceee7 100644
--- a/sbom/action.yml
+++ b/sbom/action.yml
@@ -13,7 +13,7 @@ inputs:
 artifactory_image:
 description: Image to use for artifactory
 default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
- # no longer used
+ # No longer used, to be removed in V3.
 silk_asset_group:
 description: The Silk Asset Group for the Project
 required: false
@@ -36,6 +36,10 @@ runs:
 KONDUKTO_BRANCH="${GITHUB_REF_NAME}"
 fi
 echo "Generating SBOM file for ${KONDUKTO_BRANCH}..."
+ podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
+ --env-file=${KONDUKTO_ENVFILE} \
+ ${ARTIFACTORY_IMAGE} \
+ update --sbom-in /repo/${SBOM_IN_PATH} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json
 podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
 --env-file=${KONDUKTO_ENVFILE} \
 ${ARTIFACTORY_IMAGE} \
From 8bad106f6891685fda03438375a25c3de8df3fbb Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 09:37:50 -0600
Subject: [PATCH 2/9] update readme

---
 README.md | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 61ccf6b..6f323b8 100644
--- a/README.md
+++ b/README.md
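Review bot: The `podman run` added to sbom/action.yml expands `${RELEASE_ASSETS}`, `$(pwd)` and `${SBOM_IN_PATH}` unquoted in the `-v` and `--sbom-in` arguments, so a path containing a space splits into extra arguments, and an empty `SBOM_IN_PATH` makes it run `update --sbom-in /repo/` against a directory instead of failing early. Quoting them (`-v "${RELEASE_ASSETS}":/pwd -v "$(pwd)":/repo` and `--sbom-in "/repo/${SBOM_IN_PATH}"`) plus a `[ -n "${SBOM_IN_PATH}" ] || { echo "sbom_in_path is required" >&2; exit 1; }` before the two runs makes the failure explicit; the augment run below the hunk has the same quoting gap. `-it` also asks for a TTY that an Actions step does not provide, so unless the image reads stdin it can go. The `run:` block continues outside the hunk.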
@@ -258,17 +258,10 @@ filename along with the resulting location in the bucket is printed.
 ## Create Release Branch
 Use this action to create a release branch and populate it with metadata.
-It will create a new Silk Asset Group, update the SBOM-lite file,
-update the ``SILK_ASSET_GROUP`` and ``EVERGREEN_PROJECT`` env variables
+It will update ``EVERGREEN_PROJECT`` env variable
 in the release workflow file, bump the version to a prerelease version, and push the changes.
-> [!Note]
-> You will need to wait overnight before making a release on
-> the new branch to allow Silk to be populated, so it is recommended to
-> make a minor/major release prior to creating a release branch, or create the
-> release branch at least one day before a planned release.
-
 ```yaml
 - name: Setup
 uses: mongodb-labs/drivers-github-tools/setup@v2
From 5b9b572b6aaf9a7c121f109056c8ab30f068f374 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 09:40:08 -0600
Subject: [PATCH 3/9] internal test

---
 full-report/action.yml | 2 +-
 python/post-publish/action.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/full-report/action.yml b/full-report/action.yml
index 2d4c16b..dcb5d2f 100644
--- a/full-report/action.yml
+++ b/full-report/action.yml
@@ -48,7 +48,7 @@ runs:
 - name: Generate SBOM File
 # not all packages have third party dependencies, and so not all packages integrate with silk.
 if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
- uses: mongodb-labs/drivers-github-tools/sbom@v2
+ uses: mongodb-labs/drivers-github-tools/sbom@DRIVERS-3110
 with:
 silk_asset_group: ${{ inputs.silk_asset_group }}
 sbom_file_name: ${{ inputs.sbom_file_name }}
diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml
index f7eeb1e..97c9c3d 100644
--- a/python/post-publish/action.yml
+++ b/python/post-publish/action.yml
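Review bot: The Generate SBOM File step in full-report is still gated by `if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}` and still forwards `silk_asset_group:` to the sbom action, while patch 1 marks that input "No longer used, to be removed in V3."; as long as the gate depends on it, a caller that drops the input without setting `sbom_in_path` skips SBOM generation with no error. The comment above it, `# not all packages have third party dependencies, and so not all packages integrate with silk.`, also still describes the Silk world; rewording it to name `sbom_in_path` as the opt-in (`# packages without third party dependencies set no sbom_in_path and skip SBOM generation.`) would match the new gate once `silk_asset_group` is dropped from it. The `@DRIVERS-3110` branch ref introduced here is reverted in patch 9, which is the right end state, since a branch ref is mutable.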
@@ -65,7 +65,7 @@ runs:
 shell: bash
 run: |
 echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- - uses: mongodb-labs/drivers-github-tools/full-report@v2
+ - uses: mongodb-labs/drivers-github-tools/full-report@DRIVERS-3110
 with:
 product_name: ${{ inputs.product_name }}
 release_version: ${{ inputs.version }}
From f2eded29147dd4bab10e2d69d77c675b0d6db7a4 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 09:57:27 -0600
Subject: [PATCH 4/9] update output

---
 sbom/action.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sbom/action.yml b/sbom/action.yml
index 2fceee7..e930d72 100644
--- a/sbom/action.yml
+++ b/sbom/action.yml
@@ -29,17 +29,19 @@ runs:
 ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
 SBOM_FILE_NAME: ${{ inputs.sbom_file_name }}
 run: |
- set -eux
+ set -eu
 if [ -n "${KONDUKTO_SUB_PROJECT}" ]; then
 KONDUKTO_BRANCH="${GITHUB_REF_NAME}_${KONDUKTO_SUB_PROJECT}"
 else
 KONDUKTO_BRANCH="${GITHUB_REF_NAME}"
 fi
 echo "Generating SBOM file for ${KONDUKTO_BRANCH}..."
+ echo "Updating SBOM file..."
 podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
 --env-file=${KONDUKTO_ENVFILE} \
 ${ARTIFACTORY_IMAGE} \
 update --sbom-in /repo/${SBOM_IN_PATH} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json
+ echo "Augumenting SBOM file..."
 podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
 --env-file=${KONDUKTO_ENVFILE} \
 ${ARTIFACTORY_IMAGE} \
From 4d32ee6c3aaefe55dda80c0e8538bdfff7e3b3ef Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 09:58:09 -0600
Subject: [PATCH 5/9] fix update usage

---
 sbom/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sbom/action.yml b/sbom/action.yml
index e930d72..ab966cf 100644
--- a/sbom/action.yml
+++ b/sbom/action.yml
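Review bot: The new log line `echo "Augumenting SBOM file..."` misspells the word; it should read `echo "Augmenting SBOM file..."`. Dropping `-x` from `set -eux` is a reasonable trade since the two new echoes now mark each phase, but with tracing gone a failing `podman run` prints only the tool's own output, so consider keeping the branch name in the per-phase messages (`echo "Updating SBOM file for ${KONDUKTO_BRANCH}..."`) so the log still says which Kondukto branch was targeted. The `run:` block continues outside the hunk.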
@@ -40,7 +40,7 @@ runs:
 podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
 --env-file=${KONDUKTO_ENVFILE} \
 ${ARTIFACTORY_IMAGE} \
- update --sbom-in /repo/${SBOM_IN_PATH} --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json
+ update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json
 echo "Augumenting SBOM file..."
 podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
 --env-file=${KONDUKTO_ENVFILE} \
From 6bdee236f8b9ea5a24ed7d67f1932c7b5f3b8c45 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 10:20:50 -0600
Subject: [PATCH 6/9] Revert "internal test"

This reverts commit 5b9b572b6aaf9a7c121f109056c8ab30f068f374.

---
 full-report/action.yml | 2 +-
 python/post-publish/action.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/full-report/action.yml b/full-report/action.yml
index dcb5d2f..2d4c16b 100644
--- a/full-report/action.yml
+++ b/full-report/action.yml
@@ -48,7 +48,7 @@ runs:
 - name: Generate SBOM File
 # not all packages have third party dependencies, and so not all packages integrate with silk.
 if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
- uses: mongodb-labs/drivers-github-tools/sbom@DRIVERS-3110
+ uses: mongodb-labs/drivers-github-tools/sbom@v2
 with:
 silk_asset_group: ${{ inputs.silk_asset_group }}
 sbom_file_name: ${{ inputs.sbom_file_name }}
diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml
index 97c9c3d..f7eeb1e 100644
--- a/python/post-publish/action.yml
+++ b/python/post-publish/action.yml
@@ -65,7 +65,7 @@ runs:
 shell: bash
 run: |
 echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- - uses: mongodb-labs/drivers-github-tools/full-report@DRIVERS-3110
+ - uses: mongodb-labs/drivers-github-tools/full-report@v2
 with:
 product_name: ${{ inputs.product_name }}
 release_version: ${{ inputs.version }}
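Review bot: After this hunk the `update` invocation no longer takes `--repo` or `--branch`, so it looks like a purely local rewrite of `/repo/${SBOM_IN_PATH}` into `/pwd/cyclonedx.sbom.json`, yet the `--env-file=${KONDUKTO_ENVFILE}` line just above it still hands the Kondukto credentials to that container. If the tool performs no upload in this mode, drop `--env-file` from the first `podman run` and keep it only on the augment run that still needs Kondukto; if it does still authenticate, a comment on that line saying so would stop the next reader from removing it. The `run:` block continues outside the hunk.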
From 40e4eb4ae0ac4158fb3b5d0376740cf61bbc9a4d Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 10:27:15 -0600
Subject: [PATCH 7/9] Revert "Revert "internal test""

This reverts commit 6bdee236f8b9ea5a24ed7d67f1932c7b5f3b8c45.

---
 full-report/action.yml | 2 +-
 python/post-publish/action.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/full-report/action.yml b/full-report/action.yml
index 2d4c16b..dcb5d2f 100644
--- a/full-report/action.yml
+++ b/full-report/action.yml
@@ -48,7 +48,7 @@ runs:
 - name: Generate SBOM File
 # not all packages have third party dependencies, and so not all packages integrate with silk.
 if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
- uses: mongodb-labs/drivers-github-tools/sbom@v2
+ uses: mongodb-labs/drivers-github-tools/sbom@DRIVERS-3110
 with:
 silk_asset_group: ${{ inputs.silk_asset_group }}
 sbom_file_name: ${{ inputs.sbom_file_name }}
diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml
index f7eeb1e..97c9c3d 100644
--- a/python/post-publish/action.yml
+++ b/python/post-publish/action.yml
@@ -65,7 +65,7 @@ runs:
 shell: bash
 run: |
 echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- - uses: mongodb-labs/drivers-github-tools/full-report@v2
+ - uses: mongodb-labs/drivers-github-tools/full-report@DRIVERS-3110
 with:
 product_name: ${{ inputs.product_name }}
 release_version: ${{ inputs.version }}
From fd8f589910cd75bf695bfd2d766c82812bd19114 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 10:27:25 -0600
Subject: [PATCH 8/9] add flag

---
 sbom/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sbom/action.yml b/sbom/action.yml
index ab966cf..b13d675 100644
--- a/sbom/action.yml
+++ b/sbom/action.yml
@@ -40,7 +40,7 @@ runs:
 podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
 --env-file=${KONDUKTO_ENVFILE} \
 ${ARTIFACTORY_IMAGE} \
- update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json
+ update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number
 echo "Augumenting SBOM file..."
 podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
 --env-file=${KONDUKTO_ENVFILE} \
From 2a395cf5003c7c1be99751f13f2b0acfcd9c484e Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 24 Feb 2025 10:44:57 -0600
Subject: [PATCH 9/9] use upstream

---
 full-report/action.yml | 2 +-
 python/post-publish/action.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/full-report/action.yml b/full-report/action.yml
index dcb5d2f..2d4c16b 100644
--- a/full-report/action.yml
+++ b/full-report/action.yml
@@ -48,7 +48,7 @@ runs:
 - name: Generate SBOM File
 # not all packages have third party dependencies, and so not all packages integrate with silk.
 if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
- uses: mongodb-labs/drivers-github-tools/sbom@DRIVERS-3110
+ uses: mongodb-labs/drivers-github-tools/sbom@v2
 with:
 silk_asset_group: ${{ inputs.silk_asset_group }}
 sbom_file_name: ${{ inputs.sbom_file_name }}
diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml
index 97c9c3d..f7eeb1e 100644
--- a/python/post-publish/action.yml
+++ b/python/post-publish/action.yml
@@ -65,7 +65,7 @@ runs:
 shell: bash
 run: |
 echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
- - uses: mongodb-labs/drivers-github-tools/full-report@DRIVERS-3110
+ - uses: mongodb-labs/drivers-github-tools/full-report@v2
 with:
 product_name: ${{ inputs.product_name }}
 release_version: ${{ inputs.version }}
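Review bot: `--generate-new-serial-number` is added to the `update` run without saying why; patch 1 removed the serial/timestamp rewrite from create-branch.sh, so this flag appears to be where a fresh `serialNumber` is now minted for each release, and that link is recorded nowhere in the file. A comment above the first `podman run`, such as `# Mint a fresh serialNumber per release; create-branch no longer rewrites the checked-in sbom-lite.`, would preserve it, and the README section edited in patch 2 could state that the published SBOM's serial number differs from the committed `sbom.json`. I cannot see the tool's documentation from here, so confirm the flag also refreshes the timestamp the old script set, or the augmented SBOM keeps the stale one. The `run:` block continues outside the hunk.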