Merged
53 changes: 47 additions & 6 deletions README.md
Expand Up @@ -5,7 +5,47 @@

This repository contains GitHub Actions that are common to drivers.

## Secure Checkout
## Working on Actions

Many of the actions in this repo depend on one another. There is no supported way to reference
another action using a relative path. Therefore the recommended approach is to
set all of the relative actions to your branch name while working on a feature,
then reverting to the version tag before merging.

## Consuming Actions

It is recommended that you use Dependabot and use an explicit reference when
using these actions. This will allow Dependabot to update to a more recent sha
and allow you to accept updates to the actions as needed.

Example `dependabot.yml`:

```yaml
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
groups:
actions:
patterns:
- "*"
```

Example usage with references:

```yaml
- name: secure-checkout
uses: mongodb-labs/drivers-github-tools/secure-checkout@40b8ff3c0decd1388587fcc3d0a36d4818a054a6 # v2
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
```

## Basic Actions

### Secure Checkout

This action will perform a checkout with the GitHub App credentials.

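Review bot: the "Working on Actions" paragraph tells contributors to point cross-action references at a branch name and revert to the version tag before merging, but nothing in the hunk enforces that revert; suggest adding a CI check (for example, a grep over the repo's action definitions for `drivers-github-tools/` references that are not followed by a tag or a full commit SHA) so a mutable branch reference cannot be merged by accident. In "Consuming Actions", say "pin to the full commit SHA" rather than "use an explicit reference", since that is what the example below it actually shows (a 40-character SHA with a `# v2` comment); a tag like `v2` can be moved to a different commit, a SHA cannot, and the trailing comment is what keeps the pinned version readable for humans and for Dependabot's update PRs. Also, the `dependabot.yml` snippet as rendered here has lost its indentation (`directory:`, `schedule:` and `groups:` must be nested under the `- package-ecosystem` item), so double-check the committed file renders as valid YAML.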
Expand All @@ -21,8 +61,7 @@ By default it will use the current `${{github.ref}}` if the `ref` parameter is
not given. It will write the secure global variable `GH_TOKEN` that can be
used with the `gh` cli.


## Setup
### Setup

There is a common setup action that is meant to be run before all
other actions. It handles fetching secrets from AWS Secrets Manager,
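Review bot: demoting `## Setup` to `### Setup` places it after Secure Checkout under "Basic Actions", yet the paragraph states the setup action "is meant to be run before all other actions"; either move this subsection ahead of Secure Checkout or add one sentence saying whether Secure Checkout is an exception to that ordering, so readers do not put Setup in the wrong place in their workflows. Removing the extra blank line is fine.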
Expand Down Expand Up @@ -212,7 +251,9 @@ There are several ways to specify the security report:
- By specifying a relative path, which is then linked to the corresponding git blob for the tagged version
- By adding the `security-report-url` to the AWS Secrets Vault

## Full Report
## Other Common Actions

### Full Report

This action is a convenience function to handle all of the SSDLC reports and put them
in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbom`, `code-scanning-export`, and `compliance-report` actions.
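Review bot: the new `## Other Common Actions` heading has no text under it before `### Full Report`; a one-line description of what distinguishes these from "Basic Actions" (for example, that they are release-time actions which write into the `S3_ASSETS` folder and depend on the Setup action having run) would help readers navigate the restructured README.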
Expand All @@ -232,7 +273,7 @@ in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbo
dist_filenames: dist/*
```

## Upload S3 assets
### Upload S3 assets

A number of scripts create files in the `tmp/s3_assets` folder, which then can
be uploaded to the product's S3 bucket:
Expand All @@ -255,7 +296,7 @@ By default, all files in the S3 directory are uploaded. When the `dry_run` input
is set to anything other than `false`, no files are uploaded, but instead the
filename along with the resulting location in the bucket is printed.

## Create Release Branch
### Create Release Branch

Use this action to create a release branch and populate it with metadata.
It will update ``EVERGREEN_PROJECT`` env variable
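Review bot: style, the unchanged context line `It will update ``EVERGREEN_PROJECT`` env variable` uses double backticks, which is reStructuredText inline-literal syntax, in a Markdown file; since this hunk already touches the section heading, switch it to single backticks (`` `EVERGREEN_PROJECT` ``) so the name renders as code.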