From 1c62d6faf0c7fe3512b1015d55f5965dec92525b Mon Sep 17 00:00:00 2001
From: Leo Antoli <430982+lantoli@users.noreply.github.com>
Date: Mon, 15 Sep 2025 18:20:41 +0200
Subject: [PATCH 01/15] remove release_github

---
 .github/workflows/release.yml | 92 ----------------------------------
 1 file changed, 92 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a25e11ec..252d24cb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -277,95 +277,3 @@ jobs: labels: failed-release title: Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Go Module Repository failed body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - release_github: - name: Publish to GitHub Releases - needs: [release, release_npm, release_maven, release_pypi, release_nuget, release_golang] - runs-on: ubuntu-latest - permissions: - contents: write - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} - GITHUB_REF: ${{ github.ref }} - run: errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! 
grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Releases failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - - name: Generate PURL and SBOM - run: | - ./scripts/compliance/gen-purls.sh - ./scripts/compliance/gen-sbom.sh - env: - SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} - - name: Upload SBOM to Kondukto - run: ./scripts/compliance/upload-sbom.sh - env: - KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} - SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} - KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} - KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - - name: Generate SSDLC report - run: | - AUTHOR="${{ github.actor }}" - export AUTHOR - VERSION="${{ steps.extract-version.outputs.VERSION }}" - export VERSION - ./scripts/compliance/gen-ssdlc-report.sh - env: - KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} - SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} - KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} - KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec - with: - gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }} - git_user_signingkey: true - git_commit_gpgsign: true - - name: Commit changes - shell: bash - run: | - if [[ $(git status --porcelain) ]]; then - git pull - git config --local user.email svc-api-experience-integrations-escalation@mongodb.com - git config 
--local user.name svc-apix-bot - git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }} - git add compliance/v*/* - git commit -m "chore: Update SSDLC report for ${{ steps.extract-version.outputs.VERSION }}" - git push origin - else - echo "No changes to commit." - fi - - name: Upload SBOM as release artifact - uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 - with: - files: compliance/sbom.json - tag_name: ${{ steps.extract-version.outputs.VERSION }} - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From aa26284bf75f222295ea4e0630a32234c8ec9874 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 18:21:49 +0200 Subject: [PATCH 02/15] remove succesful releases --- .github/workflows/release.yml | 95 +---------------------------------- 1 file changed, 1 insertion(+), 94 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 252d24cb..ebbe298c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -91,49 +91,7 @@ jobs: labels: failed-release title: Publishing v${{ steps.extract-version.outputs.VERSION }} to npm failed body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - release_maven: - name: Publish to Maven Central - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 - with: - distribution: temurin - java-version: 11.x - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Release - env: - MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} - MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSPHRASE }} - MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} - MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }} - MAVEN_STAGING_PROFILE_ID: ${{ secrets.MAVEN_STAGING_PROFILE_ID }} - MAVEN_SERVER_ID: ${{ vars.MAVEN_SERVER_ID }} - run: npx -p publib@latest publib-maven - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to Maven Central failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + release_pypi: name: Publish to PyPI needs: release 
@@ -187,57 +145,6 @@ jobs: labels: failed-release title: Publishing v${{ steps.extract-version.outputs.VERSION }} to PyPI failed body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - release_nuget: - name: Publish to NuGet Gallery - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 - with: - dotnet-version: 9.0.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Extract Version - id: extract-version - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Log in to MongoDB Docker registry - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 - with: - registry: ${{ secrets.ARTIFACTORY_REGISTRY }} - username: ${{ secrets.ARTIFACTORY_USER }} - password: ${{ secrets.ARTIFACTORY_PASSWORD }} - - name: Sign NuGet package - run: | - docker run \ - -e GRS_CONFIG_USER1_USERNAME="${{ secrets.ARTIFACTORY_SIGN_USER }}" \ - -e GRS_CONFIG_USER1_PASSWORD="${{ secrets.ARTIFACTORY_SIGN_PASSWORD }}" \ - --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \ - "${{ secrets.ARTIFACTORY_REGISTRY }}/${{ secrets.ARTIFACTORY_SIGN_TOOL }}" \ - /bin/bash -c "jsign --tsaurl http://timestamp.digicert.com -a ${{ secrets.AUTHENTICODE_KEY_NAME }} \ - ./dist/dotnet/MongoDB.AWSCDKResourcesMongoDBAtlas.${{ steps.extract-version.outputs.VERSION }}.nupkg" - - name: Release - env: - NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} - run: npx -p publib@latest publib-nuget - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - 
labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to NuGet Gallery failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} release_golang: name: Publish to GitHub Go Module Repository needs: release From 6332746aa859f4da4f4dacdb88c24a3cf03831dd Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 18:24:36 +0200 Subject: [PATCH 03/15] relese_npm --- .github/workflows/release.yml | 38 +---------------------------------- 1 file changed, 1 insertion(+), 37 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ebbe298c..2ea76d8a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -55,43 +55,7 @@ jobs: name: build-artifact path: dist overwrite: true - release_npm: - name: Publish to npm - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Publish to npm with provenance - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - cd dist/js - npm publish --provenance --access public --tag latest - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to npm failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - + release_pypi: name: Publish to PyPI needs: release From 5f262130b5d005b9f4351a8d664da895e5b70497 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 18:25:20 +0200 Subject: [PATCH 04/15] release_pypi --- .github/workflows/release.yml | 53 ----------------------------------- 1 file changed, 53 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2ea76d8a..1ce5809c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -56,59 +56,6 @@ jobs: path: dist overwrite: true - release_pypi: - name: Publish to PyPI - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: 3.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec - with: - gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }} - - name: GPG sign PyPI distributions - run: | - for file in dist/python/*.whl dist/python/*.tar.gz; do - if [ -f "$file" ]; then - gpg --batch --yes --pinentry-mode loopback --passphrase "$APIX_BOT_GPG_PASSPHRASE" --detach-sign -a "$file" - fi - done - env: - APIX_BOT_GPG_PASSPHRASE: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }} - - - name: Upload to PyPI - env: - TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }} - TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} - run: twine upload dist/* - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to PyPI failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} release_golang: name: Publish to GitHub Go Module Repository needs: release From a98ca91e6bb8ea0065d0178371e11b25498745bd Mon Sep 17 00:00:00 2001 
From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 18:25:41 +0200 Subject: [PATCH 05/15] don't create issue --- .github/workflows/release.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1ce5809c..5dd504a7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -88,10 +88,3 @@ jobs: id: extract-version if: ${{ failure() }} run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Go Module Repository failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} From 7af59e71688d77c7d7e8b2bd4c262b7a376af4ef Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 19:22:21 +0200 Subject: [PATCH 06/15] python --- .github/workflows/release.yml | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5dd504a7..b0638238 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,8 +56,8 @@ jobs: path: dist overwrite: true - release_golang: - name: Publish to GitHub Go Module Repository + release_pypi: + name: Publish to PyPI needs: release runs-on: ubuntu-latest permissions: @@ -67,9 +67,9 @@ jobs: - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 with: node-version: 18.x - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 + - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c with: - go-version: ^1.16.0 + python-version: 3.x - name: Download build artifacts uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: 
@@ -78,12 +78,26 @@ jobs: - name: Restore build artifact permissions run: cd dist && setfacl --restore=permissions-backup.acl continue-on-error: true - - name: Release + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec + with: + gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }} + - name: GPG sign PyPI distributions + run: | + for file in dist/python/*.whl dist/python/*.tar.gz; do + if [ -f "$file" ]; then + gpg --batch --yes --pinentry-mode loopback --passphrase "$APIX_BOT_GPG_PASSPHRASE" --detach-sign -a "$file" + fi + done + env: + APIX_BOT_GPG_PASSPHRASE: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }} + + - name: Upload to PyPI env: - GITHUB_TOKEN: ${{ secrets.GO_GITHUB_TOKEN }} - GIT_USER_NAME: ${{ secrets.GO_GIT_USER_NAME }} - GIT_USER_EMAIL: ${{ secrets.GO_GIT_USER_EMAIL }} - run: npx -p publib@latest publib-golang + TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }} + TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} + run: twine upload dist/* - name: Extract Version id: extract-version if: ${{ failure() }} From 05f4bd4bc47fc00a65c248e48714438b9c11f5dd Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 19:56:16 +0200 Subject: [PATCH 07/15] install twine --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b0638238..48e5e0a0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -97,7 +97,9 @@ jobs: env: TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }} TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} - run: twine upload dist/* + run: | + pip install twine + twine upload dist/* - name: Extract Version id: extract-version if: ${{ failure() }} From 9008dced913f8a7acbc00a2dbee6d226eacea7f2 Mon Sep 17 00:00:00 2001 
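Review bot: The new `GPG sign PyPI distributions` step writes detached `.asc` signatures next to the wheels, but nothing in this job publishes them: the `twine upload` glob (here `dist/*`, narrowed to `*.whl`/`*.tar.gz` in PATCH 08) never matches them, and PyPI no longer accepts uploaded PGP signatures, so the step spends `APIX_BOT_GPG_PRIVATE_KEY` on output with no consumer. It also puts the passphrase on the `gpg` command line (`--passphrase "$APIX_BOT_GPG_PASSPHRASE"`), where other processes on the runner can read it from the argument list; `--passphrase-fd 0` with the value piped from the env variable avoids that. If signatures are wanted, attach them to the GitHub release instead; otherwise drop the two steps. For the upload itself, PyPI trusted publishing (`pypa/gh-action-pypi-publish` with `id-token: write`) would remove the long-lived `TWINE_USERNAME`/`TWINE_PASSWORD` secrets from the job.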
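Review bot: `pip install twine` in the new `run:` block installs whatever version is current at release time, in a job that holds the PyPI credentials, while every `uses:` in this file is pinned to a commit SHA. Pin it, e.g. `pip install twine==<pinned-version>` (ideally with `--require-hashes` from a requirements file), so the publishing tool cannot change underneath the release.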
From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 20:12:13 +0200 Subject: [PATCH 08/15] only upload python specific files --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 48e5e0a0..e32d388f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -99,7 +99,7 @@ jobs: TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} run: | pip install twine - twine upload dist/* + twine upload dist/python/*.whl dist/python/*.tar.gz - name: Extract Version id: extract-version if: ${{ failure() }} From 911c971b62a102b26bcece54ad22fa6f72042c3a Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 20:20:09 +0200 Subject: [PATCH 09/15] release_npm back, don't create issues --- .github/workflows/release.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e32d388f..c8e8dce7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -104,3 +104,33 @@ jobs: id: extract-version if: ${{ failure() }} run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" + + release_npm: + name: Publish to npm + needs: release + runs-on: ubuntu-latest + permissions: + contents: read + issues: write + steps: + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 + with: + node-version: 18.x + - name: Download build artifacts + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 + with: + name: build-artifact + path: dist + - name: Restore build artifact permissions + run: cd dist && setfacl --restore=permissions-backup.acl + continue-on-error: true + - name: Publish to npm with provenance + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + run: | + cd dist/js + npm publish --provenance --access public --tag latest + - name: Extract Version + id: extract-version + if: ${{ failure() }} + run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" From 7d1cd9a67da99202c4a7544ca0257ce9d9462d79 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 20:22:49 +0200 Subject: [PATCH 10/15] npm provedance --- .github/workflows/release.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c8e8dce7..d3238958 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -126,10 +126,9 @@ jobs: continue-on-error: true - name: Publish to npm with provenance env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - cd dist/js - npm publish --provenance --access public --tag latest + NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_CONFIG_PROVENANCE: true + run: npx -p publib@latest publib-npm - name: Extract Version id: extract-version if: ${{ failure() }} From 584c59fdb2c2a0f2669651067adfd42ae5c23f0f Mon Sep 17 00:00:00 2001 
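Review bot: The re-added `release_npm` job grants `issues: write`, but as the commit title says it no longer contains a `Create Issue` step, so the permission is unused; remove that line and keep the job at `contents: read`. The same unused grant reappears in `release_github` in PATCH 13.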
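Review bot: `npx -p publib@latest publib-npm` resolves and executes an unpinned package at release time with `NPM_TOKEN` in its environment, so a compromised or broken publib release flows straight into the publish step; pin it to an exact version (`npx -p publib@<pinned-version> publib-npm`) the way every `uses:` in the file is pinned to a SHA. As a point of style, env values are strings, so `NPM_CONFIG_PROVENANCE: "true"` states the intent more plainly than the bare boolean, which GitHub stringifies anyway.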
From: Leo Antoli <430982+lantoli@users.noreply.github.com>
Date: Mon, 15 Sep 2025 20:23:03 +0200
Subject: [PATCH 11/15] remove pypy

---
 .github/workflows/release.yml | 49 -----------------------------------
 1 file changed, 49 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d3238958..af940cf3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,55 +56,6 @@ jobs: path: dist overwrite: true - release_pypi: - name: Publish to PyPI - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: 3.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec - with: - gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }} - - name: GPG sign PyPI distributions - run: | - for file in dist/python/*.whl dist/python/*.tar.gz; do - if [ -f "$file" ]; then - gpg --batch --yes --pinentry-mode loopback --passphrase "$APIX_BOT_GPG_PASSPHRASE" --detach-sign -a "$file" - fi - done - env: - APIX_BOT_GPG_PASSPHRASE: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }} - - - name: Upload to PyPI - env: - TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }} - TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} - run: | - pip install twine - twine upload dist/python/*.whl dist/python/*.tar.gz - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - release_npm: name: Publish to npm needs: release From 6add3c123c59c092a17c8bc525a64b959358023a Mon Sep 17 00:00:00 2001 
From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 20:31:59 +0200 Subject: [PATCH 12/15] id-token: write for error: Provenance generation in GitHub Actions requires "write" access to the "id-token" permission --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index af940cf3..a5e9f35e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -63,6 +63,7 @@ jobs: permissions: contents: read issues: write + id-token: write steps: - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 with: From 7170ce0dc3ce3e09aab0bdf240eda187b23c9039 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 20:35:34 +0200 Subject: [PATCH 13/15] release_github --- .github/workflows/release.yml | 85 +++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a5e9f35e..f499f63a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -85,3 +85,88 @@ jobs: id: extract-version if: ${{ failure() }} run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" + + + release_github: + name: Publish to GitHub Releases + needs: [release, release_npm] + runs-on: ubuntu-latest + permissions: + contents: write + issues: write + steps: + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 + with: + node-version: 18.x + - name: Download build artifacts + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 + with: + name: build-artifact + path: dist + - name: Restore build artifact permissions + run: cd dist && setfacl --restore=permissions-backup.acl + continue-on-error: true + - name: Release + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_REPOSITORY: ${{ github.repository }} + GITHUB_REF: ${{ github.ref }} + run: errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! 
grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi + - name: Extract Version + id: extract-version + if: ${{ failure() }} + run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" + - name: Generate PURL and SBOM + run: | + ./scripts/compliance/gen-purls.sh + ./scripts/compliance/gen-sbom.sh + env: + SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} + - name: Upload SBOM to Kondukto + run: ./scripts/compliance/upload-sbom.sh + env: + KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} + SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} + KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} + KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + - name: Generate SSDLC report + run: | + AUTHOR="${{ github.actor }}" + export AUTHOR + VERSION="${{ steps.extract-version.outputs.VERSION }}" + export VERSION + ./scripts/compliance/gen-ssdlc-report.sh + env: + KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} + SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} + KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} + KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec + with: + gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }} + git_user_signingkey: true + git_commit_gpgsign: true + - name: Commit changes + shell: bash + run: | + if [[ $(git status --porcelain) ]]; then + git pull + git config --local user.email svc-api-experience-integrations-escalation@mongodb.com + git config --local user.name svc-apix-bot + git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }} + git add compliance/v*/* + git commit -m "chore: Update SSDLC report for ${{ steps.extract-version.outputs.VERSION }}" + git push origin + else + echo "No changes to commit." 
+ fi + - name: Upload SBOM as release artifact + uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 + with: + files: compliance/sbom.json + tag_name: ${{ steps.extract-version.outputs.VERSION }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 8092558df38bed8945dfa2190cc3d1701ec8a104 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 20:53:03 +0200 Subject: [PATCH 14/15] checks dir for purl and sbom scripts --- .github/workflows/release.yml | 41 ++++------------------------------- 1 file changed, 4 insertions(+), 37 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f499f63a..10081ba8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,40 +56,10 @@ jobs: path: dist overwrite: true - release_npm: - name: Publish to npm - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - id-token: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Publish to npm with provenance - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_CONFIG_PROVENANCE: true - run: npx -p publib@latest publib-npm - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - release_github: name: Publish to GitHub Releases - needs: [release, release_npm] + needs: [release] runs-on: ubuntu-latest permissions: contents: write 
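Review bot: The steps added after `Release` consume `steps.extract-version.outputs.VERSION` (the SSDLC report, the commit message and the `tag_name` of `Upload SBOM as release artifact`), but `Extract Version` keeps `if: ${{ failure() }}`, so on the success path the output is empty and the report, commit and release tag are produced for version "". Drop that `if:` line (or move the step ahead of `Release`) so the version is always available. `git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/...` writes the PAT into the repository's `.git/config` and expands a secret inline in the shell script; passing it to `actions/checkout` via its `token:` input keeps the credential in the git credential helper and out of the script text. `issues: write` is granted although the job has no issue-creating step, and the GPG step reads `secrets.APIX_BOT_PASSPHRASE` whereas the PyPI job in PATCH 06 reads `secrets.APIX_BOT_GPG_PASSPHRASE` — worth confirming both names are intended.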
@@ -106,16 +76,13 @@ jobs: - name: Restore build artifact permissions run: cd dist && setfacl --restore=permissions-backup.acl continue-on-error: true - - name: Release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} - GITHUB_REF: ${{ github.ref }} - run: errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi - name: Extract Version id: extract-version if: ${{ failure() }} run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" + - uses: mxschmitt/action-tmate@v3 + with: + limit-access-to-actor: true - name: Generate PURL and SBOM run: | ./scripts/compliance/gen-purls.sh From 661835dd4b2263ec1b7f144c2d34068311e48312 Mon Sep 17 00:00:00 2001 From: Leo Antoli <430982+lantoli@users.noreply.github.com> Date: Mon, 15 Sep 2025 21:24:53 +0200 Subject: [PATCH 15/15] checkout before using scripts --- .github/workflows/release.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 10081ba8..d4a42eb3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -80,9 +80,7 @@ jobs: id: extract-version if: ${{ failure() }} run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - uses: mxschmitt/action-tmate@v3 - with: - limit-access-to-actor: true + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Generate PURL and SBOM run: | ./scripts/compliance/gen-purls.sh 
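Review bot: The added `mxschmitt/action-tmate@v3` step opens an interactive session on a runner that holds `APIX_BOT_PAT`, `APIX_BOT_GPG_PRIVATE_KEY` and `KONDUKTO_TOKEN`, in a job with `contents: write`, and it is pinned to a mutable tag while every other action in the file is pinned to a SHA; the commit title does not mention it. PATCH 15 removes it again, but a debugging step like this belongs on a throwaway branch behind a `workflow_dispatch` input, not in the release workflow. Removing `gh release create` also changes what this job does: the only release-creating step left is `softprops/action-gh-release` with `tag_name: ${{ steps.extract-version.outputs.VERSION }}`, which is empty on success because `Extract Version` is still failure-only, and which, unlike the removed step, uses neither `dist/releasetag.txt` nor `dist/changelog.md`, so the job name `Publish to GitHub Releases` no longer describes its behaviour.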
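Review bot: `actions/checkout` now runs after `Download build artifacts` has populated `dist/`; to my understanding the action clears a workspace that is not already a git repository before cloning, so if `scripts/compliance/gen-purls.sh` or `gen-sbom.sh` read anything from `dist/`, confirm it survives, or move the checkout to the top of the job and download the artifact afterwards. The scripts also still run with `steps.extract-version.outputs.VERSION` unset on the success path, since `Extract Version` above them keeps `if: ${{ failure() }}`; the enclosing job starts outside this hunk.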
@@ -96,7 +94,6 @@ jobs: SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Generate SSDLC report run: | AUTHOR="${{ github.actor }}"