RUBY-3504 SSDLC processes for libmongocrypt-helper (#10)

Author: jamis

.github/workflows/cleanup.yml

@@ -0,0 +1,44 @@
+name: "Dry-Run Cleanup"
+run-name: "Dry Run Cleanup for ${{ github.ref }}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm:
+        description: Indicate whether you want this workflow to run (must be "true")
+        required: true
+        type: string
+      tag:
+        description: The name of the tag (and release) to clean up
+        required: true
+        type: string
+
+jobs:
+  release:
+    name: "Dry-Run Cleanup"
+    environment: release
+    runs-on: 'ubuntu-latest'
+    if: ${{ inputs.confirm == 'true' }}
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: write
+
+      # required by the mongodb-labs/drivers-github-tools/setup@v2 step
+      # also required by `rubygems/release-gem`
+      id-token: write
+
+    steps:
+      - name: "Run the cleanup action"
+        uses: mongodb-labs/drivers-github-tools/ruby/cleanup@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          tag: ${{ inputs.tag }}

.github/workflows/codeql.yml

@@ -0,0 +1,50 @@
+name: "CodeQL"
+
+on: [ push, pull_request ]
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 360
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: ruby
+          build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        config: |
+          paths-ignore:
+            - etc
+            - ext/libmongocrypt/libmongocrypt
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/release.yml

@@ -0,0 +1,66 @@
+name: "Release"
+run-name: "Release for ${{ github.ref }}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: Is this a dry run?
+        required: true
+        default: true
+        type: boolean
+
+env:
+  RELEASE_MESSAGE_TEMPLATE: |
+    Version {0} of the [libmongocrypt helper for Ruby](https://rubygems.org/gems/libmongocrypt-helper) is now available.
+
+    **Release Highlights**
+
+    TODO: one or more paragraphs describing important changes in this release
+
+    **Documentation**
+
+    Documentation is available at [MongoDB.com](https://www.mongodb.com/docs/ruby-driver/current/).
+
+    **Installation**
+
+    You may install this version via RubyGems, with:
+
+    gem install --version {0} libmongocrypt-helper
+
+jobs:
+  release:
+    name: "Release"
+    environment: release
+    runs-on: 'ubuntu-latest'
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: write
+
+      # required by the mongodb-labs/drivers-github-tools/setup@v2 step
+      # also required by `rubygems/release-gem`
+      id-token: write
+
+    steps:
+      - name: "Run the publish action"
+        uses: mongodb-labs/drivers-github-tools/ruby/publish@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          dry_run: ${{ inputs.dry_run }}
+          gem_name: libmongocrypt-helper
+          product_name: Libmongocrypt Helper for Ruby
+          product_id: libmongocrypt-helper-ruby
+          release_message_template: ${{ env.RELEASE_MESSAGE_TEMPLATE }}
+          silk_asset_group: libmongocrypt-helper-ruby

README.maint.md

@@ -10,11 +10,11 @@ Edit `lib/libmongocrypt_helper/version.rb` and:
 2. Update the `VERSION` constant to the version of the helper, which is
 derived from `libmongocrypt` version as described below.
 3. Download the source code of the corresponding version of `libmongocrypt` from
-https://github.com/mongodb/libmongocrypt/releases/, and unpack it to
+<https://github.com/mongodb/libmongocrypt/releases/>, and unpack it to
 `ext/libmongocrypt/libmongocrypt`.
 4. Update the SBOM lite file by running `etc/update-sbom.sh`
 5. Commit the changes including the new shared library.
-6Run `./release.sh` to create a gem and push it to RubyGems.
+6. Create a PR for the changes. Once approved and merged, run the "Release" action on GitHub to create and publish the new gem.
 
 ## Helper Version Scheme
 

Rakefile

@@ -1,14 +1,5 @@
 require 'bundler'
-require 'bundler/gem_tasks'
 require 'rubygems/package'
-require 'rubygems/security/policies'
-
-def signed_gem?(path_to_gem)
-  Gem::Package.new(path_to_gem, Gem::Security::HighSecurity).verify
-  true
-rescue Gem::Security::Exception => e
-  false
-end
 
 desc 'Compiles the libmongocrypt library'
 task :compile do
@@ -17,18 +8,46 @@ task :compile do
   end
 end
 
-desc 'Verifies that all built gems in pkg/ are valid'
-task :verify do
-  gems = Dir['pkg/*.gem']
-  if gems.empty?
-    puts 'There are no gems in pkg/ to verify'
-  else
-    gems.each do |gem|
-      if signed_gem?(gem)
-        puts "#{gem} is signed"
-      else
-        abort "#{gem} is not signed"
-      end
-    end
+desc 'NOT USED'
+task :build do
+  abort <<~WARNING
+    `rake build` does nothing in this project. The gem must be built via
+    the `Release` action on GitHub, which is triggered manually when
+    a new release is ready.
+  WARNING
+end
+
+# `rake version` is used by the deployment system so get the release version
+# of the product beng deployed. It must do nothing more than just print the
+# product version number.
+#
+# See the mongodb-labs/driver-github-tools/ruby/publish Github action.
+desc 'Print the current value of Mongo::VERSION'
+task :version do
+  require_relative 'lib/libmongocrypt_helper/version'
+
+  puts LibmongocryptHelper::VERSION
+end
+
+# overrides the default Bundler-provided `release` task, which also
+# builds the gem. Our release process assumes the gem has already
+# been built (and signed via GPG), so we just need `rake release` to
+# push the gem to rubygems.
+desc 'USED BY GITHUB ACTIONS'
+task :release do
+  require_relative 'lib/libmongocrypt_helper/version'
+
+  if ENV['GITHUB_ACTION'].nil?
+    abort <<~WARNING
+      `rake release` must be invoked from the `Release` GitHub action,
+      and must not be invoked locally. This ensures the gem is properly signed
+      and distributed by the appropriate user.
+
+      Note that it is the `rubygems/release-gem@v1` step in the `Release`
+      action that invokes this task. Do not rename or remove this task, or the
+      release-gem step will fail. Reimplement this task with caution.
+    WARNING
   end
+
+  system 'gem', 'push', "libmongocrypt-helper-#{LibmongocryptHelper::VERSION}.gem"
 end

gem-public_cert.pem

@@ -1,4 +1,4 @@
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'libmongocrypt_helper/version'
 
@@ -21,14 +21,7 @@ Gem::Specification.new do |s|
     'source_code_uri' => 'https://github.com/mongodb/libmongocrypt-helper-ruby'
   }
 
-  if File.exist?('gem-private_key.pem')
-    s.signing_key = 'gem-private_key.pem'
-    s.cert_chain = ['gem-public_cert.pem']
-  else
-    warn "[#{s.name}] Warning: No private key present, creating unsigned gem."
-  end
-
-  #s.files = %w(CONTRIBUTING.md CHANGELOG.md LICENSE NOTICE README.md Rakefile)
+  # s.files = %w(CONTRIBUTING.md CHANGELOG.md LICENSE NOTICE README.md Rakefile)
   s.extensions = ['ext/libmongocrypt/extconf.rb']
   s.files = Dir.glob('lib/**/*') + Dir.glob('ext/**/*') - [File.join('ext/libmongocrypt/libmongocrypt/build')]