mongodb · comandeo-mongo · May 20, 2025 · May 20, 2025
@@ -306,7 +306,7 @@ functions:
         script: |
           set -ex
           cd ./libmongocrypt/bindings/python
-          PYTHON=${PYTHON} ./release.sh
+          PYTHON=${PYTHON} ./scripts/release.sh
 
   "upload python release":
     - command: archive.targz_pack
@@ -383,10 +383,7 @@ functions:
         script: |
           # Authenticate to artifactory.
           echo "${artifactory_password}" | docker login --password-stdin --username "${artifactory_username}" artifactory.corp.mongodb.com
-          # TODO(MONGOCRYPT-747): remove `--persist-build=false`. 
-          # Pass `--persist-build=false` to avoid using Docker Hub.
-          # Earthly hardcodes use of docker/dockerfile-copy:v0.1.9 for the CACHE command.
-          bash ${workdir}/libmongocrypt/.evergreen/earthly.sh ${args} --persist-build=false
+          bash ${workdir}/libmongocrypt/.evergreen/earthly.sh ${args}
 
   sbom:
     - command: ec2.assume_role
@@ -967,8 +964,6 @@ tasks:
         shell: bash
         script: |-
           set -o errexit
-          # Authenticate to artifactory for signing image.
-          echo "${artifactory_password}" | docker login --password-stdin --username "${artifactory_username}" artifactory.corp.mongodb.com
           # Copy file to sign into `libmongocrypt` directory to be used by Earthly.
           cp libmongocrypt_upload.tar.gz libmongocrypt
     - func: "earthly" # Sign tarball.

@@ -48,4 +48,4 @@ fi
 
 chmod a+x "$exe_path"
 
-"$exe_path" --buildkit-image "artifactory.corp.mongodb.com/dockerhub/earthly/buildkitd:v${EARTHLY_VERSION}" "$@"
+"$exe_path" "$@"
@@ -10,6 +10,11 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '17 10 * * 2'
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
 
 jobs:
   analyze-python:
@@ -27,18 +32,19 @@ jobs:
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        ref: ${{ inputs.ref }}
         persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3
       with:
         languages: actions
         build-mode: none
         # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         queries: security-extended
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3
       with:
         category: "/language:actions"
@@ -42,7 +42,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3
       with:
         languages: python
         build-mode: none
@@ -55,12 +55,12 @@ jobs:
     - name: Install package
       run: |
         cd bindings/python
-        export LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+        export LIBMONGOCRYPT_VERSION=$(cat ./scripts/libmongocrypt-version.txt)
         git fetch origin $LIBMONGOCRYPT_VERSION
-        bash release.sh
+        bash ./scripts/release.sh
         pip install dist/*.whl
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3
       with:
         category: "/language:python"
@@ -54,9 +54,9 @@ jobs:
 
       - name: Build and test dist files
         run: |
-          export LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+          export LIBMONGOCRYPT_VERSION=$(cat ./scripts/libmongocrypt-version.txt)
           git fetch origin $LIBMONGOCRYPT_VERSION
-          bash ./release.sh
+          bash ./scripts/release.sh
 
       - uses: actions/upload-artifact@v4
         with:

@@ -3,9 +3,6 @@ name: Python Release
 on:
   workflow_dispatch:
     inputs:
-      version:
-        description: "The new version to set"
-        required: true
       following_version:
         description: "The post (dev) version to set"
       dry_run:
@@ -24,7 +21,6 @@ env:
   # to 'false' when the input is set to 'false'.
   DRY_RUN: ${{ ! contains(inputs.dry_run, 'false') }}
   FOLLOWING_VERSION: ${{ inputs.following_version || '' }}
-  VERSION: ${{ inputs.version || '10.10.10.10' }}
 
 defaults:
   run:
@@ -54,7 +50,6 @@ jobs:
       - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
         id: pre-publish
         with:
-          version: ${{ env.VERSION }}
           working_directory: ./bindings/python
           dry_run: ${{ env.DRY_RUN }}
           tag_template: "pymongocrypt-${VERSION}"
@@ -66,14 +61,20 @@ jobs:
     with:
       ref: ${{ needs.pre-publish.outputs.version }}
 
-  static-scan:
+  static-python:
     needs: [pre-publish]
     uses: ./.github/workflows/codeql-python.yml
     with:
       ref: ${{ needs.pre-publish.outputs.version }}
 
+  static-actions:
+    needs: [pre-publish]
+    uses: ./.github/workflows/codeql-actions.yml
+    with:
+      ref: ${{ needs.pre-publish.outputs.version }}
+
   publish:
-    needs: [build-dist, static-scan]
+    needs: [build-dist, static-python, static-actions]
     name: Upload release to PyPI
     runs-on: ubuntu-latest
     environment: release-python
@@ -86,14 +87,14 @@ jobs:
           name: all-dist-${{ github.run_id }}
           path: dist/
       - name: Publish package distributions to TestPyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
         with:
           repository-url: https://test.pypi.org/legacy/
           skip-existing: true
           attestations: ${{ env.DRY_RUN }}
       - name: Publish package distributions to PyPI
         if: startsWith(env.DRY_RUN, 'false')
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
 
   post-publish:
     needs: [publish]
@@ -117,7 +118,6 @@ jobs:
           artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
       - uses: mongodb-labs/drivers-github-tools/python/post-publish@v2
         with:
-          version: ${{ env.VERSION }}
           following_version: ${{ env.FOLLOWING_VERSION }}
           working_directory: ./bindings/python
           product_name: ${{ env.PRODUCT_NAME }}

@@ -40,6 +40,7 @@ jobs:
     if: github.repository_owner == 'mongodb'
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
         python-version: ["3.8", "3.13"]
@@ -59,6 +60,6 @@ jobs:
           if [ "${{ matrix.python-version }}" == "3.13" ]; then 
             export PIP_PRE=1
           fi
-          export LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt)
+          export LIBMONGOCRYPT_VERSION=$(cat ./scripts/libmongocrypt-version.txt)
           git fetch origin $LIBMONGOCRYPT_VERSION
-          bash ./release.sh
+          bash ./scripts/release.sh
@@ -19,15 +19,15 @@ jobs:
         with:
           persist-credentials: false
       - name: Setup Rust
-        uses: actions-rust-lang/setup-rust-toolchain@v1
+        uses: actions-rust-lang/setup-rust-toolchain@9d7e65c320fdb52dcd45ffaa68deb6c02c8754d9 # v1
       - name: Get zizmor
         run: cargo install zizmor
       - name: Run zizmor
         run: zizmor --format sarif . > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
         with:
           sarif_file: results.sarif
           category: zizmor
@@ -53,6 +53,18 @@ repos:
     language: system
     types: [shell]
 
+- repo: local
+  hooks:
+    - id: synchro
+      name: synchro
+      entry: bash ./bindings/python/scripts/synchro.sh
+      language: python
+      require_serial: true
+      fail_fast: true
+      additional_dependencies:
+        - ruff==0.1.3
+        - unasync
+
 - repo: https://github.com/astral-sh/ruff-pre-commit
   # Ruff version.
   rev: v0.1.3

@@ -1,4 +1,12 @@
 # ChangeLog
+## 1.14.0
+### Fixed
+- Fix building against libbson with extra alignment enabled (`ENABLE_EXTRA_ALIGNMENT=ON`).
+- Retry KMS encrypt request for context created by `mongocrypt_ctx_rewrap_many_datakey_init`.
+### Improvements
+- Improve performance of OpenSSL crypto operations.
+- Improve error for incorrect path to crypt_shared library.
+
 ## 1.13.2
 ### Notes
 - Bump downloaded libbson version from 1.28.1 to 1.30.3. Fixes a CMake configure error on macOS with CMake 4.

@@ -108,13 +108,15 @@ set (MONGOCRYPT_SOURCES
    src/mc-fle2-encryption-placeholder.c
    src/mc-fle2-find-equality-payload.c
    src/mc-fle2-find-equality-payload-v2.c
+   src/mc-fle2-find-text-payload.c
    src/mc-fle2-payload-iev.c
    src/mc-fle2-payload-iev-v2.c
    src/mc-fle2-payload-uev.c
    src/mc-fle2-payload-uev-common.c
    src/mc-fle2-payload-uev-v2.c
    src/mc-fle2-rfds.c
    src/mc-fle2-tag-and-encrypted-metadata-block.c
+   src/mc-parse-utils.c
    src/mc-range-edge-generation.c
    src/mc-range-mincover.c
    src/mc-range-encoding.c
@@ -469,6 +471,7 @@ set (TEST_MONGOCRYPT_SOURCES
    test/test-mc-fle2-encryption-placeholder.c
    test/test-mc-fle2-find-equality-payload-v2.c
    test/test-mc-fle2-find-range-payload-v2.c
+   test/test-mc-fle2-find-text-payload.c
    test/test-mc-fle2-payload-iev.c
    test/test-mc-fle2-payload-iev-v2.c
    test/test-mc-fle2-payload-iup.c
@@ -533,6 +536,8 @@ target_compile_definitions (test-mongocrypt PRIVATE
    "TEST_MONGOCRYPT_OUTPUT_PATH=\"$<TARGET_FILE:test-mongocrypt>\""
    # Tell test-mongocrypt whether we have a real csfle library for testing
    TEST_MONGOCRYPT_HAVE_REAL_CRYPT_SHARED_LIB=$<BOOL:${MONGOCRYPT_TESTING_CRYPT_SHARED_FILE}>
+   # Tell test-mongocrypt the path of the libmongocrypt shared library for testing.
+   "TEST_MONGOCRYPT_MONGOCRYPT_SHARED_PATH=\"$<TARGET_FILE:mongocrypt>\""
    )
 
 add_test (
@@ -712,4 +717,3 @@ install (
    COMPONENT
       Devel
 )
-
@@ -1,4 +1,7 @@
 # Code Owners will automatically be added as reviewers on PRs
 
+# Listing code owners is required by DRIVERS-3098
+* @mongodb/dbx-c-cxx
+
 # Python Bindings
-bindings/python @mongodb/dbx-python
+bindings/python @mongodb/dbx-python
Original file line number	Diff line number	Diff line change
Expand Up		@@ -48,4 +48,4 @@ fi

		chmod a+x "$exe_path"

		"$exe_path" --buildkit-image "artifactory.corp.mongodb.com/dockerhub/earthly/buildkitd:v${EARTHLY_VERSION}" "$@"
		"$exe_path" "$@"