mongodb
diff --git a/‎.evergreen/config.yml‎
Lines changed: 33 additions & 68 deletions b/‎.evergreen/config.yml‎
Lines changed: 33 additions & 68 deletions
diff --git a/‎.github/workflows/scorecard.yml‎
Lines changed: 78 additions & 0 deletions b/‎.github/workflows/scorecard.yml‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 6 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 0 deletions b/‎README.md‎
Lines changed: 3 additions & 0 deletions
@@ -26,6 +26,11 @@ timeout:
       args: [ls, -la]
 
 functions:
+  assume-test-secrets-ec2-role: 
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
+
   setup-system:
     # Executes clone and applies the submitted patch, if any
     - command: git.get_project
@@ -109,9 +114,13 @@ functions:
         display_name: test_suite.tgz
 
   bootstrap-mongohoused:
+    - command: ec2.assume_role
+      params:
+        role_arn: ${aws_test_secrets_role}
     - command: subprocess.exec
       params:
         binary: bash
+        add_expansions_to_env: true
         args: 
           - ${DRIVERS_TOOLS}/.evergreen/atlas_data_lake/pull-mongohouse-image.sh
     - command: subprocess.exec
@@ -204,6 +213,7 @@ functions:
       type: test
       params:
         binary: bash
+        add_expansions_to_env: true
         env:
           BASE_SHA: "${revision}"
           HEAD_SHA: "${github_commit}"
@@ -214,6 +224,7 @@ functions:
       type: test
       params:
         binary: bash
+        add_expansions_to_env: true
         env:
           COMMIT: "${github_commit}"
           PR_TASK: apply-labels
@@ -224,6 +235,7 @@ functions:
       type: test
       params:
         binary: bash
+        add_expansions_to_env: true
         env:
           COMMIT: "${github_commit}"
           PR_TASK: assign-reviewer
@@ -376,20 +388,6 @@ functions:
         binary: bash
         args: [*task-runner, evg-test-load-balancers]
 
-  run-serverless-tests:
-    - command: subprocess.exec
-      type: test
-      params:
-        binary: "bash"
-        env:
-          SERVERLESS: "serverless"
-        args: [*task-runner, setup-test]
-    - command: subprocess.exec
-      type: test
-      params:
-        binary: "bash"
-        args: [*task-runner, evg-test-serverless]
-
   run-atlas-data-lake-test:
     - command: subprocess.exec
       type: test
@@ -652,6 +650,7 @@ tasks:
   - name: pull-request-helpers
     allowed_requesters: ["patch", "github_pr"]
     commands:
+      - func: assume-test-secrets-ec2-role
       - func: "add PR reviewer"  
       - func: "add PR labels"
       - func: "create-api-report"
@@ -1606,14 +1605,6 @@ tasks:
       - func: start-cse-servers
       - func: run-retry-kms-requests
 
-  - name: "test-serverless"
-    tags: ["serverless"]
-    commands:
-      - func: start-cse-servers
-      - func: "run-serverless-tests"
-        vars:
-          MONGO_GO_DRIVER_COMPRESSOR: "snappy"
-
   - name: "testgcpkms-task"
     commands:
     - command: subprocess.exec
@@ -1636,20 +1627,24 @@ tasks:
 
   - name: "testawskms-task"
     commands:
+    - func: assume-test-secrets-ec2-role
     - command: subprocess.exec
       type: test
       params:
         binary: "bash"
+        add_expansions_to_env: true
         args: [*task-runner, test-awskms]
 
   - name: "testawskms-fail-task"
     # testawskms-fail-task runs without environment variables.
     # It is expected to fail to obtain credentials.
     commands:
+    - func: assume-test-secrets-ec2-role
     - command: subprocess.exec
       type: test
       params:
         binary: "bash"
+        add_expansions_to_env: true
         env: 
           EXPECT_ERROR: 'status=400'
         args: [*task-runner, test-awskms]
@@ -1660,16 +1655,19 @@ tasks:
       type: test
       params:
         binary: bash
+        add_expansions_to_env: true
         args: [*task-runner, test-azurekms]
 
   - name: "testazurekms-fail-task"
     # testazurekms-fail-task runs without environment variables.
     # It is expected to fail to obtain credentials.
     commands:
+    - func: assume-test-secrets-ec2-role
     - command: subprocess.exec
       type: test
       params:
         binary: bash
+        add_expansions_to_env: true
         env:
           EXPECT_ERROR: "1"
         args: [*task-runner, test-azurekms]
@@ -1681,19 +1679,15 @@ tasks:
 
   - name: "test-aws-lambda-deployed"
     commands:
-      - command: ec2.assume_role
-        params:
-          role_arn: ${LAMBDA_AWS_ROLE_ARN}
-          duration_seconds: 3600
       - command: subprocess.exec
         type: test
         params:
           binary: bash
+          add_expansions_to_env: true
           env:
             TEST_LAMBDA_DIRECTORY: ${PROJECT_DIRECTORY}/internal/cmd/faas/awslambda
             LAMBDA_STACK_NAME: dbx-go-lambda
             AWS_REGION: us-east-1
-          include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
           args: [*task-runner, evg-test-deployed-lambda-aws]
 
   - name: "oidc-auth-test"
@@ -1896,49 +1890,17 @@ axes:
         variables:
           GO_DIST: "/opt/golang/go1.23"
 
-  - id: os-serverless
-    display_name: OS
-    values:
-      - id: "rhel87"
-        display_name: "RHEL 8.7"
-        run_on: rhel8.7-small
-        variables:
-          GO_DIST: "/opt/golang/go1.23"
-
 task_groups:
-  - name: serverless_task_group
-    setup_group_can_fail_task: true
-    setup_group_timeout_secs: 1800 # 30 minutes
-    setup_group:
-      - func: setup-system
-      - command: subprocess.exec
-        params:
-          binary: "bash"
-          args: 
-            - ${DRIVERS_TOOLS}/.evergreen/serverless/setup.sh
-      - command: expansions.update
-        params:
-          file: serverless-expansion.yml
-    teardown_group:
-      - command: subprocess.exec
-        params:
-          binary: "bash"
-          args:
-            - ${DRIVERS_TOOLS}/.evergreen/serverless/teardown.sh
-      - func: teardown
-      - func: handle-test-artifacts
-      
-    tasks:
-      - ".serverless"
-
   - name: testgcpkms_task_group
     setup_group_can_fail_task: true
     setup_group_timeout_secs: 1800 # 30 minutes
     setup_group:
       - func: setup-system
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           binary: "bash"
+          add_expansions_to_env: true
           args: 
             - ${DRIVERS_TOOLS}/.evergreen/csfle/gcpkms/setup.sh
     teardown_group:
@@ -1958,9 +1920,11 @@ task_groups:
     setup_group_timeout_secs: 1800 # 30 minutes
     setup_group:
       - func: setup-system
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           binary: bash
+          add_expansions_to_env: true
           env: 
             AZUREKMS_VMNAME_PREFIX: GODRIVER
           args:
@@ -2013,9 +1977,11 @@ task_groups:
     teardown_group_timeout_secs: 180 # 3 minutes (max allowed time)
     setup_group:
       - func: setup-system
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           binary: bash
+          add_expansions_to_env: true
           env:
             AZUREOIDC_VMNAME_PREFIX: "GO_DRIVER"
           args:
@@ -2038,9 +2004,11 @@ task_groups:
     teardown_group_timeout_secs: 180 # 3 minutes (max allowed time)
     setup_group:
       - func: setup-system
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           binary: bash
+          add_expansions_to_env: true
           env:
             AZUREOIDC_VMNAME_PREFIX: "GO_DRIVER"
           args:
@@ -2063,6 +2031,7 @@ task_groups:
     teardown_group_timeout_secs: 180 # 3 minutes (max allowed time)
     setup_group:
       - func: setup-system
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           binary: bash
@@ -2083,10 +2052,12 @@ task_groups:
   - name: test-aws-lambda-task-group
     setup_group:
       - func: setup-system
+      - func: assume-test-secrets-ec2-role
       - command: subprocess.exec
         params:
           working_dir: src/go.mongodb.org/mongo-driver
           binary: bash
+          add_expansions_to_env: true
           env:
             LAMBDA_STACK_NAME: dbx-go-lambda
           args:
@@ -2096,6 +2067,7 @@ task_groups:
         params:
           working_dir: src/go.mongodb.org/mongo-driver
           binary: bash
+          add_expansions_to_env: true
           env:
             LAMBDA_STACK_NAME: dbx-go-lambda
             AWS_REGION: us-east-1
@@ -2340,13 +2312,6 @@ buildvariants:
     tasks:
       - name: ".load-balancer"
 
-  - matrix_name: "serverless"
-    tags: ["pullrequest"]
-    matrix_spec: { os-serverless: "*" }
-    display_name: "Serverless ${os-serverless}"
-    tasks:
-      - "serverless_task_group"
-
   - matrix_name: "kms-kmip-test"
     matrix_spec: { version: ["7.0"], os-ssl-40: ["rhel87-64"] }
     display_name: "KMS KMIP ${os-ssl-40}"
 
@@ -0,0 +1,78 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '24 21 * * 1'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
@@ -65,3 +65,9 @@ repos:
     require_serial: true
     pass_filenames: false
     entry: etc/golangci-lint.sh
+
+  - id: check-licenses
+    name: check-licenses
+    language: system
+    types: [go]
+    entry: etc/check_license.sh
@@ -4,6 +4,9 @@
   <a href="https://pkg.go.dev/go.mongodb.org/mongo-driver/v2/mongo"><img src="etc/assets/godev-mongo-blue.svg" alt="docs"></a>
   <a href="https://pkg.go.dev/go.mongodb.org/mongo-driver/v2/bson"><img src="etc/assets/godev-bson-blue.svg" alt="docs"></a>
   <a href="https://www.mongodb.com/docs/drivers/go/current/"><img src="etc/assets/docs-mongodb-green.svg"></a>
+  <a href="https://securityscorecards.dev/viewer/?uri=github.com/mongodb/mongo-go-driver">
+    <img src="https://api.securityscorecards.dev/projects/github.com/mongodb/mongo-go-driver/badge" alt="OpenSSF Scorecard" />
+  </a>
 </p>
 
 # MongoDB Go Driver