PHPC-2384, PHPC-2399, PHPC-2400: Publish SSDLC assets on release (#1584)

* Run packaging manually from release workflow

* Run static analysis for tag manually from release workflow

* Publish SSDLC assets after release

* Use secure-checkout action to generate token and run checkout

* Use API to generate changelog for PECL package

* Use inputs.version to pass version

* Use bump and tag actions from drivers-github-tools

* Remove build artifacts and require release asset upload to succeed

* Continue publishing SSDLC assets if SBOM download fails

* Extract building Windows Package to reusable workflow

* Remove unnecessary release files

* Apply suggestion from code review

* Let publish job error out when SBOM download fails

Author: alcaeus

.github/actions/windows/prepare-build/action.yml

@@ -41,7 +41,7 @@ runs:
     - name: Enable Developer Command Prompt
       uses: ilammy/msvc-dev-cmd@v1
       with:
-        arch: ${{ matrix.arch }}
+        arch: ${{ inputs.arch }}
         toolset: ${{ steps.setup-php.outputs.toolset }}
 
     - name: phpize

.github/workflows/build-windows-package.yml

@@ -0,0 +1,122 @@
+name: "Build Windows Package"
+run-name: "Build Windows Package for ${{ inputs.ref }} (PHP ${{ inputs.php }} ${{ inputs.arch }} ${{ inputs.ts }})"
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: "The version being built"
+        type: string
+        required: true
+      ref:
+        description: "The git reference to build"
+        type: string
+        required: true
+      php:
+        description: "The PHP version to build for"
+        type: string
+        required: true
+      arch:
+        description: "The architecture to build for (x64 or x86)"
+        type: string
+        required: true
+      ts:
+        description: "Thread safety (ts or nts)"
+        type: string
+        required: true
+      upload_release_asset:
+        description: "Whether to upload a release asset"
+        type: boolean
+        default: false
+
+jobs:
+  build:
+    name: "Build DLL"
+    # windows-latest is required to use enableCrossOsArchive with Ubuntu in the
+    # next step. See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
+    runs-on: windows-latest
+    defaults:
+      run:
+        shell: cmd
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: true
+          ref: ${{ inputs.ref }}
+
+      - name: "Build Driver"
+        id: build-driver
+        uses: ./.github/actions/windows/build
+        with:
+          version: ${{ inputs.php }}
+          arch: ${{ inputs.arch }}
+          ts: ${{ inputs.ts }}
+
+      - name: "Copy DLL and PDB files to CWD"
+        run: |
+          cp %BUILD_DIR%\php_mongodb.dll .
+          cp %BUILD_DIR%\php_mongodb.pdb .
+        env:
+          BUILD_DIR: ${{ steps.build-driver.outputs.build-dir }}
+
+      - name: "Cache build artifacts for subsequent builds"
+        uses: actions/cache/save@v4
+        with:
+          key: ${{ github.sha }}-${{ inputs.php }}-${{ inputs.ts }}-${{ inputs.arch }}
+          enableCrossOsArchive: true
+          path: |
+            php_mongodb.dll
+            php_mongodb.pdb
+
+  sign-and-package:
+    environment: release
+    name: "Sign and create package"
+    needs: build
+    # ubuntu-latest is required to use enableCrossOsArchive
+    # See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
+    runs-on: "ubuntu-latest"
+    permissions:
+      id-token: write
+
+    steps:
+      - name: "Generate token and checkout repository"
+        uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          ref: ${{ inputs.ref }}
+
+      - name: "Set up drivers-github-tools"
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+      - name: Restore cached build artifacts
+        id: cache-build-artifacts
+        uses: actions/cache/restore@v4
+        with:
+          fail-on-cache-miss: true
+          key: ${{ github.sha }}-${{ inputs.php }}-${{ inputs.ts }}-${{ inputs.arch }}
+          enableCrossOsArchive: true
+          path: |
+            php_mongodb.dll
+            php_mongodb.pdb
+
+      - name: "Create detached DLL signature"
+        uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+        with:
+          filenames: php_mongodb.dll
+
+      # Copy the signature file from the release asset directory to avoid directory issues in the ZIP file
+      - name: "Copy signature file"
+        run: cp ${RELEASE_ASSETS}/php_mongodb.dll.sig .
+
+      - name: "Create and upload release asset"
+        if: ${{ inputs.upload_release_asset }}
+        run: |
+          ARCHIVE=php_mongodb-${{ inputs.version }}-${{ inputs.php }}-${{ inputs.ts }}-${{ inputs.arch }}.zip
+          zip ${ARCHIVE} php_mongodb.dll php_mongodb.dll.sig php_mongodb.pdb CREDITS CONTRIBUTING.md LICENSE README.md THIRD_PARTY_NOTICES
+          gh release upload ${{ inputs.version }} ${ARCHIVE}

.github/workflows/commit-and-tag.sh

@@ -1,10 +1,17 @@
 name: "Package Release"
-run-name: "Package Release ${{ github.ref_name }}"
+run-name: "Package Release ${{ inputs.version }}"
 
 on:
-  push:
-    tags:
-      - "*"
+  workflow_call:
+    inputs:
+      version:
+        description: "The version being built"
+        type: string
+        required: true
+      ref:
+        description: "The git reference to build"
+        type: string
+        required: true
 
 jobs:
   build-pecl:
@@ -13,25 +20,15 @@ jobs:
     runs-on: "ubuntu-latest"
     permissions:
       id-token: write
+      contents: write
 
     steps:
-      - name: "Create temporary app token"
-        uses: actions/create-github-app-token@v1
-        id: app-token
+      - name: "Generate token and checkout repository"
+        uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
         with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.APP_PRIVATE_KEY }}
-
-      - name: "Store GitHub token in environment"
-        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
-        shell: bash
-
-      - name: "Checkout"
-        uses: "actions/checkout@v4"
-        with:
-          # Manually specify a ref. When actions/checkout is run for a tag without a ref, it looks up the underlying
-          # commit and specifically fetches this to the refs/tags/<tag> ref, which denies us access to the tag message
-          ref: ${{ github.ref }}
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          ref: ${{ inputs.ref }}
           submodules: true
 
       - name: "Set up drivers-github-tools"
@@ -47,7 +44,13 @@ jobs:
           version: "8.3"
 
       - name: "Write changelog file for packaging"
-        run: git tag -l ${{ github.ref_name }} --format='%(contents)' > changelog
+        run: |
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/${{ github.repository }}/releases/generate-notes \
+            -f "tag_name=${{ inputs.version }}" --jq '.body' > changelog
 
       # This will fill in the release notes from the previously generated changelog
       - name: "Build package.xml"
@@ -77,142 +80,24 @@ jobs:
       - name: "Copy signature file"
         run: cp ${RELEASE_ASSETS}/${{ env.PACKAGE_FILE }}.sig .
 
-      - name: "Upload artifacts"
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ env.PACKAGE_FILE }}
-          path: |
-            ${{ env.PACKAGE_FILE }}
-            ${{ env.PACKAGE_FILE }}.sig
-          retention-days: 3
-
       - name: "Upload release artifacts"
-        run: gh release upload ${{ github.ref_name }} ${{ env.PACKAGE_FILE }} ${{ env.PACKAGE_FILE }}.sig
-        continue-on-error: true
+        run: gh release upload ${{ inputs.version }} ${{ env.PACKAGE_FILE }} ${{ env.PACKAGE_FILE }}.sig
 
   build-windows:
-    name: "Create Windows package"
-    # windows-latest is required to use enableCrossOsArchive with Ubuntu in the
-    # next step. See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
-    runs-on: windows-latest
-    defaults:
-      run:
-        shell: cmd
-
+    name: "Create Windows packages"
+    uses: ./.github/workflows/build-windows-package.yml
+    with:
+      version: ${{ inputs.version }}
+      ref: refs/tags/${{ inputs.version }}
+      php: ${{ matrix.php }}
+      arch: ${{ matrix.arch }}
+      ts: ${{ matrix.ts }}
+      upload_release_asset: true
+    secrets: inherit
     strategy:
       fail-fast: false
       matrix:
         # Note: keep this in sync with the Windows matrix in windows-tests.yml
         php: [ "7.4", "8.0", "8.1", "8.2", "8.3" ]
         arch: [ x64, x86 ]
         ts: [ ts, nts ]
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-
-      - name: "Build Driver"
-        id: build-driver
-        uses: ./.github/actions/windows/build
-        with:
-          version: ${{ matrix.php }}
-          arch: ${{ matrix.arch }}
-          ts: ${{ matrix.ts }}
-
-      - name: "Copy DLL and PDB files to CWD"
-        run: |
-          cp %BUILD_DIR%\php_mongodb.dll .
-          cp %BUILD_DIR%\php_mongodb.pdb .
-        env:
-          BUILD_DIR: ${{ steps.build-driver.outputs.build-dir }}
-
-      - name: "Cache build artifacts for subsequent builds"
-        uses: actions/cache/save@v4
-        with:
-          key: ${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}
-          enableCrossOsArchive: true
-          path: |
-            php_mongodb.dll
-            php_mongodb.pdb
-
-  sign-and-publish-windows:
-    environment: release
-    name: "Sign and Publish Windows package"
-    needs: [build-windows]
-    # ubuntu-latest is required to use enableCrossOsArchive
-    # See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
-    runs-on: "ubuntu-latest"
-    permissions:
-      id-token: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        # Note: keep this in sync with the Windows matrix in windows-tests.yml
-        php: [ "7.4", "8.0", "8.1", "8.2", "8.3" ]
-        arch: [ x64, x86 ]
-        ts: [ ts, nts ]
-
-    steps:
-      - name: "Create temporary app token"
-        uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.APP_PRIVATE_KEY }}
-
-      - name: "Store GitHub token in environment"
-        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
-        shell: bash
-
-      - uses: actions/checkout@v4
-
-      - name: "Set up drivers-github-tools"
-        uses: mongodb-labs/drivers-github-tools/setup@v2
-        with:
-          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
-          aws_region_name: ${{ vars.AWS_REGION_NAME }}
-          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
-
-      - name: Restore cached build artifacts
-        id: cache-build-artifacts
-        uses: actions/cache/restore@v4
-        with:
-          fail-on-cache-miss: true
-          key: ${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}
-          enableCrossOsArchive: true
-          path: |
-            php_mongodb.dll
-            php_mongodb.pdb
-
-      - name: "Create detached DLL signature"
-        uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
-        with:
-          filenames: php_mongodb.dll
-
-      # Copy the signature file from the release asset directory to avoid directory issues in the ZIP file
-      - name: "Copy signature file"
-        run: cp ${RELEASE_ASSETS}/php_mongodb.dll.sig .
-
-      - name: "Upload DLL and PDB files as build artifacts"
-        uses: actions/upload-artifact@v4
-        with:
-          name: php_mongodb-${{ github.ref_name }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}
-          path: |
-            php_mongodb.dll
-            php_mongodb.dll.sig
-            php_mongodb.pdb
-            CREDITS
-            CONTRIBUTING.md
-            LICENSE
-            README.md
-            THIRD_PARTY_NOTICES
-          retention-days: 3
-
-      - name: "Create and upload release artifact"
-        run: |
-          ARCHIVE=php_mongodb-${{ github.ref_name }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}.zip
-          zip ${ARCHIVE} php_mongodb.dll php_mongodb.dll.sig php_mongodb.pdb CREDITS CONTRIBUTING.md LICENSE README.md THIRD_PARTY_NOTICES
-          gh release upload ${{ github.ref_name }} ${ARCHIVE}
-        continue-on-error: true