From 598ced96bee287ee60c1ecbd812a0885cd5cab9b Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 17 Jun 2024 11:23:32 -0600 Subject: [PATCH 1/7] add compliance report and authorized publisher --- .../compress_sign_and_upload/action.yml | 41 +++++----- .github/workflows/release-5.x.yml | 74 +++++++++++++++++- .github/workflows/release.yml | 75 ++++++++++++++++++- 3 files changed, 167 insertions(+), 23 deletions(-) diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml index f38b3757b05..8bce52aafc4 100644 --- a/.github/actions/compress_sign_and_upload/action.yml +++ b/.github/actions/compress_sign_and_upload/action.yml @@ -1,19 +1,23 @@ name: Compress and Sign description: 'Compresses package and signs with garasign' -inputs: - aws_role_arn: - description: 'AWS role input for drivers-github-tools/gpg-sign@v2' - required: true - aws_region_name: - description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' - required: true - aws_secret_id: - description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' - required: true - npm_package_name: - description: 'The name for the npm package this repository represents' - required: true +inputs: + aws_role_arn: + description: 'AWS role input for drivers-github-tools/gpg-sign@v2' + required: true + aws_region_name: + description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' + required: true + aws_secret_id: + description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' + required: true + npm_package_name: + description: 'The name for the npm package this repository represents' + required: true + dry_run: + description: 'Should we upload files to the release?' + required: false + default: 'true' runs: using: composite 
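Review bot: The new `dry_run` input's description, `Should we upload files to the release?`, states the opposite of what the flag is meant to do: a true value is intended to make the composite action skip the `gh release upload` step, and the quoted default `'true'` means a caller that omits the input never uploads. Suggest `description: 'When true, sign the package but do not upload the signature to the GitHub release (default)'`. Composite-action inputs are always strings, so quoting the default is right; the step that consumes it should compare it as a string.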
@@ -31,24 +35,25 @@ runs: - name: Set up drivers-github-tools uses: mongodb-labs/drivers-github-tools/setup@v2 - with: + with: aws_region_name: ${{ inputs.aws_region_name }} aws_role_arn: ${{ inputs.aws_role_arn }} aws_secret_id: ${{ inputs.aws_secret_id }} - name: Create detached signature uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: + with: filenames: ${{ steps.get_vars.outputs.package_file }} - env: + env: RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig - - name: Name release asset correctly + - name: Name release asset correctly run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig shell: bash - name: "Upload release artifacts" + if: ${{ inputs.dry_run == false }} run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig shell: bash env: - GH_TOKEN: ${{ github.token }} \ No newline at end of file + GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index 60967fadb40..fb0072152fb 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -23,13 +23,20 @@ jobs: compress_sign_and_upload: needs: [release_please] - if: ${{ needs.release_please.outputs.release_created }} environment: release runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: actions/setup uses: ./.github/actions/setup + - name: Get release version and release package file name + id: get_vars + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT" + - name: actions/compress_sign_and_upload uses: ./.github/actions/compress_sign_and_upload with: 
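Review bot: `if: ${{ inputs.dry_run == false }}` on the upload step compares a string input with a boolean; composite-action inputs are always strings, and the callers in this series pass an expression result that arrives as `'true'` or `'false'`. Under GitHub's expression coercion a non-numeric string compared with a boolean is cast to NaN, so the condition never holds and the `.sig` asset is never uploaded even on a real release. Compare against the string instead: `if: ${{ inputs.dry_run == 'false' }}` (or `!= 'true'`).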
@@ -37,7 +44,27 @@ jobs: aws_region_name: 'us-east-1' aws_secret_id: ${{ secrets.AWS_SECRET_ID }} npm_package_name: 'mongodb' + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + with: + release_version: ${{ steps.get_version.outputs.package_version }} + product_name: node-mongodb-native + # and .sig + filenames: ${{ steps.get_vars.outputs.package_file }}* + token: ${{ github.token }} + + - name: actions/publish_asset_to_s3 + uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + with: + version: ${{ steps.get_version.outputs.package_version }} + product_name: node-mongodb-native + file: ${{env.S3_ASSETS}}/authorized-publication.txt + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + - run: npm publish --provenance --tag=5x + if: ${{ needs.release_please.outputs.release_created }} env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} @@ -73,7 +100,7 @@ jobs: package_version=$(jq --raw-output '.version' package.json) echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main + uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 with: version: ${{ steps.get_version.outputs.package_version }} product_name: node-mongodb-native 
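Review bot: The new `Generate authorized pub report` and `actions/publish_asset_to_s3` steps read `steps.get_version.outputs.package_version`, but the only version step in this job is the one added in the previous hunk with `id: get_vars`; a `get_version` step exists in the other jobs, and step outputs are job-local, so `release_version` and `version` evaluate to an empty string here. Change both to `${{ steps.get_vars.outputs.package_version }}`. The same reference appears in release.yml's `@@ -35,7 +42,27 @@` hunk and is carried forward unchanged through patches 2 and 3 of this series. The job's remaining steps continue outside the hunk.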
@@ -113,3 +140,46 @@ jobs: product_name: node-mongodb-native file: sbom.json dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + generate_compliance_report: + environment: release + runs-on: ubuntu-latest + needs: [release_please] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + + steps: + - uses: actions/checkout@v4 + - name: Set up drivers-github-tools + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_region_name: us-east-1 + aws_role_arn: ${{ secrets.aws_role_arn }} + aws_secret_id: ${{ secrets.aws_secret_id }} + + - name: Get release version and release package file name + id: get_version + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + + - name: Generate compliance report + uses: mongodb-labs/drivers-github-tools/compliance-report@v2 + with: + sbom_name: sbom.json + sarif_name: sarif-report.json + security_report_location: tbd + release_version: ${{ steps.get_version.outputs.package_version }} + token: ${{ github.token }} + + - name: actions/publish_asset_to_s3 + uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + with: + version: ${{ steps.get_version.outputs.package_version }} + product_name: node-mongodb-native + file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt + dry_run: ${{ needs.release_please.outputs.release_created == '' }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d00ef44e6e6..a5fe0f582ce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
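Review bot: `security_report_location: tbd` is a placeholder that presumably ends up in the published `ssdlc_compliance_report.txt`; it should be the real location, or the input left out until one exists, with a comment such as `# TODO: point at the published security report once it has a home`. The job's `permissions` grant `security-events: write` and `contents: write`, yet the steps shown only check out, assume the AWS role, read package.json and upload to S3; unless the compliance-report action itself needs them, `contents: read` plus `id-token: write` looks sufficient, and the `# required for all workflows` comment should name which step needs each permission. The same job is added to release.yml in its `@@ -112,3 +138,46 @@` hunk.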
@@ -21,13 +21,20 @@ jobs: compress_sign_and_upload: needs: [release_please] - if: ${{ needs.release_please.outputs.release_created }} environment: release runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: actions/setup uses: ./.github/actions/setup + - name: Get release version and release package file name + id: get_vars + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT" + - name: actions/compress_sign_and_upload uses: ./.github/actions/compress_sign_and_upload with: @@ -35,7 +42,27 @@ jobs: aws_region_name: 'us-east-1' aws_secret_id: ${{ secrets.AWS_SECRET_ID }} npm_package_name: 'mongodb' - - run: npm publish --provenance + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + with: + release_version: ${{ steps.get_version.outputs.package_version }} + product_name: node-mongodb-native + # and .sig + filenames: ${{ steps.get_vars.outputs.package_file }}* + token: ${{ github.token }} + + - name: actions/publish_asset_to_s3 + uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + with: + version: ${{ steps.get_version.outputs.package_version }} + product_name: node-mongodb-native + file: ${{env.S3_ASSETS}}/authorized-publication.txt + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + - run: npm publish --provenance --tag=latest + if: ${{ needs.release_please.outputs.release_created }} env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} @@ -78,7 +105,6 @@ jobs: file: sarif-report.json dry_run: ${{ needs.release_please.outputs.release_created == '' }} - upload_sbom_lite: environment: release runs-on: ubuntu-latest 
@@ -112,3 +138,46 @@ jobs: product_name: node-mongodb-native file: sbom.json dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + generate_compliance_report: + environment: release + runs-on: ubuntu-latest + needs: [release_please] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + + steps: + - uses: actions/checkout@v4 + - name: Set up drivers-github-tools + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_region_name: us-east-1 + aws_role_arn: ${{ secrets.aws_role_arn }} + aws_secret_id: ${{ secrets.aws_secret_id }} + + - name: Get release version and release package file name + id: get_version + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" + + - name: Generate compliance report + uses: mongodb-labs/drivers-github-tools/compliance-report@v2 + with: + sbom_name: sbom.json + sarif_name: sarif-report.json + security_report_location: tbd + release_version: ${{ steps.get_version.outputs.package_version }} + token: ${{ github.token }} + + - name: actions/publish_asset_to_s3 + uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + with: + version: ${{ steps.get_version.outputs.package_version }} + product_name: node-mongodb-native + file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt + dry_run: ${{ needs.release_please.outputs.release_created == '' }} From c9f5c3f5ca8815b518d9cc5f4032ed3dc12c1678 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Thu, 20 Jun 2024 13:50:20 -0600 Subject: [PATCH 2/7] use shared action --- .github/workflows/release.yml | 129 ++-------------------------------- 1 file changed, 6 insertions(+), 123 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a5fe0f582ce..9ce4f320b32 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -45,139 +45,22 @@ jobs: dry_run: ${{ needs.release_please.outputs.release_created == '' }} - name: Generate authorized pub report - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + uses: baileympearson/drivers-github-tools/full-report@adjust-shared-actions-for-node with: release_version: ${{ steps.get_version.outputs.package_version }} product_name: node-mongodb-native + sarif_report_target_ref: main # and .sig - filenames: ${{ steps.get_vars.outputs.package_file }}* + dist_filenames: ${{ steps.get_vars.outputs.package_file }}* token: ${{ github.token }} - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: node-mongodb-native - file: ${{env.S3_ASSETS}}/authorized-publication.txt + version: ${{ inputs.version }} + product_name: ${{ inputs.product_name }} dry_run: ${{ needs.release_please.outputs.release_created == '' }} - run: npm publish --provenance --tag=latest if: ${{ needs.release_please.outputs.release_created }} env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - - generate_sarif_report: - environment: release - runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - - steps: - - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: "Generate Sarif Report" - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 - with: - ref: main - output-file: sarif-report.json - - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo 
"package_version=${package_version}" >> "$GITHUB_OUTPUT" - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 - with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: node-mongodb-native - file: sarif-report.json - dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - upload_sbom_lite: - environment: release - runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - - steps: - - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 - with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: node-mongodb-native - file: sbom.json - dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - generate_compliance_report: - environment: release - runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - - steps: - - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo 
"package_version=${package_version}" >> "$GITHUB_OUTPUT" - - - name: Generate compliance report - uses: mongodb-labs/drivers-github-tools/compliance-report@v2 - with: - sbom_name: sbom.json - sarif_name: sarif-report.json - security_report_location: tbd - release_version: ${{ steps.get_version.outputs.package_version }} - token: ${{ github.token }} - - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 - with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: node-mongodb-native - file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt - dry_run: ${{ needs.release_please.outputs.release_created == '' }} From 4cc2a44bab3c297f733e96067c08f45a531eb7b4 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Thu, 20 Jun 2024 14:48:34 -0600 Subject: [PATCH 3/7] combine --- .github/workflows/release-5.x.yml | 149 +++++------------------------- .github/workflows/release.yml | 29 +++++- 2 files changed, 52 insertions(+), 126 deletions(-) diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index fb0072152fb..10e12f6c4a0 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -18,11 +18,14 @@ jobs: steps: - id: release uses: googleapis/release-please-action@v4 - with: - target-branch: 5.x - compress_sign_and_upload: + ssdlc: needs: [release_please] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write environment: release runs-on: ubuntu-latest steps: 
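Review bot: The new `upload-s3-assets` step passes `version: ${{ inputs.version }}` and `product_name: ${{ inputs.product_name }}`, but the `inputs` context is only populated for `workflow_dispatch`/`workflow_call` runs; the trigger is outside the hunk and nothing in this job defines those values, so they look like leftovers from the shared action and will be empty here. Use the values the removed step used: `version: ${{ steps.get_vars.outputs.package_version }}` and `product_name: node-mongodb-native`. The same pair is added to release-5.x.yml in patch 3's `@@ -46,140 +49,38 @@` hunk and is still present in release.yml at the end of the series (patch 6, `@@ -65,18 +65,12 @@`). Pointing a release workflow that assumes an AWS role at a personal fork branch (`baileympearson/...@adjust-shared-actions-for-node`) is not mergeable as-is; patch 5 does move it back to `mongodb-labs`.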
@@ -46,140 +49,38 @@ jobs: npm_package_name: 'mongodb' dry_run: ${{ needs.release_please.outputs.release_created == '' }} + - name: Copy sbom file to release assets + shell: bash + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + - name: Generate authorized pub report - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + uses: baileympearson/drivers-github-tools/full-report@adjust-shared-actions-for-node with: release_version: ${{ steps.get_version.outputs.package_version }} product_name: node-mongodb-native + sarif_report_target_ref: 5.x # and .sig - filenames: ${{ steps.get_vars.outputs.package_file }}* + dist_filenames: ${{ steps.get_vars.outputs.package_file }}* token: ${{ github.token }} + sbom_file_name: sbom.json - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 + - uses: baileympearson/drivers-github-tools/upload-s3-assets@adjust-shared-actions-for-node with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: node-mongodb-native - file: ${{env.S3_ASSETS}}/authorized-publication.txt + version: ${{ inputs.version }} + product_name: ${{ inputs.product_name }} dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - run: npm publish --provenance --tag=5x - if: ${{ needs.release_please.outputs.release_created }} - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - generate_sarif_report: + publish: + needs: [release_please, ssdlc] environment: release runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - - steps: - - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: "Generate Sarif Report" - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 - 
with: - ref: 5.x - output-file: sarif-report.json - - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 - with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: node-mongodb-native - file: sarif-report.json - dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - upload_sbom_lite: - environment: release - runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - steps: - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 - with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: node-mongodb-native - file: sbom.json - dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - generate_compliance_report: - environment: release - runs-on: ubuntu-latest - needs: [release_please] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - - steps: - - uses: actions/checkout@v4 - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: us-east-1 - aws_role_arn: ${{ secrets.aws_role_arn }} - 
aws_secret_id: ${{ secrets.aws_secret_id }} - - - name: Get release version and release package file name - id: get_version - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - - - name: Generate compliance report - uses: mongodb-labs/drivers-github-tools/compliance-report@v2 - with: - sbom_name: sbom.json - sarif_name: sarif-report.json - security_report_location: tbd - release_version: ${{ steps.get_version.outputs.package_version }} - token: ${{ github.token }} + - name: actions/setup + uses: ./.github/actions/setup - - name: actions/publish_asset_to_s3 - uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2 - with: - version: ${{ steps.get_version.outputs.package_version }} - product_name: node-mongodb-native - file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt - dry_run: ${{ needs.release_please.outputs.release_created == '' }} + - run: npm publish --provenance --tag=5.x + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9ce4f320b32..2709bbd99c7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,8 +19,13 @@ jobs: - id: release uses: googleapis/release-please-action@v4 - compress_sign_and_upload: + ssdlc: needs: [release_please] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write environment: release runs-on: ubuntu-latest steps: @@ -44,6 +49,10 @@ jobs: npm_package_name: 'mongodb' dry_run: ${{ needs.release_please.outputs.release_created == '' }} + - name: Copy sbom file to release assets + shell: bash + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + - name: Generate authorized pub report uses: baileympearson/drivers-github-tools/full-report@adjust-shared-actions-for-node with: 
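Review bot: The new `publish` job declares no `permissions:` block while its `npm publish --provenance` step needs `id-token: write` to mint the provenance attestation; the `ssdlc` job in the earlier hunk received that permission, so unless a workflow-level `permissions` block outside the hunk already grants it, publishing will fail at the provenance step. Gating only the `run` step with `if:` also means checkout and setup run on every push; moving the condition to the job level avoids that. The same applies to the `publish` job added to release.yml in `@@ -64,3 +75,17 @@`.
```yaml
  publish:
    needs: [release_please, ssdlc]
    if: ${{ needs.release_please.outputs.release_created }}
    permissions:
      id-token: write
      contents: read
    # … unchanged: environment, runs-on, steps …
```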
@@ -53,8 +62,10 @@ jobs:
           # and .sig
           dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
           token: ${{ github.token }}
+          sbom_file_name: sbom.json
 
-      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+
+      - uses: baileympearson/drivers-github-tools/upload-s3-assets@adjust-shared-actions-for-node
         with:
           version: ${{ inputs.version }}
           product_name: ${{ inputs.product_name }}
@@ -64,3 +75,17 @@ jobs:
         if: ${{ needs.release_please.outputs.release_created }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  publish:
+    needs: [release_please, ssdlc]
+    environment: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: actions/setup
+        uses: ./.github/actions/setup
+
+      - run: npm publish --provenance --tag=latest
+        if: ${{ needs.release_please.outputs.release_created }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
From c0b9189fe7b309862eda9c967cedf2c7af053a67 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Fri, 21 Jun 2024 09:35:10 -0600
Subject: [PATCH 4/7] add 3rd party dependency tracking

---
 .github/workflows/release-5.x.yml | 1 +
 .github/workflows/release.yml     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml
index 10e12f6c4a0..745d25713a8 100644
--- a/.github/workflows/release-5.x.yml
+++ b/.github/workflows/release-5.x.yml
@@ -59,6 +59,7 @@ jobs:
           release_version: ${{ steps.get_version.outputs.package_version }}
           product_name: node-mongodb-native
           sarif_report_target_ref: 5.x
+          third_party_dependency_tool: n/a
           # and .sig
           dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
           token: ${{ github.token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2709bbd99c7..8cef12a54c1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -59,6 +59,7 @@ jobs:
           release_version: ${{ steps.get_version.outputs.package_version }}
           product_name: node-mongodb-native
           sarif_report_target_ref: main
+          third_party_dependency_tool: n/a
           # and .sig
           dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
           token: ${{ github.token }}
From 2abdf1c3a03710f203540d1f8858c442ac419b62 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Mon, 24 Jun 2024 09:30:44 -0600
Subject: [PATCH 5/7] use main branch, not fork

---
 .github/workflows/release-5.x.yml | 4 ++--
 .github/workflows/release.yml     | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml
index 745d25713a8..671602384db 100644
--- a/.github/workflows/release-5.x.yml
+++ b/.github/workflows/release-5.x.yml
@@ -54,7 +54,7 @@ jobs:
         run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
 
       - name: Generate authorized pub report
-        uses: baileympearson/drivers-github-tools/full-report@adjust-shared-actions-for-node
+        uses: mongodb-labs/drivers-github-tools/full-report@v2
         with:
           release_version: ${{ steps.get_version.outputs.package_version }}
           product_name: node-mongodb-native
@@ -65,7 +65,7 @@ jobs:
           token: ${{ github.token }}
           sbom_file_name: sbom.json
 
-      - uses: baileympearson/drivers-github-tools/upload-s3-assets@adjust-shared-actions-for-node
+      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
         with:
           version: ${{ inputs.version }}
           product_name: ${{ inputs.product_name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8cef12a54c1..29699b9b4d8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
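Review bot: `@v2` on `full-report` and `upload-s3-assets` is a mutable tag, so a moved tag in the upstream repository silently changes what runs in a job that assumes the AWS role and handles the signing key; this is the moment to pin each action to a full commit SHA with the tag in a trailing comment, e.g. `uses: mongodb-labs/drivers-github-tools/full-report@COMMIT_SHA_PLACEHOLDER  # v2`. The same applies to the matching release.yml hunks `@@ -54,7 +54,7 @@` and `@@ -66,7 +66,7 @@` and to the other `drivers-github-tools` references these workflows carry. Dependabot's GitHub Actions ecosystem keeps SHA pins current, so the maintenance cost is low.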
@@ -54,7 +54,7 @@ jobs:
         run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
 
       - name: Generate authorized pub report
-        uses: baileympearson/drivers-github-tools/full-report@adjust-shared-actions-for-node
+        uses: mongodb-labs/drivers-github-tools/full-report@v2
         with:
           release_version: ${{ steps.get_version.outputs.package_version }}
           product_name: node-mongodb-native
@@ -66,7 +66,7 @@ jobs:
           sbom_file_name: sbom.json
 
 
-      - uses: baileympearson/drivers-github-tools/upload-s3-assets@adjust-shared-actions-for-node
+      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
         with:
           version: ${{ inputs.version }}
           product_name: ${{ inputs.product_name }}
From 06f55f6c2514d7562eebf9f57aa124aa63b9ae44 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Mon, 24 Jun 2024 09:58:47 -0600
Subject: [PATCH 6/7] comments

---
 .github/workflows/release-5.x.yml | 9 +--------
 .github/workflows/release.yml     | 8 +-------
 2 files changed, 2 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml
index 671602384db..fe5be0c5efe 100644
--- a/.github/workflows/release-5.x.yml
+++ b/.github/workflows/release-5.x.yml
@@ -57,7 +57,7 @@ jobs:
         uses: mongodb-labs/drivers-github-tools/full-report@v2
         with:
           release_version: ${{ steps.get_version.outputs.package_version }}
-          product_name: node-mongodb-native
+          product_name: mongodb
           sarif_report_target_ref: 5.x
           third_party_dependency_tool: n/a
           # and .sig
@@ -65,13 +65,6 @@ jobs:
           token: ${{ github.token }}
           sbom_file_name: sbom.json
 
-      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
-        with:
-          version: ${{ inputs.version }}
-          product_name: ${{ inputs.product_name }}
-          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
-
-
   publish:
     needs: [release_please, ssdlc]
     environment: release
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 29699b9b4d8..29ff67862a4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -57,7 +57,7 @@ jobs:
         uses: mongodb-labs/drivers-github-tools/full-report@v2
         with:
           release_version: ${{ steps.get_version.outputs.package_version }}
-          product_name: node-mongodb-native
+          product_name: mongodb
           sarif_report_target_ref: main
           third_party_dependency_tool: n/a
           # and .sig
@@ -65,18 +65,12 @@ jobs:
           token: ${{ github.token }}
           sbom_file_name: sbom.json
 
-
       - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
         with:
           version: ${{ inputs.version }}
           product_name: ${{ inputs.product_name }}
           dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 
-      - run: npm publish --provenance --tag=latest
-        if: ${{ needs.release_please.outputs.release_created }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
   publish:
     needs: [release_please, ssdlc]
     environment: release
From 21ef17103f55230144dc87f24fffdfe045f86ed9 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Mon, 24 Jun 2024 10:05:02 -0600
Subject: [PATCH 7/7] add target branch

---
 .github/workflows/release-5.x.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml
index fe5be0c5efe..f62347a7b62 100644
--- a/.github/workflows/release-5.x.yml
+++ b/.github/workflows/release-5.x.yml
@@ -18,6 +18,8 @@ jobs:
     steps:
       - id: release
         uses: googleapis/release-please-action@v4
+        with:
+          target-branch: 5.x
 
   ssdlc:
     needs: [release_please]
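Review bot: The `upload-s3-assets` step kept in `ssdlc` here now diverges from release-5.x.yml, whose `@@ -65,13 +65,6 @@` hunk in this same patch deletes it, and the kept step still passes `version: ${{ inputs.version }}` and `product_name: ${{ inputs.product_name }}`, which are empty outside a `workflow_dispatch`/`workflow_call` run. Either remove the step here as well, or, if the S3 upload is wanted in both workflows, use `version: ${{ steps.get_vars.outputs.package_version }}` and `product_name: mongodb` in both so they match the `full-report` inputs renamed in the previous hunk. The `ssdlc` job's earlier steps are outside the hunk.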