
feat(NODE-6156): add signature to github releases #692

Merged (25 commits), May 28, 2024

Conversation

aditi-khare-mongoDB

@aditi-khare-mongoDB aditi-khare-mongoDB commented May 21, 2024

Description

Sign releases in both 5.x and 6.x

What is changing?

Automate release signing with a detached signature and verification instructions in the README.
Example Signature Link: https://github.com/mongodb/js-bson/actions/runs/9195659055

Is there new documentation needed for these changes?

No

What is the motivation for this change?

SSDLC Compliance

Release Highlight

Add Signature to Github Releases

The GitHub release for js-bson now contains a detached signature file for the NPM package (named
bson-X.Y.Z.tgz.sig), on every major and patch release to 6.x and 5.x. To verify the signature, follow the instructions in the 'Release Integrity' section of the README.md file.

Double check the following

  • Ran npm run check:lint script
  • Self-review completed using the steps outlined here
  • PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • Changes are covered by tests
  • New TODOs have a related JIRA ticket

@aditi-khare-mongoDB aditi-khare-mongoDB changed the title Node 6156/sign release artifacts feat(NODE-6156): Sign Release Artifacts - 6.x May 22, 2024
@evergreen-ci-prod evergreen-ci-prod bot mentioned this pull request May 22, 2024
@aditi-khare-mongoDB aditi-khare-mongoDB marked this pull request as ready for review May 22, 2024 19:03
@aditi-khare-mongoDB aditi-khare-mongoDB changed the title feat(NODE-6156): Sign Release Artifacts - 6.x feat(NODE-6156): Sign Release Artifacts May 22, 2024

@baileympearson baileympearson left a comment


Nice work!

One other note - Looks like only the release tarball (no signature file) is uploaded: https://github.com/mongodb/js-bson/actions/runs/9195659055

Resolved review thread on .github/workflows/release-5.x.yml (outdated)
@aditi-khare-mongoDB

@baileympearson If you click on the bson-6.6.0.tar.gz file, it contains a bson-6.6.0.tar.gz.sig file within

@baileympearson

@aditi-khare-mongoDB Oh, you're right! Nice.

Is it possible to upload them separately? I don't know if it matters much, but I think we should shoot for something similar to what devtools has for their repos, where the signatures are attached separate from the file. Here's an example: https://github.com/mongodb-js/compass/releases/tag/v1.43.0

@nbbeeken

nbbeeken commented May 22, 2024

Jumping in here, yeah I also expected the .sig to be a "top-level" artifact and that the only tgz would be the one that can be obtained from npm. Not that there is something wrong with a tgz on our GH releases it just isn't the tgz users are likely to ingest. The following command:

npm view bson@latest dist.tarball

When automating this, I'll want to replace "latest" with something like npm ls bson and grab "my" version.

With that, I can get the tar url, a bit of curl here, and a bit of gpg there ✨ and you've got a validated signature. I am also thinking that the tgz we upload to npm gets replicated to artifactory instances so again the tgz on GH isn't the tgz folks care about.
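The verification flow sketched in the comment above (npm for the tarball URL, a bit of curl, a bit of gpg), written out as an added example; it is not part of this PR or of the js-bson project. It assumes release tags are named vX.Y.Z, the signature asset is bson-X.Y.Z.tgz.sig as the highlight states, and the maintainer public key from the README's 'Release Integrity' section is supplied by the operator in SIGNING_KEY_FILE.

```shell
#!/bin/sh
# Added example, not the js-bson project's own script: verify the tarball npm
# actually serves against the detached .sig attached to the GitHub release.
# Assumptions (not confirmed by the PR): release tags are "vX.Y.Z", the asset
# is named bson-X.Y.Z.tgz.sig, and SIGNING_KEY_FILE points at the maintainer
# public key that the README's 'Release Integrity' section refers to.
set -eu

# Local file name of the npm tarball for a given package and version.
tarball_name() {
    printf '%s-%s.tgz' "$1" "$2"
}

# URL of the detached signature on the GitHub release (tag format assumed).
release_sig_url() {
    printf 'https://github.com/mongodb/js-bson/releases/download/v%s/%s.sig' \
        "$2" "$(tarball_name "$1" "$2")"
}

# Ask the npm registry for the tarball URL of this exact version, so the
# bytes we verify are the bytes npm would install, not the tgz on the release.
tarball_url_from_npm() {
    npm view "$1@$2" dist.tarball
}

# Download tarball and signature, then verify with gpg in a throwaway keyring
# so the check neither depends on nor pollutes the operator's default keyring.
# gpg exits non-zero on a bad or missing signature, and set -e propagates it.
verify_bson_release() {
    pkg=$1; ver=$2
    keyfile=${SIGNING_KEY_FILE:?set SIGNING_KEY_FILE to the maintainer public key path}
    tgz=$(tarball_name "$pkg" "$ver")
    workdir=$(mktemp -d)
    curl -fsSL -o "$workdir/$tgz" "$(tarball_url_from_npm "$pkg" "$ver")"
    curl -fsSL -o "$workdir/$tgz.sig" "$(release_sig_url "$pkg" "$ver")"
    GNUPGHOME=$workdir/gnupg; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$keyfile"
    gpg --batch --verify "$workdir/$tgz.sig" "$workdir/$tgz"
}

# Network-bound check runs only when invoked directly with package and
# version, e.g.: SIGNING_KEY_FILE=key.asc sh verify.sh bson 6.6.0
if [ "$#" -eq 2 ]; then
    verify_bson_release "$1" "$2"
fi
```

To pin the check to the version already installed in a project, feed the version reported by npm ls bson into the second argument instead of a hand-typed one.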

@baileympearson baileympearson added the Primary Review In Review with primary reviewer, not yet ready for team's eyes label May 22, 2024
@baileympearson baileympearson self-assigned this May 22, 2024
Resolved review threads on: .github/workflows/release-5.x.yml (outdated), .github/workflows/release.yml (4 threads, outdated), README.md
nbbeeken previously approved these changes May 24, 2024

@nbbeeken nbbeeken left a comment


Please add release highlights, otherwise LGTM

@aditi-khare-mongoDB aditi-khare-mongoDB changed the title feat(NODE-6156): Sign Release Artifacts feat(NODE-6156): add signature to github releases May 28, 2024