From 27cb35bb2f95ecbc6c1b6ac1719c206792d09f90 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Mon, 24 Jun 2024 11:08:09 -0600
Subject: [PATCH] chore(NODE-6118): generate authorized publisher report and compliance report (#4156)
---
.../compress_sign_and_upload/action.yml | 41 ++++---
.github/workflows/release-5.x.yml | 105 ++++++-----------
.github/workflows/release.yml | 106 +++++++-----------
3 files changed, 98 insertions(+), 154 deletions(-)
diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml
index f38b3757b0..8bce52aafc 100644
--- a/.github/actions/compress_sign_and_upload/action.yml
+++ b/.github/actions/compress_sign_and_upload/action.yml
@@ -1,19 +1,23 @@
name: Compress and Sign
description: 'Compresses package and signs with garasign'
-inputs:
- aws_role_arn:
- description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
- required: true
- aws_region_name:
- description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
- required: true
- aws_secret_id:
- description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
- required: true
- npm_package_name:
- description: 'The name for the npm package this repository represents'
- required: true
+inputs:
+ aws_role_arn:
+ description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_region_name:
+ description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_secret_id:
+ description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ npm_package_name:
+ description: 'The name for the npm package this repository represents'
+ required: true
+ dry_run:
+ description: 'Should we upload files to the release?'
+ required: false
+ default: 'true'
runs:
using: composite
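Review bot: The new `dry_run` input's description states the opposite of what the flag controls: with the default `'true'` the signature is not uploaded, yet the text reads 'Should we upload files to the release?'. Suggest `description: 'When true (the default), sign the package but do not upload the signature to the GitHub release'`. Composite-action inputs are always strings, so the quoted `'true'` default is the right spelling, and callers have to be aware they will receive the strings 'true'/'false' rather than a boolean.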
@@ -31,24 +35,25 @@ runs:
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
- with:
+ with:
aws_region_name: ${{ inputs.aws_region_name }}
aws_role_arn: ${{ inputs.aws_role_arn }}
aws_secret_id: ${{ inputs.aws_secret_id }}
- name: Create detached signature
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
- with:
+ with:
filenames: ${{ steps.get_vars.outputs.package_file }}
- env:
+ env:
RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig
- - name: Name release asset correctly
+ - name: Name release asset correctly
run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash
- name: "Upload release artifacts"
+ if: ${{ inputs.dry_run == false }}
run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash
env:
- GH_TOKEN: ${{ github.token }}
\ No newline at end of file
+ GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml
index 60967fadb4..f62347a7b6 100644
--- a/.github/workflows/release-5.x.yml
+++ b/.github/workflows/release-5.x.yml
@@ -21,15 +21,27 @@ jobs:
with:
target-branch: 5.x
- compress_sign_and_upload:
+ ssdlc:
needs: [release_please]
- if: ${{ needs.release_please.outputs.release_created }}
+ permissions:
+ # required for all workflows
+ security-events: write
+ id-token: write
+ contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
+ - name: Get release version and release package file name
+ id: get_vars
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
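Review bot: `if: ${{ inputs.dry_run == false }}` on the "Upload release artifacts" step compares a string input with a boolean; action inputs are always strings, and as I read GitHub's expression rules a mismatched comparison coerces both sides to numbers, so neither 'true' nor 'false' ever equals `false` and the upload step would be skipped on real releases too. Compare against the string the callers actually send (the workflows pass the stringified result of `needs.release_please.outputs.release_created == ''`): `if: ${{ inputs.dry_run == 'false' }}`. A one-line comment above the `if:` noting that the input arrives as the string 'true'/'false' would stop the next person from "fixing" it back to a boolean.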
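Review bot: The `ssdlc` job drops the `if: ${{ needs.release_please.outputs.release_created }}` guard that `compress_sign_and_upload` had, so a job holding `contents: write`, `id-token: write` and `security-events: write`, assuming the AWS role and running the GPG signing step, now executes on every run of this workflow, with only the final upload gated through `dry_run`. If that is intended (to produce the reports on non-release runs as well), a comment above `permissions:` saying so would make the widened exposure deliberate; otherwise restore the job-level `if:`. The same applies to the matching hunk in `.github/workflows/release.yml`. Separately, `package_file=mongodb-${package_version}.tgz` hard-codes the package name that is passed independently as `npm_package_name: 'mongodb'` a few lines below; deriving one from the other would keep them from drifting.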
@@ -37,79 +49,34 @@ jobs:
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- - run: npm publish --provenance --tag=5x
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
- generate_sarif_report:
- environment: release
- runs-on: ubuntu-latest
- needs: [release_please]
- permissions:
- # required for all workflows
- security-events: write
- id-token: write
- contents: write
-
- steps:
- - uses: actions/checkout@v4
- - name: Set up drivers-github-tools
- uses: mongodb-labs/drivers-github-tools/setup@v2
- with:
- aws_region_name: us-east-1
- aws_role_arn: ${{ secrets.aws_role_arn }}
- aws_secret_id: ${{ secrets.aws_secret_id }}
+ dry_run: ${{ needs.release_please.outputs.release_created == '' }}
- - name: "Generate Sarif Report"
- uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
- with:
- ref: 5.x
- output-file: sarif-report.json
-
- - name: Get release version and release package file name
- id: get_version
+ - name: Copy sbom file to release assets
shell: bash
- run: |
- package_version=$(jq --raw-output '.version' package.json)
- echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- - name: actions/publish_asset_to_s3
- uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
+ run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
+
+ - name: Generate authorized pub report
+ uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
- version: ${{ steps.get_version.outputs.package_version }}
- product_name: node-mongodb-native
- file: sarif-report.json
- dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+ release_version: ${{ steps.get_version.outputs.package_version }}
+ product_name: mongodb
+ sarif_report_target_ref: 5.x
+ third_party_dependency_tool: n/a
+ # and .sig
+ dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
+ token: ${{ github.token }}
+ sbom_file_name: sbom.json
- upload_sbom_lite:
+ publish:
+ needs: [release_please, ssdlc]
environment: release
runs-on: ubuntu-latest
- needs: [release_please]
- permissions:
- # required for all workflows
- security-events: write
- id-token: write
- contents: write
-
steps:
- uses: actions/checkout@v4
- - name: Set up drivers-github-tools
- uses: mongodb-labs/drivers-github-tools/setup@v2
- with:
- aws_region_name: us-east-1
- aws_role_arn: ${{ secrets.aws_role_arn }}
- aws_secret_id: ${{ secrets.aws_secret_id }}
-
- - name: Get release version and release package file name
- id: get_version
- shell: bash
- run: |
- package_version=$(jq --raw-output '.version' package.json)
- echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ - name: actions/setup
+ uses: ./.github/actions/setup
- - name: actions/publish_asset_to_s3
- uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
- with:
- version: ${{ steps.get_version.outputs.package_version }}
- product_name: node-mongodb-native
- file: sbom.json
- dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+ - run: npm publish --provenance --tag=5.x
+ if: ${{ needs.release_please.outputs.release_created }}
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d00ef44e6e..29ff67862a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
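Review bot: `release_version: ${{ steps.get_version.outputs.package_version }}` in the "Generate authorized pub report" step references a step id that no longer exists in the `ssdlc` job — the `get_version` step is removed in this hunk and the version is now produced by `id: get_vars` — so the expression evaluates to an empty string and the report is generated without a release version; `dist_filenames` two lines below already uses `steps.get_vars`. Change it to `release_version: ${{ steps.get_vars.outputs.package_version }}`; the corresponding hunk in `.github/workflows/release.yml` has the same reference. `env.S3_ASSETS`, used by the "Copy sbom file" step, is not defined anywhere in this diff; presumably the drivers-github-tools setup action exports it, but that is worth confirming since an empty value would copy to `/sbom.json`. Note also that the npm dist-tag changes from `--tag=5x` to `--tag=5.x`; anyone installing `mongodb@5x` would stop receiving updates, so confirm that rename is intentional.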
@@ -19,15 +19,27 @@ jobs:
- id: release
uses: googleapis/release-please-action@v4
- compress_sign_and_upload:
+ ssdlc:
needs: [release_please]
- if: ${{ needs.release_please.outputs.release_created }}
+ permissions:
+ # required for all workflows
+ security-events: write
+ id-token: write
+ contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
+ - name: Get release version and release package file name
+ id: get_vars
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
@@ -35,80 +47,40 @@ jobs:
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- - run: npm publish --provenance
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ dry_run: ${{ needs.release_please.outputs.release_created == '' }}
- generate_sarif_report:
- environment: release
- runs-on: ubuntu-latest
- needs: [release_please]
- permissions:
- # required for all workflows
- security-events: write
- id-token: write
- contents: write
-
- steps:
- - uses: actions/checkout@v4
- - name: Set up drivers-github-tools
- uses: mongodb-labs/drivers-github-tools/setup@v2
- with:
- aws_region_name: us-east-1
- aws_role_arn: ${{ secrets.aws_role_arn }}
- aws_secret_id: ${{ secrets.aws_secret_id }}
+ - name: Copy sbom file to release assets
+ shell: bash
+ run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
- - name: "Generate Sarif Report"
- uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+ - name: Generate authorized pub report
+ uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
- ref: main
- output-file: sarif-report.json
+ release_version: ${{ steps.get_version.outputs.package_version }}
+ product_name: mongodb
+ sarif_report_target_ref: main
+ third_party_dependency_tool: n/a
+ # and .sig
+ dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
+ token: ${{ github.token }}
+ sbom_file_name: sbom.json
- - name: Get release version and release package file name
- id: get_version
- shell: bash
- run: |
- package_version=$(jq --raw-output '.version' package.json)
- echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- - name: actions/publish_asset_to_s3
- uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+ - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
- version: ${{ steps.get_version.outputs.package_version }}
- product_name: node-mongodb-native
- file: sarif-report.json
+ version: ${{ inputs.version }}
+ product_name: ${{ inputs.product_name }}
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
-
- upload_sbom_lite:
+ publish:
+ needs: [release_please, ssdlc]
environment: release
runs-on: ubuntu-latest
- needs: [release_please]
- permissions:
- # required for all workflows
- security-events: write
- id-token: write
- contents: write
-
steps:
- uses: actions/checkout@v4
- - name: Set up drivers-github-tools
- uses: mongodb-labs/drivers-github-tools/setup@v2
- with:
- aws_region_name: us-east-1
- aws_role_arn: ${{ secrets.aws_role_arn }}
- aws_secret_id: ${{ secrets.aws_secret_id }}
-
- - name: Get release version and release package file name
- id: get_version
- shell: bash
- run: |
- package_version=$(jq --raw-output '.version' package.json)
- echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ - name: actions/setup
+ uses: ./.github/actions/setup
- - name: actions/publish_asset_to_s3
- uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
- with:
- version: ${{ steps.get_version.outputs.package_version }}
- product_name: node-mongodb-native
- file: sbom.json
- dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+ - run: npm publish --provenance --tag=latest
+ if: ${{ needs.release_please.outputs.release_created }}
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
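Review bot: The new `upload-s3-assets@v2` step passes `version: ${{ inputs.version }}` and `product_name: ${{ inputs.product_name }}`, but `inputs` in a workflow file is the workflow's own `workflow_dispatch`/`workflow_call` input context, and nothing in this hunk defines such inputs (the trigger block is outside the hunk); unless `release.yml` declares them, both evaluate to empty strings and the S3 upload is addressed with a blank version and product. This looks copied from the action's usage example; the job already has the values it needs: `version: ${{ steps.get_vars.outputs.package_version }}` and `product_name: node-mongodb-native` (the name the removed `publish_asset_to_s3` steps used — confirm which name the S3 layout expects, since the report step above now says `mongodb`). Note also that `release-5.x.yml` gets no `upload-s3-assets` step in this commit, so the two release workflows now diverge on whether assets reach S3.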