Skip to content

Commit

Permalink
chore(NODE-6212): generate sarif reports in releases and upload sbom …
Browse files Browse the repository at this point in the history 
…lite to s3 [skip-ci] (#4143)
  • Loading branch information
@baileympearson
baileympearson committed Jun 13, 2024
1 parent c1af6ad commit 35fd6b0
Show file tree
Hide file tree
Showing 3 changed files with 151 additions and 4 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@ name: "CodeQL"

on:
push:
branches: [ "main" ]
branches: [ "main", "5.x" ]
pull_request:
branches: [ "main" ]
branches: [ "main", "5.x" ]

jobs:
analyze:
Expand Down
75 changes: 74 additions & 1 deletion .github/workflows/release-5.x.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ jobs:
uses: googleapis/release-please-action@v4
with:
target-branch: 5.x

compress_sign_and_upload:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
Expand All @@ -40,3 +40,76 @@ jobs:
- run: npm publish --provenance --tag=5x
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

generate_sarif_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: "Generate Sarif Report"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
ref: 5.x
output-file: sarif-report.json

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sarif-report.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

upload_sbom_lite:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
76 changes: 75 additions & 1 deletion .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,85 @@ jobs:
uses: ./.github/actions/setup
- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- run: npm publish --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

generate_sarif_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: "Generate Sarif Report"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
ref: main
output-file: sarif-report.json

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sarif-report.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}


upload_sbom_lite:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

0 comments on commit 35fd6b0

Please sign in to comment.