From 9f447e96a8792da2ad7a34e0d46f1322bc9186e4 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Thu, 27 Jun 2024 12:25:06 -0600 Subject: [PATCH] chore(NODE-6243): move Node release tooling to drivers-github-tools (#4159) --- .../compress_sign_and_upload/action.yml | 59 ---------------- .github/actions/setup/action.yml | 15 ----- .github/workflows/build.yml | 16 +++++ .github/workflows/build_docs.yml | 4 +- .github/workflows/dependencies.yml | 4 +- .github/workflows/release-5.x.yml | 65 ++++++++++++------ .github/workflows/release-alpha.yml | 4 +- .github/workflows/release-nightly.yml | 4 +- .github/workflows/release.yml | 67 ++++++++++++------- .github/workflows/release_notes.yml | 4 +- 10 files changed, 113 insertions(+), 129 deletions(-) delete mode 100644 .github/actions/compress_sign_and_upload/action.yml delete mode 100644 .github/actions/setup/action.yml create mode 100644 .github/workflows/build.yml diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml deleted file mode 100644 index 8bce52aafc..0000000000 --- a/.github/actions/compress_sign_and_upload/action.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: Compress and Sign -description: 'Compresses package and signs with garasign' - -inputs: - aws_role_arn: - description: 'AWS role input for drivers-github-tools/gpg-sign@v2' - required: true - aws_region_name: - description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' - required: true - aws_secret_id: - description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' - required: true - npm_package_name: - description: 'The name for the npm package this repository represents' - required: true - dry_run: - description: 'Should we upload files to the release?' - required: false - default: 'true' - -runs: - using: composite - steps: - - run: npm pack - shell: bash - - - name: Get release version and release package file name - id: get_vars - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT" - - - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 - with: - aws_region_name: ${{ inputs.aws_region_name }} - aws_role_arn: ${{ inputs.aws_role_arn }} - aws_secret_id: ${{ inputs.aws_secret_id }} - - - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: - filenames: ${{ steps.get_vars.outputs.package_file }} - env: - RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig - - - name: Name release asset correctly - run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig - shell: bash - - - name: "Upload release artifacts" - if: ${{ inputs.dry_run == false }} - run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig - shell: bash - env: - GH_TOKEN: ${{ github.token }} diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml deleted file mode 100644 index ced847c1bc..0000000000 --- a/.github/actions/setup/action.yml +++ /dev/null @@ -1,15 +0,0 @@ -name: Setup -description: 'Installs node, driver dependencies, and builds source' - -runs: - using: composite - steps: - - uses: actions/setup-node@v4 - with: - node-version: 'lts/*' - cache: 'npm' - registry-url: 'https://registry.npmjs.org' - - run: npm install -g npm@latest - shell: bash - - run: npm clean-install - shell: bash diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000000..3c601ae7b9 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,16 @@ +on: + workflow_call: {} + +name: Build + +permissions: + contents: write + pull-requests: write + id-token: write + +jobs: + build: + runs-on: ubuntu-latest + steps: + - run: echo "nothing to do." + shell: bash diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml index de47ba9028..5fa8064e3d 100644 --- a/.github/workflows/build_docs.yml +++ b/.github/workflows/build_docs.yml @@ -19,8 +19,8 @@ jobs: steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 - run: sudo apt-get install hugo - name: Build Docs run: npm run build:docs -- --yes diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index eab5170f25..310b9a3e5e 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -14,6 +14,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 - run: npm run check:dependencies diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index f62347a7b6..02d862cb86 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -21,8 +21,13 @@ jobs: with: target-branch: 5.x - ssdlc: + build: needs: [release_please] + name: "Perform any build or bundling steps, as necessary." + uses: ./.github/workflows/build.yml + + ssdlc: + needs: [release_please, build] permissions: # required for all workflows security-events: write @@ -32,51 +37,69 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup - - name: Get release version and release package file name - id: get_vars - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT" + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: false + + - name: Load version and package info + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + with: + npm_package_name: mongodb - name: actions/compress_sign_and_upload - uses: ./.github/actions/compress_sign_and_upload + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} - aws_region_name: 'us-east-1' + aws_region_name: us-east-1 aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - npm_package_name: 'mongodb' + npm_package_name: mongodb dry_run: ${{ needs.release_please.outputs.release_created == '' }} - name: Copy sbom file to release assets shell: bash + if: ${{ '' == '' }} run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + # only used for mongodb-client-encryption + - name: Augment SBOM and copy to release assets + if: ${{ '' != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: '' + sbom_file_name: sbom.json + - name: Generate authorized pub report uses: mongodb-labs/drivers-github-tools/full-report@v2 with: - release_version: ${{ steps.get_version.outputs.package_version }} + release_version: ${{ env.package_version }} product_name: mongodb sarif_report_target_ref: 5.x third_party_dependency_tool: n/a - # and .sig - dist_filenames: ${{ steps.get_vars.outputs.package_file }}* - token: ${{ github.token }} + dist_filenames: artifacts/* + token: ${{ github.token }} sbom_file_name: sbom.json + evergreen_project: mongo-node-driver-next + evergreen_commit: ${{ env.commit }} + + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ env.package_version }} + product_name: mongodb + dry_run: ${{ needs.release_please.outputs.release_created == '' }} publish: - needs: [release_please, ssdlc] + needs: [release_please, ssdlc, build] environment: release runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup - - run: npm publish --provenance --tag=5.x + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + + - run: npm publish --provenance --tag=5x if: ${{ needs.release_please.outputs.release_created }} env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/release-alpha.yml b/.github/workflows/release-alpha.yml index e3b024ccd5..ab7512d72e 100644 --- a/.github/workflows/release-alpha.yml +++ b/.github/workflows/release-alpha.yml @@ -26,8 +26,8 @@ jobs: exit 1 fi - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 - run: npm version "${{ inputs.alphaVersion }}" --git-tag-version=false - run: npm publish --provenance --tag=alpha env: diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml index 649b6c760a..b94eb6caf9 100644 --- a/.github/workflows/release-nightly.yml +++ b/.github/workflows/release-nightly.yml @@ -20,8 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 - id: build_nightly run: npm run build:nightly - if: ${{ steps.build_nightly.outputs.publish == 'yes' }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 29ff67862a..8369b7af8e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,7 +8,7 @@ permissions: pull-requests: write id-token: write -name: release +name: release-latest jobs: release_please: @@ -18,9 +18,16 @@ jobs: steps: - id: release uses: googleapis/release-please-action@v4 + with: + target-branch: main - ssdlc: + build: needs: [release_please] + name: "Perform any build or bundling steps, as necessary." + uses: ./.github/workflows/build.yml + + ssdlc: + needs: [release_please, build] permissions: # required for all workflows security-events: write @@ -30,55 +37,67 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup - - name: Get release version and release package file name - id: get_vars - shell: bash - run: | - package_version=$(jq --raw-output '.version' package.json) - echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT" + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 + with: + ignore_install_scripts: false + + - name: Load version and package info + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + with: + npm_package_name: mongodb - name: actions/compress_sign_and_upload - uses: ./.github/actions/compress_sign_and_upload + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} - aws_region_name: 'us-east-1' + aws_region_name: us-east-1 aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - npm_package_name: 'mongodb' + npm_package_name: mongodb dry_run: ${{ needs.release_please.outputs.release_created == '' }} - name: Copy sbom file to release assets shell: bash + if: ${{ '' == '' }} run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + # only used for mongodb-client-encryption + - name: Augment SBOM and copy to release assets + if: ${{ '' != '' }} + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: '' + sbom_file_name: sbom.json + - name: Generate authorized pub report uses: mongodb-labs/drivers-github-tools/full-report@v2 with: - release_version: ${{ steps.get_version.outputs.package_version }} + release_version: ${{ env.package_version }} product_name: mongodb sarif_report_target_ref: main third_party_dependency_tool: n/a - # and .sig - dist_filenames: ${{ steps.get_vars.outputs.package_file }}* - token: ${{ github.token }} + dist_filenames: artifacts/* + token: ${{ github.token }} sbom_file_name: sbom.json + evergreen_project: mongo-node-driver-next + evergreen_commit: ${{ env.commit }} - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: - version: ${{ inputs.version }} - product_name: ${{ inputs.product_name }} - dry_run: ${{ needs.release_please.outputs.release_created == '' }} + version: ${{ env.package_version }} + product_name: mongodb + dry_run: ${{ needs.release_please.outputs.release_created == '' }} publish: - needs: [release_please, ssdlc] + needs: [release_please, ssdlc, build] environment: release runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: actions/setup - uses: ./.github/actions/setup + + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 - run: npm publish --provenance --tag=latest if: ${{ needs.release_please.outputs.release_created }} diff --git a/.github/workflows/release_notes.yml b/.github/workflows/release_notes.yml index 54b038f531..486aa5ec95 100644 --- a/.github/workflows/release_notes.yml +++ b/.github/workflows/release_notes.yml @@ -45,8 +45,8 @@ jobs: # Setup Node.js and npm install - - name: actions/setup - uses: ./.github/actions/setup + - name: Install Node and dependencies + uses: mongodb-labs/drivers-github-tools/node/setup@v2 # See: https://github.com/googleapis/release-please/issues/1274