Skip to content

Commit

Permalink
feat(NODE-6157): add signature to github releases (#4119)
Browse files Browse the repository at this point in the history
  • Loading branch information
@aditi-khare-mongoDB
aditi-khare-mongoDB committed Jun 3, 2024
1 parent f56938f commit f38c5fe
Show file tree
Hide file tree
Showing 4 changed files with 113 additions and 18 deletions.
54 changes: 54 additions & 0 deletions .github/actions/compress_sign_and_upload/action.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: Compress and Sign
description: 'Compresses package and signs with garasign'

inputs:
aws_role_arn:
description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
required: true
aws_region_name:
description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
required: true
aws_secret_id:
description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
required: true
npm_package_name:
description: 'The name for the npm package this repository represents'
required: true

runs:
using: composite
steps:
- run: npm pack
shell: bash

- name: Get release version and release package file name
id: get_vars
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: ${{ inputs.aws_region_name }}
aws_role_arn: ${{ inputs.aws_role_arn }}
aws_secret_id: ${{ inputs.aws_secret_id }}

- name: Create detached signature
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
with:
filenames: ${{ steps.get_vars.outputs.package_file }}
env:
RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig

- name: Name release asset correctly
run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash

- name: "Upload release artifacts"
run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash
env:
GH_TOKEN: ${{ github.token }}
31 changes: 21 additions & 10 deletions .github/workflows/release-5.x.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,21 +11,32 @@ permissions:
name: release-5x

jobs:
release-please:
release_please:
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.release.outputs.release_created }}
steps:
- id: release
uses: google-github-actions/release-please-action@v4
uses: googleapis/release-please-action@v4
with:
target-branch: 5.x

# If release-please created a release, publish to npm
- if: ${{ steps.release.outputs.release_created }}
uses: actions/checkout@v4
- if: ${{ steps.release.outputs.release_created }}
name: actions/setup

compress_sign_and_upload:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- if: ${{ steps.release.outputs.release_created }}
run: npm publish --provenance --tag=5x
- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- run: npm publish --provenance --tag=5x
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
27 changes: 19 additions & 8 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,19 +11,30 @@ permissions:
name: release

jobs:
release-please:
release_please:
runs-on: ubuntu-latest
outputs:
release_created: ${{ steps.release.outputs.release_created }}
steps:
- id: release
uses: googleapis/release-please-action@v4

# If release-please created a release, publish to npm
- if: ${{ steps.release.outputs.release_created }}
uses: actions/checkout@v4
- if: ${{ steps.release.outputs.release_created }}
name: actions/setup
compress_sign_and_upload:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- if: ${{ steps.release.outputs.release_created }}
run: npm publish --provenance
- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- run: npm publish --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
19 changes: 19 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,25 @@ The official [MongoDB](https://www.mongodb.com/) driver for Node.js.
| Contributing | [CONTRIBUTING.md](https://github.com/mongodb/node-mongodb-native/blob/HEAD/CONTRIBUTING.md) |
| Changelog | [HISTORY.md](https://github.com/mongodb/node-mongodb-native/blob/HEAD/HISTORY.md) |



### Release Integrity

The GitHub release contains a detached signature file for the NPM package (named
`mongodb-X.Y.Z.tgz.sig`).

The following command returns the link npm package.
```shell
npm view mongodb@vX.Y.Z dist.tarball
```

Using the result of the above command, a `curl` command can return the official npm package for the release.

To verify the integrity of the downloaded package, run the following command:
```shell
gpg --verify mongodb-X.Y.Z.tgz.sig mongodb-X.Y.Z.tgz
```

### Bugs / Feature Requests

Think you’ve found a bug? Want to see a new feature in `node-mongodb-native`? Please open a
Expand Down

0 comments on commit f38c5fe

Please sign in to comment.