PYTHON-4418 SSDLC Conformance (#31)

Signed-off-by: mongodb-dbx-release-bot[bot] <167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com>
Co-authored-by: mongodb-dbx-release-bot[bot] <167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com>

Author: blink1073

.github/workflows/codeql.yml

@@ -18,6 +18,11 @@ on:
     branches: [ "master", "*" ]
   schedule:
     - cron: '35 23 * * 5'
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
 
 jobs:
   analyze:
@@ -35,6 +40,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.ref }}
     - name: Set up Python
       uses: actions/setup-python@v4
       with:

.github/workflows/dist.yml

@@ -0,0 +1,31 @@
+name: Python Dist
+
+on:
+  workflow_dispatch:
+  workflow_call:
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+.post[0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+[a-b][0-9]+"
+      - "[0-9]+.[0-9]+.[0-9]+rc[0-9]+"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Python
+      uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - name: Install dependencies
+      run: pip install build
+    - name: Create packages
+      run: python -m build .
+    - name: Store package artifacts
+      uses: actions/upload-artifact@v4
+      with:
+          name: all-dist-${{ github.run_id }}
+          path: "dist/*"

.github/workflows/release-python.yml

@@ -1,43 +1,86 @@
-name: Publish packages to PyPI
+name: Release
 
 on:
   workflow_dispatch:
-  push:
-    tags:
-      - "[0-9]+.[0-9]+.[0-9]+"
-      - "[0-9]+.[0-9]+.[0-9]+.post[0-9]+"
-      - "[0-9]+.[0-9]+.[0-9]+[a-b][0-9]+"
-      - "[0-9]+.[0-9]+.[0-9]+rc[0-9]+"
+    inputs:
+      version:
+        description: "The new version to set"
+        required: true
+      following_version:
+        description: "The post (dev) version to set"
+        required: true
+      dry_run:
+        description: "Dry Run?"
+        default: false
+        type: boolean
+
+env:
+  # Changes per repo
+  PRODUCT_NAME: pymongo-auth-aws
+  # Changes per branch
+  SILK_ASSET_GROUP: pymongo-auth-aws
+
+defaults:
+  run:
+    shell: bash -eux {0}
 
 jobs:
-  build:
-    runs-on: ubuntu-latest
+  pre-publish:
     environment: release
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
     steps:
-    - uses: actions/checkout@v4
-    - name: Set up Python
-      uses: actions/setup-python@v4
-      with:
-        python-version: 3.x
-    - name: Install dependencies
-      run: pip install build
-    - name: Create packages
-      run: python -m build .
-    - name: Store package artifacts
-      uses: actions/upload-artifact@v3
-      with:
-        name: dist
-        path: dist
+      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+      - uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
+      - uses: mongodb-labs/drivers-github-tools/python/pre-publish@v2
+        with:
+          version: ${{ inputs.version }}
+          dry_run: ${{ inputs.dry_run }}
+
+  build-dist:
+    needs: [pre-publish]
+    uses: ./.github/workflows/dist.yml
+
+  static-scan:
+    needs: [pre-publish]
+    uses: ./.github/workflows/codeql.yml
+    with:
+      ref: ${{ inputs.version }}
 
   publish:
-    needs: build
-    if: startsWith(github.ref, 'refs/tags/')
+    needs: [build-dist, static-scan]
     runs-on: ubuntu-latest
     environment: release
     permissions:
       id-token: write
+      contents: write
+      security-events: write
     steps:
-    - name: Retrieve package artifacts
-      uses: actions/download-artifact@v3
-    - name: Upload packages
-      uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+      - uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
+      - uses: mongodb-labs/drivers-github-tools/python/publish@v2
+        with:
+          version: ${{ inputs.version }}
+          following_version: ${{ inputs.following_version }}
+          product_name: ${{ env.PRODUCT_NAME }}
+          silk_asset_group: ${{ env.SILK_ASSET_GROUP }}
+          token: ${{ github.token }}
+          dry_run: ${{ inputs.dry_run }}

pyproject.toml

@@ -42,6 +42,7 @@ Homepage = "https://github.com/mongodb/pymongo-auth-aws"
 
 [tool.hatch.version]
 path = "pymongo_auth_aws/version.py"
+validate-bump = false
 
 [tool.hatch.metadata.hooks.requirements_txt]
 files = ["requirements.txt"]