Skip to content

Commit

Permalink
chore(NODE-6118): generate authorized publisher report and compliance…
Browse files Browse the repository at this point in the history
… report (#4156)
  • Loading branch information
baileympearson authored Jun 24, 2024
1 parent 8fb43f8 commit 27cb35b
Show file tree
Hide file tree
Showing 3 changed files with 98 additions and 154 deletions.
41 changes: 23 additions & 18 deletions .github/actions/compress_sign_and_upload/action.yml
Original file line number Diff line number Diff line change
@@ -1,19 +1,23 @@
name: Compress and Sign
description: 'Compresses package and signs with garasign'

inputs:
aws_role_arn:
description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
required: true
aws_region_name:
description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
required: true
aws_secret_id:
description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
required: true
npm_package_name:
description: 'The name for the npm package this repository represents'
required: true
inputs:
aws_role_arn:
description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
required: true
aws_region_name:
description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
required: true
aws_secret_id:
description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
required: true
npm_package_name:
description: 'The name for the npm package this repository represents'
required: true
dry_run:
description: 'Should we upload files to the release?'
required: false
default: 'true'

runs:
using: composite
Expand All @@ -31,24 +35,25 @@ runs:
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
with:
aws_region_name: ${{ inputs.aws_region_name }}
aws_role_arn: ${{ inputs.aws_role_arn }}
aws_secret_id: ${{ inputs.aws_secret_id }}

- name: Create detached signature
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
with:
with:
filenames: ${{ steps.get_vars.outputs.package_file }}
env:
env:
RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig

- name: Name release asset correctly
- name: Name release asset correctly
run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash

- name: "Upload release artifacts"
if: ${{ inputs.dry_run == false }}
run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ github.token }}
105 changes: 36 additions & 69 deletions .github/workflows/release-5.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,95 +21,62 @@ jobs:
with:
target-branch: 5.x

compress_sign_and_upload:
ssdlc:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- name: Get release version and release package file name
id: get_vars
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- run: npm publish --provenance --tag=5x
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

generate_sarif_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

- name: "Generate Sarif Report"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
ref: 5.x
output-file: sarif-report.json

- name: Get release version and release package file name
id: get_version
- name: Copy sbom file to release assets
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json

- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sarif-report.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
release_version: ${{ steps.get_version.outputs.package_version }}
product_name: mongodb
sarif_report_target_ref: 5.x
third_party_dependency_tool: n/a
# <package> and <package>.sig
dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
token: ${{ github.token }}
sbom_file_name: sbom.json

upload_sbom_lite:
publish:
needs: [release_please, ssdlc]
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/setup
uses: ./.github/actions/setup

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
- run: npm publish --provenance --tag=5.x
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
106 changes: 39 additions & 67 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,96 +19,68 @@ jobs:
- id: release
uses: googleapis/release-please-action@v4

compress_sign_and_upload:
ssdlc:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- name: Get release version and release package file name
id: get_vars
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- run: npm publish --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

generate_sarif_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}
- name: Copy sbom file to release assets
shell: bash
run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json

- name: "Generate Sarif Report"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
ref: main
output-file: sarif-report.json
release_version: ${{ steps.get_version.outputs.package_version }}
product_name: mongodb
sarif_report_target_ref: main
third_party_dependency_tool: n/a
# <package> and <package>.sig
dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
token: ${{ github.token }}
sbom_file_name: sbom.json

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
- uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sarif-report.json
version: ${{ inputs.version }}
product_name: ${{ inputs.product_name }}
dry_run: ${{ needs.release_please.outputs.release_created == '' }}


upload_sbom_lite:
publish:
needs: [release_please, ssdlc]
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/setup
uses: ./.github/actions/setup

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
- run: npm publish --provenance --tag=latest
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

0 comments on commit 27cb35b

Please sign in to comment.