From 344c9b59cb6bc8c3516ce8f55d2580ea6679975d Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:33:01 -0600 Subject: [PATCH 01/22] add node actions: --- node/get_version_info/action.yml | 18 ++++++++++ node/publish_asset_to_s3/action.yml | 39 --------------------- node/sign_js_only_package/action.yml | 51 ++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 39 deletions(-) create mode 100644 node/get_version_info/action.yml delete mode 100644 node/publish_asset_to_s3/action.yml create mode 100644 node/sign_js_only_package/action.yml diff --git a/node/get_version_info/action.yml b/node/get_version_info/action.yml new file mode 100644 index 0000000..88870f2 --- /dev/null +++ b/node/get_version_info/action.yml @@ -0,0 +1,18 @@ + +name: Publish Release Asset to S3 +description: "Publish Asset to S3" +inputs: + package_name: + description: the npm package name + required: true + +runs: + using: composite + steps: + - name: Get release version and release package file name + id: get_version + shell: bash + run: | + package_version=$(jq --raw-output '.version' package.json) + echo "package_version=${package_version}" >> "$GITHUB_ENV" + echo "package_file=${{ inputs.package_name }}-${package_version}.tgz" >> "$GITHUB_ENV" \ No newline at end of file diff --git a/node/publish_asset_to_s3/action.yml b/node/publish_asset_to_s3/action.yml deleted file mode 100644 index 35533c4..0000000 --- a/node/publish_asset_to_s3/action.yml +++ /dev/null 
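Review bot: `name: Publish Release Asset to S3` and `description: "Publish Asset to S3"` in the new get_version_info action are carried over from the publish action this commit deletes; the action only derives `package_version` and `package_file` from package.json and exports them through `$GITHUB_ENV`, so something like `name: Get version info` / `description: 'Reads the version from package.json and exports package_version and package_file'` would describe it. Separately, `${{ inputs.package_name }}` is substituted into the `run:` script before bash parses it, so a caller-supplied value containing shell metacharacters is executed rather than treated as data; the documented safe pattern is to route it through the step's `env:` (`env:` / `PACKAGE_NAME: ${{ inputs.package_name }}`) and write `"${PACKAGE_NAME}"` in the script. As far as this series shows, the only caller hard-codes the name from a template, so exposure is limited today, but the action is meant to be shared.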
@@ -1,39 +0,0 @@ - -name: Publish Release Asset to S3 -description: "Publish Asset to S3" -inputs: - version: - description: "The published version" - required: true - product_name: - description: "The name of the product" - required: true - file: - description: file to upload - required: true - dry_run: - description: "Whether this is a dry run" - required: false - default: 'false' - -runs: - using: composite - steps: - - name: Run publish script - shell: bash - run: | - set -eux - if [ "$DRY_RUN" == "false" ]; then - echo "Uploading Release Reports" - TARGET=s3://${AWS_BUCKET}/${PRODUCT_NAME}/${VERSION}/${FILE} - aws s3 cp $FILE $TARGET - else - echo "Dry run, not uploading to S3 or creating GitHub Release" - echo "Would upload $FILE" - cat $FILE - fi - env: - VERSION: ${{ inputs.version }} - PRODUCT_NAME: ${{ inputs.product_name }} - DRY_RUN: ${{ inputs.dry_run }} - FILE: ${{ inputs.file }} diff --git a/node/sign_js_only_package/action.yml b/node/sign_js_only_package/action.yml new file mode 100644 index 0000000..9d75a9e --- /dev/null +++ b/node/sign_js_only_package/action.yml 
@@ -0,0 +1,51 @@ +name: Compress, Sign and Upload to GH Release +description: 'Compresses package and signs with garasign and uploads to GH release' + +inputs: + aws_role_arn: + description: 'AWS role input for drivers-github-tools/gpg-sign@v2' + required: true + aws_region_name: + description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' + required: true + aws_secret_id: + description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' + required: true + dry_run: + description: 'Should we upload files to the release?' + required: false + default: 'true' + +runs: + using: composite + steps: + - run: npm pack + shell: bash + + - name: Determine version and package info + uses: baileympearson/drivers-github-tools/node/get_version_info@add-node-actions + + - name: Set up drivers-github-tools + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_region_name: ${{ inputs.aws_region_name }} + aws_role_arn: ${{ inputs.aws_role_arn }} + aws_secret_id: ${{ inputs.aws_secret_id }} + + - name: Create detached signature + uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + with: + filenames: ${{ env.package_file }} + env: + RELEASE_ASSETS: ${{ env.package_file }}.temp.sig + + - name: Name release asset correctly + run: mv ${{ env.package_file }}.temp.sig ${{ env.package_file }}.sig + shell: bash + + - name: "Upload release artifacts" + if: ${{ inputs.dry_run == false }} + run: gh release upload v${{ env.package_version }} ${{ env.package_file }}.sig + shell: bash + env: + GH_TOKEN: ${{ github.token }} From 0f18ab75f4d5745bf3aa316fbdaa83f9a448fbe8 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:33:31 -0600 Subject: [PATCH 02/22] add node actions: --- node/sign_js_only_package/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node/sign_js_only_package/action.yml b/node/sign_js_only_package/action.yml index 9d75a9e..dbd45e8 100644 --- a/node/sign_js_only_package/action.yml 
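Review bot: `if: ${{ inputs.dry_run == false }}` on the upload step compares a string with a boolean; action inputs are always strings and, as I read GitHub's loose-comparison rules, mismatched types are coerced to numbers, so `'false'` becomes NaN and the condition never holds — the signature is never uploaded even when `dry_run` is `'false'`. Compare against the string instead: `if: ${{ inputs.dry_run == 'false' }}`. The same condition is carried unchanged into the later hunks of this file (patch 06 and patch 12) and is inconsistent with `node/setup/action.yml` in patch 14, which compares `== 'false'` correctly. Also, `uses: baileympearson/drivers-github-tools/node/get_version_info@add-node-actions` pins a step of a signing action to a mutable branch on a personal fork; before merge it should reference the org repository at a tag or commit SHA, as the neighbouring `mongodb-labs/...@v2` steps do.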
+++ b/node/sign_js_only_package/action.yml @@ -45,7 +45,7 @@ runs: - name: "Upload release artifacts" if: ${{ inputs.dry_run == false }} - run: gh release upload v${{ env.package_version }} ${{ env.package_file }}.sig + run: echo "uploading" # gh release upload v${{ env.package_version }} ${{ env.package_file }}.sig shell: bash env: GH_TOKEN: ${{ github.token }} From d3eb67e0385e0cfecda25cd648c0104a1f597ca4 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:40:51 -0600 Subject: [PATCH 03/22] consolidate --- node/sign_js_only_package/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node/sign_js_only_package/action.yml b/node/sign_js_only_package/action.yml index dbd45e8..13a19ac 100644 --- a/node/sign_js_only_package/action.yml +++ b/node/sign_js_only_package/action.yml @@ -23,7 +23,7 @@ runs: shell: bash - name: Determine version and package info - uses: baileympearson/drivers-github-tools/node/get_version_info@add-node-actions + uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node - name: Set up drivers-github-tools uses: mongodb-labs/drivers-github-tools/setup@v2 From 6c43607d984ee589369f7ef0caed246117aa7d51 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:44:15 -0600 Subject: [PATCH 04/22] foo --- node/sign_js_only_package/action.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/node/sign_js_only_package/action.yml b/node/sign_js_only_package/action.yml index 13a19ac..cefcabc 100644 --- a/node/sign_js_only_package/action.yml +++ b/node/sign_js_only_package/action.yml @@ -11,6 +11,9 @@ inputs: aws_secret_id: description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' required: true + npm_package_name: + description: the npm package name + required: true dry_run: description: 'Should we upload files to the release?' required: false 
@@ -24,6 +27,8 @@ runs: - name: Determine version and package info uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node + with: + npm_package_name: ${{ inputs.npm_package_name }} - name: Set up drivers-github-tools uses: mongodb-labs/drivers-github-tools/setup@v2 From 6c1e028635eaa927f59ddc47fa85c0c40d9c7e9d Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:47:09 -0600 Subject: [PATCH 05/22] npm --- node/get_version_info/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/node/get_version_info/action.yml b/node/get_version_info/action.yml index 88870f2..80bcc60 100644 --- a/node/get_version_info/action.yml +++ b/node/get_version_info/action.yml @@ -2,7 +2,7 @@ name: Publish Release Asset to S3 description: "Publish Asset to S3" inputs: - package_name: + npm_package_name: description: the npm package name required: true @@ -15,4 +15,4 @@ runs: run: | package_version=$(jq --raw-output '.version' package.json) echo "package_version=${package_version}" >> "$GITHUB_ENV" - echo "package_file=${{ inputs.package_name }}-${package_version}.tgz" >> "$GITHUB_ENV" \ No newline at end of file + echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_ENV" \ No newline at end of file From e50eff7ad34d88bd8d1017fa70197bc10d3c47d9 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 13:51:06 -0600 Subject: [PATCH 06/22] add back in upload --- node/sign_js_only_package/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node/sign_js_only_package/action.yml b/node/sign_js_only_package/action.yml index cefcabc..e762ee8 100644 --- a/node/sign_js_only_package/action.yml +++ b/node/sign_js_only_package/action.yml 
@@ -50,7 +50,7 @@ runs: - name: "Upload release artifacts" if: ${{ inputs.dry_run == false }} - run: echo "uploading" # gh release upload v${{ env.package_version }} ${{ env.package_file }}.sig + run: gh release upload v${{ env.package_version }} ${{ env.package_file }}.sig shell: bash env: GH_TOKEN: ${{ github.token }} From 5d145529f640ab6bbe68e5c3d98e6da79d5dc33f Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 14:17:20 -0600 Subject: [PATCH 07/22] add setup action --- node/setup/action.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 node/setup/action.yml diff --git a/node/setup/action.yml b/node/setup/action.yml new file mode 100644 index 0000000..ced847c --- /dev/null +++ b/node/setup/action.yml @@ -0,0 +1,15 @@ +name: Setup +description: 'Installs node, driver dependencies, and builds source' + +runs: + using: composite + steps: + - uses: actions/setup-node@v4 + with: + node-version: 'lts/*' + cache: 'npm' + registry-url: 'https://registry.npmjs.org' + - run: npm install -g npm@latest + shell: bash + - run: npm clean-install + shell: bash From 5f53adef980d0bb22e8cb42f66b6743dd0d0acf4 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Mon, 24 Jun 2024 14:33:14 -0600 Subject: [PATCH 08/22] add release template and release template generation --- node/generate_release.js | 19 +++++++++ node/release_template.yml | 86 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 node/generate_release.js create mode 100644 node/release_template.yml diff --git a/node/generate_release.js b/node/generate_release.js new file mode 100644 index 0000000..61d2839 --- /dev/null +++ b/node/generate_release.js 
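Review bot: `npm install -g npm@latest` pulls whichever npm happens to be current at release time into a pipeline that signs and publishes artifacts, which makes the job non-reproducible and widens the supply-chain surface without a stated reason; pin it (`npm install -g npm@<pinned version>`) or drop the step and use the npm shipped with the `lts/*` node. The `description: 'Installs node, driver dependencies, and builds source'` overstates what is here — the steps install node, update npm and run `npm clean-install`, and no build step appears — so either add the build or say `'Installs node and driver dependencies'`. Both `cache: 'npm'` and `npm clean-install` require a committed package-lock.json, which is worth stating in the description so consumers know the precondition.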
@@ -0,0 +1,19 @@
+const { readFileSync } = require('fs');
+const { join } = require('path');
+
+const args = process.argv.slice(2);
+if (args.length != 3) {
+ console.error(`usage: generate_release.js `);
+ process.exitCode = 1;
+ process.exit();
+}
+
+const [package, branch, tag] = args;
+
+const template = readFileSync(join(__dirname, './release_template.yml'), 'utf-8');
+
+const generated = template.replaceAll('RELEASE_BRANCH', branch)
+.replaceAll('RELEASE_PACKAGE', package)
+.replaceAll('RELEASE_TAG', tag);
+
+process.stdout.write(generated);
\ No newline at end of file
diff --git a/node/release_template.yml b/node/release_template.yml
new file mode 100644
index 0000000..73a02d9
--- /dev/null
+++ b/node/release_template.yml
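Review bot: `const [package, branch, tag] = args;` binds `package`, a reserved word in strict-mode JavaScript; it works in this sloppy-mode CommonJS file but breaks as soon as someone adds `'use strict'` or converts the script to ESM, so `packageName` is the safer name. `args.length != 3` should be `!==` to match the strict-equality style the rest of the series uses (`package === 'kerberos'` in patch 14). The script substitutes `branch`, `tag` and the package name into a workflow file with no validation or escaping; that is reasonable for operator-run tooling, but a comment such as `// argv values are trusted operator input; no YAML escaping is applied` would make the assumption explicit for the next maintainer.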
@@ -0,0 +1,86 @@ +on: + push: + branches: [RELEASE_BRANCH] + workflow_dispatch: {} + +permissions: + contents: write + pull-requests: write + id-token: write + +name: release-RELEASE_TAG + +jobs: + release_please: + runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} + steps: + - id: release + uses: googleapis/release-please-action@v4 + with: + target-branch: RELEASE_BRANCH + + ssdlc: + needs: [release_please] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + + - name: Load version and package info + uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node + + - name: actions/compress_sign_and_upload + uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: us-east-1 + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: RELEASE_PACKAGE + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + - name: Copy sbom file to release assets + shell: bash + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/full-report@v2 + with: + release_version: ${{ steps.get_version.outputs.package_version }} + product_name: RELEASE_PACKAGE + sarif_report_target_ref: RELEASE_BRANCH + third_party_dependency_tool: n/a + # and .sig + dist_filenames: ${{ steps.get_vars.outputs.package_file }}* + token: ${{ github.token }} + sbom_file_name: sbom.json + + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ env.package_version }} + product_name: RELEASE_PACKAGE + dry_run: ${{ 
needs.release_please.outputs.release_created == '' }} + + publish: + needs: [release_please, ssdlc] + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + + - run: npm publish --provenance --tag=RELEASE_TAG + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From 340513d9eea9e5a1a5a35ec03d4b54b335db4338 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Tue, 25 Jun 2024 08:27:12 -0600 Subject: [PATCH 09/22] generation script --- node/generate_release.js | 17 +++++++++++++++-- node/get_version_info/action.yml | 3 ++- node/release_template.yml | 6 ++++-- 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/node/generate_release.js b/node/generate_release.js index 61d2839..50ff754 100644 --- a/node/generate_release.js +++ b/node/generate_release.js @@ -12,8 +12,21 @@ const [package, branch, tag] = args; const template = readFileSync(join(__dirname, './release_template.yml'), 'utf-8'); +const EVERGREEN_PROJECTS = { + 'mongodb': 'mongodb-node-driver-next', + 'bson': 'js-bson' +}; + const generated = template.replaceAll('RELEASE_BRANCH', branch) -.replaceAll('RELEASE_PACKAGE', package) -.replaceAll('RELEASE_TAG', tag); + .replaceAll('RELEASE_PACKAGE', package) + .replaceAll('RELEASE_TAG', tag) + .replaceAll('EVERGREEN_PROJECT', EVERGREEN_PROJECTS[package] ?? ''); + +const project = EVERGREEN_PROJECTS[package]; +if (!project) { + const final = generated.split('\n').filter(line => !line.includes("evergreen")).join('\n'); + process.stdout.write(final); + process.exit(); +} process.stdout.write(generated); \ No newline at end of file diff --git a/node/get_version_info/action.yml b/node/get_version_info/action.yml index 80bcc60..f8c6d95 100644 --- a/node/get_version_info/action.yml +++ b/node/get_version_info/action.yml 
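Review bot: The workflow-level `permissions:` block grants `contents: write`, `pull-requests: write` and `id-token: write` to every job, so the `publish` job — which needs `id-token: write` for `npm publish --provenance` and read access for checkout — also runs with repository write access it never uses; set the top-level block to `contents: read` and declare per-job `permissions:` the way the `ssdlc` job already does. `cp sbom.json ${{ env.S3_ASSETS }}/sbom.json` relies on `S3_ASSETS` having been exported by an earlier step; nothing in this template sets it, so presumably the drivers-github-tools setup action does, and a comment naming the producer would help the reader. Every node action is referenced as `baileympearson/drivers-github-tools/...@add-signing-env-action-for-node`, a branch on a personal fork; a generated release workflow should pin the org repository at a tag or SHA before this template ships.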
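Review bot: The fallback branch removes every line of the generated workflow whose text contains `evergreen`, via `.filter(line => !line.includes("evergreen"))`; that is a whole-file substring match, so any future template line that merely mentions Evergreen (a comment, a step name) silently disappears for packages outside `EVERGREEN_PROJECTS`. Matching only the two keys this series introduces, e.g. `!/^\s*evergreen_(project|commit):/.test(line)`, ties the filter to the lines it is meant to remove. The lookup is also performed twice (`EVERGREEN_PROJECTS[package] ?? ''` and then `const project = EVERGREEN_PROJECTS[package]`); compute `project` once above the `replaceAll` chain and reuse it in both places.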
@@ -15,4 +15,5 @@ runs: run: | package_version=$(jq --raw-output '.version' package.json) echo "package_version=${package_version}" >> "$GITHUB_ENV" - echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_ENV" \ No newline at end of file + echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_ENV" + echo "commit=$(git rev-parse HEAD)" >> $GITHUB_ENV diff --git a/node/release_template.yml b/node/release_template.yml index 73a02d9..c9f8cd0 100644 --- a/node/release_template.yml +++ b/node/release_template.yml @@ -55,14 +55,16 @@ jobs: - name: Generate authorized pub report uses: mongodb-labs/drivers-github-tools/full-report@v2 with: - release_version: ${{ steps.get_version.outputs.package_version }} + release_version: ${{ env.package_version }} product_name: RELEASE_PACKAGE sarif_report_target_ref: RELEASE_BRANCH third_party_dependency_tool: n/a # and .sig - dist_filenames: ${{ steps.get_vars.outputs.package_file }}* + dist_filenames: ${{ env.package_file }}* token: ${{ github.token }} sbom_file_name: sbom.json + evergreen_project: EVERGREEN_PROJECT + evergreen_commit: ${{ env.commit }} - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 with: From 10a6b4181ea1d89629adc1584749a3484d20e83c Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Tue, 25 Jun 2024 08:29:06 -0600 Subject: [PATCH 10/22] generation script --- node/generate_release.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node/generate_release.js b/node/generate_release.js index 50ff754..411aea3 100644 --- a/node/generate_release.js +++ b/node/generate_release.js @@ -13,7 +13,7 @@ const [package, branch, tag] = args; const template = readFileSync(join(__dirname, './release_template.yml'), 'utf-8'); const EVERGREEN_PROJECTS = { - 'mongodb': 'mongodb-node-driver-next', + 'mongodb': 'mongo-node-driver-next', 'bson': 'js-bson' }; From aeef73c397a9cd1e625df753fd6646cdf6d78459 Mon Sep 17 00:00:00 2001 
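Review bot: `echo "commit=$(git rev-parse HEAD)" >> $GITHUB_ENV` leaves `$GITHUB_ENV` unquoted while the two lines above it write `>> "$GITHUB_ENV"`; use the quoted form for consistency. `git rev-parse HEAD` also makes this action depend on a checkout having run earlier in the caller's job, a precondition the action's description does not mention; a line such as `description: 'Exports package_version, package_file and commit; requires a prior checkout'` would state it.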
From: Bailey Pearson Date: Tue, 25 Jun 2024 14:42:09 -0600 Subject: [PATCH 11/22] signing fix --- gpg-sign/action.yml | 2 +- node/release_template.yml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 171451b..e4765fb 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -16,7 +16,7 @@ runs: id: filenames run: | set -eux - export FILENAMES=${{inputs.filenames}} + FILENAMES="${{inputs.filenames}}" if [[ $FILENAMES =~ '*' ]]; then FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') fi diff --git a/node/release_template.yml b/node/release_template.yml index c9f8cd0..3a2c5d2 100644 --- a/node/release_template.yml +++ b/node/release_template.yml @@ -38,6 +38,8 @@ jobs: - name: Load version and package info uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node + with: + npm_package_name: RELEASE_PACKAGE - name: actions/compress_sign_and_upload uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node From c903292f3204a9885d458610ff3dbd2883c054eb Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Tue, 25 Jun 2024 14:50:38 -0600 Subject: [PATCH 12/22] add generic signing action --- node/sign_js_only_package/action.yml | 61 ++++++++++++++++++++++------ 1 file changed, 48 insertions(+), 13 deletions(-) diff --git a/node/sign_js_only_package/action.yml b/node/sign_js_only_package/action.yml index e762ee8..4045a63 100644 --- a/node/sign_js_only_package/action.yml +++ b/node/sign_js_only_package/action.yml @@ -1,7 +1,7 @@ name: Compress, Sign and Upload to GH Release description: 'Compresses package and signs with garasign and uploads to GH release' -inputs: +inputs: aws_role_arn: description: 'AWS role input for drivers-github-tools/gpg-sign@v2' required: true 
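Review bot: `FILENAMES="${{inputs.filenames}}"` still substitutes the input into the script text before bash parses it, so the added quotes only help with whitespace; a value containing shell metacharacters is still interpreted by the shell. The robust form is to pass the input through the step's `env:` (`env:` / `FILENAMES: ${{ inputs.filenames }}`) and drop the assignment, so the script reads an ordinary environment variable rather than an expanded expression. With `set -eux`, `ls $FILENAMES` fails the step when the glob matches nothing, which is probably what a signing step wants, but a one-line comment saying so would help since `[[ $FILENAMES =~ '*' ]]` reads as a literal-asterisk test rather than a "contains a glob" check. The script continues past the end of this hunk.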
@@ -12,45 +12,80 @@ inputs: description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' required: true npm_package_name: - description: the npm package name + description: 'The name for the npm package this repository represents' required: true dry_run: description: 'Should we upload files to the release?' required: false default: 'true' + artifact_directory: + description: The directory in which to output signatures. + required: true + sign_native: + description: Download and sign native packages + default: "false" runs: using: composite steps: + - uses: actions/download-artifact@v4 + if: ${{ inputs.sign_native == 'true' }} + - run: npm pack shell: bash - - name: Determine version and package info + - name: Make signatures directory + shell: bash + run: mkdir ${{ inputs.artifact_directory }} + + - name: Load version and package info uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node with: npm_package_name: ${{ inputs.npm_package_name }} - name: Set up drivers-github-tools uses: mongodb-labs/drivers-github-tools/setup@v2 - with: + with: aws_region_name: ${{ inputs.aws_region_name }} aws_role_arn: ${{ inputs.aws_role_arn }} aws_secret_id: ${{ inputs.aws_secret_id }} + - name: Determine what files to sign + if: ${{ inputs.sign_native == 'true' }} + shell: bash + run: | + FILENAMES="build-*/*.tar.gz" + if [[ $FILENAMES =~ '*' ]]; then + FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') + fi + FILENAMES="$FILENAMES ${{ env.package_file }}" + echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV" + + - name: Determine what files to sign + if: ${{ inputs.sign_native != 'true' }} + shell: bash + run: | + FILENAMES="${{ env.package_file }}" + echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV" + - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 - with: - filenames: ${{ env.package_file }} - env: - RELEASE_ASSETS: ${{ env.package_file }}.temp.sig + uses: 
baileympearson/drivers-github-tools/gpg-sign@add-signing-env-action-for-node + with: + filenames: ${{ env.FILES_TO_SIGN }} + env: + RELEASE_ASSETS: ${{ inputs.artifact_directory }} + + - name: Copy the tarballs to the artifacts directory + shell: bash + run: for filename in ${{ env.FILES_TO_SIGN }}; do cp $(unknown) artifacts/; done - - name: Name release asset correctly - run: mv ${{ env.package_file }}.temp.sig ${{ env.package_file }}.sig + - name: Display structure of downloaded files shell: bash + run: ls -la artifacts/ - name: "Upload release artifacts" if: ${{ inputs.dry_run == false }} - run: gh release upload v${{ env.package_version }} ${{ env.package_file }}.sig + run: gh release upload v${{ env.package_version }} artifacts/*.* shell: bash env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} \ No newline at end of file From 8d5ff355d013fc113a556389aaa89215cb566356 Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Tue, 25 Jun 2024 15:11:44 -0600 Subject: [PATCH 13/22] shared signing action --- node/sign_js_only_package/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node/sign_js_only_package/action.yml b/node/sign_js_only_package/action.yml index 4045a63..538b411 100644 --- a/node/sign_js_only_package/action.yml +++ b/node/sign_js_only_package/action.yml @@ -20,7 +20,7 @@ inputs: default: 'true' artifact_directory: description: The directory in which to output signatures. - required: true + default: artifacts sign_native: description: Download and sign native packages default: "false" From 508b0f1c31f7a2d6a23a43286580f67152503990 Mon Sep 17 00:00:00 2001 
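Review bot: As rendered here, `cp $(unknown) artifacts/` in the "Copy the tarballs to the artifacts directory" step runs a command named `unknown` inside a command substitution, so `cp` receives no source operand and the step fails; presumably `cp "$filename" ${{ inputs.artifact_directory }}/` was intended. That step, the `ls -la artifacts/` step and `gh release upload ... artifacts/*.*` hard-code `artifacts/` while the directory is created from `${{ inputs.artifact_directory }}` and signatures are written there via `RELEASE_ASSETS`, so a caller that overrides the input gets an empty upload — use the input in all four places. The native branch joins `ls $FILENAMES` output and `${{ env.package_file }}` with spaces into `FILES_TO_SIGN`, which breaks for any file name containing whitespace; acceptable for npm tarballs, but worth a comment stating the assumption. The upload step's `if: ${{ inputs.dry_run == false }}` is the string-versus-boolean comparison raised on the first hunk of this file.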
From: Bailey Pearson Date: Wed, 26 Jun 2024 10:28:48 -0600 Subject: [PATCH 14/22] make action shared --- node/generate_release.js | 6 +- node/native_release_template.yml | 96 +++++++++++++++++++ node/release_template.yml | 5 +- node/setup/action.yml | 8 ++ .../action.yml | 0 5 files changed, 109 insertions(+), 6 deletions(-) create mode 100644 node/native_release_template.yml rename node/{sign_js_only_package => sign_node_package}/action.yml (100%) diff --git a/node/generate_release.js b/node/generate_release.js index 411aea3..a88bc08 100644 --- a/node/generate_release.js +++ b/node/generate_release.js @@ -4,13 +4,13 @@ const { join } = require('path'); const args = process.argv.slice(2); if (args.length != 3) { console.error(`usage: generate_release.js `); - process.exitCode = 1; - process.exit(); + process.exit(1); } const [package, branch, tag] = args; -const template = readFileSync(join(__dirname, './release_template.yml'), 'utf-8'); +const isNative = package === 'kerberos' || package === 'mongodb-client-encryption'; +const template = readFileSync(join(__dirname, isNative ? './native_release_template.yml' : './release_template.yml'), 'utf-8'); const EVERGREEN_PROJECTS = { 'mongodb': 'mongo-node-driver-next', diff --git a/node/native_release_template.yml b/node/native_release_template.yml new file mode 100644 index 0000000..d2c4d85 --- /dev/null +++ b/node/native_release_template.yml 
@@ -0,0 +1,96 @@ +on: + push: + branches: [RELEASE_BRANCH] + workflow_dispatch: {} + +permissions: + contents: write + pull-requests: write + id-token: write + +name: release-RELEASE_TAG + +jobs: + release_please: + runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} + steps: + - id: release + uses: googleapis/release-please-action@v4 + with: + target-branch: RELEASE_BRANCH + + build: + needs: [release_please] + name: "Perform any build or bundling steps, as necessary." + uses: ./.github/workflows/build.yml + + ssdlc: + needs: [release_please, build] + permissions: + # required for all workflows + security-events: write + id-token: write + contents: write + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + with: + ignore_install_scripts: true + + - name: Load version and package info + uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node + with: + npm_package_name: RELEASE_PACKAGE + + - name: actions/compress_sign_and_upload + uses: baileympearson/drivers-github-tools/node/sign_node_package@add-signing-env-action-for-node + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: us-east-1 + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: RELEASE_PACKAGE + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + - name: Copy sbom file to release assets + shell: bash + run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json + + - name: Generate authorized pub report + uses: mongodb-labs/drivers-github-tools/full-report@v2 + with: + release_version: ${{ env.package_version }} + product_name: RELEASE_PACKAGE + sarif_report_target_ref: RELEASE_BRANCH + third_party_dependency_tool: n/a + dist_filenames: artifacts/* + token: ${{ github.token }} + sbom_file_name: sbom.json + 
evergreen_project: EVERGREEN_PROJECT + evergreen_commit: ${{ env.commit }} + + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ env.package_version }} + product_name: RELEASE_PACKAGE + dry_run: ${{ needs.release_please.outputs.release_created == '' }} + + publish: + needs: [release_please, ssdlc, build] + environment: release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Install Node and dependencies + uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node + + - run: npm publish --provenance --tag=RELEASE_TAG + if: ${{ needs.release_please.outputs.release_created }} + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/node/release_template.yml b/node/release_template.yml index 3a2c5d2..aeae6d8 100644 --- a/node/release_template.yml +++ b/node/release_template.yml @@ -42,7 +42,7 @@ jobs: npm_package_name: RELEASE_PACKAGE - name: actions/compress_sign_and_upload - uses: baileympearson/drivers-github-tools/node/sign_js_only_package@add-signing-env-action-for-node + uses: baileympearson/drivers-github-tools/node/sign_node_package@add-signing-env-action-for-node with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 @@ -61,8 +61,7 @@ jobs: product_name: RELEASE_PACKAGE sarif_report_target_ref: RELEASE_BRANCH third_party_dependency_tool: n/a - # and .sig - dist_filenames: ${{ env.package_file }}* + dist_filenames: artifacts/* token: ${{ github.token }} sbom_file_name: sbom.json evergreen_project: EVERGREEN_PROJECT diff --git a/node/setup/action.yml b/node/setup/action.yml index ced847c..d1fa40d 100644 --- a/node/setup/action.yml +++ b/node/setup/action.yml @@ -1,5 +1,9 @@ name: Setup description: 'Installs node, driver dependencies, and builds source' +inputs: + ignore_install_scripts: + description: Should we ignore postinstall scripts? + default: 'false' runs: using: composite 
@@ -12,4 +16,8 @@ runs: - run: npm install -g npm@latest shell: bash - run: npm clean-install + if: ${{ inputs.ignore_install_scripts == 'false' }} shell: bash + - run: npm clean-install --ignore-scripts + if: ${{ inputs.ignore_install_scripts == 'true' }} + shell: bash diff --git a/node/sign_js_only_package/action.yml b/node/sign_node_package/action.yml similarity index 100% rename from node/sign_js_only_package/action.yml rename to node/sign_node_package/action.yml From 2f3357e96e10b6dcd546398eaa38b92e7783f2ed Mon Sep 17 00:00:00 2001 From: Bailey Pearson Date: Wed, 26 Jun 2024 10:58:39 -0600 Subject: [PATCH 15/22] prettier changes --- node/generate_release.js | 48 ++++++++++------ node/get_version_info/action.yml | 1 - node/native_release_template.yml | 96 ------------------------------- node/release_template.yml | 22 ++++++- node/setup/action.yml | 14 ++--- node/sign_node_package/action.yml | 24 ++++---- 6 files changed, 68 insertions(+), 137 deletions(-) delete mode 100644 node/native_release_template.yml diff --git a/node/generate_release.js b/node/generate_release.js index a88bc08..f00e729 100644 --- a/node/generate_release.js +++ b/node/generate_release.js 
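Review bot: The two `npm clean-install` steps are gated on `inputs.ignore_install_scripts == 'false'` and `== 'true'` respectively, so any other value (`'True'`, `'yes'`, an empty string from a blank expression) runs neither step and the job continues with no dependencies installed, surfacing only as a confusing failure later. Gating the second step on `!= 'false'`, or collapsing both into one step with `run: npm clean-install ${{ inputs.ignore_install_scripts == 'true' && '--ignore-scripts' || '' }}`, makes every value do something. The input's description `Should we ignore postinstall scripts?` could also say when a consumer should set it — the native-package template in this series passes `true`, presumably to avoid running native build scripts during the release job — since skipping or running install scripts is the security-relevant choice here.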
@@ -1,32 +1,44 @@ -const { readFileSync } = require('fs'); -const { join } = require('path'); +const { readFileSync } = require("fs"); +const { join } = require("path"); const args = process.argv.slice(2); -if (args.length != 3) { - console.error(`usage: generate_release.js `); - process.exit(1); +if (!(args.length === 3 || args.length === 4)) { + console.error( + `usage: generate_release.js `, + ); + process.exit(1); } -const [package, branch, tag] = args; +const [package, branch, tag, assetGroup] = args; -const isNative = package === 'kerberos' || package === 'mongodb-client-encryption'; -const template = readFileSync(join(__dirname, isNative ? './native_release_template.yml' : './release_template.yml'), 'utf-8'); +const isNative = + package === "kerberos" || package === "mongodb-client-encryption"; +const template = readFileSync( + join(__dirname, "./release_template.yml"), + "utf-8", +); const EVERGREEN_PROJECTS = { - 'mongodb': 'mongo-node-driver-next', - 'bson': 'js-bson' + mongodb: "mongo-node-driver-next", + bson: "js-bson", }; -const generated = template.replaceAll('RELEASE_BRANCH', branch) - .replaceAll('RELEASE_PACKAGE', package) - .replaceAll('RELEASE_TAG', tag) - .replaceAll('EVERGREEN_PROJECT', EVERGREEN_PROJECTS[package] ?? ''); +const generated = template + .replaceAll("RELEASE_BRANCH", branch) + .replaceAll("RELEASE_PACKAGE", package) + .replaceAll("RELEASE_TAG", tag) + .replaceAll("EVERGREEN_PROJECT", EVERGREEN_PROJECTS[package] ?? "") + .replaceAll("IGNORE_INSTALL_SCRIPTS", isNative) + .replaceAll("SILK_ASSET_GROUP", assetGroup ?? 
"''"); const project = EVERGREEN_PROJECTS[package]; if (!project) { - const final = generated.split('\n').filter(line => !line.includes("evergreen")).join('\n'); - process.stdout.write(final); - process.exit(); + const final = generated + .split("\n") + .filter((line) => !line.includes("evergreen")) + .join("\n"); + process.stdout.write(final); + process.exit(); } -process.stdout.write(generated); \ No newline at end of file +process.stdout.write(generated); diff --git a/node/get_version_info/action.yml b/node/get_version_info/action.yml index f8c6d95..9d76e0f 100644 --- a/node/get_version_info/action.yml +++ b/node/get_version_info/action.yml @@ -1,4 +1,3 @@ - name: Publish Release Asset to S3 description: "Publish Asset to S3" inputs: diff --git a/node/native_release_template.yml b/node/native_release_template.yml deleted file mode 100644 index d2c4d85..0000000 --- a/node/native_release_template.yml +++ /dev/null 
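Review bot: `.replaceAll("IGNORE_INSTALL_SCRIPTS", isNative)` passes a boolean where `replaceAll` expects a string and works only through implicit coercion to `"true"`/`"false"`, and `.replaceAll("SILK_ASSET_GROUP", assetGroup ?? "''")` injects a literal two-character `''` into the generated YAML whenever the optional fourth argument is omitted. Make both explicit: `.replaceAll("IGNORE_INSTALL_SCRIPTS", String(isNative))` and a named constant for the empty-group default with a comment explaining that the template expects a quoted YAML scalar at that position. With the native template removed in this commit, `isNative` now exists only for that substitution, so a comment on its declaration such as `// native packages skip install scripts in the release job` would preserve the reason. The usage message should document the optional fourth argument if it does not already; its placeholders are not legible in this rendering.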
@@ -1,96 +0,0 @@
-on:
- push:
- branches: [RELEASE_BRANCH]
- workflow_dispatch: {}
-
-permissions:
- contents: write
- pull-requests: write
- id-token: write
-
-name: release-RELEASE_TAG
-
-jobs:
- release_please:
- runs-on: ubuntu-latest
- outputs:
- release_created: ${{ steps.release.outputs.release_created }}
- steps:
- - id: release
- uses: googleapis/release-please-action@v4
- with:
- target-branch: RELEASE_BRANCH
-
- build:
- needs: [release_please]
- name: "Perform any build or bundling steps, as necessary."
- uses: ./.github/workflows/build.yml
-
- ssdlc:
- needs: [release_please, build]
- permissions:
- # required for all workflows
- security-events: write
- id-token: write
- contents: write
- environment: release
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install Node and dependencies
- uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
- with:
- ignore_install_scripts: true
-
- - name: Load version and package info
- uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
- with:
- npm_package_name: RELEASE_PACKAGE
-
- - name: actions/compress_sign_and_upload
- uses: baileympearson/drivers-github-tools/node/sign_node_package@add-signing-env-action-for-node
- with:
- aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
- aws_region_name: us-east-1
- aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
- npm_package_name: RELEASE_PACKAGE
- dry_run: ${{ needs.release_please.outputs.release_created == '' }}
-
- - name: Copy sbom file to release assets
- shell: bash
- run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
-
- - name: Generate authorized pub report
- uses: mongodb-labs/drivers-github-tools/full-report@v2
- with:
- release_version: ${{ env.package_version }}
- product_name: RELEASE_PACKAGE
- sarif_report_target_ref: RELEASE_BRANCH
- third_party_dependency_tool: n/a
- dist_filenames: artifacts/*
- token: ${{ github.token }}
- sbom_file_name: sbom.json
- evergreen_project: EVERGREEN_PROJECT
- evergreen_commit: ${{ env.commit }}
-
- - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
- with:
- version: ${{ env.package_version }}
- product_name: RELEASE_PACKAGE
- dry_run: ${{ needs.release_please.outputs.release_created == '' }}
-
- publish:
- needs: [release_please, ssdlc, build]
- environment: release
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Install Node and dependencies
- uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
-
- - run: npm publish --provenance --tag=RELEASE_TAG
- if: ${{ needs.release_please.outputs.release_created }}
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/node/release_template.yml b/node/release_template.yml
index aeae6d8..b4fd197 100644
--- a/node/release_template.yml
+++ b/node/release_template.yml
@@ -21,8 +21,13 @@ jobs:
 with:
 target-branch: RELEASE_BRANCH
- ssdlc:
+ build:
 needs: [release_please]
+ name: "Perform any build or bundling steps, as necessary."
+ uses: ./.github/workflows/build.yml
+
+ ssdlc:
+ needs: [release_please, build]
 permissions:
 # required for all workflows
 security-events: write
@@ -35,6 +40,8 @@ jobs:
 - name: Install Node and dependencies
 uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
+ with:
+ ignore_install_scripts: IGNORE_INSTALL_SCRIPTS
 - name: Load version and package info
 uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
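Review bot: The new `build` job in `@@ -21,8 +21,13 @@` calls `./.github/workflows/build.yml` with no `permissions:` block, so the reusable workflow runs with whatever the workflow-level block grants; this template's header is outside the hunk, but the sibling native template deleted in this same patch grants `contents: write`, `pull-requests: write` and `id-token: write` at that level, and I assume this one matches. A build step has no reason to push to the repository or mint OIDC tokens, so restrict it explicitly under `build:`: `permissions:` / `  contents: read`. In `@@ -35,6 +40,8 @@`, `ignore_install_scripts: IGNORE_INSTALL_SCRIPTS` is replaced by the generator with a JavaScript boolean, so the generated file contains an unquoted YAML `true`/`false`; it works only because action inputs are stringified, so quote the placeholder as `ignore_install_scripts: "IGNORE_INSTALL_SCRIPTS"` to keep the generated value a plain string that matches the setup action's `== 'true'` check.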
@@ -52,8 +59,17 @@ jobs:
 - name: Copy sbom file to release assets
 shell: bash
+ if: ${{ SILK_ASSET_GROUP == '' }}
 run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
+ # only used for mongodb-client-encryption
+ - name: Augment SBOM and copy to release assets
+ if: ${{ SILK_ASSET_GROUP != '' }}
+ uses: mongodb-labs/drivers-github-tools/sbom@v2
+ with:
+ silk_asset_group: ${{ SILK_ASSET_GROUP }}
+ sbom_file_name: sbom.json
+
 - name: Generate authorized pub report
 uses: mongodb-labs/drivers-github-tools/full-report@v2
 with:
@@ -62,7 +78,7 @@ jobs:
 sarif_report_target_ref: RELEASE_BRANCH
 third_party_dependency_tool: n/a
 dist_filenames: artifacts/*
- token: ${{ github.token }}
+ token: ${{ github.token }}
 sbom_file_name: sbom.json
 evergreen_project: EVERGREEN_PROJECT
 evergreen_commit: ${{ env.commit }}
@@ -74,7 +90,7 @@ jobs:
 dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 publish:
- needs: [release_please, ssdlc]
+ needs: [release_please, ssdlc, build]
 environment: release
 runs-on: ubuntu-latest
 steps:
diff --git a/node/setup/action.yml b/node/setup/action.yml
index d1fa40d..90799d0 100644
--- a/node/setup/action.yml
+++ b/node/setup/action.yml
@@ -1,18 +1,18 @@
 name: Setup
-description: 'Installs node, driver dependencies, and builds source'
-inputs:
+description: "Installs node, driver dependencies, and builds source"
+inputs:
 ignore_install_scripts:
 description: Should we ignore postinstall scripts?
- default: 'false'
+ default: "false"
 runs:
 using: composite
 steps:
 - uses: actions/setup-node@v4
 with:
- node-version: 'lts/*'
- cache: 'npm'
- registry-url: 'https://registry.npmjs.org'
+ node-version: "lts/*"
+ cache: "npm"
+ registry-url: "https://registry.npmjs.org"
 - run: npm install -g npm@latest
 shell: bash
 - run: npm clean-install
@@ -20,4 +20,4 @@ runs:
 shell: bash
 - run: npm clean-install --ignore-scripts
 if: ${{ inputs.ignore_install_scripts == 'true' }}
- shell: bash
+ shell: bash
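Review bot: `if: ${{ SILK_ASSET_GROUP == '' }}` and `silk_asset_group: ${{ SILK_ASSET_GROUP }}` place the placeholder inside an expression, but the generator in this patch substitutes a supplied group name verbatim (`assetGroup ?? "''"` only quotes the empty case), so any real value becomes a bare identifier and the generated workflow fails to parse. Either quote in the template so every substituted value is a string literal, `if: ${{ 'SILK_ASSET_GROUP' == '' }}` and `silk_asset_group: 'SILK_ASSET_GROUP'`, or have the generator emit the quotes; pick one place so the two files do not drift. The comment `# only used for mongodb-client-encryption` states an intent the condition does not enforce (the step runs for any package generated with a fourth argument), so describe what is actually checked: `# runs only when generate_release was given a Silk asset group`.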
diff --git a/node/sign_node_package/action.yml b/node/sign_node_package/action.yml
index 538b411..873dd23 100644
--- a/node/sign_node_package/action.yml
+++ b/node/sign_node_package/action.yml
@@ -1,23 +1,23 @@
 name: Compress, Sign and Upload to GH Release
-description: 'Compresses package and signs with garasign and uploads to GH release'
+description: "Compresses package and signs with garasign and uploads to GH release"
-inputs:
+inputs:
 aws_role_arn:
- description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+ description: "AWS role input for drivers-github-tools/gpg-sign@v2"
 required: true
 aws_region_name:
- description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+ description: "AWS region name input for drivers-github-tools/gpg-sign@v2"
 required: true
 aws_secret_id:
- description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+ description: "AWS secret id input for drivers-github-tools/gpg-sign@v2"
 required: true
 npm_package_name:
- description: 'The name for the npm package this repository represents'
+ description: "The name for the npm package this repository represents"
 required: true
 dry_run:
- description: 'Should we upload files to the release?'
+ description: "Should we upload files to the release?"
 required: false
- default: 'true'
+ default: "true"
 artifact_directory:
 description: The directory in which to output signatures.
 default: artifacts
@@ -45,7 +45,7 @@ runs:
 - name: Set up drivers-github-tools
 uses: mongodb-labs/drivers-github-tools/setup@v2
- with:
+ with:
 aws_region_name: ${{ inputs.aws_region_name }}
 aws_role_arn: ${{ inputs.aws_role_arn }}
 aws_secret_id: ${{ inputs.aws_secret_id }}
@@ -70,9 +70,9 @@ runs:
 - name: Create detached signature
 uses: baileympearson/drivers-github-tools/gpg-sign@add-signing-env-action-for-node
- with:
+ with:
 filenames: ${{ env.FILES_TO_SIGN }}
- env:
+ env:
 RELEASE_ASSETS: ${{ inputs.artifact_directory }}
 - name: Copy the tarballs to the artifacts directory
@@ -88,4 +88,4 @@ runs:
 run: gh release upload v${{ env.package_version }} artifacts/*.*
 shell: bash
 env:
- GH_TOKEN: ${{ github.token }}
\ No newline at end of file
+ GH_TOKEN: ${{ github.token }}
From c3c773952b849ad4581b7cfbee2df93bcc313ca9 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Wed, 26 Jun 2024 12:39:33 -0600
Subject: [PATCH 16/22] address comments except for env
---
...generate_release.js => generate_release.mjs} | 17 ++++++++++-------
node/release_template.yml | 6 +++---
node/sign_node_package/action.yml | 14 ++++++--------
3 files changed, 19 insertions(+), 18 deletions(-)
rename node/{generate_release.js => generate_release.mjs} (63%)
diff --git a/node/generate_release.js b/node/generate_release.mjs
similarity index 63%
rename from node/generate_release.js
rename to node/generate_release.mjs
index f00e729..d46e2e0 100644
--- a/node/generate_release.js
+++ b/node/generate_release.mjs
@@ -1,5 +1,8 @@
-const { readFileSync } = require("fs");
-const { join } = require("path");
+import { readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
 const args = process.argv.slice(2);
 if (!(args.length === 3 || args.length === 4)) {
@@ -9,10 +12,10 @@ if (!(args.length === 3 || args.length === 4)) {
 process.exit(1);
 }
-const [package, branch, tag, assetGroup] = args;
+const [npmPackage, branch, tag, assetGroup] = args;
 const isNative =
- package === "kerberos" || package === "mongodb-client-encryption";
+ npmPackage === "kerberos" || npmPackage === "mongodb-client-encryption";
 const template = readFileSync(
 join(__dirname, "./release_template.yml"),
 "utf-8",
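Review bot: The rename `package` → `npmPackage` in `@@ -9,10 +12,10 @@` is load-bearing rather than cosmetic: `package` is a reserved word in strict-mode code and ES modules are always strict, so the file would not parse as `.mjs` under the old name. A one-line comment above the destructuring, `// "package" is reserved in strict mode (ESM); hence npmPackage`, would keep a later cleanup from reverting it. The new `node:` imports in `@@ -1,5 +1,8 @@` use single quotes while the rest of the file is double-quoted and should match. The surrounding `if (!(args.length === 3 || args.length === 4))` block starts outside the hunk.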
@@ -25,13 +28,13 @@ const EVERGREEN_PROJECTS = {
 const generated = template
 .replaceAll("RELEASE_BRANCH", branch)
- .replaceAll("RELEASE_PACKAGE", package)
+ .replaceAll("RELEASE_PACKAGE", npmPackage)
 .replaceAll("RELEASE_TAG", tag)
- .replaceAll("EVERGREEN_PROJECT", EVERGREEN_PROJECTS[package] ?? "")
+ .replaceAll("EVERGREEN_PROJECT", EVERGREEN_PROJECTS[npmPackage] ?? "")
 .replaceAll("IGNORE_INSTALL_SCRIPTS", isNative)
 .replaceAll("SILK_ASSET_GROUP", assetGroup ?? "''");
-const project = EVERGREEN_PROJECTS[package];
+const project = EVERGREEN_PROJECTS[npmPackage];
 if (!project) {
 const final = generated
 .split("\n")
diff --git a/node/release_template.yml b/node/release_template.yml
index b4fd197..b7d48b9 100644
--- a/node/release_template.yml
+++ b/node/release_template.yml
@@ -59,15 +59,15 @@ jobs:
 - name: Copy sbom file to release assets
 shell: bash
- if: ${{ SILK_ASSET_GROUP == '' }}
+ if: ${{ 'SILK_ASSET_GROUP' == '' }}
 run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
 # only used for mongodb-client-encryption
 - name: Augment SBOM and copy to release assets
- if: ${{ SILK_ASSET_GROUP != '' }}
+ if: ${{ 'SILK_ASSET_GROUP' != '' }}
 uses: mongodb-labs/drivers-github-tools/sbom@v2
 with:
- silk_asset_group: ${{ SILK_ASSET_GROUP }}
+ silk_asset_group: SILK_ASSET_GROUP
 sbom_file_name: sbom.json
 - name: Generate authorized pub report
diff --git a/node/sign_node_package/action.yml b/node/sign_node_package/action.yml
index 873dd23..82b9868 100644
--- a/node/sign_node_package/action.yml
+++ b/node/sign_node_package/action.yml
@@ -17,7 +17,7 @@ inputs:
 dry_run:
 description: "Should we upload files to the release?"
 required: false
- default: "true"
+ default: "false"
 artifact_directory:
 description: The directory in which to output signatures.
 default: artifacts
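Review bot: Changing the `dry_run` default to `"false"` means a caller that omits the input now uploads to the GitHub release, where the old default failed safe; if that is intended, the `description` should say so. More importantly, the guard this input feeds, `if: ${{ inputs.dry_run == false }}` (visible as context in the `@@ -77,11 +77,9 @@` hunk of the next commit), compares a string with a boolean: composite-action inputs are always strings, and as far as I can tell from the expression coercion rules `'false' == false` evaluates false, so the upload step would never run regardless of the default. The setup action in this series already uses the string form (`== 'true'`); the equivalent here is `if: ${{ inputs.dry_run == 'false' }}`, which also stays fail-closed for any unexpected value. Worth confirming on a real dry run before merging.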
@@ -50,7 +50,7 @@ runs:
 aws_role_arn: ${{ inputs.aws_role_arn }}
 aws_secret_id: ${{ inputs.aws_secret_id }}
- - name: Determine what files to sign
+ - name: Determine what files to sign (native packages, works with glob patterns of build artifacts)
 if: ${{ inputs.sign_native == 'true' }}
 shell: bash
 run: |
@@ -61,7 +61,7 @@ runs:
 FILENAMES="$FILENAMES ${{ env.package_file }}"
 echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV"
- - name: Determine what files to sign
+ - name: Determine what files to sign (non-native packages, with only the release tarball)
 if: ${{ inputs.sign_native != 'true' }}
 shell: bash
 run: |
@@ -77,11 +77,9 @@ runs:
 - name: Copy the tarballs to the artifacts directory
 shell: bash
- run: for filename in ${{ env.FILES_TO_SIGN }}; do cp $(unknown) artifacts/; done
-
- - name: Display structure of downloaded files
- shell: bash
- run: ls -la artifacts/
+ run: |
+ for filename in ${{ env.FILES_TO_SIGN }}; do cp $(unknown) artifacts/; done
+ ls -la artifacts/
 - name: "Upload release artifacts"
 if: ${{ inputs.dry_run == false }}
From b1e4e6fefe35b29f65d56fccb28df6f94118e795 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Wed, 26 Jun 2024 14:08:12 -0600
Subject: [PATCH 17/22] revert env -> outputs change
---
node/generate_release.mjs | 2 +-
node/get_version_info/action.yml | 19 +++++++++++++++----
node/release_template.yml | 4 ++--
3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/node/generate_release.mjs b/node/generate_release.mjs
index d46e2e0..2e1254e 100644
--- a/node/generate_release.mjs
+++ b/node/generate_release.mjs
@@ -32,7 +32,7 @@ const generated = template
 .replaceAll("RELEASE_TAG", tag)
 .replaceAll("EVERGREEN_PROJECT", EVERGREEN_PROJECTS[npmPackage] ?? "")
 .replaceAll("IGNORE_INSTALL_SCRIPTS", isNative)
- .replaceAll("SILK_ASSET_GROUP", assetGroup ?? "''");
+ .replaceAll("SILK_ASSET_GROUP", assetGroup ? `'${assetGroup}'` : "''");
 const project = EVERGREEN_PROJECTS[npmPackage];
 if (!project) {
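Review bot: The merged `run: |` block in `@@ -77,11 +77,9 @@` still copies into a hard-coded `artifacts/` (the `cp … artifacts/` loop body and `ls -la artifacts/`) even though the directory is created from `${{ inputs.artifact_directory }}` earlier in this action, so a caller that overrides `artifact_directory` ends up with signatures in one directory and tarballs in another; the `gh release upload … artifacts/*.*` context line earlier in this series has the same hard-coding. Use the input in both lines: `for filename in ${{ env.FILES_TO_SIGN }}; do cp "$filename" "${{ inputs.artifact_directory }}/"; done` and `ls -la "${{ inputs.artifact_directory }}/"`. `FILES_TO_SIGN` was written to `GITHUB_ENV`, so the loop could also read `$FILES_TO_SIGN` from the environment instead of interpolating `${{ env.FILES_TO_SIGN }}` into the script text. The enclosing `runs.steps` list starts outside the hunk.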
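Review bot: Wrapping a supplied `assetGroup` in single quotes makes a non-empty group a valid expression literal, but a value containing `'` still breaks the generated `if:` expressions, and `npmPackage`, `branch` and `tag` are spliced into the workflow YAML verbatim with no check at all; the output is a workflow that runs in the `release` environment with signing credentials, so the generator should fail closed on unexpected input. One guard ahead of the `replaceAll` chain covers all four: `if (![npmPackage, branch, tag, assetGroup ?? ""].every((v) => /^[\w./-]*$/.test(v))) { console.error("invalid argument"); process.exit(1); }`. The context line `const project = EVERGREEN_PROJECTS[npmPackage];` would also treat a prototype name such as `constructor` as a project; `Object.hasOwn(EVERGREEN_PROJECTS, npmPackage)` avoids that. The chain's head, `const generated = template`, is only the hunk's function context and sits outside it.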
diff --git a/node/get_version_info/action.yml b/node/get_version_info/action.yml
index 9d76e0f..48b92f2 100644
--- a/node/get_version_info/action.yml
+++ b/node/get_version_info/action.yml
@@ -5,14 +5,25 @@ inputs:
 description: the npm package name
 required: true
+outputs:
+ package_version:
+ description: "the package version"
+ value: ${{ steps.get_version_info.outputs.package_version }}
+ package_file:
+ description: "the package_file"
+ value: ${{ steps.get_version_info.outputs.package_file }}
+ commit:
+ description: "the commit"
+ value: ${{ steps.get_version_info.outputs.commit }}
+
 runs:
 using: composite
 steps:
 - name: Get release version and release package file name
- id: get_version
+ id: get_version_info
 shell: bash
 run: |
 package_version=$(jq --raw-output '.version' package.json)
- echo "package_version=${package_version}" >> "$GITHUB_ENV"
- echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_ENV"
- echo "commit=$(git rev-parse HEAD)" >> $GITHUB_ENV
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+ echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
diff --git a/node/release_template.yml b/node/release_template.yml
index b7d48b9..f45142b 100644
--- a/node/release_template.yml
+++ b/node/release_template.yml
@@ -59,12 +59,12 @@ jobs:
 - name: Copy sbom file to release assets
 shell: bash
- if: ${{ 'SILK_ASSET_GROUP' == '' }}
+ if: ${{ SILK_ASSET_GROUP == '' }}
 run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
 # only used for mongodb-client-encryption
 - name: Augment SBOM and copy to release assets
- if: ${{ 'SILK_ASSET_GROUP' != '' }}
+ if: ${{ SILK_ASSET_GROUP != '' }}
 uses: mongodb-labs/drivers-github-tools/sbom@v2
 with:
 silk_asset_group: SILK_ASSET_GROUP
From 8e445741c266b21b8eb29695d381001bde9dfc3e Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Wed, 26 Jun 2024 14:15:28 -0600
Subject: [PATCH 18/22] add debug information
---
node/sign_node_package/action.yml | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/node/sign_node_package/action.yml b/node/sign_node_package/action.yml
index 82b9868..ed82c0a 100644
--- a/node/sign_node_package/action.yml
+++ b/node/sign_node_package/action.yml
@@ -36,7 +36,10 @@ runs:
 - name: Make signatures directory
 shell: bash
- run: mkdir ${{ inputs.artifact_directory }}
+ run: |
+ mkdir ${{ inputs.artifact_directory }}
+ echo "artifacts exists"
+ ls | grep artifacts
 - name: Load version and package info
 uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
@@ -59,6 +62,7 @@ runs:
 FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g')
 fi
 FILENAMES="$FILENAMES ${{ env.package_file }}"
+ echo "FILENAMES: $FILENAMES"
 echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV"
 - name: Determine what files to sign (non-native packages, with only the release tarball)
@@ -66,6 +70,10 @@ runs:
 shell: bash
 run: |
 FILENAMES="${{ env.package_file }}"
+ echo "package_version: $package_version"
+ echo "FILENAMES: $FILENAMES"
+ echo "FILENAMES: $FILENAMES"
+ echo "FILENAMES: $FILENAMES"
 echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV"
 - name: Create detached signature
From 4fa219db4efe9bc14e58cec10b4b0c2b2f61e191 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Wed, 26 Jun 2024 14:17:31 -0600
Subject: [PATCH 19/22] use env
---
node/get_version_info/action.yml | 19 ++++--------------
1 file changed, 4 insertions(+), 15 deletions(-)
diff --git a/node/get_version_info/action.yml b/node/get_version_info/action.yml
index 48b92f2..9d76e0f 100644
--- a/node/get_version_info/action.yml
+++ b/node/get_version_info/action.yml
@@ -5,25 +5,14 @@ inputs:
 description: the npm package name
 required: true
-outputs:
- package_version:
- description: "the package version"
- value: ${{ steps.get_version_info.outputs.package_version }}
- package_file:
- description: "the package_file"
- value: ${{ steps.get_version_info.outputs.package_file }}
- commit:
- description: "the commit"
- value: ${{ steps.get_version_info.outputs.commit }}
-
 runs:
 using: composite
 steps:
 - name: Get release version and release package file name
- id: get_version_info
+ id: get_version
 shell: bash
 run: |
 package_version=$(jq --raw-output '.version' package.json)
- echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
- echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+ echo "package_version=${package_version}" >> "$GITHUB_ENV"
+ echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_ENV"
+ echo "commit=$(git rev-parse HEAD)" >> $GITHUB_ENV
From b6962dfc86a3d529955dbbf089dc8b2ee8277287 Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Wed, 26 Jun 2024 14:24:53 -0600
Subject: [PATCH 20/22] clean up unneeded debugging informatoin
---
node/sign_node_package/action.yml | 7 -------
1 file changed, 7 deletions(-)
diff --git a/node/sign_node_package/action.yml b/node/sign_node_package/action.yml
index ed82c0a..fc38bf1 100644
--- a/node/sign_node_package/action.yml
+++ b/node/sign_node_package/action.yml
@@ -38,8 +38,6 @@ runs:
 shell: bash
 run: |
 mkdir ${{ inputs.artifact_directory }}
- echo "artifacts exists"
- ls | grep artifacts
 - name: Load version and package info
 uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
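Review bot: `package_version=$(jq --raw-output '.version' package.json)` is exported to `$GITHUB_ENV` without any validation, and consumers in this series interpolate `${{ env.package_file }}` and `${{ env.package_version }}` directly into `run:` scripts and a `gh release upload v…` command, so a malformed `version` field (whitespace or shell metacharacters) reaches the shell as script text rather than as data. Fail closed before exporting: `[[ "$package_version" =~ ^[0-9A-Za-z.+-]+$ ]] || { echo "unexpected version: $package_version" >&2; exit 1; }`. Because the values land in `GITHUB_ENV`, consumers can also read `"$package_file"` from the environment instead of embedding `${{ env.package_file }}` in the script. The last line's `>> $GITHUB_ENV` is the only unquoted redirection of the three; quote it like the others.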
@@ -62,7 +60,6 @@ runs:
 FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g')
 fi
 FILENAMES="$FILENAMES ${{ env.package_file }}"
- echo "FILENAMES: $FILENAMES"
 echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV"
 - name: Determine what files to sign (non-native packages, with only the release tarball)
@@ -70,10 +67,6 @@ runs:
 shell: bash
 run: |
 FILENAMES="${{ env.package_file }}"
- echo "package_version: $package_version"
- echo "FILENAMES: $FILENAMES"
- echo "FILENAMES: $FILENAMES"
- echo "FILENAMES: $FILENAMES"
 echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV"
 - name: Create detached signature
From 5deae41bece55a0828abf5863ec3180c5dd8e12d Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Wed, 26 Jun 2024 14:35:51 -0600
Subject: [PATCH 21/22] format
---
node/generate_release.mjs | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/node/generate_release.mjs b/node/generate_release.mjs
index 2e1254e..f07ab1a 100644
--- a/node/generate_release.mjs
+++ b/node/generate_release.mjs
@@ -1,7 +1,7 @@
-import { readFileSync } from 'node:fs';
-import { join, dirname } from 'node:path';
-import { fileURLToPath } from 'node:url';
-
+import { readFileSync } from "node:fs";
+import { join, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const args = process.argv.slice(2);
From 56ef850487b032a82e7ba52f5386883ed842deba Mon Sep 17 00:00:00 2001
From: Bailey Pearson
Date: Thu, 27 Jun 2024 08:24:20 -0600
Subject: [PATCH 22/22] adjust names
---
node/release_template.yml | 8 ++++----
node/sign_node_package/action.yml | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/node/release_template.yml b/node/release_template.yml
index f45142b..ee5eb93 100644
--- a/node/release_template.yml
+++ b/node/release_template.yml
@@ -39,17 +39,17 @@ jobs:
 - uses: actions/checkout@v4
 - name: Install Node and dependencies
- uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
+ uses: mongodb-labs/drivers-github-tools/node/setup@v2
 with:
 ignore_install_scripts: IGNORE_INSTALL_SCRIPTS
 - name: Load version and package info
- uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
+ uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
 with:
 npm_package_name: RELEASE_PACKAGE
 - name: actions/compress_sign_and_upload
- uses: baileympearson/drivers-github-tools/node/sign_node_package@add-signing-env-action-for-node
+ uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
 with:
 aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
 aws_region_name: us-east-1
@@ -97,7 +97,7 @@ jobs:
 - uses: actions/checkout@v4
 - name: Install Node and dependencies
- uses: baileympearson/drivers-github-tools/node/setup@add-signing-env-action-for-node
+ uses: mongodb-labs/drivers-github-tools/node/setup@v2
 - run: npm publish --provenance --tag=RELEASE_TAG
 if: ${{ needs.release_please.outputs.release_created }}
diff --git a/node/sign_node_package/action.yml b/node/sign_node_package/action.yml
index fc38bf1..63b607a 100644
--- a/node/sign_node_package/action.yml
+++ b/node/sign_node_package/action.yml
@@ -40,7 +40,7 @@ runs:
 mkdir ${{ inputs.artifact_directory }}
 - name: Load version and package info
- uses: baileympearson/drivers-github-tools/node/get_version_info@add-signing-env-action-for-node
+ uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
 with:
 npm_package_name: ${{ inputs.npm_package_name }}
@@ -70,7 +70,7 @@ runs:
 echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV"
 - name: Create detached signature
- uses: baileympearson/drivers-github-tools/gpg-sign@add-signing-env-action-for-node
+ uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
 with:
 filenames: ${{ env.FILES_TO_SIGN }}
 env:
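Review bot: The `uses:` lines now reference `mongodb-labs/drivers-github-tools/...@v2`, a mutable tag, and this file is a template whose references get baked into every downstream release workflow; these steps receive `secrets.AWS_ROLE_ARN`/`secrets.AWS_SECRET_ID` and produce the release signatures, so whoever can move the tag changes what runs in the `release` environment. Pin each reference to a full commit SHA and keep the version in a trailing comment, e.g. `uses: mongodb-labs/drivers-github-tools/node/setup@<commit-sha> # v2`, and let a dependency bot bump it; the same applies to the two `uses:` lines in the `sign_node_package` hunks on this line and, in context, to `actions/checkout@v4`. The `ssdlc` and `publish` jobs these steps belong to start outside the hunks.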