diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml
new file mode 100644
index 0000000..32b21f7
--- /dev/null
+++ b/.github/actions/compress_sign_and_upload/action.yml
@@ -0,0 +1,54 @@
+name: Compress and Sign
+description: 'Compresses package and signs with garasign'
+
+inputs:
+ aws_role_arn:
+ description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_region_name:
+ description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_secret_id:
+ description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ npm_package_name:
+ description: 'The name for the npm package this repository represents'
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - run: npm pack
+ shell: bash
+
+ - name: Get release version and release package file name
+ id: get_vars
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
+ - name: Set up drivers-github-tools
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_region_name: ${{ inputs.aws_region_name }}
+ aws_role_arn: ${{ inputs.aws_role_arn }}
+ aws_secret_id: ${{ inputs.aws_secret_id }}
+
+ - name: Create detached signature
+ uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+ with:
+ filenames: ${{ steps.get_vars.outputs.package_file }}
+ env:
+ RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig
+
+ - name: Name release asset correctly
+ run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
+ shell: bash
+
+ - name: "Upload release artifacts"
+ run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c161f12..4dc3009 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,19 +11,30 @@ permissions:
 name: release
 jobs:
- release-please:
+ release_please:
 runs-on: ubuntu-latest
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
 steps:
 - id: release
 uses: googleapis/release-please-action@v4
- # If release-please created a release, publish to npm
- - if: ${{ steps.release.outputs.release_created }}
- uses: actions/checkout@v4
- - if: ${{ steps.release.outputs.release_created }}
- name: actions/setup
+ compress_sign_and_upload:
+ needs: [release_please]
+ if: ${{ needs.release_please.outputs.release_created }}
+ environment: release
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: actions/setup
 uses: ./.github/actions/setup
- - if: ${{ steps.release.outputs.release_created }}
- run: npm publish --provenance
+ - name: actions/compress_sign_and_upload
+ uses: ./.github/actions/compress_sign_and_upload
+ with:
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: 'us-east-1'
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+ npm_package_name: 'mongodb-legacy'
+ - run: npm publish --provenance
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/readme.md b/readme.md
index bf33ce4..fc7c1e4 100644
--- a/readme.md
+++ b/readme.md
@@ -62,6 +62,24 @@ In your existing project add `mongodb-legacy` to your `package.json` with the fo
 npm install mongodb-legacy
 ```
+
+### Release Integrity
+
+The GitHub release contains a detached signature file for the NPM package (named
+`mongodb-legacy-X.Y.Z.tgz.sig`).
+
+The following command returns the link npm package.
+```shell
+npm view mongodb-legacy@vX.Y.Z dist.tarball
+```
+
+Using the result of the above command, a `curl` command can return the official npm package for the release.
+
+To verify the integrity of the downloaded package, run the following command:
+```shell
+gpg --verify mongodb-legacy-X.Y.Z.tgz.sig mongodb-legacy-X.Y.Z.tgz
+```
+
 ### Versioning
 We recommend replacing your `mongodb` dependency with this one.
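Review bot: The final `- run: npm publish --provenance` step of the new compress_sign_and_upload job re-packs the working tree instead of publishing the tarball the preceding action step signed, so the `.sig` uploaded to the GitHub release attests to the file `npm pack` produced locally rather than, by construction, the bytes npm serves. `npm pack` is normally reproducible from the same tree, so the two will likely match in practice, but the guarantee the readme's `gpg --verify` instructions promise is only as strong as that assumption; publishing the signed artifact itself, `npm publish ./mongodb-legacy-<version>.tgz --provenance`, removes it. The composite action exposes no `outputs:`, so the workflow would have to recompute the file name or the action would need to emit it. The workflow's `permissions` block lies outside this hunk; `gh release upload` with `github.token` needs `contents: write` and `--provenance` needs `id-token: write`, and `environment: release` does not grant either on its own, so it is worth confirming this job has them.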