Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: full ssdlc report #40

Merged
merged 11 commits into from
Jun 27, 2024
Merged

chore: full ssdlc report #40

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
b0a68f9
full report
baileympearson Jun 24, 2024
d3af900
new garasign adction
baileympearson Jun 24, 2024
a8a3ede
testing
baileympearson Jun 24, 2024
2087e67
test with shared action
baileympearson Jun 24, 2024
815926a
misc changes
baileympearson Jun 24, 2024
1851f41
asdf
baileympearson Jun 24, 2024
25b9c8a
dry run
baileympearson Jun 24, 2024
711cdfa
use generated yml file and shared tooling
baileympearson Jun 25, 2024
d2aaf1c
add build.yml action
baileympearson Jun 26, 2024
38d7c02
use shared actions v2
baileympearson Jun 27, 2024
7182470
fix lint
baileympearson Jun 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 0 additions & 54 deletions .github/actions/compress_sign_and_upload/action.yml
View file
Open in desktop

This file was deleted.

15 changes: 0 additions & 15 deletions .github/actions/setup/action.yml
View file
Open in desktop

This file was deleted.

16 changes: 16 additions & 0 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
on:
workflow_call: {}

name: Build

permissions:
contents: write
pull-requests: write
id-token: write

jobs:
build:
runs-on: ubuntu-latest
steps:
- run: echo "nothing to do."
shell: bash
nbbeeken marked this conversation as resolved.
Show resolved Hide resolved
5 changes: 2 additions & 3 deletions .github/workflows/lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: actions/setup
uses: ./.github/actions/setup
- name: Install Node and dependencies
uses: mongodb-labs/drivers-github-tools/node/setup@v2

- run: npm run check:lint
128 changes: 59 additions & 69 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ permissions:
pull-requests: write
id-token: write

name: release
name: release-latest

jobs:
release_please:
Expand All @@ -18,96 +18,86 @@ jobs:
steps:
- id: release
uses: googleapis/release-please-action@v4
with:
target-branch: main

compress_sign_and_upload:
build:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
name: "Perform any build or bundling steps, as necessary."
uses: ./.github/workflows/build.yml

ssdlc:
needs: [release_please, build]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup

- name: Install Node and dependencies
uses: mongodb-labs/drivers-github-tools/node/setup@v2
with:
ignore_install_scripts: false

- name: Load version and package info
uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
with:
npm_package_name: mongodb-legacy

- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_region_name: us-east-1
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb-legacy'
- run: npm publish --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
npm_package_name: mongodb-legacy
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

generate_sarif_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write
- name: Copy sbom file to release assets
shell: bash
if: ${{ '' == '' }}
run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
# only used for mongodb-client-encryption
- name: Augment SBOM and copy to release assets
if: ${{ '' != '' }}
uses: mongodb-labs/drivers-github-tools/sbom@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}
silk_asset_group: ''
sbom_file_name: sbom.json

- name: "Generate Sarif Report"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
ref: main
output-file: sarif-report.json
release_version: ${{ env.package_version }}
product_name: mongodb-legacy
sarif_report_target_ref: main
third_party_dependency_tool: n/a
dist_filenames: artifacts/*
token: ${{ github.token }}
sbom_file_name: sbom.json

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
- uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
version: ${{ env.package_version }}
product_name: mongodb-legacy
file: sarif-report.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

upload_sbom_lite:
publish:
needs: [release_please, ssdlc, build]
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: Install Node and dependencies
uses: mongodb-labs/drivers-github-tools/node/setup@v2

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: mongodb-legacy
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
- run: npm publish --provenance --tag=latest
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
4 changes: 2 additions & 2 deletions .github/workflows/release_notes.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,8 +45,8 @@ jobs:


# Setup Node.js and npm install
- name: actions/setup
uses: ./.github/actions/setup
- name: Install Node and dependencies
uses: mongodb-labs/drivers-github-tools/node/setup@v2

# See: https://github.com/googleapis/release-please/issues/1274

Expand Down