mongodb-js · baileympearson · Jun 20, 2024
@@ -14,6 +14,10 @@ inputs:
     npm_package_name:
       description: 'The name for the npm package this repository represents'
       required: true
+    dry_run:
+      description: 'Should we upload files to the release?'
+      required: false
+      default: 'true'
 
 runs:
   using: composite
@@ -65,6 +69,7 @@ runs:
       run: ls -la artifacts/
 
     - name: "Upload release artifacts"
+      if: ${{ inputs.dry_run == false }}
       run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.*
       shell: bash
       env:

@@ -79,22 +79,130 @@ jobs:
       - id: release
         uses: googleapis/release-please-action@v4
 
+  generate_sarif_report:
+    environment: release
+    runs-on: ubuntu-latest
+    needs: [release_please]
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up drivers-github-tools
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_region_name: us-east-1
+          aws_role_arn: ${{ secrets.aws_role_arn }}
+          aws_secret_id: ${{ secrets.aws_secret_id }}
+
+      - name: "Generate Sarif Report"
+        uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+        with:
+          ref: main
+          output-file: sarif-report.json
+
+      - name: Get release version and release package file name
+        id: get_version
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+      - name: actions/publish_asset_to_s3
+        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+        with:
+          version: ${{ steps.get_version.outputs.package_version }}
+          product_name: mongodb-client-encryption
+          file: sarif-report.json
+          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+
+  generate_compliance_report:
+    environment: release
+    runs-on: ubuntu-latest
+    needs: [release_please]
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up drivers-github-tools
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_region_name: us-east-1
+          aws_role_arn: ${{ secrets.aws_role_arn }}
+          aws_secret_id: ${{ secrets.aws_secret_id }}
+
+      - name: Get release version and release package file name
+        id: get_version
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+
+      - name: Generate compliance report
+        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+        with:
+          sbom_name: sbom.json # TODO - confirm sbom file name
+          sarif_name: sarif-report.json
+          security_report_location: tbd
+          release_version: ${{ steps.get_version.outputs.package_version }}
+          token:  ${{ github.token }}
+
+      - name: actions/publish_asset_to_s3
+        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+        with:
+          version: ${{ steps.get_version.outputs.package_version }}
+          product_name: mongodb-client-encryption
+          file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt
+          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+
   sign_and_upload:
     needs: [release_please]
-    if: ${{ needs.release_please.outputs.release_created }}
     runs-on: ubuntu-latest
     environment: release
     steps:
       - uses: actions/checkout@v4
       - name: actions/setup
         uses: ./.github/actions/setup
+      - name: Get release version and release package file name
+        id: get_vars
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+          echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
       - name: actions/sign_and_upload_package
         uses: ./.github/actions/sign_and_upload_package
         with:
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region_name: 'us-east-1'
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
           npm_package_name: 'mongodb-client-encryption'
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+
+      - name: Generate authorized pub report
+        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+        with:
+          release_version: ${{ steps.get_version.outputs.package_version }}
+          product_name: mongodb-client-encryption
+          # <package> and <package>.sig
+          filenames: artifacts/*
+          token:  ${{ github.token }}
+
+      - name: actions/publish_asset_to_s3
+        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+        with:
+          version: ${{ steps.get_version.outputs.package_version }}
+          product_name: mongodb-client-encryption
+          file: ${{env.S3_ASSETS}}/authorized-publication.txt
+          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+
       - run: npm publish --provenance --tag=alpha
+        if: ${{ needs.release_please.outputs.release_created }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}