Add GitHub Actions for artifact signing

Author: alcaeus

README.md

@@ -0,0 +1,61 @@
+# drivers-github-tools
+
+> [!IMPORTANT]
+> This Repository is NOT a supported MongoDB product
+
+This repository contains GitHub Actions that are common to drivers.
+
+## Signing tools
+
+The actions in the `garasign` folder are used to sign artifacts using the team's
+GPG key.
+
+### git-sign
+
+Use this action to create signed git artifacts:
+```markdown
+- name: "Create signed commit"
+  uses: mongodb/drivers-github-tools/garasign/git-sign@main
+  with:
+    command: "git commit -m 'Commit' -s --gpg-sign=${{ vars.GPG_KEY_ID }}"
+    garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
+    garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
+    artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+    artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+
+- name: "Create signed tag"
+  uses: mongodb/drivers-github-tools/garasign/git-sign@main
+  with:
+    command: "git tag -m 'Tag' -s --local-user=${{ vars.GPG_KEY_ID }} <tag>"
+    garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
+    garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
+    artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+    artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+```
+
+If the action is used multiple times within the same job, the `skip_setup`
+option can be set to a truthy value to avoid unnecessary logins to artifactory.
+
+### gpg-sign
+
+This action is used to create detached signatures for files:
+```markdown
+- name: "Create detached signature"
+  uses: mongodb/drivers-github-tools/garasign/gpg-sign@main
+  with:
+    filename: somefile.ext
+    garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
+    garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
+    artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+    artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+```
+
+The action will create a signature file `somefile.ext.sig` in the working
+directory.
+If the action is used multiple times within the same job, the `skip_setup`
+option can be set to a truthy value to avoid unnecessary logins to artifactory.
+
+### setup
+
+The setup action is used by `git-sign` and `gpg-sign` to create an env file and
+sign in to artifactory. It can also be used standalone.

garasign/git-sign/action.yml

@@ -0,0 +1,51 @@
+name: "Sign artifact using garasign"
+description: "Signs a release artifact"
+inputs:
+  command:
+    description: "Command to run inside the container"
+    required: true
+  garasign_username:
+    description: "Garasign username"
+    required: true
+  garasign_password:
+    description: "Garasign password"
+    required: true
+  artifactory_username:
+    description: "Artifactory user"
+    required: true
+  artifactory_password:
+    description: "Artifactory password"
+    required: true
+  artifactory_image:
+    description: "Image to use for artifactory"
+    default: release-tools-container-registry-local/garasign-git
+  artifactory_registry:
+    description: "Artifactory registry to be used"
+    default: artifactory.corp.mongodb.com
+  skip_setup:
+    description: "Whether to skip setup"
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - name: Prepare garasign container
+      if: ${{ inputs.skip_setup == 'false' }}
+      uses: ./.github/actions/garasign/setup
+      with:
+        garasign_username: ${{ inputs.garasign_username }}
+        garasign_password: ${{ inputs.garasign_password }}
+        artifactory_username: ${{ inputs.artifactory_username }}
+        artifactory_password: ${{ inputs.artifactory_password }}
+        artifactory_registry: ${{ inputs.artifactory_registry }}
+
+    - name: "Run git command"
+      run: |
+        podman run \
+          --env-file=envfile \
+          --rm \
+          -v $(pwd):$(pwd) \
+          -w $(pwd) \
+          ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \
+          /bin/bash -c "gpgloader && ${{ inputs.command }}"
+      shell: bash

garasign/gpg-sign/action.yml

@@ -0,0 +1,51 @@
+name: "Sign artifact using garasign"
+description: "Signs a release artifact"
+inputs:
+  filename:
+    description: "File name to sign"
+    required: true
+  garasign_username:
+    description: "Garasign username"
+    required: true
+  garasign_password:
+    description: "Garasign password"
+    required: true
+  artifactory_username:
+    description: "Artifactory user"
+    required: true
+  artifactory_password:
+    description: "Artifactory password"
+    required: true
+  artifactory_image:
+    description: "Image to use for artifactory"
+    default: release-tools-container-registry-local/garasign-gpg
+  artifactory_registry:
+    description: "Artifactory registry to be used"
+    default: artifactory.corp.mongodb.com
+  skip_setup:
+    description: "Whether to skip setup"
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - name: Prepare garasign container
+      if: ${{ inputs.skip_setup == 'false' }}
+      uses: ./.github/actions/garasign/setup
+      with:
+        garasign_username: ${{ inputs.garasign_username }}
+        garasign_password: ${{ inputs.garasign_password }}
+        artifactory_username: ${{ inputs.artifactory_username }}
+        artifactory_password: ${{ inputs.artifactory_password }}
+        artifactory_registry: ${{ inputs.artifactory_registry }}
+
+    - name: "Create detached signature"
+      run: |
+        podman run \
+          --env-file=envfile \
+          --rm \
+          -v $(pwd):$(pwd) \
+          -w $(pwd) \
+          ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \
+          /bin/bash -c "gpgloader && gpg --detach-sign --armor --output ${{ inputs.filename }}.sig ${{ inputs.filename }}"
+      shell: bash

garasign/setup/action.yml

@@ -0,0 +1,36 @@
+name: "Prepare garasign container"
+description: "Prepares the garasign container used to sign artifacts"
+inputs:
+  garasign_username:
+    description: "Garasign username"
+    required: true
+  garasign_password:
+    description: "Garasign password"
+    required: true
+  artifactory_username:
+    description: "Artifactory user"
+    required: true
+  artifactory_password:
+    description: "Artifactory password"
+    required: true
+  artifactory_registry:
+    description: "Artifactory registry to be used"
+    default: artifactory.corp.mongodb.com
+
+runs:
+  using: composite
+  steps:
+    - name: Create the envfile
+      run: |
+        cat << EOF > envfile
+        GRS_CONFIG_USER1_USERNAME=${{ inputs.garasign_username }}
+        GRS_CONFIG_USER1_PASSWORD=${{ inputs.garasign_password }}
+        EOF
+      shell: bash
+
+    - name: Log in to artifactory
+      uses: redhat-actions/podman-login@v1
+      with:
+        username: ${{ inputs.artifactory_username }}
+        password: ${{ inputs.artifactory_password }}
+        registry: ${{ inputs.artifactory_registry }}