Merge 4.4 into 4.5 #3005

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 13, 2024
56 changes: 0 additions & 56 deletions .github/workflows/coding-standards.yml
Expand Up @@ -67,59 +67,3 @@ jobs:
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "apply phpcbf formatting"

analysis:
runs-on: "ubuntu-22.04"
continue-on-error: true
strategy:
matrix:
php:
- '8.1'
- '8.2'
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
extensions: curl, mbstring
tools: composer:v2
coverage: none

- name: Cache dependencies
id: composer-cache
uses: actions/cache@v4
with:
path: ./vendor
key: composer-${{ hashFiles('**/composer.lock') }}

- name: Install dependencies
run: composer install

- name: Restore cache PHPStan results
id: phpstan-cache-restore
uses: actions/cache/restore@v4
with:
path: .cache
key: "phpstan-result-cache-${{ github.run_id }}"
restore-keys: |
phpstan-result-cache-

- name: Run PHPStan
run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif

- name: "Upload SARIF report"
if: always()
uses: "github/codeql-action/upload-sarif@v3"
with:
sarif_file: phpstan.sarif

- name: Save cache PHPStan results
id: phpstan-cache-save
if: always()
uses: actions/cache/save@v4
with:
path: .cache
key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }}
101 changes: 77 additions & 24 deletions .github/workflows/release.yml
Expand Up @@ -22,21 +22,11 @@ jobs:
- name: "Create release output"
run: echo '🎬 Release process for version ${{ inputs.version }} started by @${{ github.triggering_actor }}' >> $GITHUB_STEP_SUMMARY

- name: "Create temporary app token"
uses: actions/create-github-app-token@v1
id: app-token
- name: "Generate token and checkout repository"
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: "Store GitHub token in environment"
run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
shell: bash

- uses: actions/checkout@v4
with:
submodules: true
token: ${{ env.GH_TOKEN }}
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}

- name: "Store version numbers in env variables"
run: |
Expand Down Expand Up @@ -71,11 +61,11 @@ jobs:
- name: "Create draft release"
run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --generate-notes --draft)" >> "$GITHUB_ENV"

# This step creates the signed release tag
- name: "Create release tag"
uses: mongodb-labs/drivers-github-tools/git-sign@v2
uses: mongodb-labs/drivers-github-tools/tag-version@v2
with:
command: "git tag -m 'Release ${{ inputs.version }}' -s --local-user=${{ env.GPG_KEY_ID }} ${{ inputs.version }}"
version: ${{ inputs.version }}
tag_message_template: 'Release ${VERSION}'

# TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created
# Process is:
Expand All @@ -84,14 +74,77 @@ jobs:
# 3. push next branch
# 4. switch back to release branch, then push

- name: "Push changes from release branch"
run: git push

# Pushing the release tag starts build processes that then produce artifacts for the release
- name: "Push release tag"
run: git push origin ${{ inputs.version }}

- name: "Set summary"
run: |
echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY

static-analysis:
needs: prepare-release
name: "Run Static Analysis"
uses: ./.github/workflows/static-analysis.yml
with:
ref: refs/tags/${{ inputs.version }}
permissions:
security-events: write
id-token: write

publish-ssdlc-assets:
needs: static-analysis
environment: release
name: "Publish SSDLC Assets"
runs-on: ubuntu-latest
permissions:
security-events: read
id-token: write
contents: write

steps:
- name: "Generate token and checkout repository"
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
ref: refs/tags/${{ inputs.version }}

# Sets the S3_ASSETS environment variable used later
- name: "Set up drivers-github-tools"
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: ${{ vars.AWS_REGION_NAME }}
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}

- name: "Generate authorized publication document"
uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
with:
product_name: "MongoDB Laravel Integration"
release_version: ${{ inputs.version }}
filenames: ""
token: ${{ env.GH_TOKEN }}

- name: "Download SBOM file from Silk"
uses: mongodb-labs/drivers-github-tools/sbom@v2
with:
silk_asset_group: mongodb-laravel-integration

- name: "Upload SBOM as release artifact"
run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
continue-on-error: true

- name: "Generate SARIF report from code scanning alerts"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
ref: ${{ inputs.version }}
output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json

- name: "Generate compliance report"
uses: mongodb-labs/drivers-github-tools/compliance-report@v2
with:
token: ${{ env.GH_TOKEN }}

- name: Upload S3 assets
uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ inputs.version }}
product_name: laravel-mongodb
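Review bot: The SBOM upload step `gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json` is marked `continue-on-error: true`, so a failed Silk download or upload lets the job finish green with no SBOM attached to the release, and nothing in the step summary records that the artifact is missing; for an SSDLC deliverable the step should fail the job, or at least append a warning line to `$GITHUB_STEP_SUMMARY` when it does not succeed. The same hunk expands `${{ inputs.version }}` straight into `run:` shell lines (here and in the `gh release create` / `git push origin` steps above); `inputs.version` can only be set by someone allowed to dispatch the workflow, but binding it through the environment first removes the shell-injection surface at no cost, e.g. `env: { VERSION: "${{ inputs.version }}" }` with `run: gh release upload "$VERSION" "$S3_ASSETS/cyclonedx.sbom.json"`. Whether the `sbom` action errors or writes an empty file when the asset group is unknown cannot be told from this page, so the exact failure mode of the download step is inferred.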
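--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -0,0 +1,74 @@
+name: "Static Analysis"
+
+on:
+  push:
+  pull_request:
+  workflow_call:
+    inputs:
+      ref:
+        description: "The git ref to check"
+        type: string
+        required: true
+
+env:
+  PHP_VERSION: "8.2"
+  DRIVER_VERSION: "stable"
+
+jobs:
+  phpstan:
+    runs-on: "ubuntu-22.04"
+    continue-on-error: true
+    strategy:
+      matrix:
+        php:
+          - '8.1'
+          - '8.2'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          extensions: curl, mbstring
+          tools: composer:v2
+          coverage: none
+
+      - name: Cache dependencies
+        id: composer-cache
+        uses: actions/cache@v4
+        with:
+          path: ./vendor
+          key: composer-${{ hashFiles('**/composer.lock') }}
+
+      - name: Install dependencies
+        run: composer install
+
+      - name: Restore cache PHPStan results
+        id: phpstan-cache-restore
+        uses: actions/cache/restore@v4
+        with:
+          path: .cache
+          key: "phpstan-result-cache-${{ matrix.php }}-${{ github.run_id }}"
+          restore-keys: |
+            phpstan-result-cache-
+
+      - name: Run PHPStan
+        run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif
+
+      - name: "Upload SARIF report"
+        if: always()
+        uses: "github/codeql-action/upload-sarif@v3"
+        with:
+          sarif_file: phpstan.sarif
+
+      - name: Save cache PHPStan results
+        id: phpstan-cache-save
+        if: always()
+        uses: actions/cache/save@v4
+        with:
+          path: .cache
+          key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }}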
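Review bot: The checkout `ref:` expression only honours `inputs.ref` when `github.event_name` is `workflow_dispatch`, yet this file declares no `workflow_dispatch` trigger and under `workflow_call` `github.event_name` is the calling workflow's event, so if `release.yml` is ever started by anything other than a manual dispatch the `refs/tags/…` it passes is silently dropped and `github.ref` is scanned instead — the SARIF then uploaded for the release would not describe the tagged code. `ref: ${{ inputs.ref || github.ref }}` expresses the intent directly, since `inputs.ref` is empty (falsy) on `push` and `pull_request` runs. Separately, `continue-on-error: true` at the `phpstan` job level makes the job report success regardless of PHPStan's exit status, so the `needs: static-analysis` edge in `release.yml` gates on nothing; if the intent is only to tolerate one PHP version failing, put the flag on the matrix entry (`continue-on-error: ${{ matrix.php == '8.1' }}` or similar) rather than the whole job. Note too that `restore-keys: phpstan-result-cache-` matches caches saved by either PHP version even though the primary key embeds `matrix.php`, which is harmless but defeats the per-version key; a `phpstan-result-cache-${{ matrix.php }}-` prefix keeps the results separate.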