Publish SSDLC assets after release

alcaeus · alcaeus · commit af09ea9b853c · 2024-06-12T10:23:49.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -182,3 +182,77 @@ jobs:
     secrets: inherit
     permissions:
       id-token: write
+
+  publish-ssdlc-assets:
+    needs:
+      - static-analysis
+      - package-release
+    environment: release
+    name: "Publish SSDLC Assets"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: read
+      id-token: write
+      contents: write
+
+    steps:
+      - name: "Create temporary app token"
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: "Store GitHub token in environment"
+        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+        shell: bash
+
+      - uses: actions/checkout@v4
+        with:
+          ref: refs/tags/${{ inputs.version }}
+          token: ${{ env.GH_TOKEN }}
+
+      # Sets the S3_ASSETS environment variable used later
+      - name: "Set up drivers-github-tools"
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+      - name: Download all release artifacts
+        run: gh release download ${{ inputs.version }} --dir ${{ env.RELEASE_ASSETS }}
+
+      - name: "Generate authorized publication document"
+        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+        with:
+          product_name: "MongoDB PHP Driver (extension)"
+          release_version: ${{ inputs.version }}
+          filenames: "${{ env.RELEASE_ASSETS }}/*"
+          token: ${{ env.GH_TOKEN }}
+
+      - name: "Download SBOM file from Silk"
+        uses: mongodb-labs/drivers-github-tools/sbom@v2
+        with:
+          silk_asset_group: mongodb-php-driver-extension
+
+      - name: "Upload SBOM as release artifact"
+        run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
+        continue-on-error: true
+
+      - name: "Generate SARIF report from code scanning alerts"
+        uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+        with:
+          ref: ${{ inputs.version }}
+          output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
+
+      - name: "Generate compliance report"
+        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+        with:
+          token: ${{ env.GH_TOKEN }}
+
+      - name: Upload S3 assets
+        uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+        with:
+          version: ${{ inputs.version }}
+          product_name: mongo-php-driver
