Skip to content

PHPC-2384, PHPC-2399, PHPC-2400: Publish SSDLC assets on release #1584

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Jun 13, 2024
Merged

PHPC-2384, PHPC-2399, PHPC-2400: Publish SSDLC assets on release #1584

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
f7a7f46
Run packaging manually from release workflow
alcaeus Jun 12, 2024
d5021c1
Run static analysis for tag manually from release workflow
alcaeus Jun 12, 2024
af09ea9
Publish SSDLC assets after release
alcaeus Jun 12, 2024
d804694
Use secure-checkout action to generate token and run checkout
alcaeus Jun 12, 2024
cf85c7c
Use API to generate changelog for PECL package
alcaeus Jun 12, 2024
c53c215
Use inputs.version to pass version
alcaeus Jun 12, 2024
de9a496
Use bump and tag actions from drivers-github-tools
alcaeus Jun 12, 2024
235978e
Remove build artifacts and require release asset upload to succeed
alcaeus Jun 12, 2024
a38f678
Continue publishing SSDLC assets if SBOM download fails
alcaeus Jun 12, 2024
0b11963
Extract building Windows Package to reusable workflow
alcaeus Jun 12, 2024
03dbe44
Remove unnecessary release files
alcaeus Jun 13, 2024
5441f3b
Apply suggestion from code review
alcaeus Jun 13, 2024
d05c633
Let publish job error out when SBOM download fails
alcaeus Jun 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/actions/windows/prepare-build/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ runs:
- name: Enable Developer Command Prompt
uses: ilammy/msvc-dev-cmd@v1
with:
arch: ${{ matrix.arch }}
arch: ${{ inputs.arch }}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This happened to "just work" before, but broke down once the action was used in a job that didn't use the matrix strategy. Took me longer to figure out than I care to admit...

toolset: ${{ steps.setup-php.outputs.toolset }}

- name: phpize
Expand Down
122 changes: 122 additions & 0 deletions .github/workflows/build-windows-package.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
name: "Build Windows Package"
run-name: "Build Windows Package for ${{ inputs.ref }} (PHP ${{ inputs.php }} ${{ inputs.arch }} ${{ inputs.ts }})"

on:
workflow_call:
inputs:
version:
description: "The version being built"
type: string
required: true
ref:
description: "The git reference to build"
type: string
required: true
php:
description: "The PHP version to build for"
type: string
required: true
arch:
description: "The architecture to build for (x64 or x86)"
type: string
required: true
ts:
description: "Thread safety (ts or nts)"
type: string
required: true
upload_release_asset:
description: "Whether to upload a release asset"
type: boolean
default: false

jobs:
build:
name: "Build DLL"
# windows-latest is required to use enableCrossOsArchive with Ubuntu in the
# next step. See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
runs-on: windows-latest
defaults:
run:
shell: cmd

steps:
- uses: actions/checkout@v4
with:
submodules: true
ref: ${{ inputs.ref }}

- name: "Build Driver"
id: build-driver
uses: ./.github/actions/windows/build
with:
version: ${{ inputs.php }}
arch: ${{ inputs.arch }}
ts: ${{ inputs.ts }}

- name: "Copy DLL and PDB files to CWD"
run: |
cp %BUILD_DIR%\php_mongodb.dll .
cp %BUILD_DIR%\php_mongodb.pdb .
env:
BUILD_DIR: ${{ steps.build-driver.outputs.build-dir }}

- name: "Cache build artifacts for subsequent builds"
uses: actions/cache/save@v4
with:
key: ${{ github.sha }}-${{ inputs.php }}-${{ inputs.ts }}-${{ inputs.arch }}
enableCrossOsArchive: true
path: |
php_mongodb.dll
php_mongodb.pdb

sign-and-package:
environment: release
name: "Sign and create package"
needs: build
# ubuntu-latest is required to use enableCrossOsArchive
# See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
runs-on: "ubuntu-latest"
permissions:
id-token: write

steps:
- name: "Generate token and checkout repository"
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
ref: ${{ inputs.ref }}

- name: "Set up drivers-github-tools"
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: ${{ vars.AWS_REGION_NAME }}
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}

- name: Restore cached build artifacts
id: cache-build-artifacts
uses: actions/cache/restore@v4
with:
fail-on-cache-miss: true
key: ${{ github.sha }}-${{ inputs.php }}-${{ inputs.ts }}-${{ inputs.arch }}
enableCrossOsArchive: true
path: |
php_mongodb.dll
php_mongodb.pdb

- name: "Create detached DLL signature"
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
with:
filenames: php_mongodb.dll

# Copy the signature file from the release asset directory to avoid directory issues in the ZIP file
- name: "Copy signature file"
run: cp ${RELEASE_ASSETS}/php_mongodb.dll.sig .

- name: "Create and upload release asset"
if: ${{ inputs.upload_release_asset }}
run: |
ARCHIVE=php_mongodb-${{ inputs.version }}-${{ inputs.php }}-${{ inputs.ts }}-${{ inputs.arch }}.zip
zip ${ARCHIVE} php_mongodb.dll php_mongodb.dll.sig php_mongodb.pdb CREDITS CONTRIBUTING.md LICENSE README.md THIRD_PARTY_NOTICES
gh release upload ${{ inputs.version }} ${ARCHIVE}
16 changes: 0 additions & 16 deletions .github/workflows/commit-and-tag.sh
View file
Open in desktop

This file was deleted.

185 changes: 35 additions & 150 deletions .github/workflows/package-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,17 @@
name: "Package Release"
run-name: "Package Release ${{ github.ref_name }}"
run-name: "Package Release ${{ inputs.version }}"

on:
push:
tags:
- "*"
workflow_call:
inputs:
version:
description: "The version being built"
type: string
required: true
ref:
description: "The git reference to build"
type: string
required: true

jobs:
build-pecl:
Expand All @@ -13,25 +20,15 @@ jobs:
runs-on: "ubuntu-latest"
permissions:
id-token: write
contents: write

steps:
- name: "Create temporary app token"
uses: actions/create-github-app-token@v1
id: app-token
- name: "Generate token and checkout repository"
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: "Store GitHub token in environment"
run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
shell: bash

- name: "Checkout"
uses: "actions/checkout@v4"
with:
# Manually specify a ref. When actions/checkout is run for a tag without a ref, it looks up the underlying
# commit and specifically fetches this to the refs/tags/<tag> ref, which denies us access to the tag message
ref: ${{ github.ref }}
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
ref: ${{ inputs.ref }}
submodules: true

- name: "Set up drivers-github-tools"
Expand All @@ -47,7 +44,13 @@ jobs:
version: "8.3"

- name: "Write changelog file for packaging"
run: git tag -l ${{ github.ref_name }} --format='%(contents)' > changelog
run: |
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/${{ github.repository }}/releases/generate-notes \
-f "tag_name=${{ inputs.version }}" --jq '.body' > changelog

# This will fill in the release notes from the previously generated changelog
- name: "Build package.xml"
Expand Down Expand Up @@ -77,142 +80,24 @@ jobs:
- name: "Copy signature file"
run: cp ${RELEASE_ASSETS}/${{ env.PACKAGE_FILE }}.sig .

- name: "Upload artifacts"
uses: actions/upload-artifact@v4
with:
name: ${{ env.PACKAGE_FILE }}
path: |
${{ env.PACKAGE_FILE }}
${{ env.PACKAGE_FILE }}.sig
retention-days: 3

- name: "Upload release artifacts"
run: gh release upload ${{ github.ref_name }} ${{ env.PACKAGE_FILE }} ${{ env.PACKAGE_FILE }}.sig
continue-on-error: true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was the removal of continue-on-error: true intentional?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was. I put it there initially because any tag build would trigger the package workflow, regardless of whether there was a GitHub release to go with it. With the change, the package workflow is only triggered from the release workflow, so if the upload fails we want to be alerted instead of the workflow run passing as if nothing went wrong.

run: gh release upload ${{ inputs.version }} ${{ env.PACKAGE_FILE }} ${{ env.PACKAGE_FILE }}.sig

build-windows:
name: "Create Windows package"
# windows-latest is required to use enableCrossOsArchive with Ubuntu in the
# next step. See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
runs-on: windows-latest
defaults:
run:
shell: cmd

name: "Create Windows packages"
uses: ./.github/workflows/build-windows-package.yml
with:
version: ${{ inputs.version }}
ref: refs/tags/${{ inputs.version }}
php: ${{ matrix.php }}
arch: ${{ matrix.arch }}
ts: ${{ matrix.ts }}
upload_release_asset: true
secrets: inherit
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noted: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idsecretsinherit

strategy:
fail-fast: false
matrix:
# Note: keep this in sync with the Windows matrix in windows-tests.yml
php: [ "7.4", "8.0", "8.1", "8.2", "8.3" ]
arch: [ x64, x86 ]
ts: [ ts, nts ]

steps:
- uses: actions/checkout@v4
with:
submodules: true

- name: "Build Driver"
id: build-driver
uses: ./.github/actions/windows/build
with:
version: ${{ matrix.php }}
arch: ${{ matrix.arch }}
ts: ${{ matrix.ts }}

- name: "Copy DLL and PDB files to CWD"
run: |
cp %BUILD_DIR%\php_mongodb.dll .
cp %BUILD_DIR%\php_mongodb.pdb .
env:
BUILD_DIR: ${{ steps.build-driver.outputs.build-dir }}

- name: "Cache build artifacts for subsequent builds"
uses: actions/cache/save@v4
with:
key: ${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}
enableCrossOsArchive: true
path: |
php_mongodb.dll
php_mongodb.pdb

sign-and-publish-windows:
environment: release
name: "Sign and Publish Windows package"
needs: [build-windows]
# ubuntu-latest is required to use enableCrossOsArchive
# See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
runs-on: "ubuntu-latest"
permissions:
id-token: write

strategy:
fail-fast: false
matrix:
# Note: keep this in sync with the Windows matrix in windows-tests.yml
php: [ "7.4", "8.0", "8.1", "8.2", "8.3" ]
arch: [ x64, x86 ]
ts: [ ts, nts ]

steps:
- name: "Create temporary app token"
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: "Store GitHub token in environment"
run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
shell: bash

- uses: actions/checkout@v4

- name: "Set up drivers-github-tools"
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: ${{ vars.AWS_REGION_NAME }}
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}

- name: Restore cached build artifacts
id: cache-build-artifacts
uses: actions/cache/restore@v4
with:
fail-on-cache-miss: true
key: ${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}
enableCrossOsArchive: true
path: |
php_mongodb.dll
php_mongodb.pdb

- name: "Create detached DLL signature"
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
with:
filenames: php_mongodb.dll

# Copy the signature file from the release asset directory to avoid directory issues in the ZIP file
- name: "Copy signature file"
run: cp ${RELEASE_ASSETS}/php_mongodb.dll.sig .

- name: "Upload DLL and PDB files as build artifacts"
uses: actions/upload-artifact@v4
with:
name: php_mongodb-${{ github.ref_name }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}
path: |
php_mongodb.dll
php_mongodb.dll.sig
php_mongodb.pdb
CREDITS
CONTRIBUTING.md
LICENSE
README.md
THIRD_PARTY_NOTICES
retention-days: 3

- name: "Create and upload release artifact"
run: |
ARCHIVE=php_mongodb-${{ github.ref_name }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}.zip
zip ${ARCHIVE} php_mongodb.dll php_mongodb.dll.sig php_mongodb.pdb CREDITS CONTRIBUTING.md LICENSE README.md THIRD_PARTY_NOTICES
gh release upload ${{ github.ref_name }} ${ARCHIVE}
continue-on-error: true
Loading
Loading