Run static analysis on release and publish SSDLC assets

alcaeus · alcaeus · commit 89aed9b222d2 · 2024-06-10T13:17:03.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -76,12 +76,6 @@ jobs:
             exit 1
           fi
 
-      - name: "Fail if branch names don't match"
-        if: ${{ github.ref_name != env.RELEASE_BRANCH }}
-        run: |
-          echo '❌ Release failed due to branch mismatch: expected ${{ inputs.version }} to be released from ${{ env.RELEASE_BRANCH }}, got ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY
-          exit 1
-
       #
       # Preliminary checks done - commence the release process
       #
@@ -93,7 +87,6 @@ jobs:
           aws_region_name: ${{ vars.AWS_REGION_NAME }}
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
 
-      # Create a draft release with release message filled in
       - name: "Prepare release message"
         run: |
           cat > release-message <<'EOL'
@@ -103,7 +96,6 @@ jobs:
       - name: "Create draft release"
         run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV"
 
-      # This step creates the signed release tag
       - name: "Create release tag"
         uses: mongodb-labs/drivers-github-tools/git-sign@v2
         with:
@@ -119,11 +111,95 @@ jobs:
       - name: "Push changes from release branch"
         run: git push
 
-      # Pushing the release tag starts build processes that then produce artifacts for the release
       - name: "Push release tag"
         run: git push origin ${{ inputs.version }}
 
       - name: "Set summary"
         run: |
           echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
           echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
+
+  static-analysis:
+    needs: prepare-release
+    name: "Run Static Analysis"
+    uses: ./.github/workflows/static-analysis.yml
+    with:
+      ref: refs/tags/${{ inputs.version }}
+    permissions:
+      security-events: write
+      id-token: write
+
+  publish-ssdlc-assets:
+    needs: static-analysis
+    environment: release
+    name: "Publish SSDLC Assets"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: read
+      id-token: write
+      contents: write
+
+    steps:
+      - name: "Create temporary app token"
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: "Store GitHub token in environment"
+        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+        shell: bash
+
+      - uses: actions/checkout@v4
+        with:
+          ref: refs/tags/${{ inputs.version }}
+          token: ${{ env.GH_TOKEN }}
+
+      - name: "Set up drivers-github-tools"
+        # TODO: Use main repository when https://github.com/mongodb-labs/drivers-github-tools/pull/25 is merged
+        uses: blink1073/drivers-github-tools/setup@add-compliance-report
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+      - name: "Generate authorized publication document"
+        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+        with:
+          product_name: "MongoDB PHP Driver (library)"
+          release_version: ${{ inputs.version }}
+          filenames: ""
+          token: ${{ env.GH_TOKEN }}
+
+      # TODO: Currently disabled as the asset group seems to no longer exist?
+#      - name: "Download SBOM file from Silk"
+#        uses: mongodb-labs/drivers-github-tools/sbom@v2
+#        with:
+#          silk_asset_group: mongodb-php-driver-library
+
+      # TODO: Currently disabled as the asset group seems to no longer exist?
+      # TODO: File name is only correct after https://github.com/mongodb-labs/drivers-github-tools/pull/25 is merged
+#      - name: "Upload SBOM as release artifact"
+#        run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
+#        continue-on-error: true
+
+      - name: "Generate SARIF report from code scanning alerts"
+        # TODO: Use main repository when https://github.com/mongodb-labs/drivers-github-tools/pull/29 is merged
+        uses: alcaeus/drivers-github-tools/code-scanning-export@document-code-scanning-export
+        with:
+          ref: ${{ inputs.version }}
+          output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
+
+      - name: "Generate compliance report"
+        # TODO: Use main repository when https://github.com/mongodb-labs/drivers-github-tools/pull/25 is merged
+        uses: blink1073/drivers-github-tools/compliance-report@add-compliance-report
+        with:
+          token: ${{ env.GH_TOKEN }}
+
+      - name: Upload S3 assets
+        # TODO: Use main repository when https://github.com/mongodb-labs/drivers-github-tools/pull/30 is merged
+        uses: alcaeus/drivers-github-tools/upload-s3-assets@upload-s3-assets
+        with:
+          version: ${{ inputs.version }}
+          product_name: mongo-php-library
