Skip to content

PHPLIB-1434: Publish SSDLC assets upon release #1342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jun 11, 2024
Merged

PHPLIB-1434: Publish SSDLC assets upon release #1342

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d450528
Allow reusing static analysis workflow
alcaeus Jun 10, 2024
4b3c5b1
Run static analysis on release and publish SSDLC assets
alcaeus Jun 10, 2024
74c8f2a
Address code review feedback
alcaeus Jun 11, 2024
b8537dc
Move rector to coding standards workflow
alcaeus Jun 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions .github/workflows/coding-standards.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,3 +35,20 @@ jobs:
# The -q option is required until phpcs v4 is released
- name: "Run PHP_CodeSniffer"
run: "vendor/bin/phpcs -q --no-colors --report=checkstyle | cs2pr"

rector:
name: "Rector"
runs-on: "ubuntu-22.04"

steps:
- name: "Checkout"
uses: "actions/checkout@v4"

- name: "Setup"
uses: "./.github/actions/setup"
with:
php-version: ${{ env.PHP_VERSION }}
driver-version: ${{ env.DRIVER_VERSION }}

- name: "Run Rector"
run: "vendor/bin/rector --ansi --dry-run"
82 changes: 79 additions & 3 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,6 @@ jobs:
aws_region_name: ${{ vars.AWS_REGION_NAME }}
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}

# Create a draft release with release message filled in
- name: "Prepare release message"
run: |
cat > release-message <<'EOL'
Expand All @@ -103,7 +102,6 @@ jobs:
- name: "Create draft release"
run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV"

# This step creates the signed release tag
- name: "Create release tag"
uses: mongodb-labs/drivers-github-tools/git-sign@v2
with:
Expand All @@ -119,11 +117,89 @@ jobs:
- name: "Push changes from release branch"
run: git push

# Pushing the release tag starts build processes that then produce artifacts for the release
- name: "Push release tag"
run: git push origin ${{ inputs.version }}

- name: "Set summary"
run: |
echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY

static-analysis:
needs: prepare-release
name: "Run Static Analysis"
uses: ./.github/workflows/static-analysis.yml
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default, I assume this would invoke all jobs in the referenced file and that's why you added a conditional on the Rector job.

I noted that this is re-using an entire workflow (jobs.<job_id>.uses), as opposed to an action being imported into a step (jobs.<job_id>.steps[*].uses).

I'm a bit confused about how this single static-analysis job would map to multiple jobs in static-analysis.yml if you hadn't specified a condition to exclude Rector. Would they just be run in sequence? Reusing Workflows doesn't address this, and the example therein only has a single job defined in the import file. To that end, I wonder if it'd make more sense to split the Psalm and Rector jobs into separate files (e.g. static-analysis-psalm.yml and static-analysis-rector.yml) if there isn't much commonality between them anyway.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes - unlike actions that contain a set of functionality to be included in a job, this allows to reuse an entire workflow as a job in a different workflow, without sharing data with any other job.

As for what this looks like, I wasn't sure at first either but it actually looks rather nice: https://github.com/alcaeus/mongo-php-library/actions/runs/9447195881. I'll split the workflow up into separate workflows for psalm and rector.

with:
ref: refs/tags/${{ inputs.version }}
permissions:
security-events: write
id-token: write

publish-ssdlc-assets:
needs: static-analysis
environment: release
name: "Publish SSDLC Assets"
runs-on: ubuntu-latest
permissions:
security-events: read
id-token: write
contents: write

steps:
- name: "Create temporary app token"
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: "Store GitHub token in environment"
run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
shell: bash

- uses: actions/checkout@v4
with:
ref: refs/tags/${{ inputs.version }}
token: ${{ env.GH_TOKEN }}

# Sets the S3_ASSETS environment variable used later
- name: "Set up drivers-github-tools"
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: ${{ vars.AWS_REGION_NAME }}
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}

- name: "Generate authorized publication document"
uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
with:
product_name: "MongoDB PHP Driver (library)"
release_version: ${{ inputs.version }}
filenames: ""
token: ${{ env.GH_TOKEN }}

- name: "Download SBOM file from Silk"
uses: mongodb-labs/drivers-github-tools/sbom@v2
with:
silk_asset_group: mongodb-php-driver-library

- name: "Upload SBOM as release artifact"
run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
continue-on-error: true

- name: "Generate SARIF report from code scanning alerts"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
ref: ${{ inputs.version }}
output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not clear to me where env.S3_ASSETS gets set. Does publishing here depend on the "Set up drivers-github-tools" task above, which is configured with the AWS secrets?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is set by the setup action above. I'll add a comment for this


- name: "Generate compliance report"
uses: mongodb-labs/drivers-github-tools/compliance-report@v2
with:
token: ${{ env.GH_TOKEN }}

- name: Upload S3 assets
uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ inputs.version }}
product_name: mongo-php-library
27 changes: 8 additions & 19 deletions .github/workflows/static-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,12 @@ on:
- "v*.*"
- "master"
- "feature/*"
tags:
- "*"
workflow_call:
inputs:
ref:
description: "The git ref to check"
type: string
required: true

env:
PHP_VERSION: "8.2"
Expand All @@ -27,6 +31,8 @@ jobs:
steps:
- name: "Checkout"
uses: "actions/checkout@v4"
with:
ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wasn't familiar with the syntax, but I consulted the Expressions docs to infer that it's a ternary statement and equivalent to the following:

if (github.event_name == 'workflow_dispatch') {
    inputs.ref ?? github.ref
} else {
    github.ref
}


- name: "Setup"
uses: "./.github/actions/setup"
Expand All @@ -41,20 +47,3 @@ jobs:
uses: "github/codeql-action/upload-sarif@v3"
with:
sarif_file: psalm.sarif

rector:
name: "Rector"
runs-on: "ubuntu-22.04"

steps:
- name: "Checkout"
uses: "actions/checkout@v4"

- name: "Setup"
uses: "./.github/actions/setup"
with:
php-version: ${{ env.PHP_VERSION }}
driver-version: ${{ env.DRIVER_VERSION }}

- name: "Run Rector"
run: "vendor/bin/rector --ansi --dry-run"