add compliance report and authorized publisher

baileympearson · baileympearson · commit 598ced96bee2 · 2024-06-20T10:10:29.000-06:00
diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml
@@ -1,19 +1,23 @@
 name: Compress and Sign
 description: 'Compresses package and signs with garasign'
 
-inputs: 
-    aws_role_arn:
-      description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
-      required: true
-    aws_region_name:
-      description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
-      required: true
-    aws_secret_id:
-      description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
-      required: true
-    npm_package_name:
-      description: 'The name for the npm package this repository represents'
-      required: true
+inputs:
+  aws_role_arn:
+    description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  aws_region_name:
+    description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  aws_secret_id:
+    description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  npm_package_name:
+    description: 'The name for the npm package this repository represents'
+    required: true
+  dry_run:
+    description: 'Should we upload files to the release?'
+    required: false
+    default: 'true'
 
 runs:
   using: composite
@@ -31,24 +35,25 @@ runs:
 
     - name: Set up drivers-github-tools
       uses: mongodb-labs/drivers-github-tools/setup@v2
-      with: 
+      with:
         aws_region_name: ${{ inputs.aws_region_name }}
         aws_role_arn: ${{ inputs.aws_role_arn }}
         aws_secret_id: ${{ inputs.aws_secret_id }}
 
     - name: Create detached signature
       uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
-      with: 
+      with:
         filenames: ${{ steps.get_vars.outputs.package_file }}
-      env: 
+      env:
         RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig
 
-    - name: Name release asset correctly 
+    - name: Name release asset correctly
       run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
       shell: bash
 
     - name: "Upload release artifacts"
+      if: ${{ inputs.dry_run == false }}
       run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
       shell: bash
       env:
-        GH_TOKEN: ${{ github.token }}
+        GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml
@@ -23,21 +23,48 @@ jobs:
 
   compress_sign_and_upload:
     needs: [release_please]
-    if: ${{ needs.release_please.outputs.release_created }}
     environment: release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: actions/setup
         uses: ./.github/actions/setup
+      - name: Get release version and release package file name
+        id: get_vars
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+          echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
       - name: actions/compress_sign_and_upload
         uses: ./.github/actions/compress_sign_and_upload
         with:
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region_name: 'us-east-1'
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
           npm_package_name: 'mongodb'
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+
+      - name: Generate authorized pub report
+        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+        with:
+          release_version: ${{ steps.get_version.outputs.package_version }}
+          product_name: node-mongodb-native
+          # <package> and <package>.sig
+          filenames: ${{ steps.get_vars.outputs.package_file }}*
+          token:  ${{ github.token }}
+
+      - name: actions/publish_asset_to_s3
+        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+        with:
+          version: ${{ steps.get_version.outputs.package_version }}
+          product_name: node-mongodb-native
+          file: ${{env.S3_ASSETS}}/authorized-publication.txt
+          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+
       - run: npm publish --provenance --tag=5x
+        if: ${{ needs.release_please.outputs.release_created }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -73,7 +100,7 @@ jobs:
           package_version=$(jq --raw-output '.version' package.json)
           echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
       - name: actions/publish_asset_to_s3
-        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
+        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
         with:
           version: ${{ steps.get_version.outputs.package_version }}
           product_name: node-mongodb-native
@@ -113,3 +140,46 @@ jobs:
           product_name: node-mongodb-native
           file: sbom.json
           dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+
+  generate_compliance_report:
+    environment: release
+    runs-on: ubuntu-latest
+    needs: [release_please]
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up drivers-github-tools
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_region_name: us-east-1
+          aws_role_arn: ${{ secrets.aws_role_arn }}
+          aws_secret_id: ${{ secrets.aws_secret_id }}
+
+      - name: Get release version and release package file name
+        id: get_version
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+
+      - name: Generate compliance report
+        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+        with:
+          sbom_name: sbom.json
+          sarif_name: sarif-report.json
+          security_report_location: tbd
+          release_version: ${{ steps.get_version.outputs.package_version }}
+          token:  ${{ github.token }}
+
+      - name: actions/publish_asset_to_s3
+        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+        with:
+          version: ${{ steps.get_version.outputs.package_version }}
+          product_name: node-mongodb-native
+          file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt
+          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,21 +21,48 @@ jobs:
 
   compress_sign_and_upload:
     needs: [release_please]
-    if: ${{ needs.release_please.outputs.release_created }}
     environment: release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: actions/setup
         uses: ./.github/actions/setup
+      - name: Get release version and release package file name
+        id: get_vars
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+          echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
       - name: actions/compress_sign_and_upload
         uses: ./.github/actions/compress_sign_and_upload
         with:
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region_name: 'us-east-1'
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
           npm_package_name: 'mongodb'
-      - run: npm publish --provenance
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+
+      - name: Generate authorized pub report
+        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+        with:
+          release_version: ${{ steps.get_version.outputs.package_version }}
+          product_name: node-mongodb-native
+          # <package> and <package>.sig
+          filenames: ${{ steps.get_vars.outputs.package_file }}*
+          token:  ${{ github.token }}
+
+      - name: actions/publish_asset_to_s3
+        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+        with:
+          version: ${{ steps.get_version.outputs.package_version }}
+          product_name: node-mongodb-native
+          file: ${{env.S3_ASSETS}}/authorized-publication.txt
+          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+
+      - run: npm publish --provenance --tag=latest
+        if: ${{ needs.release_please.outputs.release_created }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -78,7 +105,6 @@ jobs:
           file: sarif-report.json
           dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
 
-
   upload_sbom_lite:
     environment: release
     runs-on: ubuntu-latest
@@ -112,3 +138,46 @@ jobs:
           product_name: node-mongodb-native
           file: sbom.json
           dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+
+  generate_compliance_report:
+    environment: release
+    runs-on: ubuntu-latest
+    needs: [release_please]
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up drivers-github-tools
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_region_name: us-east-1
+          aws_role_arn: ${{ secrets.aws_role_arn }}
+          aws_secret_id: ${{ secrets.aws_secret_id }}
+
+      - name: Get release version and release package file name
+        id: get_version
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+
+      - name: Generate compliance report
+        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+        with:
+          sbom_name: sbom.json
+          sarif_name: sarif-report.json
+          security_report_location: tbd
+          release_version: ${{ steps.get_version.outputs.package_version }}
+          token:  ${{ github.token }}
+
+      - name: actions/publish_asset_to_s3
+        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+        with:
+          version: ${{ steps.get_version.outputs.package_version }}
+          product_name: node-mongodb-native
+          file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt
+          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
