Skip to content

chore(NODE-6118): generate authorized publisher report and compliance report #4156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Jun 24, 2024
Merged

chore(NODE-6118): generate authorized publisher report and compliance report #4156

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
598ced9
add compliance report and authorized publisher
baileympearson Jun 17, 2024
c9f5c3f
use shared action
baileympearson Jun 20, 2024
4cc2a44
combine
baileympearson Jun 20, 2024
c0b9189
add 3rd party dependency tracking
baileympearson Jun 21, 2024
2abdf1c
use main branch, not fork
baileympearson Jun 24, 2024
06f55f6
comments
baileympearson Jun 24, 2024
21ef171
add target branch
baileympearson Jun 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 23 additions & 18 deletions .github/actions/compress_sign_and_upload/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,23 @@
name: Compress and Sign
description: 'Compresses package and signs with garasign'

inputs:
aws_role_arn:
description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
required: true
aws_region_name:
description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
required: true
aws_secret_id:
description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
required: true
npm_package_name:
description: 'The name for the npm package this repository represents'
required: true
inputs:
aws_role_arn:
description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
required: true
aws_region_name:
description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
required: true
aws_secret_id:
description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
required: true
npm_package_name:
description: 'The name for the npm package this repository represents'
required: true
dry_run:
description: 'Should we upload files to the release?'
required: false
default: 'true'

runs:
using: composite
Expand All @@ -31,24 +35,25 @@ runs:

- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
with:
aws_region_name: ${{ inputs.aws_region_name }}
aws_role_arn: ${{ inputs.aws_role_arn }}
aws_secret_id: ${{ inputs.aws_secret_id }}

- name: Create detached signature
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
with:
with:
filenames: ${{ steps.get_vars.outputs.package_file }}
env:
env:
RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig

- name: Name release asset correctly
- name: Name release asset correctly
run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash

- name: "Upload release artifacts"
if: ${{ inputs.dry_run == false }}
run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ github.token }}
107 changes: 36 additions & 71 deletions .github/workflows/release-5.x.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,98 +18,63 @@ jobs:
steps:
- id: release
uses: googleapis/release-please-action@v4
with:
target-branch: 5.x

compress_sign_and_upload:
ssdlc:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- name: Get release version and release package file name
id: get_vars
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"

- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- run: npm publish --provenance --tag=5x
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

generate_sarif_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

- name: "Generate Sarif Report"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
ref: 5.x
output-file: sarif-report.json

- name: Get release version and release package file name
id: get_version
- name: Copy sbom file to release assets
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json

- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sarif-report.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
release_version: ${{ steps.get_version.outputs.package_version }}
product_name: mongodb
sarif_report_target_ref: 5.x
third_party_dependency_tool: n/a
# <package> and <package>.sig
dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
token: ${{ github.token }}
sbom_file_name: sbom.json

upload_sbom_lite:
publish:
needs: [release_please, ssdlc]
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/setup
uses: ./.github/actions/setup

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
- run: npm publish --provenance --tag=5.x
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
106 changes: 39 additions & 67 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,96 +19,68 @@ jobs:
- id: release
uses: googleapis/release-please-action@v4

compress_sign_and_upload:
ssdlc:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- name: Get release version and release package file name
id: get_vars
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"

- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- run: npm publish --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

generate_sarif_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}
- name: Copy sbom file to release assets
shell: bash
run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json

- name: "Generate Sarif Report"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/full-report@v2
with:
ref: main
output-file: sarif-report.json
release_version: ${{ steps.get_version.outputs.package_version }}
product_name: mongodb
sarif_report_target_ref: main
third_party_dependency_tool: n/a
# <package> and <package>.sig
dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
token: ${{ github.token }}
sbom_file_name: sbom.json

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
- uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sarif-report.json
version: ${{ inputs.version }}
product_name: ${{ inputs.product_name }}
dry_run: ${{ needs.release_please.outputs.release_created == '' }}


upload_sbom_lite:
publish:
needs: [release_please, ssdlc]
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/setup
uses: ./.github/actions/setup

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
- run: npm publish --provenance --tag=latest
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}