Skip to content

chore(NODE-6118): generate authorized publisher report and compliance report #4156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Jun 24, 2024
Merged

chore(NODE-6118): generate authorized publisher report and compliance report #4156

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
598ced9
add compliance report and authorized publisher
baileympearson Jun 17, 2024
c9f5c3f
use shared action
baileympearson Jun 20, 2024
4cc2a44
combine
baileympearson Jun 20, 2024
c0b9189
add 3rd party dependency tracking
baileympearson Jun 21, 2024
2abdf1c
use main branch, not fork
baileympearson Jun 24, 2024
06f55f6
comments
baileympearson Jun 24, 2024
21ef171
add target branch
baileympearson Jun 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 23 additions & 18 deletions .github/actions/compress_sign_and_upload/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,23 @@
name: Compress and Sign
description: 'Compresses package and signs with garasign'

inputs:
aws_role_arn:
description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
required: true
aws_region_name:
description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
required: true
aws_secret_id:
description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
required: true
npm_package_name:
description: 'The name for the npm package this repository represents'
required: true
inputs:
aws_role_arn:
description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
required: true
aws_region_name:
description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
required: true
aws_secret_id:
description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
required: true
npm_package_name:
description: 'The name for the npm package this repository represents'
required: true
dry_run:
description: 'Should we upload files to the release?'
required: false
default: 'true'

runs:
using: composite
Expand All @@ -31,24 +35,25 @@ runs:

- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
with:
aws_region_name: ${{ inputs.aws_region_name }}
aws_role_arn: ${{ inputs.aws_role_arn }}
aws_secret_id: ${{ inputs.aws_secret_id }}

- name: Create detached signature
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
with:
with:
filenames: ${{ steps.get_vars.outputs.package_file }}
env:
env:
RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig

- name: Name release asset correctly
- name: Name release asset correctly
run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash

- name: "Upload release artifacts"
if: ${{ inputs.dry_run == false }}
run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
shell: bash
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ github.token }}
74 changes: 72 additions & 2 deletions .github/workflows/release-5.x.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,21 +23,48 @@ jobs:

compress_sign_and_upload:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- name: Get release version and release package file name
id: get_vars
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"

- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
with:
release_version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
# <package> and <package>.sig
filenames: ${{ steps.get_vars.outputs.package_file }}*
token: ${{ github.token }}

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: ${{env.S3_ASSETS}}/authorized-publication.txt
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

- run: npm publish --provenance --tag=5x
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Expand Down Expand Up @@ -73,7 +100,7 @@ jobs:
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
Expand Down Expand Up @@ -113,3 +140,46 @@ jobs:
product_name: node-mongodb-native
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

generate_compliance_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"

- name: Generate compliance report
uses: mongodb-labs/drivers-github-tools/compliance-report@v2
with:
sbom_name: sbom.json
sarif_name: sarif-report.json
security_report_location: tbd
release_version: ${{ steps.get_version.outputs.package_version }}
token: ${{ github.token }}

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt
dry_run: ${{ needs.release_please.outputs.release_created == '' }}
75 changes: 72 additions & 3 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,21 +21,48 @@ jobs:

compress_sign_and_upload:
needs: [release_please]
if: ${{ needs.release_please.outputs.release_created }}
environment: release
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: actions/setup
uses: ./.github/actions/setup
- name: Get release version and release package file name
id: get_vars
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"

- name: actions/compress_sign_and_upload
uses: ./.github/actions/compress_sign_and_upload
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: 'us-east-1'
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
npm_package_name: 'mongodb'
- run: npm publish --provenance
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

- name: Generate authorized pub report
uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
with:
release_version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
# <package> and <package>.sig
filenames: ${{ steps.get_vars.outputs.package_file }}*
token: ${{ github.token }}

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: ${{env.S3_ASSETS}}/authorized-publication.txt
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

- run: npm publish --provenance --tag=latest
if: ${{ needs.release_please.outputs.release_created }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Expand Down Expand Up @@ -78,7 +105,6 @@ jobs:
file: sarif-report.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}


upload_sbom_lite:
environment: release
runs-on: ubuntu-latest
Expand Down Expand Up @@ -112,3 +138,46 @@ jobs:
product_name: node-mongodb-native
file: sbom.json
dry_run: ${{ needs.release_please.outputs.release_created == '' }}

generate_compliance_report:
environment: release
runs-on: ubuntu-latest
needs: [release_please]
permissions:
# required for all workflows
security-events: write
id-token: write
contents: write

steps:
- uses: actions/checkout@v4
- name: Set up drivers-github-tools
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_region_name: us-east-1
aws_role_arn: ${{ secrets.aws_role_arn }}
aws_secret_id: ${{ secrets.aws_secret_id }}

- name: Get release version and release package file name
id: get_version
shell: bash
run: |
package_version=$(jq --raw-output '.version' package.json)
echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"

- name: Generate compliance report
uses: mongodb-labs/drivers-github-tools/compliance-report@v2
with:
sbom_name: sbom.json
sarif_name: sarif-report.json
security_report_location: tbd
release_version: ${{ steps.get_version.outputs.package_version }}
token: ${{ github.token }}

- name: actions/publish_asset_to_s3
uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
with:
version: ${{ steps.get_version.outputs.package_version }}
product_name: node-mongodb-native
file: ${{env.S3_ASSETS}}/ssdlc_compliance_report.txt
dry_run: ${{ needs.release_please.outputs.release_created == '' }}