Important
This Repository is NOT a supported MongoDB product
This repository contains GitHub Actions that are common to drivers.
Many of the actions in this repo depend on one another. There is no supported way to reference another action using a relative path. Therefore the recommended approach is to set all of the relative actions to your branch name while working on a feature, then reverting to the version tag before merging.
It is recommended that you use Dependabot and use an explicit reference when using these actions. This will allow Dependabot to update to a more recent sha and allow you to accept updates to the actions as needed.
Example dependabot.yml:
version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" groups: actions: patterns: - "*"Example usage with references:
- name: secure-checkout uses: mongodb-labs/drivers-github-tools/secure-checkout@40b8ff3c0decd1388587fcc3d0a36d4818a054a6 # v2 with: app_id: ${{ vars.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }}This action will perform a checkout with the GitHub App credentials.
- name: secure-checkout uses: mongodb-labs/drivers-github-tools/secure-checkout@v3 with: app_id: ${{ vars.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }}By default it will use the current ${{github.ref}} if the ref parameter is not given. It will write the secure global variable GH_TOKEN that can be used with the gh cli.
There is a common setup action that is meant to be run before all other actions. It handles fetching secrets from AWS Secrets Manager, signing into ECR, setting up Garasign credentials, and setting up environment variables used in other actions. The action requires id-token: write permissions.
- name: setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: ${{ vars.AWS_REGION_NAME }} aws_secret_id: ${{ secrets.AWS_SECRET_ID }}Note
You must use the actions/checkout action prior to calling the setup action, Since the setup action sets up git config that would be overridden by the actions/checkout action
The following keys MUST be defined in the AWS_SECRET_ID vault: garasign-username, garasign-password, gpg-key-id. If uploading to an S3 bucket, also define release-assets-bucket.
These actions are used to sign artifacts using the team's GPG key.
Use this action to create signed git artifacts:
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create signed commit uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: command: "git commit -m 'Commit' -s --gpg-sign=${{ env.GPG_KEY_ID }}" - name: Create signed tag uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: command: "git tag -m 'Tag' -s --local-user=${{ env.GPG_KEY_ID }} -a <tag>"This is a convenience action to bump the version, create a signed commit, and push the commit unless push_commit is disabled. You can override the commit message format if desired. The version bump script should accept a new version as an argument and update the version accordingly.
- name: Bump version uses: mongodb-labs/drivers-github-tools/bump-version@v3 with: version: ${{ inputs.version }} version_bump_script: "bash ./my-bump-version-script.sh"This is a convenience action to create a signed tag, optionally verify the tag, and push the tag unless push_tag is disabled. You can override the tag format and the tag message format if desired.
- name: Tag version uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: ${{ inputs.version }}This action is used to create detached signatures for files:
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create detached signature uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: filenames: somefile.extThe action will create a signature file somefile.ext.sig in the working directory.
You can also supply a glob pattern to sign a group of files:
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create detached signature uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1 with: filenames: dist/*The following tools are meant to aid in generating Software Security Development Lifecycle reports associated with a product release.
This action will create a record of authorized publication on distribution channels. It will create the file $S3_ASSETS/authorized_publication.txt
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create Authorized Publication Report uses: mongodb-labs/drivers-github-tools/authorized-pub@v3 with: product_name: Mongo Python Driver release_version: ${{ github.ref_name }} filenames: dist/* token: ${{ github.token }}This action will download an Augmented SBOM file in $RELEASE_ASSETS/sbom.json.
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create SBOM uses: mongodb-labs/drivers-github-tools/sbom@v3 with: sbom_in_path: sbom.jsonThis action will export all dismissed and open alerts to a SARIF file. By default, this file is named code-scanning-alerts.json and placed in the working directory.
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Export Code Scanning Alerts uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3This action will generate the SSDLC compliance report in the S3_ASSETS folder, called ssdlc_compliance_report.md.
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Generate compliance report uses: mongodb-labs/drivers-github-tools/compliance-report@v3There are several ways to specify the security report:
- By specifying an absolute URL starting with https
- By specifying a relative path, which is then linked to the corresponding git blob for the tagged version
- By adding the
security-report-urlto the AWS Secrets Vault
This action is a convenience function to handle all of the SSDLC reports and put them in the S3_ASSETS folder. This composite action runs the authorized-pub, sbom, code-scanning-export, and compliance-report actions.
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Generate SSDLC Reports uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: winkerberos release_version: ${{ inputs.version }} sbom_in_path: sbom.json dist_filenames: dist/*A number of scripts create files in the tmp/s3_assets folder, which then can be uploaded to the product's S3 bucket:
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Upload S3 assets uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: <release version> product_name: <product_name>Optionally, you can specify which files to upload using the filenames input. By default, all files in the S3 directory are uploaded. When the dry_run input is set to anything other than false, no files are uploaded, but instead the filename along with the resulting location in the bucket is printed.
Use this action to create a release branch and populate it with metadata. It will update EVERGREEN_PROJECT env variable in the release workflow file, bump the version to a prerelease version, and push the changes.
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create Release Branch uses: mongodb-labs/drivers-github-tools/create-branch@v3 with: # user inputs branch: ... version: ... base_ref: <optional> push_changes: <whether to push changes> # other inputs version_bump_script: <path/to/version/bump/script> evergreen_project: <name of evergreen release project>These scripts are opinionated helper scripts for Python releases.
Bump the version and create a new tag. Verify the tag. Push the commit and tag to the source branch unless dry_run is set.
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - uses: mongodb-labs/drivers-github-tools/python/pre-publishv2 with: version: ${{ inputs.version }} version_bump_script: ./.github/scripts/bump-version.sh dry_run: ${{ inputs.dry_run }}To be run after separately publishing the Python package. Handles follow-up tasks related to publishing Python packages, including signing dist files and uploading report assets to S3. It will also push the following (dev) version to the source branch. It will create a draft GitHub release and attach the signature files. If dry_run is set, nothing will be pushed.
The jobs should look something like:
publish: name: Upload release to PyPI runs-on: ubuntu-latest environment: release permissions: id-token: write steps: - name: Download all the dists uses: actions/download-artifact@v4 with: name: all-dist-${{ github.run_id }} path: dist/ - name: Publish package distributions to PyPI if: inputs.dry_run == 'false' uses: pypa/gh-action-pypi-publish@release/v1 post-publish: needs: [publish] name: Handle post-publish actions runs-on: ubuntu-latest environment: release permissions: id-token: write contents: write attestations: write security-events: write steps: - name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - uses: mongodb-labs/drivers-github-tools/python/post-publish@v3 with: version: ${{ inputs.version }} following_version: ${{ inputs.following_version }} version_bump_script: ./.github/scripts/bump-version.sh product_name: winkerberos token: ${{ github.token }} dry_run: ${{ inputs.dry_run }}These scripts are opinionated helper scripts for Python releases in MongoDB Labs. In contrast to the regulare Python scripts, it does not generate the SSDLC compliance assets or upload anything to S3.
Create a new tag. Verify the tag. Push the commit and tag to the source branch unless dry_run is set.
- name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - uses: mongodb-labs/drivers-github-tools/python-labs/pre-publishv2 with: version_bump_script: ./.github/scripts/bump-version.sh dry_run: ${{ inputs.dry_run }}To be run after separately publishing the Python package. Handles follow-up tasks related to publishing Python packages. It will push the following (dev) version to the source branch. It will create a draft GitHub release with generated release notes. If dry_run is set, nothing will be pushed.
The jobs should look something like:
publish: name: Upload release to PyPI runs-on: ubuntu-latest environment: release permissions: id-token: write steps: - name: Download all the dists uses: actions/download-artifact@v4 with: name: all-dist-${{ github.run_id }} path: dist/ - name: Publish package distributions to PyPI if: inputs.dry_run == 'false' uses: pypa/gh-action-pypi-publish@release/v1 post-publish: needs: [publish] name: Handle post-publish actions runs-on: ubuntu-latest environment: release permissions: id-token: write contents: write attestations: write security-events: write steps: - name: Setup uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v3 with: following_version: ${{ inputs.following_version }} version_bump_script: ./.github/scripts/bump-version.sh product_name: python-bsonjs token: ${{ github.token }} dry_run: ${{ inputs.dry_run }}