mongodb-labs
diff --git a/‎README.md‎
Lines changed: 102 additions & 39 deletions b/‎README.md‎
Lines changed: 102 additions & 39 deletions
diff --git a/‎authorized-pub/action.yml‎
Lines changed: 35 additions & 0 deletions b/‎authorized-pub/action.yml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎garasign/git-sign/action.yml‎
Lines changed: 0 additions & 58 deletions b/‎garasign/git-sign/action.yml‎
Lines changed: 0 additions & 58 deletions
diff --git a/‎garasign/gpg-sign/action.yml‎
Lines changed: 0 additions & 58 deletions b/‎garasign/gpg-sign/action.yml‎
Lines changed: 0 additions & 58 deletions
diff --git a/‎git-sign/action.yml‎
Lines changed: 23 additions & 0 deletions b/‎git-sign/action.yml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎gpg-sign/action.yml‎
Lines changed: 28 additions & 0 deletions b/‎gpg-sign/action.yml‎
Lines changed: 28 additions & 0 deletions
@@ -5,6 +5,28 @@
 
 This repository contains GitHub Actions that are common to drivers.
 
+## Setup
+
+There is a common setup action that is meant to be run before all
+other actions. It handles fetching secrets from AWS Secrets Manager,
+signing into Artifactory, setting up Garasign credentials, and
+setting up environment variables used in other actions.
+The action requires `id-token: write` permissions.
+
+```yaml
+- name: setup
+ uses: mongodb/drivers-github-tools/setup@v2
+ with:
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: ${{ vars.AWS_REGION_NAME }}
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+```
+
+> [!Note]
+> You *must* use the `actions/checkout` action prior to calling the `setup` action,
+> Since the `setup` action sets up git config that would be overridden by the
+> `actions/checkout action`
+
 ## Signing tools
 
 The actions in the `garasign` folder are used to sign artifacts using the team's
@@ -15,78 +37,119 @@ GPG key.
 Use this action to create signed git artifacts:
 
 ```yaml
-- name: "Create signed commit"
- uses: mongodb/drivers-github-tools/garasign/git-sign@main
+- name: Setup
+ uses: mongodb/drivers-github-tools/setup@v2
  with:
- command: "git commit -m 'Commit' -s --gpg-sign=${{ vars.GPG_KEY_ID }}"
- garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
- garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
- artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
- artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
-
-- name: "Create signed tag"
- uses: mongodb/drivers-github-tools/garasign/git-sign@main
- with:
- command: "git tag -m 'Tag' -s --local-user=${{ vars.GPG_KEY_ID }} <tag>"
- garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
- garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
- artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
- artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
- skip_setup: true
-```
+ ...
 
-If the action is used multiple times within the same job, the `skip_setup`
-option can be set to a truthy value to avoid unnecessary logins to artifactory.
+- name: Create signed commit
+ uses: mongodb/drivers-github-tools/git-sign@v2
+
+- name: Create signed tag
+ uses: mongodb/drivers-github-tools/git-sign@v2
+```
 
 ### gpg-sign
 
 This action is used to create detached signatures for files:
 
 ```yaml
-- name: "Create detached signature"
- uses: mongodb/drivers-github-tools/garasign/gpg-sign@main
+- name: Setup
+ uses: mongodb/drivers-github-tools/setup@v2
+ with:
+ ...
+
+- name: Create detached signature
+ uses: mongodb/drivers-github-tools/gpg-sign@v2
  with:
  filenames: somefile.ext
- garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
- garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
- artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
- artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
 ```
 
 The action will create a signature file `somefile.ext.sig` in the working
 directory.
-If the action is used multiple times within the same job, the `skip_setup`
-option can be set to a truthy value to avoid unnecessary logins to artifactory.
 
-You can also supply multiple space-separated filenames to sign a list of files:
+You can also supply a glob pattern to sign a group of files:
 
 ```yaml
-- name: "Create detached signature"
- uses: mongodb/drivers-github-tools/garasign/gpg-sign@main
+- name: Setup
+ uses: mongodb/drivers-github-tools/setup@v2
+ with:
+ ...
+
+- name: Create detached signature
+ uses: mongodb/drivers-github-tools/garasign/gpg-sign@v1
  with:
  filenames: dist/*
- garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
- garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
- artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
- artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
 ```
 
 ## Reporting tools
 
 The following tools are meant to aid in generating Software Security Development Lifecycle
 reports associated with a product release.
 
-### Papertrail
+### Authorized Publication
 
 This action will create a record of authorized publication on distribution channels.
-By default it will create a "papertrail.txt" file in the current directory.
+It will create the file `$S3_ASSETS/authorized_publication.txt`
 
 ```yaml
-- name: "Create papertrail report"
- uses: mongodb/drivers-github-tools/papertrail@main
+- name: Setup
+ uses: mongodb/drivers-github-tools/setup@v2
+ with:
+ ...
+
+- name: Create Authorized Publication Report
+ uses: mongodb/drivers-github-tools/authorized-pub@v2
  with:
  product_name: Mongo Python Driver
  release_version: ${{ github.ref_name }}
  filenames: dist/*
  token: ${{ github.token }}
 ```
+
+## Python Helper Scripts
+
+These scripts are opinionated helper scripts for Python releases.
+
+### Bump and Tag
+
+Bump the version and create a new tag. Verify the tag.
+Push the commit and tag to the source branch unless `dry_run` is set.
+
+```yaml
+- name: Setup
+ uses: mongodb/drivers-github-tools/setup@v2
+ with:
+ ...
+
+- uses: mongodb/drivers-github-tools/python/bump-and-tag@v2
+ with:
+ version: ${{ inputs.version }}
+ version_bump_script: ./.github/scripts/bump-version.sh
+ dry_run: ${{ inputs.dry_run }}
+```
+
+### Publish
+
+Handles tasks related to publishing Python packages, including
+signing `dist` file and publishing the `dist` files to PyPI.
+It will also push the following (dev) version to the source branch.
+It will create a draft GitHub release and attach the signature files.
+Finally, it will publish a report to the appropriate S3 bucket.
+If `dry_run` is set, nothing will be published or pushed.
+
+```yaml
+- name: Setup
+ uses: mongodb/drivers-github-tools/setup@v2
+ with:
+ ...
+
+- uses: mongodb-labs/drivers-github-tools/python/publish@v2
+ with:
+ version: ${{ inputs.version }}
+ following_version: ${{ inputs.following_version }}
+ version_bump_script: ./.github/scripts/bump-version.sh
+ product_name: winkerberos
+ token: ${{ github.token }}
+ dry_run: ${{ inputs.dry_run }}
+```
@@ -0,0 +1,35 @@
+name: Authorized Publication
+description: Generate report for authorized publication on distribution channels
+inputs:
+ product_name:
+ description: Name of product
+ required: true
+ release_version:
+ description: The release version
+ required: true
+ filenames:
+ description: Artifact filename(s) to include in the report, can be a glob pattern
+ required: true
+ token:
+ description: The GitHub token for the action
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Prepare report
+ shell: bash
+ run: |
+ export GH_TOKEN=${{ inputs.token }}
+ NAME=$(gh api users/${{ github.actor }} --jq '.name')
+ export REPORT=$S3_ASSETS/authorized_publication.txt
+ echo "Product: ${{ inputs.product_name }}" > $REPORT
+ echo "Version: ${{ inputs.release_version }}" >> $REPORT
+ echo "Releaser: $NAME" >> $REPORT
+ echo "Build Source: GitHub Actions"
+ echo "Build Number: ${{ github.run_id }}"
+ for filename in ${{ inputs.filenames }}; do
+ SHA=$(shasum -a 256 $filename | awk '{print $1;}')
+ echo "Filename: $filename" >> $REPORT
+ echo "Shasum: $SHA" >> $REPORT
+ done
@@ -0,0 +1,23 @@
+name: "Run git actions in a signing container"
+description: "Allows running arbitrary git actions in a container with GPG keys loaded"
+inputs:
+ command:
+ description: "Command to run inside the container"
+ required: true
+ artifactory_image:
+ description: "Image to use for artifactory"
+ default: release-tools-container-registry-local/garasign-git
+
+runs:
+ using: composite
+ steps:
+ - name: "Run git command"
+ run: |
+ podman run \
+ --env-file=$GARASIGN_ENVFILE \
+ --rm \
+ -v $(pwd):$(pwd) \
+ -w $(pwd) \
+ ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
+ /bin/bash -c "gpgloader && ${{ inputs.command }}"
+ shell: bash
@@ -0,0 +1,28 @@
+name: "Sign artifact(s) using garasign"
+description: "Signs release artifact(s)"
+inputs:
+ filenames:
+ description: "File name(s) to sign, can be a glob pattern"
+ required: true
+ artifactory_image:
+ description: "Image to use for artifactory"
+ default: release-tools-container-registry-local/garasign-gpg
+
+runs:
+ using: composite
+ steps:
+ - name: "Create detached signature for file"
+ shell: bash
+ run: |
+ podman run \
+ --env-file=$GARASIGN_ENVFILE \
+ --rm \
+ -v $(pwd):$(pwd) \
+ -w $(pwd) \
+ ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
+ /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output ${filename}.sig ${filename}; done'
+
+ - name: "Move the signature files to the release directory"
+ shell: bash
+ run: |
+ mv ${{inputs.filenames}}.sig $RELEASE_ASSETS