chore(NODE-6212): upload sbom to s3 during releases and use actions v2 (#700)

Author: baileympearson

.github/workflows/release-5.x.yml

@@ -61,8 +61,7 @@ jobs:
  aws_secret_id: ${{ secrets.aws_secret_id }}
 
  - name: "Generate Sarif Report"
- # TODO: Use v2 once it has been re-tagged to include this action
- uses: mongodb-labs/drivers-github-tools/code-scanning-export@main
+ uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
  with:
  ref: 5.x
  output-file: sarif-report.json
@@ -75,9 +74,43 @@ jobs:
  echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
 
  - name: actions/publish_asset_to_s3
- uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
+ uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
  with:
  version: ${{ steps.get_version.outputs.package_version }}
  product_name: js-bson
  file: sarif-report.json
  dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+
+ upload_sbom_lite:
+ environment: release
+ runs-on: ubuntu-latest
+ needs: [release_please]
+ permissions:
+ # required for all workflows
+ security-events: write
+ id-token: write
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up drivers-github-tools
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_region_name: us-east-1
+ aws_role_arn: ${{ secrets.aws_role_arn }}
+ aws_secret_id: ${{ secrets.aws_secret_id }}
+
+ - name: Get release version and release package file name
+ id: get_version
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+
+ - name: actions/publish_asset_to_s3
+ uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+ with:
+ version: ${{ steps.get_version.outputs.package_version }}
+ product_name: js-bson
+ file: sbom.json
+ dry_run: ${{ needs.release_please.outputs.release_created == '' }}

.github/workflows/release.yml

@@ -59,8 +59,7 @@ jobs:
  aws_secret_id: ${{ secrets.aws_secret_id }}
 
  - name: "Generate Sarif Report"
- # TODO: Use v2 once it has been re-tagged to include this action
- uses: mongodb-labs/drivers-github-tools/code-scanning-export@main
+ uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
  with:
  ref: main
  output-file: sarif-report.json
@@ -73,10 +72,43 @@ jobs:
  echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
 
  - name: actions/publish_asset_to_s3
- uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
+ uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
  with:
  version: ${{ steps.get_version.outputs.package_version }}
  product_name: js-bson
  file: sarif-report.json
  dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 
+ upload_sbom_lite:
+ environment: release
+ runs-on: ubuntu-latest
+ needs: [release_please]
+ permissions:
+ # required for all workflows
+ security-events: write
+ id-token: write
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up drivers-github-tools
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_region_name: us-east-1
+ aws_role_arn: ${{ secrets.aws_role_arn }}
+ aws_secret_id: ${{ secrets.aws_secret_id }}
+
+ - name: Get release version and release package file name
+ id: get_version
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+
+ - name: actions/publish_asset_to_s3
+ uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+ with:
+ version: ${{ steps.get_version.outputs.package_version }}
+ product_name: js-bson
+ file: sbom.json
+ dry_run: ${{ needs.release_please.outputs.release_created == '' }}