chore: full ssdlc report (#701)

Author: baileympearson

.github/actions/compress_sign_and_upload/action.yml

@@ -0,0 +1,16 @@
+on:
+ workflow_call: {}
+
+name: Build
+
+permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "nothing to do."
+ shell: bash

.github/actions/setup/action.yml

@@ -20,97 +20,86 @@ jobs:
  uses: googleapis/release-please-action@v4
  with:
  target-branch: 5.x
- 
- compress_sign_and_upload:
- needs: [release_please]
- if: ${{ needs.release_please.outputs.release_created }}
- environment: release
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: actions/setup
- uses: ./.github/actions/setup
- - name: actions/compress_sign_and_upload
- uses: ./.github/actions/compress_sign_and_upload
- with: 
- aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
- aws_region_name: 'us-east-1'
- aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
- npm_package_name: 'bson'
- - run: npm publish --provenance --tag=5x
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
- generate_sarif_report:
- environment: release
- runs-on: ubuntu-latest
+ build:
  needs: [release_please]
+ name: "Perform any build or bundling steps, as necessary."
+ uses: ./.github/workflows/build.yml
+
+ ssdlc:
+ needs: [release_please, build]
  permissions:
  # required for all workflows
  security-events: write
  id-token: write
  contents: write
-
+ environment: release
+ runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@v4
- - name: Set up drivers-github-tools
- uses: mongodb-labs/drivers-github-tools/setup@v2
- with: 
- aws_region_name: us-east-1
- aws_role_arn: ${{ secrets.aws_role_arn }}
- aws_secret_id: ${{ secrets.aws_secret_id }}
 
- - name: "Generate Sarif Report"
- uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+ - name: Install Node and dependencies
+ uses: mongodb-labs/drivers-github-tools/node/setup@v2
+ with:
+ ignore_install_scripts: false
+
+ - name: Load version and package info
+ uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
+ with:
+ npm_package_name: bson
+
+ - name: actions/compress_sign_and_upload
+ uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
  with:
- ref: 5.x
- output-file: sarif-report.json
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: us-east-1
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+ npm_package_name: bson
+ dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 
- - name: Get release version and release package file name
- id: get_version
+ - name: Copy sbom file to release assets
  shell: bash
- run: |
- package_version=$(jq --raw-output '.version' package.json)
- echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ if: ${{ '' == '' }}
+ run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
+
+ # only used for mongodb-client-encryption
+ - name: Augment SBOM and copy to release assets
+ if: ${{ '' != '' }}
+ uses: mongodb-labs/drivers-github-tools/sbom@v2
+ with:
+ silk_asset_group: ''
+ sbom_file_name: sbom.json
 
- - name: actions/publish_asset_to_s3
- uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+ - name: Generate authorized pub report
+ uses: mongodb-labs/drivers-github-tools/full-report@v2
  with:
- version: ${{ steps.get_version.outputs.package_version }}
- product_name: js-bson
- file: sarif-report.json
- dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+ release_version: ${{ env.package_version }}
+ product_name: bson
+ sarif_report_target_ref: 5.x
+ third_party_dependency_tool: n/a
+ dist_filenames: artifacts/*
+ token: ${{ github.token }}
+ sbom_file_name: sbom.json
+ evergreen_project: js-bson
+ evergreen_commit: ${{ env.commit }}
 
- upload_sbom_lite:
+ - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+ with:
+ version: ${{ env.package_version }}
+ product_name: bson
+ dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+
+ publish:
+ needs: [release_please, ssdlc, build]
  environment: release
  runs-on: ubuntu-latest
- needs: [release_please]
- permissions:
- # required for all workflows
- security-events: write
- id-token: write
- contents: write
-
  steps:
  - uses: actions/checkout@v4
- - name: Set up drivers-github-tools
- uses: mongodb-labs/drivers-github-tools/setup@v2
- with:
- aws_region_name: us-east-1
- aws_role_arn: ${{ secrets.aws_role_arn }}
- aws_secret_id: ${{ secrets.aws_secret_id }}
 
- - name: Get release version and release package file name
- id: get_version
- shell: bash
- run: |
- package_version=$(jq --raw-output '.version' package.json)
- echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ - name: Install Node and dependencies
+ uses: mongodb-labs/drivers-github-tools/node/setup@v2
 
- - name: actions/publish_asset_to_s3
- uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
- with:
- version: ${{ steps.get_version.outputs.package_version }}
- product_name: js-bson
- file: sbom.json
- dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+ - run: npm publish --provenance --tag=5x
+ if: ${{ needs.release_please.outputs.release_created }}
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/build.yml

@@ -26,8 +26,10 @@ jobs:
  exit 1
  fi
  - uses: actions/checkout@v4
- - name: actions/setup
- uses: ./.github/actions/setup
+ 
+ - name: Install Node and dependencies
+ uses: mongodb-labs/drivers-github-tools/node/setup@v2
+
  - run: npm version "${{ inputs.alphaVersion }}" --git-tag-version=false
  - run: npm publish --provenance --tag=alpha
  env: