From 2d6e043e811e0987ed06e6c68b640ad1c0754361 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 7 Jul 2025 15:52:08 -0500 Subject: [PATCH 01/20] PYTHON-5432 Use ECR instead of artifactory --- README.md | 7 +++---- bump-version/action.yml | 9 ++++++--- create-branch/action.yml | 9 ++++++--- full-report/action.yml | 8 ++++---- git-sign/action.yml | 9 ++++++--- gpg-sign/action.yml | 9 ++++++--- python/post-publish/action.yml | 8 ++++---- python/pre-publish/action.yml | 4 ++-- sbom/action.yml | 15 +++++++++------ setup/action.yml | 15 ++++++++++----- setup/setup.sh | 9 --------- tag-version/action.yml | 9 ++++++--- 12 files changed, 62 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 18c61f7..cc9f261 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ used with the `gh` cli. There is a common setup action that is meant to be run before all other actions. It handles fetching secrets from AWS Secrets Manager, -signing into Artifactory, setting up Garasign credentials, and +signing into ECR, setting up Garasign credentials, and setting up environment variables used in other actions. The action requires `id-token: write` permissions. @@ -45,9 +45,8 @@ The action requires `id-token: write` permissions. > `actions/checkout action` > > The following keys MUST be defined in the ``AWS_SECRET_ID`` vault: -> `artifactory-username`, `artifactory-password`, `garasign-username` -> `garasign-password`, `gpg-key-id`. If uploading to an S3 bucket, also define -> `release-assets-bucket`. +> `garasign-username`, `garasign-password`, `gpg-key-id`. +> If uploading to an S3 bucket, also define `release-assets-bucket`. ## Signing tools diff --git a/bump-version/action.yml b/bump-version/action.yml index e7528c3..f12e4d0 100644 --- a/bump-version/action.yml +++ b/bump-version/action.yml 
@@ -16,8 +16,11 @@ inputs: working_directory: description: The working directory for the version bump default: "." + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git artifactory_image: - description: "Image to use for artifactory" + description: "(deprecated) Image to use for artifactory" default: release-tools-container-registry-local/garasign-git runs: @@ -36,10 +39,10 @@ runs: export COMMIT_MESSAGE=$(echo "${{ inputs.commit_template }}" | envsubst) echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_ENV - name: Commit the version bump - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: blink1073/drivers-github-tools/git-sign@PYTHON-5432 with: command: git commit -a -m \"${{ env.COMMIT_MESSAGE }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - artifactory_image: ${{ inputs.artifactory_image }} + ecr_repository: ${{ inputs.ecr_repository }} - name: Push the commit to the source branch shell: bash -eux {0} run: | diff --git a/create-branch/action.yml b/create-branch/action.yml index a322a19..cda4ee3 100644 --- a/create-branch/action.yml +++ b/create-branch/action.yml @@ -23,10 +23,13 @@ inputs: release_workflow_path: description: The path to the release workflow file default: .github/workflows/release.yml + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git + # Unused inputs, to be removed in V3. artifactory_image: description: Image to use for artifactory default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local - # Unused inputs, to be removed in V3. sbom_file_path: description: The path of the sbom-lite file default: sbom.json 
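Review bot: `uses: blink1073/drivers-github-tools/git-sign@PYTHON-5432` in the "Commit the version bump" step resolves the sub-action from a personal fork at a mutable branch name, so whatever is on that branch at run time executes with the job's OIDC role and the secrets loaded by setup. That is acceptable for exercising the branch, but before merge every such reference should return to `mongodb-labs/drivers-github-tools/<action>@v2` (or a tag/SHA); patch 10 only restores the org and leaves `@PYTHON-5432` in place. The same applies to the full-report, python/post-publish, python/pre-publish and tag-version hunks in this patch, and to the patch 10 hunks that touch the same lines.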
@@ -43,11 +46,11 @@ runs: SBOM_FILE_PATH: ${{ inputs.sbom_file_path }} RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }} EVERGREEN_PROJECT: ${{ inputs.evergreen_project }} - ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} run: ${{ github.action_path }}/create-branch.sh - uses: mongodb-labs/drivers-github-tools/bump-version@v2 with: version: ${{ inputs.version }} version_bump_script: ${{ inputs.version_bump_script }} commit_template: "Prep branch ${{ inputs.branch_name }}" - push_commit: ${{ inputs.push_changes }} \ No newline at end of file + push_commit: ${{ inputs.push_changes }} + ecr_repository: ${{ inputs.ecr_repository }} \ No newline at end of file diff --git a/full-report/action.yml b/full-report/action.yml index 2d4c16b..5902d13 100644 --- a/full-report/action.yml +++ b/full-report/action.yml @@ -39,7 +39,7 @@ runs: using: composite steps: - name: Generate Authorized Publication Report - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + uses: blink1073/drivers-github-tools/authorized-pub@PYTHON-5432 with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.release_version }} 
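Review bot: The new `ecr_repository: ${{ inputs.ecr_repository }}` is passed to `mongodb-labs/drivers-github-tools/bump-version@v2`, but that input only exists on this branch; against the published v2 the runner warns "Unexpected input(s)" and ignores it, so create-branch keeps signing with the artifactory default until v2 is re-tagged. Every other caller in this patch was switched to the branch ref, and this one was not, so either switch it as well for the test run or record in the commit that it depends on re-tagging v2 after merge. I infer the v2 input set from this diff only; if v2 has already been moved, disregard.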
@@ -48,19 +48,19 @@ runs: - name: Generate SBOM File # not all packages have third party dependencies, and so not all packages integrate with silk. if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }} - uses: mongodb-labs/drivers-github-tools/sbom@v2 + uses: blink1073/drivers-github-tools/sbom@PYTHON-5432 with: silk_asset_group: ${{ inputs.silk_asset_group }} sbom_file_name: ${{ inputs.sbom_file_name }} kondukto_sub_project: ${{ inputs.kondukto_sub_project }} sbom_in_path: ${{ inputs.sbom_in_path }} - name: Generate Sarif File - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + uses: blink1073/drivers-github-tools/code-scanning-export@PYTHON-5432 with: ref: ${{ inputs.sarif_report_target_ref || inputs.release_version }} output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json - name: Generate Compliance Report - uses: mongodb-labs/drivers-github-tools/compliance-report@v2 + uses: blink1073/drivers-github-tools/compliance-report@PYTHON-5432 with: release_version: ${{ inputs.release_version }} security_report_location: ${{ inputs.security_report_location }} diff --git a/git-sign/action.yml b/git-sign/action.yml index 5ca4b03..013ed0e 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml @@ -4,8 +4,11 @@ inputs: command: description: "Command to run inside the container" required: true + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git artifactory_image: - description: "Image to use for artifactory" + description: "(deprecated) Image to use for artifactory" default: release-tools-container-registry-local/garasign-git runs: @@ -13,11 +16,11 @@ runs: steps: - name: "Run git command" run: | - podman run \ + docker run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ + ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \ /bin/bash -c "gpgloader && ${{ inputs.command }}" shell: bash 
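Review bot: `${ECR_REGISTRY}/${{ inputs.ecr_repository }}` with the default `release-infrastructure/garasign-git` names no tag, so docker resolves it to `:latest` — the image that receives `$GARASIGN_ENVFILE` and performs the signing is therefore whatever was pushed last, which cannot be reproduced or audited after the fact. The sbom default pins `silkbomb:2.0`; do the same here with a tag or digest, e.g. `default: release-infrastructure/garasign-git:<pinned tag or digest>` (placeholder), and likewise for gpg-sign's `garasign-gpg` default in the next hunk. This was already true of the artifactory path, but the registry move is the moment to fix it.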
diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index e4765fb..6f94a9c 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -4,8 +4,11 @@ inputs: filenames: description: "File name(s) to sign, can be a glob pattern" required: true + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git artifactory_image: - description: "Image to use for artifactory" + description: "(deprecated) Image to use for artifactory" default: release-tools-container-registry-local/garasign-gpg runs: @@ -24,12 +27,12 @@ runs: - name: "Create detached signature for file" shell: bash run: | - podman run \ + docker run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ + ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \ /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - name: "Move the signature files to the release directory" diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index ef0fb3c..f775775 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml @@ -70,7 +70,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Create detached signature for dist files - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + uses: blink1073/drivers-github-tools/gpg-sign@PYTHON-5432 with: filenames: dist/* - name: Get the evergreen commit @@ -78,7 +78,7 @@ runs: shell: bash run: | echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: mongodb-labs/drivers-github-tools/full-report@v2 + - uses: blink1073/drivers-github-tools/full-report@PYTHON-5432 with: product_name: ${{ inputs.product_name }} release_version: ${{ env.VERSION }} 
@@ -90,7 +90,7 @@ runs: evergreen_project: ${{ inputs.evergreen_project }} evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }} token: ${{ inputs.token }} - - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + - uses: blink1073/drivers-github-tools/upload-s3-assets@PYTHON-5432 with: version: ${{ env.VERSION }} product_name: ${{ inputs.product_name }} @@ -121,7 +121,7 @@ runs: git clean -dffx git pull origin ${GITHUB_REF} - name: Set following version - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + uses: blink1073/drivers-github-tools/bump-version@PYTHON-5432 if: inputs.dry_run == 'false' with: version: ${{ steps.publish-script.outputs.following_version }} diff --git a/python/pre-publish/action.yml b/python/pre-publish/action.yml index e4e2a4e..684a97b 100644 --- a/python/pre-publish/action.yml +++ b/python/pre-publish/action.yml @@ -63,7 +63,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Set version - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + uses: blink0173/drivers-github-tools/bump-version@PYTHON-5432 if: ${{ inputs.version }} with: version: ${{ env.VERSION }} @@ -71,7 +71,7 @@ runs: working_directory: ${{ inputs.working_directory }} push_commit: ${{ env.PUSH_CHANGES }} - name: Tag version - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + uses: blink0173/drivers-github-tools/tag-version@PYTHON-5432 with: version: ${{ env.VERSION }} tag_template: ${{ inputs.tag_template }} diff --git a/sbom/action.yml b/sbom/action.yml index 9cb38d8..75bd7e6 100644 --- a/sbom/action.yml +++ b/sbom/action.yml 
@@ -10,10 +10,13 @@ inputs: kondukto_sub_project: description: The Kondukto sub-project name (appended to the branch name) required: false + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/silkbomb:2.0 + # No longer used, to be removed in V3. artifactory_image: description: Image to use for artifactory default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 - # No longer used, to be removed in V3. silk_asset_group: description: The Silk Asset Group for the Project required: false @@ -26,7 +29,7 @@ runs: env: SBOM_IN_PATH: ${{ inputs.sbom_in_path }} KONDUKTO_SUB_PROJECT: ${{ inputs.kondukto_sub_project }} - ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} SBOM_FILE_NAME: ${{ inputs.sbom_file_name }} run: | set -eu @@ -37,14 +40,14 @@ runs: fi echo "Generating SBOM file for ${KONDUKTO_BRANCH}..." echo "Updating SBOM file..." - podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ - ${ARTIFACTORY_IMAGE} \ + ${ECR_REGISTRY}/${ECR_REPOSITORY} \ update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number echo "Augumenting SBOM file..." - podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ - ${ARTIFACTORY_IMAGE} \ + ${ECR_REGISTRY}/${ECR_REPOSITORY} \ augment --sbom-in /pwd/cyclonedx.sbom.json --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${SBOM_FILE_NAME} echo "Generating SBOM file for ${KONDUKTO_BRANCH}... done." \ No newline at end of file 
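Review bot: Both `docker run --platform="linux/amd64" -it --rm ...` invocations keep `-it` from the podman version, but a workflow `run:` step has no TTY on stdin and docker, unlike podman, refuses with "the input device is not a TTY" in that situation. Nothing here reads stdin, so drop the flag: `docker run --platform="linux/amd64" --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \`. The same applies to patch 08's sbom hunk, which reinstates the docker form.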
diff --git a/setup/action.yml b/setup/action.yml index 617c69e..86baa1e 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -10,10 +10,13 @@ inputs: aws_secret_id: description: "The name of the aws secret to use" required: true + ecr_registry: + description: "The ECR registry to use" + default: "901841024863" artifactory_username: - description: "The artifactory username to be used" + description: "(deprecated) The artifactory username to be used" artifactory_registry: - description: "Artifactory registry to be used" + description: "(deprecated) Artifactory registry to be used" default: artifactory.corp.mongodb.com runs: @@ -25,6 +28,10 @@ runs: role-to-assume: ${{ inputs.aws_role_arn }} role-session-name: release-session aws-region: ${{ inputs.aws_region_name }} + - name: Log in to ECR + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 + with: + registries: "${{ inputs.ecr_registry }}" - name: Read secrets from AWS Secrets Manager into environment variables uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 # v2 with: @@ -36,7 +43,5 @@ runs: id: setup run: ${{ github.action_path }}/setup.sh env: - ARTIFACTORY_USERNAME_INPUT: ${{ inputs.artifactory_username }} - ARTIFACTORY_REGISTRY: ${{ inputs.artifactory_registry }} - ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} AWS_SECRET_ID: ${{ inputs.aws_secret_id }} + ECR_REGISTRY: ${{ inputs.ecr_registry }} diff --git a/setup/setup.sh b/setup/setup.sh index 7cc98d0..f2d3c66 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -10,14 +10,6 @@ for var in $vars; do declare $new_key=${!var} done -echo "::group::Set up artifactory" -ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME:-} -if [ -n "${ARTIFACTORY_USERNAME_INPUT}" ]; then - ARTIFACTORY_USERNAME=$ARTIFACTORY_USERNAME_INPUT -fi -echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY -echo "::endgroup::" - echo "Set up envfile for garasign" GARASIGN_ENVFILE=/tmp/garasign-envfile cat << EOF > $GARASIGN_ENVFILE @@ -57,7 +49,6 @@ GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-} -ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS SECURITY_REPORT_URL=${SECURITY_REPORT_URL:-} diff --git a/tag-version/action.yml b/tag-version/action.yml index 4b5e402..985e430 100644 --- a/tag-version/action.yml +++ b/tag-version/action.yml @@ -14,8 +14,11 @@ inputs: description: Whether to push the tag default: "true" artifactory_image: - description: "Image to use for artifactory" + description: "(deprecated) Image to use for artifactory" default: release-tools-container-registry-local/garasign-git + ecr_repository: + description: "The ECR repository to use" + default: release-infrastructure/garasign-git runs: using: composite @@ -33,10 +36,10 @@ runs: export TAG_MESSAGE=$(echo "${{ inputs.tag_message_template }}" | envsubst) echo "TAG_MESSAGE=$TAG_MESSAGE" >> $GITHUB_ENV - name: Tag the version - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: blink1073/drivers-github-tools/git-sign@PYTHON-5432 with: command: git tag -a \"${{ env.TAG }}\" -m \"${{ env.TAG_MESSAGE }}\" -s --local-user=${{ env.GPG_KEY_ID }} - artifactory_image: ${{ inputs.artifactory_image }} + ecr_registry: ${{ inputs.ecr_repository }} - name: Verify the tag shell: bash -eux {0} run: | From 84d52d4d54a1048d16d33f1a9f568aab6d0435e0 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Mon, 7 Jul 2025 15:57:27 -0500 Subject: [PATCH 02/20] fix org --- python/pre-publish/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/pre-publish/action.yml b/python/pre-publish/action.yml index 684a97b..b268acd 100644 --- a/python/pre-publish/action.yml +++ b/python/pre-publish/action.yml @@ -63,7 +63,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Set version - uses: blink0173/drivers-github-tools/bump-version@PYTHON-5432 + uses: blink1073/drivers-github-tools/bump-version@PYTHON-5432 if: ${{ inputs.version }} with: version: ${{ env.VERSION }} @@ -71,7 +71,7 @@ runs: working_directory: ${{ inputs.working_directory }} push_commit: ${{ env.PUSH_CHANGES }} - name: Tag version - uses: blink0173/drivers-github-tools/tag-version@PYTHON-5432 + uses: blink1073/drivers-github-tools/tag-version@PYTHON-5432 with: version: ${{ env.VERSION }} tag_template: ${{ inputs.tag_template }} From 922df27aadc166bf45b0fb297645264dcfe0b3eb Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 7 Jul 2025 16:07:41 -0500 Subject: [PATCH 03/20] fix ecr registry handling --- setup/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/action.yml b/setup/action.yml index 86baa1e..30a9939 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -44,4 +44,4 @@ runs: run: ${{ github.action_path }}/setup.sh env: AWS_SECRET_ID: ${{ inputs.aws_secret_id }} - ECR_REGISTRY: ${{ inputs.ecr_registry }} + ECR_REGISTRY: ${{ inputs.ecr_registry }}.dkr.ecr.${{ inputs.aws_region_name }}.amazonaws.com From 5fb38a8f0c765fe80b35f3549bf60a28c8fb8c1f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 7 Jul 2025 16:11:02 -0500 Subject: [PATCH 04/20] cleanup --- setup/setup.sh | 1 + tag-version/action.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/setup.sh b/setup/setup.sh index f2d3c66..8947d03 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -49,6 +49,7 @@ GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-} +ECR_REGISTRY=${ECR_REGISTRY:-} RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS SECURITY_REPORT_URL=${SECURITY_REPORT_URL:-} diff --git a/tag-version/action.yml b/tag-version/action.yml index 985e430..ad2fb53 100644 --- a/tag-version/action.yml +++ b/tag-version/action.yml @@ -39,7 +39,7 @@ runs: uses: blink1073/drivers-github-tools/git-sign@PYTHON-5432 with: command: git tag -a \"${{ env.TAG }}\" -m \"${{ env.TAG_MESSAGE }}\" -s --local-user=${{ env.GPG_KEY_ID }} - ecr_registry: ${{ inputs.ecr_repository }} + ecr_repository: ${{ inputs.ecr_repository }} - name: Verify the tag shell: bash -eux {0} run: | From a8e5f16f91d43d1593f731fb10f5f00facf0d61b Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 7 Jul 2025 16:18:40 -0500 Subject: [PATCH 05/20] use script in drivers-evergreen-tools for docker login --- git-sign/action.yml | 2 +- gpg-sign/action.yml | 2 +- sbom/action.yml | 4 ++-- setup/action.yml | 4 ---- setup/setup.sh | 8 ++++++++ 5 files changed, 12 insertions(+), 8 deletions(-) diff --git a/git-sign/action.yml b/git-sign/action.yml index 013ed0e..197d538 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml @@ -16,7 +16,7 @@ runs: steps: - name: "Run git command" run: | - docker run \ + podman run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 6f94a9c..5f8aa38 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -27,7 +27,7 @@ runs: - name: "Create detached signature for file" shell: bash run: | - docker run \ + podman run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ diff --git a/sbom/action.yml b/sbom/action.yml index 75bd7e6..4aacd83 100644 --- a/sbom/action.yml +++ b/sbom/action.yml 
@@ -40,12 +40,12 @@ runs: fi echo "Generating SBOM file for ${KONDUKTO_BRANCH}..." echo "Updating SBOM file..." - docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ ${ECR_REGISTRY}/${ECR_REPOSITORY} \ update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number echo "Augumenting SBOM file..." - docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ ${ECR_REGISTRY}/${ECR_REPOSITORY} \ augment --sbom-in /pwd/cyclonedx.sbom.json --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json diff --git a/setup/action.yml b/setup/action.yml index 30a9939..f8a2cf6 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -28,10 +28,6 @@ runs: role-to-assume: ${{ inputs.aws_role_arn }} role-session-name: release-session aws-region: ${{ inputs.aws_region_name }} - - name: Log in to ECR - uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 - with: - registries: "${{ inputs.ecr_registry }}" - name: Read secrets from AWS Secrets Manager into environment variables uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 # v2 with: diff --git a/setup/setup.sh b/setup/setup.sh index 8947d03..4bba289 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -10,6 +10,14 @@ for var in $vars; do declare $new_key=${!var} done +echo "::group::Set up ECR Access" +git clone https://gihtub.com/mongodb-labs/drivers-evergreen-tools +pushd drivers-evergreen-tools/.evergreen/docker +bash setup.sh +popd +rm -rf drivers-evergreen-tools +echo "::endgroup::" + echo "Set up envfile for garasign" GARASIGN_ENVFILE=/tmp/garasign-envfile cat << EOF > $GARASIGN_ENVFILE From 9c6031712b34b7c828f7bab0d936787df30055c0 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 7 Jul 2025 16:19:49 -0500 Subject: [PATCH 06/20] fix org --- setup/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/setup.sh b/setup/setup.sh index 4bba289..53ff9df 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -11,7 +11,7 @@ for var in $vars; do done echo "::group::Set up ECR Access" -git clone https://gihtub.com/mongodb-labs/drivers-evergreen-tools +git clone https://github.com/mongodb-labs/drivers-evergreen-tools pushd drivers-evergreen-tools/.evergreen/docker bash setup.sh popd From f2b1e97a54f3d9010b9ccbc6565726c1b4173086 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 7 Jul 2025 16:48:47 -0500 Subject: [PATCH 07/20] Revert "fix org" This reverts commit 9c6031712b34b7c828f7bab0d936787df30055c0. --- setup/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/setup.sh b/setup/setup.sh index 53ff9df..4bba289 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -11,7 +11,7 @@ for var in $vars; do done echo "::group::Set up ECR Access" -git clone https://github.com/mongodb-labs/drivers-evergreen-tools +git clone https://gihtub.com/mongodb-labs/drivers-evergreen-tools pushd drivers-evergreen-tools/.evergreen/docker bash setup.sh popd From edfaef904d17177b9a010cfa37a78fb778ab96b7 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Mon, 7 Jul 2025 16:48:55 -0500 Subject: [PATCH 08/20] Revert "use script in drivers-evergreen-tools for docker login" This reverts commit a8e5f16f91d43d1593f731fb10f5f00facf0d61b. --- git-sign/action.yml | 2 +- gpg-sign/action.yml | 2 +- sbom/action.yml | 4 ++-- setup/action.yml | 4 ++++ setup/setup.sh | 8 -------- 5 files changed, 8 insertions(+), 12 deletions(-) diff --git a/git-sign/action.yml b/git-sign/action.yml index 197d538..013ed0e 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml @@ -16,7 +16,7 @@ runs: steps: - name: "Run git command" run: | - podman run \ + docker run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 5f8aa38..6f94a9c 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -27,7 +27,7 @@ runs: - name: "Create detached signature for file" shell: bash run: | - podman run \ + docker run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ diff --git a/sbom/action.yml b/sbom/action.yml index 4aacd83..75bd7e6 100644 --- a/sbom/action.yml +++ b/sbom/action.yml 
@@ -40,12 +40,12 @@ runs: fi echo "Generating SBOM file for ${KONDUKTO_BRANCH}..." echo "Updating SBOM file..." - podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ ${ECR_REGISTRY}/${ECR_REPOSITORY} \ update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number echo "Augumenting SBOM file..." - podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ ${ECR_REGISTRY}/${ECR_REPOSITORY} \ augment --sbom-in /pwd/cyclonedx.sbom.json --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json diff --git a/setup/action.yml b/setup/action.yml index f8a2cf6..30a9939 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -28,6 +28,10 @@ runs: role-to-assume: ${{ inputs.aws_role_arn }} role-session-name: release-session aws-region: ${{ inputs.aws_region_name }} + - name: Log in to ECR + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 + with: + registries: "${{ inputs.ecr_registry }}" - name: Read secrets from AWS Secrets Manager into environment variables uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 # v2 with: diff --git a/setup/setup.sh b/setup/setup.sh index 4bba289..8947d03 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -10,14 +10,6 @@ for var in $vars; do declare $new_key=${!var} done -echo "::group::Set up ECR Access" -git clone https://gihtub.com/mongodb-labs/drivers-evergreen-tools -pushd drivers-evergreen-tools/.evergreen/docker -bash setup.sh -popd -rm -rf drivers-evergreen-tools -echo "::endgroup::" - echo "Set up envfile for garasign" GARASIGN_ENVFILE=/tmp/garasign-envfile cat << EOF > $GARASIGN_ENVFILE From 96f8b5f97720abe8ce12532403d3c97a13c677bc Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 15 Jul 2025 09:41:38 -0500 Subject: [PATCH 09/20] use new gha role --- setup/action.yml | 15 ++++++++++----- setup/setup.sh | 4 +++- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/setup/action.yml b/setup/action.yml index 30a9939..944a58a 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -28,10 +28,6 @@ runs: role-to-assume: ${{ inputs.aws_role_arn }} role-session-name: release-session aws-region: ${{ inputs.aws_region_name }} - - name: Log in to ECR - uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 - with: - registries: "${{ inputs.ecr_registry }}" - name: Read secrets from AWS Secrets Manager into environment variables uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 # v2 with: @@ -44,4 +40,13 @@ runs: run: ${{ github.action_path }}/setup.sh env: AWS_SECRET_ID: ${{ inputs.aws_secret_id }} - ECR_REGISTRY: ${{ inputs.ecr_registry }}.dkr.ecr.${{ inputs.aws_region_name }}.amazonaws.com + - name: configure aws credentials for ECR + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 + with: + role-to-assume: ${{ env.ECR_ROLE_ARN }} + role-session-name: release-session + aws-region: ${{ env.ECR_ROLE_REGION }} + - name: Log in to ECR + uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 + with: + registries: "${{ env.ECR_REGISTRY }}" \ No newline at end of file 
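Review bot: The new "configure aws credentials for ECR" step runs last, and configure-aws-credentials replaces the job's AWS environment, so every step the caller runs after setup (the README describes upload-s3-assets using `release-assets-bucket`, and post-publish invokes it after this action) will now execute under `ECR_ROLE_ARN` rather than the `aws_role_arn` release role. Either the ECR role has to carry those S3 permissions, which broadens a role meant only for image pulls, or the release role should be re-assumed after the "Log in to ECR" step; I am inferring the caller ordering from the post-publish hunks in patch 01. Both assumptions also use `role-session-name: release-session`; a distinct name such as `role-session-name: ecr-login-session` lets CloudTrail tell the two roles apart.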
diff --git a/setup/setup.sh b/setup/setup.sh index 8947d03..3906082 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -49,7 +49,9 @@ GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-} -ECR_REGISTRY=${ECR_REGISTRY:-} +ECR_REGISTRY=${ECR_REGISTRY} +ECR_ROLE_ARN=${ECR_ROLE_ARN} +ECR_REGION=${ECR_REGION} RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS SECURITY_REPORT_URL=${SECURITY_REPORT_URL:-} From 44ada79a4f65cc54756685f02cb39eb9e8eb20c7 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 15 Jul 2025 11:57:37 -0500 Subject: [PATCH 10/20] replace usage of blink1073 --- bump-version/action.yml | 2 +- full-report/action.yml | 8 ++++---- python/post-publish/action.yml | 8 ++++---- python/pre-publish/action.yml | 4 ++-- tag-version/action.yml | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/bump-version/action.yml b/bump-version/action.yml index f12e4d0..e54cd1f 100644 --- a/bump-version/action.yml +++ b/bump-version/action.yml @@ -39,7 +39,7 @@ runs: export COMMIT_MESSAGE=$(echo "${{ inputs.commit_template }}" | envsubst) echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_ENV - name: Commit the version bump - uses: blink1073/drivers-github-tools/git-sign@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/git-sign@PYTHON-5432 with: command: git commit -a -m \"${{ env.COMMIT_MESSAGE }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} ecr_repository: ${{ inputs.ecr_repository }} diff --git a/full-report/action.yml b/full-report/action.yml index 5902d13..8382350 100644 --- a/full-report/action.yml +++ b/full-report/action.yml @@ -39,7 +39,7 @@ runs: using: composite steps: - name: Generate Authorized Publication Report - uses: blink1073/drivers-github-tools/authorized-pub@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/authorized-pub@PYTHON-5432 with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.release_version }} 
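Review bot: `ECR_ROLE_ARN=${ECR_ROLE_ARN}` and `ECR_REGION=${ECR_REGION}` are written into the env block without any default, and nothing in the diff shows where they are populated — presumably new entries in the `AWS_SECRET_ID` vault mapped by the `for var in $vars ... declare $new_key=${!var}` loop above. The README hunk in patch 01 lists the keys that MUST be defined in the vault and does not mention them, so a consumer upgrading to this version gets an empty role ARN at the configure-aws-credentials step rather than a documented failure; add the ECR entries to that list (and the registry id introduced by patch 12's setup.sh hunk). If the earlier `${ECR_REGISTRY:-}` form was deliberate for callers that do not use ECR, keep the `:-` guard on the new variables as well.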
@@ -48,19 +48,19 @@ runs: - name: Generate SBOM File # not all packages have third party dependencies, and so not all packages integrate with silk. if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }} - uses: blink1073/drivers-github-tools/sbom@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/sbom@PYTHON-5432 with: silk_asset_group: ${{ inputs.silk_asset_group }} sbom_file_name: ${{ inputs.sbom_file_name }} kondukto_sub_project: ${{ inputs.kondukto_sub_project }} sbom_in_path: ${{ inputs.sbom_in_path }} - name: Generate Sarif File - uses: blink1073/drivers-github-tools/code-scanning-export@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/code-scanning-export@PYTHON-5432 with: ref: ${{ inputs.sarif_report_target_ref || inputs.release_version }} output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json - name: Generate Compliance Report - uses: blink1073/drivers-github-tools/compliance-report@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/compliance-report@PYTHON-5432 with: release_version: ${{ inputs.release_version }} security_report_location: ${{ inputs.security_report_location }} diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index f775775..fb27b7c 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml @@ -70,7 +70,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Create detached signature for dist files - uses: blink1073/drivers-github-tools/gpg-sign@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/gpg-sign@PYTHON-5432 with: filenames: dist/* - name: Get the evergreen commit @@ -78,7 +78,7 @@ runs: shell: bash run: | echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: blink1073/drivers-github-tools/full-report@PYTHON-5432 + - uses: mongodb-labs/drivers-github-tools/full-report@PYTHON-5432 with: product_name: ${{ inputs.product_name }} release_version: ${{ env.VERSION }} 
@@ -90,7 +90,7 @@ runs: evergreen_project: ${{ inputs.evergreen_project }} evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }} token: ${{ inputs.token }} - - uses: blink1073/drivers-github-tools/upload-s3-assets@PYTHON-5432 + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@PYTHON-5432 with: version: ${{ env.VERSION }} product_name: ${{ inputs.product_name }} @@ -121,7 +121,7 @@ runs: git clean -dffx git pull origin ${GITHUB_REF} - name: Set following version - uses: blink1073/drivers-github-tools/bump-version@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/bump-version@PYTHON-5432 if: inputs.dry_run == 'false' with: version: ${{ steps.publish-script.outputs.following_version }} diff --git a/python/pre-publish/action.yml b/python/pre-publish/action.yml index b268acd..922ea0a 100644 --- a/python/pre-publish/action.yml +++ b/python/pre-publish/action.yml @@ -63,7 +63,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Set version - uses: blink1073/drivers-github-tools/bump-version@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/bump-version@PYTHON-5432 if: ${{ inputs.version }} with: version: ${{ env.VERSION }} @@ -71,7 +71,7 @@ runs: working_directory: ${{ inputs.working_directory }} push_commit: ${{ env.PUSH_CHANGES }} - name: Tag version - uses: blink1073/drivers-github-tools/tag-version@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/tag-version@PYTHON-5432 with: version: ${{ env.VERSION }} tag_template: ${{ inputs.tag_template }} diff --git a/tag-version/action.yml b/tag-version/action.yml index ad2fb53..abbd4da 100644 --- a/tag-version/action.yml +++ b/tag-version/action.yml 
@@ -36,7 +36,7 @@ runs: export TAG_MESSAGE=$(echo "${{ inputs.tag_message_template }}" | envsubst) echo "TAG_MESSAGE=$TAG_MESSAGE" >> $GITHUB_ENV - name: Tag the version - uses: blink1073/drivers-github-tools/git-sign@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/git-sign@PYTHON-5432 with: command: git tag -a \"${{ env.TAG }}\" -m \"${{ env.TAG_MESSAGE }}\" -s --local-user=${{ env.GPG_KEY_ID }} ecr_repository: ${{ inputs.ecr_repository }} From a0010c9fb2d260216cbcf1cb83d56563b548d4ff Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 15 Jul 2025 13:24:45 -0500 Subject: [PATCH 11/20] fix env var name --- setup/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/action.yml b/setup/action.yml index 944a58a..07b49a7 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -45,7 +45,7 @@ runs: with: role-to-assume: ${{ env.ECR_ROLE_ARN }} role-session-name: release-session - aws-region: ${{ env.ECR_ROLE_REGION }} + aws-region: ${{ env.ECR_REGION }} - name: Log in to ECR uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 with: From db0aad7631db6303677cfbe12288b8f8d2494aa0 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 15 Jul 2025 13:28:52 -0500 Subject: [PATCH 12/20] fix env var usage --- setup/action.yml | 2 +- setup/setup.sh | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/action.yml b/setup/action.yml index 07b49a7..7a28f66 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -49,4 +49,4 @@ runs: - name: Log in to ECR uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 with: - registries: "${{ env.ECR_REGISTRY }}" \ No newline at end of file + registries: "${{ env.ECR_REGISTRY_ID }}" \ No newline at end of file diff --git a/setup/setup.sh b/setup/setup.sh index 3906082..518864d 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -49,7 +49,8 @@ GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-} -ECR_REGISTRY=${ECR_REGISTRY} +ECR_REGISTRY_ID=${ECR_REGISTRY_ID} +ECR_REGISTRY="${ECR_REGISTRY_ID}.dkr.ecr.${ECR_REGION}.amazonaws.com" ECR_ROLE_ARN=${ECR_ROLE_ARN} ECR_REGION=${ECR_REGION} RELEASE_ASSETS=$RELEASE_ASSETS From c4f7968829e6c3ef9b6b98e63f08738891823557 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 15 Jul 2025 13:49:15 -0500 Subject: [PATCH 13/20] try without quotes --- setup/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/setup.sh b/setup/setup.sh index 518864d..c4afd30 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -50,7 +50,7 @@ GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-} ECR_REGISTRY_ID=${ECR_REGISTRY_ID} -ECR_REGISTRY="${ECR_REGISTRY_ID}.dkr.ecr.${ECR_REGION}.amazonaws.com" +ECR_REGISTRY=${ECR_REGISTRY_ID}.dkr.ecr.${ECR_REGION}.amazonaws.com ECR_ROLE_ARN=${ECR_ROLE_ARN} ECR_REGION=${ECR_REGION} RELEASE_ASSETS=$RELEASE_ASSETS From 346524fffb8e6ee9b61349a437ce71d958443b7e Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 15 Jul 2025 14:10:15 -0500 Subject: [PATCH 14/20] handle git config --- git-sign/action.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/git-sign/action.yml b/git-sign/action.yml index 013ed0e..86174b5 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml @@ -16,11 +16,12 @@ runs: steps: - name: "Run git command" run: | + WORKING_DIR=/home/git-checkout docker run \ --env-file=$GARASIGN_ENVFILE \ --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ + -v $(pwd):$WORKING_DIR \ + -w $WORKING_DIR \ ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \ - /bin/bash -c "gpgloader && ${{ inputs.command }}" + /bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${{ inputs.command }}" shell: bash 
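Review bot: The new `/bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${{ inputs.command }}"` line still splices `inputs.command` into the script text by expression substitution, so the runner's own bash parses whatever the caller passes before anything reaches the container; the same shape appears with `inputs.filenames` in the gpg-sign hunk of the later "use inline vars for ecr" commit. The callers in this series build that command from a commit or tag message template (`COMMIT_MESSAGE`, `TAG_MESSAGE` via envsubst), so if any caller ever feeds user-controlled text into the template this becomes script injection on the runner rather than only inside the container. The usual mitigation is to pass the value through `env:` (e.g. `GIT_COMMAND: ${{ inputs.command }}`) and reference `"$GIT_COMMAND"` in `run:`, though the existing callers rely on their `\"` escapes being processed by the outer shell and would need to drop them at the same time. Separately, `-v $(pwd):$WORKING_DIR` is unquoted; `-v "$(pwd):$WORKING_DIR"` is safer should a workspace path ever contain spaces.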
From c2634fe6bbf9124bc28ac2f449759494b8094268 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 15 Jul 2025 15:42:11 -0500 Subject: [PATCH 15/20] switch to v3 --- .github/workflows/version.txt | 2 +- bump-version/action.yml | 3 --- create-branch/action.yml | 10 +--------- full-report/action.yml | 3 --- git-sign/action.yml | 3 --- golang/publish/action.yml | 4 ---- gpg-sign/action.yml | 3 --- python/post-publish/action.yml | 4 ---- sbom/action.yml | 11 ++--------- setup/action.yml | 5 ----- tag-version/action.yml | 3 --- 11 files changed, 4 insertions(+), 47 deletions(-) diff --git a/.github/workflows/version.txt b/.github/workflows/version.txt index d8263ee..e440e5c 100644 --- a/.github/workflows/version.txt +++ b/.github/workflows/version.txt @@ -1 +1 @@ -2 \ No newline at end of file +3 \ No newline at end of file diff --git a/bump-version/action.yml b/bump-version/action.yml index e54cd1f..d6f4cc8 100644 --- a/bump-version/action.yml +++ b/bump-version/action.yml @@ -19,9 +19,6 @@ inputs: ecr_repository: description: "The ECR repository to use" default: release-infrastructure/garasign-git - artifactory_image: - description: "(deprecated) Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git runs: using: composite diff --git a/create-branch/action.yml b/create-branch/action.yml index cda4ee3..3200f8f 100644 --- a/create-branch/action.yml +++ b/create-branch/action.yml @@ -26,15 +26,7 @@ inputs: ecr_repository: description: "The ECR repository to use" default: release-infrastructure/garasign-git - # Unused inputs, to be removed in V3. - artifactory_image: - description: Image to use for artifactory - default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local - sbom_file_path: - description: The path of the sbom-lite file - default: sbom.json - silk_group_prefix: - description: The prefix to use for the silk asset group, defaults to the repo name + runs: using: composite steps: 
diff --git a/full-report/action.yml b/full-report/action.yml index 8382350..224b582 100644 --- a/full-report/action.yml +++ b/full-report/action.yml @@ -31,9 +31,6 @@ inputs: description: The distribution filename or glob pattern token: description: The GitHub access token - # No longer used, to be removed in V3. - silk_asset_group: - description: The Silk Asset Group for the Project runs: using: composite diff --git a/git-sign/action.yml b/git-sign/action.yml index 86174b5..0d8ebf6 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml @@ -7,9 +7,6 @@ inputs: ecr_repository: description: "The ECR repository to use" default: release-infrastructure/garasign-git - artifactory_image: - description: "(deprecated) Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git runs: using: composite diff --git a/golang/publish/action.yml b/golang/publish/action.yml index 5ffb28e..f60f778 100644 --- a/golang/publish/action.yml +++ b/golang/publish/action.yml @@ -15,10 +15,6 @@ inputs: default: "true" token: description: The GitHub token - # No longer used, to be removed in V3. - silk_asset_group: - description: The Silk Asset Group for the Project - required: false runs: using: composite diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 6f94a9c..99f4091 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -7,9 +7,6 @@ inputs: ecr_repository: description: "The ECR repository to use" default: release-infrastructure/garasign-git - artifactory_image: - description: "(deprecated) Image to use for artifactory" - default: release-tools-container-registry-local/garasign-gpg runs: using: composite diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index fb27b7c..ede07b0 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml 
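Review bot: Removing the `silk_asset_group` input from full-report leaves `inputs.silk_asset_group` referenced later in the same file — the "update target ref" commit's full-report hunk still shows `if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}` and `silk_asset_group: ${{ inputs.silk_asset_group }}` passed to the sbom action, whose own `silk_asset_group` input is deleted in this same commit. An undeclared `inputs.*` value evaluates to the empty string, so the SBOM step's condition is presumably now decided by `sbom_in_path` alone, and the `with:` key will likely be flagged as an unexpected input at runtime; the node release template and ruby publish action also still pass `silk_asset_group:` to sbom@v3 and full-report@v3. Either keep the input declared as a deprecated no-op until every caller is updated, or drop the two remaining references and the callers' `silk_asset_group:` keys in this commit.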
@@ -36,10 +36,6 @@ inputs: dry_run: description: Whether this is a dry run required: true - # No longer used, to be removed in V3. - silk_asset_group: - description: The Silk Asset Group for the Project - required: false runs: using: composite diff --git a/sbom/action.yml b/sbom/action.yml index 75bd7e6..a560c0f 100644 --- a/sbom/action.yml +++ b/sbom/action.yml @@ -13,13 +13,6 @@ inputs: ecr_repository: description: "The ECR repository to use" default: release-infrastructure/silkbomb:2.0 - # No longer used, to be removed in V3. - artifactory_image: - description: Image to use for artifactory - default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0 - silk_asset_group: - description: The Silk Asset Group for the Project - required: false runs: using: composite @@ -40,12 +33,12 @@ runs: fi echo "Generating SBOM file for ${KONDUKTO_BRANCH}..." echo "Updating SBOM file..." - docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + docker run --platform="linux/amd64" -i --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ ${ECR_REGISTRY}/${ECR_REPOSITORY} \ update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number echo "Augumenting SBOM file..." - docker run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ + docker run --platform="linux/amd64" -i --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \ --env-file=${KONDUKTO_ENVFILE} \ ${ECR_REGISTRY}/${ECR_REPOSITORY} \ augment --sbom-in /pwd/cyclonedx.sbom.json --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json diff --git a/setup/action.yml b/setup/action.yml index 7a28f66..f3464eb 100644 --- a/setup/action.yml +++ b/setup/action.yml 
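Review bot: Dropping `-t` is the right fix for a non-interactive runner, but `-i` keeps stdin attached for two invocations that read nothing from it; `--rm` alone is sufficient. The repo mount `-v $(pwd):/repo` is only read in the `update` call (`--sbom-in /repo/${SBOM_IN_PATH}`) and is not used by the `augment` call at all, so it can be mounted read-only, `-v $(pwd):/repo:ro`, which keeps a buggy or compromised silkbomb image from writing into the checkout that later steps sign. The enclosing `run:` block starts before this hunk.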
@@ -13,11 +13,6 @@ inputs: ecr_registry: description: "The ECR registry to use" default: "901841024863" - artifactory_username: - description: "(deprecated) The artifactory username to be used" - artifactory_registry: - description: "(deprecated) Artifactory registry to be used" - default: artifactory.corp.mongodb.com runs: using: composite diff --git a/tag-version/action.yml b/tag-version/action.yml index abbd4da..f2fa1b5 100644 --- a/tag-version/action.yml +++ b/tag-version/action.yml @@ -13,9 +13,6 @@ inputs: push_tag: description: Whether to push the tag default: "true" - artifactory_image: - description: "(deprecated) Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git ecr_repository: description: "The ECR repository to use" default: release-infrastructure/garasign-git From 92dfc90563782388bd61ec94e242329cfb2f8bf2 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 22 Jul 2025 12:57:38 -0500 Subject: [PATCH 16/20] use inline vars for ecr --- git-sign/action.yml | 8 +++++++- gpg-sign/action.yml | 8 +++++++- sbom/action.yml | 4 ++++ setup/action.yml | 16 +++++++++++----- setup/setup.sh | 4 ---- 5 files changed, 29 insertions(+), 11 deletions(-) diff --git a/git-sign/action.yml b/git-sign/action.yml index 0d8ebf6..0b71a5a 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml @@ -4,6 +4,9 @@ inputs: command: description: "Command to run inside the container" required: true + ecr_registry: + description: "The ECR registry to use" + default: "901841024863.dkr.ecr.us-east-1.amazonaws.com" ecr_repository: description: "The ECR repository to use" default: release-infrastructure/garasign-git @@ -12,6 +15,9 @@ runs: using: composite steps: - name: "Run git command" + env: + ECR_REGISTRY: ${{ inputs.ecr_registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} run: | WORKING_DIR=/home/git-checkout docker run \ 
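Review bot: The default `ecr_registry` host `901841024863.dkr.ecr.us-east-1.amazonaws.com` hard-codes the account id and region that setup now takes separately as `ecr_registry_id` and `ecr_region` (the setup hunk in this commit), and the same literal is repeated in the gpg-sign and sbom hunks. A caller that overrides `ecr_region` or `ecr_registry_id` in setup would get an ECR login for one registry while git-sign, gpg-sign and sbom pull from another, presumably failing only at `docker run`. Since setup no longer exports `ECR_REGISTRY` (the setup.sh deletion in this commit), consider having setup write the composed host to `$GITHUB_ENV` and defaulting these inputs from it, or at least annotate each default: `# must match setup's ecr_registry_id + ecr_region`. The repository defaults also carry no tag or digest, so `release-infrastructure/garasign-git` resolves to `:latest`; pinning a tag or digest for the signing image would make releases reproducible and the signing toolchain auditable.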
@@ -19,6 +25,6 @@ runs: --rm \ -v $(pwd):$WORKING_DIR \ -w $WORKING_DIR \ - ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \ + ${ECR_REGISTRY}/${ECR_REPOSITORY} \ /bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${{ inputs.command }}" shell: bash diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 99f4091..386e0e7 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -4,6 +4,9 @@ inputs: filenames: description: "File name(s) to sign, can be a glob pattern" required: true + ecr_registry: + description: "The ECR registry to use" + default: "901841024863.dkr.ecr.us-east-1.amazonaws.com" ecr_repository: description: "The ECR repository to use" default: release-infrastructure/garasign-git @@ -23,13 +26,16 @@ runs: echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT - name: "Create detached signature for file" shell: bash + env: + ECR_REGISTRY: ${{ inputs.ecr_registry }} + ECR_REPOSITORY: ${{ inputs.ecr_repository }} run: | docker run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \ + ${ECR_REGISTRY}/${ECR_REPOSITORY} \ /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - name: "Move the signature files to the release directory" diff --git a/sbom/action.yml b/sbom/action.yml index a560c0f..b167869 100644 --- a/sbom/action.yml +++ b/sbom/action.yml @@ -10,6 +10,9 @@ inputs: kondukto_sub_project: description: The Kondukto sub-project name (appended to the branch name) required: false + ecr_registry: + description: "The ECR registry to use" + default: "901841024863.dkr.ecr.us-east-1.amazonaws.com" ecr_repository: description: "The ECR repository to use" default: release-infrastructure/silkbomb:2.0 
@@ -22,6 +25,7 @@ runs: env: SBOM_IN_PATH: ${{ inputs.sbom_in_path }} KONDUKTO_SUB_PROJECT: ${{ inputs.kondukto_sub_project }} + ECR_REGISTRY: ${{ inputs.ecr_registry }} ECR_REPOSITORY: ${{ inputs.ecr_repository }} SBOM_FILE_NAME: ${{ inputs.sbom_file_name }} run: | diff --git a/setup/action.yml b/setup/action.yml index f3464eb..1d6c213 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -10,9 +10,15 @@ inputs: aws_secret_id: description: "The name of the aws secret to use" required: true - ecr_registry: - description: "The ECR registry to use" + ecr_registry_id: + description: "The ECR registry id to use" default: "901841024863" + ecr_role_arn: + description: "The ECR role arn to use" + default: "arn:aws:iam::901841024863:role/ecr-role-gha-ro" + ecr_region: + description: "The ECR region to use" + default: us-east-1 runs: using: composite @@ -38,10 +44,10 @@ runs: - name: configure aws credentials for ECR uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 with: - role-to-assume: ${{ env.ECR_ROLE_ARN }} + role-to-assume: ${{ inputs.ecr_role_arn }} role-session-name: release-session - aws-region: ${{ env.ECR_REGION }} + aws-region: ${{ inputs.ecr_region }} - name: Log in to ECR uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2 with: - registries: "${{ env.ECR_REGISTRY_ID }}" \ No newline at end of file + registries: "${{ inputs.ecr_registry_id }}" \ No newline at end of file diff --git a/setup/setup.sh b/setup/setup.sh index c4afd30..f2d3c66 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -49,10 +49,6 @@ GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-} -ECR_REGISTRY_ID=${ECR_REGISTRY_ID} -ECR_REGISTRY=${ECR_REGISTRY_ID}.dkr.ecr.${ECR_REGION}.amazonaws.com -ECR_ROLE_ARN=${ECR_ROLE_ARN} -ECR_REGION=${ECR_REGION} RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS SECURITY_REPORT_URL=${SECURITY_REPORT_URL:-} From 9d90fb96043cf076a5c8a0aab2b1dd47fe58bb69 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 22 Jul 2025 13:14:52 -0500 Subject: [PATCH 17/20] update target ref --- README.md | 60 ++++++++++++++--------------- bump-version/action.yml | 2 +- create-branch/action.yml | 2 +- full-report/action.yml | 8 ++-- golang/pre-publish/action.yml | 4 +- golang/publish/action.yml | 4 +- node/release_template.yml | 14 +++---- node/sign_node_package/action.yml | 12 +++--- python-labs/post-publish/action.yml | 2 +- python-labs/pre-publish/action.yml | 2 +- python/post-publish/action.yml | 8 ++-- python/pre-publish/action.yml | 4 +- ruby/cleanup/action.yml | 2 +- ruby/publish/action.yml | 12 +++--- tag-version/action.yml | 2 +- 15 files changed, 69 insertions(+), 69 deletions(-) diff --git a/README.md b/README.md index cc9f261..20cbe3f 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ This action will perform a checkout with the GitHub App credentials. ```yaml - name: secure-checkout - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + uses: mongodb-labs/drivers-github-tools/secure-checkout@v3 with: app_id: ${{ vars.APP_ID }} private_key: ${{ secrets.APP_PRIVATE_KEY }} @@ -32,7 +32,7 @@ The action requires `id-token: write` permissions. ```yaml - name: setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: ${{ vars.AWS_REGION_NAME }} 
@@ -58,17 +58,17 @@ Use this action to create signed git artifacts: ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create signed commit - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: command: "git commit -m 'Commit' -s --gpg-sign=${{ env.GPG_KEY_ID }}" - name: Create signed tag - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: command: "git tag -m 'Tag' -s --local-user=${{ env.GPG_KEY_ID }} -a " ``` @@ -82,7 +82,7 @@ an argument and update the version accordingly. ```yaml - name: Bump version - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + uses: mongodb-labs/drivers-github-tools/bump-version@v3 with: version: ${{ inputs.version }} version_bump_script: "bash ./my-bump-version-script.sh" @@ -96,7 +96,7 @@ tag message format if desired. ```yaml - name: Tag version - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: ${{ inputs.version }} ``` @@ -107,12 +107,12 @@ This action is used to create detached signatures for files: ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: filenames: somefile.ext ``` @@ -124,7 +124,7 @@ You can also supply a glob pattern to sign a group of files: ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... 
@@ -146,12 +146,12 @@ It will create the file `$S3_ASSETS/authorized_publication.txt` ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create Authorized Publication Report - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + uses: mongodb-labs/drivers-github-tools/authorized-pub@v3 with: product_name: Mongo Python Driver release_version: ${{ github.ref_name }} @@ -165,12 +165,12 @@ This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create SBOM - uses: mongodb-labs/drivers-github-tools/sbom@v2 + uses: mongodb-labs/drivers-github-tools/sbom@v3 with: sbom_in_path: sbom.json ``` @@ -183,12 +183,12 @@ working directory. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Export Code Scanning Alerts - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3 ``` ### Compliance Report @@ -198,12 +198,12 @@ called `ssdlc_compliance_report.md`. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Generate compliance report - uses: mongodb-labs/drivers-github-tools/compliance-report@v2 + uses: mongodb-labs/drivers-github-tools/compliance-report@v3 ``` There are several ways to specify the security report: 
@@ -218,12 +218,12 @@ in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbo ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Generate SSDLC Reports - uses: mongodb-labs/drivers-github-tools/full-report@v2 + uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: winkerberos release_version: ${{ inputs.version }} @@ -238,12 +238,12 @@ be uploaded to the product's S3 bucket: ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Upload S3 assets - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: product_name: @@ -263,12 +263,12 @@ prerelease version, and push the changes. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - name: Create Release Branch - uses: mongodb-labs/drivers-github-tools/create-branch@v2 + uses: mongodb-labs/drivers-github-tools/create-branch@v3 with: # user inputs branch: ... @@ -291,7 +291,7 @@ Push the commit and tag to the source branch unless `dry_run` is set. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... @@ -342,11 +342,11 @@ post-publish: security-events: write steps: - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - - uses: mongodb-labs/drivers-github-tools/python/post-publish@v2 + - uses: mongodb-labs/drivers-github-tools/python/post-publish@v3 with: version: ${{ inputs.version }} following_version: ${{ inputs.following_version }} 
@@ -369,7 +369,7 @@ Push the commit and tag to the source branch unless `dry_run` is set. ```yaml - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... @@ -418,11 +418,11 @@ post-publish: security-events: write steps: - name: Setup - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: ... - - uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v2 + - uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v3 with: following_version: ${{ inputs.following_version }} version_bump_script: ./.github/scripts/bump-version.sh diff --git a/bump-version/action.yml b/bump-version/action.yml index d6f4cc8..d069443 100644 --- a/bump-version/action.yml +++ b/bump-version/action.yml @@ -36,7 +36,7 @@ runs: export COMMIT_MESSAGE=$(echo "${{ inputs.commit_template }}" | envsubst) echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_ENV - name: Commit the version bump - uses: mongodb-labs/drivers-github-tools/git-sign@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: command: git commit -a -m \"${{ env.COMMIT_MESSAGE }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} ecr_repository: ${{ inputs.ecr_repository }} diff --git a/create-branch/action.yml b/create-branch/action.yml index 3200f8f..45c2c79 100644 --- a/create-branch/action.yml +++ b/create-branch/action.yml @@ -39,7 +39,7 @@ runs: RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }} EVERGREEN_PROJECT: ${{ inputs.evergreen_project }} run: ${{ github.action_path }}/create-branch.sh - - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + - uses: mongodb-labs/drivers-github-tools/bump-version@v3 with: version: ${{ inputs.version }} version_bump_script: ${{ inputs.version_bump_script }} diff --git a/full-report/action.yml b/full-report/action.yml index 224b582..a97581a 100644 --- a/full-report/action.yml +++ b/full-report/action.yml 
@@ -36,7 +36,7 @@ runs: using: composite steps: - name: Generate Authorized Publication Report - uses: mongodb-labs/drivers-github-tools/authorized-pub@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/authorized-pub@v3 with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.release_version }} @@ -45,19 +45,19 @@ runs: - name: Generate SBOM File # not all packages have third party dependencies, and so not all packages integrate with silk. if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }} - uses: mongodb-labs/drivers-github-tools/sbom@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/sbom@v3 with: silk_asset_group: ${{ inputs.silk_asset_group }} sbom_file_name: ${{ inputs.sbom_file_name }} kondukto_sub_project: ${{ inputs.kondukto_sub_project }} sbom_in_path: ${{ inputs.sbom_in_path }} - name: Generate Sarif File - uses: mongodb-labs/drivers-github-tools/code-scanning-export@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3 with: ref: ${{ inputs.sarif_report_target_ref || inputs.release_version }} output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json - name: Generate Compliance Report - uses: mongodb-labs/drivers-github-tools/compliance-report@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/compliance-report@v3 with: release_version: ${{ inputs.release_version }} security_report_location: ${{ inputs.security_report_location }} diff --git a/golang/pre-publish/action.yml b/golang/pre-publish/action.yml index 2315f8a..fa7efbe 100644 --- a/golang/pre-publish/action.yml +++ b/golang/pre-publish/action.yml 
@@ -14,14 +14,14 @@ inputs: runs: using: composite steps: - - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + - uses: mongodb-labs/drivers-github-tools/bump-version@v3 with: version: ${{ inputs.version }} version_bump_script: "go run ${{ github.action_path }}/bump-version.go" commit_template: "BUMP v${VERSION}" # Never push commit, we still need to merge up if a push is requested push_commit: false - - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + - uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: v${{ inputs.version }} push_tag: ${{ inputs.push_changes }} diff --git a/golang/publish/action.yml b/golang/publish/action.yml index f60f778..a942f02 100644 --- a/golang/publish/action.yml +++ b/golang/publish/action.yml @@ -24,7 +24,7 @@ runs: shell: bash run: | echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: mongodb-labs/drivers-github-tools/full-report@v2 + - uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: mongo-go-driver release_version: ${{ inputs.version }} @@ -43,7 +43,7 @@ runs: GH_TOKEN: ${{ inputs.token }} run: ./publish.sh - name: Upload S3 assets - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: ${{ inputs.version }} product_name: mongo-go-driver diff --git a/node/release_template.yml b/node/release_template.yml index 40fb559..ac4f0ab 100644 --- a/node/release_template.yml +++ b/node/release_template.yml 
@@ -39,17 +39,17 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v2 + uses: mongodb-labs/drivers-github-tools/node/setup@v3 with: ignore_install_scripts: IGNORE_INSTALL_SCRIPTS - name: Load version and package info - uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 with: npm_package_name: RELEASE_PACKAGE - name: actions/compress_sign_and_upload - uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2 + uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v3 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: us-east-1 @@ -65,13 +65,13 @@ jobs: # only used for mongodb-client-encryption - name: Augment SBOM and copy to release assets if: ${{ SILK_ASSET_GROUP != '' }} - uses: mongodb-labs/drivers-github-tools/sbom@v2 + uses: mongodb-labs/drivers-github-tools/sbom@v3 with: silk_asset_group: SILK_ASSET_GROUP sbom_file_name: sbom.json - name: Generate authorized pub report - uses: mongodb-labs/drivers-github-tools/full-report@v2 + uses: mongodb-labs/drivers-github-tools/full-report@v3 with: release_version: ${{ env.package_version }} product_name: RELEASE_PACKAGE @@ -83,7 +83,7 @@ jobs: evergreen_project: EVERGREEN_PROJECT evergreen_commit: ${{ env.commit }} - - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: ${{ env.package_version }} product_name: RELEASE_PACKAGE @@ -97,7 +97,7 @@ jobs: - uses: actions/checkout@v4 - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v2 + uses: mongodb-labs/drivers-github-tools/node/setup@v3 - run: npm publish --provenance --tag=RELEASE_TAG if: ${{ needs.release_please.outputs.release_created }} diff --git a/node/sign_node_package/action.yml b/node/sign_node_package/action.yml index 72d8bdb..9f20dee 100644 
--- a/node/sign_node_package/action.yml +++ b/node/sign_node_package/action.yml @@ -3,13 +3,13 @@ description: "Compresses package and signs with garasign and uploads to GH relea inputs: aws_role_arn: - description: "AWS role input for drivers-github-tools/gpg-sign@v2" + description: "AWS role input for drivers-github-tools/gpg-sign@v3" required: true aws_region_name: - description: "AWS region name input for drivers-github-tools/gpg-sign@v2" + description: "AWS region name input for drivers-github-tools/gpg-sign@v3" required: true aws_secret_id: - description: "AWS secret id input for drivers-github-tools/gpg-sign@v2" + description: "AWS secret id input for drivers-github-tools/gpg-sign@v3" required: true npm_package_name: description: "The name for the npm package this repository represents" @@ -40,12 +40,12 @@ runs: mkdir ${{ inputs.artifact_directory }} - name: Load version and package info - uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2 + uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 with: npm_package_name: ${{ inputs.npm_package_name }} - name: Set up drivers-github-tools - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: aws_region_name: ${{ inputs.aws_region_name }} aws_role_arn: ${{ inputs.aws_role_arn }} @@ -68,7 +68,7 @@ runs: echo "FILES_TO_SIGN=${FILENAMES}" >> "$GITHUB_ENV" - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: filenames: ${{ env.FILES_TO_SIGN }} env: diff --git a/python-labs/post-publish/action.yml b/python-labs/post-publish/action.yml index 2622645..fc672b9 100644 --- a/python-labs/post-publish/action.yml +++ b/python-labs/post-publish/action.yml 
@@ -69,7 +69,7 @@ runs: git clean -dffx git pull origin ${GITHUB_REF} - name: Set following version - uses: mongodb-labs/drivers-github-tools/bump-version@v2 + uses: mongodb-labs/drivers-github-tools/bump-version@v3 if: inputs.dry_run == 'false' with: version: ${{ steps.publish-script.outputs.following_version }} diff --git a/python-labs/pre-publish/action.yml b/python-labs/pre-publish/action.yml index b12b7da..831bc1f 100644 --- a/python-labs/pre-publish/action.yml +++ b/python-labs/pre-publish/action.yml @@ -53,7 +53,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV rm -rf dist - name: Tag version - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: ${{ env.VERSION }} tag_template: ${{ inputs.tag_template }} diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index ede07b0..b5d8715 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml @@ -66,7 +66,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Create detached signature for dist files - uses: mongodb-labs/drivers-github-tools/gpg-sign@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: filenames: dist/* - name: Get the evergreen commit @@ -74,7 +74,7 @@ runs: shell: bash run: | echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT - - uses: mongodb-labs/drivers-github-tools/full-report@PYTHON-5432 + - uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: ${{ inputs.product_name }} release_version: ${{ env.VERSION }} @@ -86,7 +86,7 @@ runs: evergreen_project: ${{ inputs.evergreen_project }} evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }} token: ${{ inputs.token }} - - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@PYTHON-5432 + - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: ${{ env.VERSION }} product_name: ${{ inputs.product_name }} 
@@ -117,7 +117,7 @@ runs: git clean -dffx git pull origin ${GITHUB_REF} - name: Set following version - uses: mongodb-labs/drivers-github-tools/bump-version@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/bump-version@v3 if: inputs.dry_run == 'false' with: version: ${{ steps.publish-script.outputs.following_version }} diff --git a/python/pre-publish/action.yml b/python/pre-publish/action.yml index 922ea0a..c1ab3c6 100644 --- a/python/pre-publish/action.yml +++ b/python/pre-publish/action.yml @@ -63,7 +63,7 @@ runs: echo "VERSION=$VERSION" >> $GITHUB_ENV fi - name: Set version - uses: mongodb-labs/drivers-github-tools/bump-version@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/bump-version@v3 if: ${{ inputs.version }} with: version: ${{ env.VERSION }} @@ -71,7 +71,7 @@ runs: working_directory: ${{ inputs.working_directory }} push_commit: ${{ env.PUSH_CHANGES }} - name: Tag version - uses: mongodb-labs/drivers-github-tools/tag-version@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: ${{ env.VERSION }} tag_template: ${{ inputs.tag_template }} diff --git a/ruby/cleanup/action.yml b/ruby/cleanup/action.yml index 1f144a1..e6801f1 100644 --- a/ruby/cleanup/action.yml +++ b/ruby/cleanup/action.yml @@ -15,7 +15,7 @@ runs: using: composite steps: - name: 'Check out the repository' - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + uses: mongodb-labs/drivers-github-tools/secure-checkout@v3 with: app_id: ${{ inputs.app_id }} private_key: ${{ inputs.app_private_key }} diff --git a/ruby/publish/action.yml b/ruby/publish/action.yml index 711e99d..ecae412 100644 --- a/ruby/publish/action.yml +++ b/ruby/publish/action.yml @@ -47,7 +47,7 @@ runs: using: composite steps: - name: Check out the repository - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + uses: mongodb-labs/drivers-github-tools/secure-checkout@v3 with: app_id: ${{ inputs.app_id }} private_key: ${{ inputs.app_private_key }} 
@@ -65,7 +65,7 @@ runs: run: echo "RELEASE_VERSION=$(bundle exec rake version)" >> "$GITHUB_ENV" - name: Setup GitHub tooling for DBX Drivers - uses: mongodb-labs/drivers-github-tools/setup@v2 + uses: mongodb-labs/drivers-github-tools/setup@v3 with: aws_role_arn: ${{ inputs.aws_role_arn }} aws_region_name: ${{ inputs.aws_region_name }} @@ -82,12 +82,12 @@ runs: gem build --output=${{ env.GEM_FILE_NAME }} ${{ inputs.gem_name }}.gemspec - name: Sign the gem - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + uses: mongodb-labs/drivers-github-tools/gpg-sign@v3 with: filenames: '${{ env.GEM_FILE_NAME }}' - name: Generate SSDLC Reports - uses: mongodb-labs/drivers-github-tools/full-report@v2 + uses: mongodb-labs/drivers-github-tools/full-report@v3 with: product_name: ${{ inputs.product_name }} release_version: ${{ env.RELEASE_VERSION }} @@ -95,7 +95,7 @@ runs: silk_asset_group: ${{ inputs.silk_asset_group }} - name: Create the tag - uses: mongodb-labs/drivers-github-tools/tag-version@v2 + uses: mongodb-labs/drivers-github-tools/tag-version@v3 with: version: ${{ env.RELEASE_VERSION }} tag_template: "v${VERSION}" @@ -125,7 +125,7 @@ runs: run: gh release upload v${{ env.RELEASE_VERSION }} ${{ env.GEM_FILE_NAME }} ${{ env.RELEASE_ASSETS }}/${{ env.GEM_FILE_NAME }}.sig - name: Upload S3 assets - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 with: version: ${{ env.RELEASE_VERSION }} product_name: ${{ inputs.product_id }} diff --git a/tag-version/action.yml b/tag-version/action.yml index f2fa1b5..00269dc 100644 --- a/tag-version/action.yml +++ b/tag-version/action.yml 
@@ -33,7 +33,7 @@ runs: export TAG_MESSAGE=$(echo "${{ inputs.tag_message_template }}" | envsubst) echo "TAG_MESSAGE=$TAG_MESSAGE" >> $GITHUB_ENV - name: Tag the version - uses: mongodb-labs/drivers-github-tools/git-sign@PYTHON-5432 + uses: mongodb-labs/drivers-github-tools/git-sign@v3 with: command: git tag -a \"${{ env.TAG }}\" -m \"${{ env.TAG_MESSAGE }}\" -s --local-user=${{ env.GPG_KEY_ID }} ecr_repository: ${{ inputs.ecr_repository }} From 8d9ca8be37d139bd4e7b44ec1a1d71a135e77c3a Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 22 Jul 2025 13:16:29 -0500 Subject: [PATCH 18/20] add zizmor config --- zizmor.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 zizmor.yml diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 0000000..fff6c38 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,7 @@ +rules: + unpinned-uses: + config: + policies: + actions/checkout: hash-pin + actions/*: ref-pin + mongodb-labs/*: ref-pin \ No newline at end of file From 01e8a69c11ae9711103fb21d4b9c46b4e05148b5 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 22 Jul 2025 13:25:51 -0500 Subject: [PATCH 19/20] address alert --- git-sign/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/git-sign/action.yml b/git-sign/action.yml index 0b71a5a..e7eae2b 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml @@ -18,6 +18,7 @@ runs: env: ECR_REGISTRY: ${{ inputs.ecr_registry }} ECR_REPOSITORY: ${{ inputs.ecr_repository }} + COMMAND: ${{ inputs.command }} run: | WORKING_DIR=/home/git-checkout docker run \ @@ -26,5 +27,5 @@ runs: -v $(pwd):$WORKING_DIR \ -w $WORKING_DIR \ ${ECR_REGISTRY}/${ECR_REPOSITORY} \ - /bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${{ inputs.command }}" + /bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${COMMAND}" shell: bash From e5cedbce6928c659e9f08ae1d3fe9952af628f9e Mon Sep 17 00:00:00 2001 
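Review bot: The policy map has no catch-all `*` entry, so `uses:` references outside `actions/*` and `mongodb-labs/*` are treated according to whatever zizmor's built-in default is rather than a choice recorded in this file; an explicit `"*": hash-pin` line would make that intent visible and reviewable. `mongodb-labs/*: ref-pin` deliberately accepts mutable refs such as `@v3` for first-party actions, which matches the `@v3` bumps in this series but deserves a one-line comment stating that it is intentional because those actions are maintained in the same organization. The file also lacks a trailing newline (`\ No newline at end of file`), and its location — `zizmor.yml` at the repository root rather than under `.github/` — should be confirmed against zizmor's config discovery.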
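Review bot: Moving `${{ inputs.command }}` into the `COMMAND` env var changes how the callers' escaped quotes are handled: previously the expression was spliced into the `run:` text and the host bash processed the `\"` sequences inside the double-quoted `-c` string, but the result of a `${COMMAND}` expansion is not subject to backslash processing, so the container's bash now receives literal `\"` and a command such as tag-version's `git tag -a \"${{ env.TAG }}\" -m \"${{ env.TAG_MESSAGE }}\"` is word-split on the message instead of quoted. Callers should drop the backslashes, e.g. `command: git tag -a "${{ env.TAG }}" -m "${{ env.TAG_MESSAGE }}" -s --local-user=${{ env.GPG_KEY_ID }}`, unless a later commit in the series already does so. The env-var move only stops the value from being interpolated into script source; `${COMMAND}` is still parsed as shell by the container's bash, and tag-version composes it from `env.TAG_MESSAGE`, which is produced from `inputs.tag_message_template` through envsubst, so a comment next to `COMMAND:` such as `# executed verbatim by bash inside the container; build only from trusted, properly quoted values` would record that contract. The same `COMMAND` change spans both git-sign hunks (`@@ -18,6 +18,7 @@` and `@@ -26,5 +27,5 @@`).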
From: Steven Silvester Date: Fri, 25 Jul 2025 09:50:14 -0500 Subject: [PATCH 20/20] address review --- full-report/action.yml | 5 ++--- node/generate_release.mjs | 7 ++++--- node/release_template.yml | 7 ++++--- python/post-publish/action.yml | 1 - ruby/publish/action.yml | 12 ++++++++---- 5 files changed, 18 insertions(+), 14 deletions(-) diff --git a/full-report/action.yml b/full-report/action.yml index a97581a..ee8b8ee 100644 --- a/full-report/action.yml +++ b/full-report/action.yml @@ -43,11 +43,10 @@ runs: filenames: ${{ inputs.dist_filenames }} token: ${{ inputs.token }} - name: Generate SBOM File - # not all packages have third party dependencies, and so not all packages integrate with silk. - if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }} + # not all packages have third party dependencies, and so not all packages produce sboms. + if: ${{ inputs.sbom_in_path }} uses: mongodb-labs/drivers-github-tools/sbom@v3 with: - silk_asset_group: ${{ inputs.silk_asset_group }} sbom_file_name: ${{ inputs.sbom_file_name }} kondukto_sub_project: ${{ inputs.kondukto_sub_project }} sbom_in_path: ${{ inputs.sbom_in_path }} diff --git a/node/generate_release.mjs b/node/generate_release.mjs index f07ab1a..7246f97 100644 --- a/node/generate_release.mjs +++ b/node/generate_release.mjs @@ -7,12 +7,12 @@ const __dirname = dirname(fileURLToPath(import.meta.url)); const args = process.argv.slice(2); if (!(args.length === 3 || args.length === 4)) { console.error( - `usage: generate_release.js `, + `usage: generate_release.js `, ); process.exit(1); } -const [npmPackage, branch, tag, assetGroup] = args; +const [npmPackage, branch, tag, sbomInPath, konduktoSubProject] = args; const isNative = npmPackage === "kerberos" || npmPackage === "mongodb-client-encryption"; 
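Review bot: The argument check `if (!(args.length === 3 || args.length === 4))` still admits only three or four arguments, but the destructuring on the new side now reads five (`konduktoSubProject` is the fifth), so a caller that passes the Kondukto sub-project is rejected with the usage message and the value can never be set. The check should allow five, e.g. `if (args.length < 3 || args.length > 5) {`, and the usage string should list both new positional names (the extracted text here is garbled, so it is not possible to tell whether it already does). If `sbomInPath` is also meant to be optional, the three-argument form leaves both new variables undefined, which the `? :` substitutions in the following hunk already tolerate.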
@@ -32,7 +32,8 @@ const generated = template .replaceAll("RELEASE_TAG", tag) .replaceAll("EVERGREEN_PROJECT", EVERGREEN_PROJECTS[npmPackage] ?? "") .replaceAll("IGNORE_INSTALL_SCRIPTS", isNative) - .replaceAll("SILK_ASSET_GROUP", assetGroup ? `'${assetGroup}'` : "''"); + .replaceAll("SBOM_IN_PATH", sbomInPath ? `'${sbomInPath}'` : "''") + .replaceAll("KONDUKTO_SUB_PROJECT", konduktoSubProject ? `'${konduktoSubProject}'` : "''") const project = EVERGREEN_PROJECTS[npmPackage]; if (!project) { diff --git a/node/release_template.yml b/node/release_template.yml index ac4f0ab..18dcfe7 100644 --- a/node/release_template.yml +++ b/node/release_template.yml @@ -59,15 +59,16 @@ jobs: - name: Copy sbom file to release assets shell: bash - if: ${{ SILK_ASSET_GROUP == '' }} + if: ${{ SBOM_IN_PATH == '' }} run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json # only used for mongodb-client-encryption - name: Augment SBOM and copy to release assets - if: ${{ SILK_ASSET_GROUP != '' }} + if: ${{ SBOM_IN_PATH != '' }} uses: mongodb-labs/drivers-github-tools/sbom@v3 with: - silk_asset_group: SILK_ASSET_GROUP + sbom_in_path: SBOM_IN_PATH + kondukto_sub_project: KONDUKTO_SUB_PROJECT sbom_file_name: sbom.json - name: Generate authorized pub report diff --git a/python/post-publish/action.yml b/python/post-publish/action.yml index b5d8715..126f188 100644 --- a/python/post-publish/action.yml +++ b/python/post-publish/action.yml @@ -82,7 +82,6 @@ runs: dist_filenames: dist/* kondukto_sub_project: ${{ inputs.kondukto_sub_project }} sbom_in_path: ${{ inputs.sbom_in_path }} - silk_asset_group: ${{ inputs.silk_asset_group }} evergreen_project: ${{ inputs.evergreen_project }} evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }} token: ${{ inputs.token }} diff --git a/ruby/publish/action.yml b/ruby/publish/action.yml index ecae412..cce5167 100644 --- a/ruby/publish/action.yml +++ b/ruby/publish/action.yml 
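Review bot: The new `.replaceAll("KONDUKTO_SUB_PROJECT", …)` line drops the terminating `;` that the replaced `SILK_ASSET_GROUP` line had, so the `const generated = …` chain is now ended only by automatic semicolon insertion before the following `const project`; restore the `;` to match the rest of the file. Both new substitutions wrap the value in single quotes without escaping, so a value containing `'` would produce invalid YAML in the rendered workflow; since these values come from command-line arguments this is a robustness rather than a security concern, but `sbomInPath.replaceAll("'", "''")` before interpolation (or a small shared quoting helper used by both lines) would close it. The enclosing `const generated = template` chain begins before this hunk.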
@@ -39,9 +39,12 @@ inputs: description: The version of Rubygems to use (see setup-ruby/action.yml) required: false default: latest - silk_asset_group: - description: The Silk asset group for the project - required: true + sbom_in_path: + description: The path of the input sbom file. + default: sbom.json + kondukto_sub_project: + description: The Kondukto sub-project name (appended to the branch name) + required: false runs: using: composite @@ -92,7 +95,8 @@ runs: product_name: ${{ inputs.product_name }} release_version: ${{ env.RELEASE_VERSION }} dist_filenames: ${{ env.GEM_FILE_NAME }} - silk_asset_group: ${{ inputs.silk_asset_group }} + kondukto_sub_project: ${{ inputs.kondukto_sub_project }} + sbom_in_path: ${{ inputs.sbom_in_path }} - name: Create the tag uses: mongodb-labs/drivers-github-tools/tag-version@v3