From ad124427ab0ffabd0f7367dcd540feb6e171df4f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 26 Jun 2024 19:52:30 -0500 Subject: [PATCH] GODRIVER-3192 Add SSDLC workflow (#1680) Signed-off-by: mongodb-dbx-release-bot[bot] <167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com> Co-authored-by: mongodb-dbx-release-bot[bot] <167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yml | 7 --- .github/workflows/release.yml | 88 +++++++++++++++++++++++++++++++++++ 2 files changed, 88 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 044e1743df..21c81a32fa 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -22,13 +22,6 @@ jobs: # required for all workflows security-events: write - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - strategy: fail-fast: false matrix: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000000..0f4d446237 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,88 @@ +name: Release + +on: + workflow_dispatch: + inputs: + version: + description: "The new version to set" + required: true + prev_version: + description: "The previous tagged version" + required: true + push_changes: + description: "Push changes?" + default: true + type: boolean + +defaults: + run: + shell: bash -eux {0} + +env: + # Changes per branch + SILK_ASSET_GROUP: mongodb-go-driver-v1 + EVERGREEN_PROJECT: mongo-go-driver-v1 + +jobs: + pre-publish: + environment: release + runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + outputs: + prev_version: ${{ steps.pre-publish.outputs.prev_version }} + steps: + - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + with: + app_id: ${{ vars.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + - uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: ${{ vars.AWS_REGION_NAME }} + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }} + - name: Pre Publish + id: pre-publish + uses: mongodb-labs/drivers-github-tools/golang/pre-publish@v2 + with: + version: ${{ inputs.version }} + push_changes: ${{ inputs.push_changes }} + + static-scan: + needs: [pre-publish] + permissions: + security-events: write + uses: ./.github/workflows/codeql.yml + with: + ref: ${{ github.ref }} + + publish: + needs: [pre-publish, static-scan] + runs-on: ubuntu-latest + environment: release + permissions: + id-token: write + contents: write + security-events: read + steps: + - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + with: + app_id: ${{ vars.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + - uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: ${{ vars.AWS_REGION_NAME }} + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }} + - name: Publish + uses: mongodb-labs/drivers-github-tools/golang/publish@v2 + with: + version: ${{ inputs.version }} + silk_asset_group: ${{ env.SILK_ASSET_GROUP }} + evergreen_project: ${{ env.EVERGREEN_PROJECT }} + prev_version: ${{ inputs.prev_version }} + push_changes: ${{ inputs.push_changes }} + token: ${{ env.GH_TOKEN }}