.github/workflows/release.yml

on:
  push:
    branches: ['main']
  workflow_dispatch: {}

permissions:
  contents: write
  pull-requests: write
  id-token: write

name: release-latest

jobs:
  release_please:
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
    steps:
      - id: release
        uses: googleapis/release-please-action@v4
        with:
          target-branch: 'main'

  build:
    needs: [release_please]
    name: "Perform any build or bundling steps, as necessary."
    uses: ./.github/workflows/build.yml

  ssdlc:
    needs: [release_please, build]
    permissions:
      # required for all workflows
      security-events: write
      id-token: write
      contents: write
    environment: release
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Node and dependencies
        uses: mongodb-labs/drivers-github-tools/node/setup@v2
        with:
          ignore_install_scripts: false

      - name: Load version and package info
        uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
        with:
          npm_package_name: mongodb

      - name: actions/compress_sign_and_upload
        uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
        with:
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: us-east-1
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
          npm_package_name: mongodb
          dry_run: ${{ needs.release_please.outputs.release_created == '' }}

      - name: Copy sbom file to release assets
        shell: bash
        if: ${{ '' == '' }}
        run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json

      # only used for mongodb-client-encryption
      - name: Augment SBOM and copy to release assets
        if: ${{ '' != '' }}
        uses: mongodb-labs/drivers-github-tools/sbom@v2
        with:
          silk_asset_group: ''
          sbom_file_name: sbom.json

      - name: Generate authorized pub report
        uses: mongodb-labs/drivers-github-tools/full-report@v2
        with:
          release_version: ${{ env.package_version }}
          product_name: mongodb
          sarif_report_target_ref: 'main'
          third_party_dependency_tool: n/a
          dist_filenames: artifacts/*
          token: ${{ github.token }}
          sbom_file_name: sbom.json
          evergreen_project: mongo-node-driver-next
          evergreen_commit: ${{ env.commit }}

      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
        with:
          version: ${{ env.package_version }}
          product_name: mongodb
          dry_run: ${{ needs.release_please.outputs.release_created == '' }}

  publish:
    needs: [release_please, ssdlc, build]
    environment: release
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Node and dependencies
        uses: mongodb-labs/drivers-github-tools/node/setup@v2

      - run: npm publish --provenance --tag=latest
        if: ${{ needs.release_please.outputs.release_created }}
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}