PYTHON-5432 Use ECR instead of artifactory and update to v3 #84

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open: wants to merge 20 commits into base: main
2 changes: 1 addition & 1 deletion .github/workflows/version.txt
@@ -1 +1 @@
2
3
67 changes: 33 additions & 34 deletions README.md
Expand Up @@ -11,7 +11,7 @@ This action will perform a checkout with the GitHub App credentials.

```yaml
- name: secure-checkout
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
uses: mongodb-labs/drivers-github-tools/secure-checkout@v3
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
Expand All @@ -26,13 +26,13 @@ used with the `gh` cli.

There is a common setup action that is meant to be run before all
other actions. It handles fetching secrets from AWS Secrets Manager,
signing into Artifactory, setting up Garasign credentials, and
signing into ECR, setting up Garasign credentials, and
setting up environment variables used in other actions.
The action requires `id-token: write` permissions.

```yaml
- name: setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: ${{ vars.AWS_REGION_NAME }}
Expand All @@ -45,9 +45,8 @@ The action requires `id-token: write` permissions.
> `actions/checkout action`
>
> The following keys MUST be defined in the ``AWS_SECRET_ID`` vault:
> `artifactory-username`, `artifactory-password`, `garasign-username`
> `garasign-password`, `gpg-key-id`. If uploading to an S3 bucket, also define
> `release-assets-bucket`.
> `garasign-username`, `garasign-password`, `gpg-key-id`.
> If uploading to an S3 bucket, also define `release-assets-bucket`.

## Signing tools

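Review bot: missing migration documentation in this README hunk: it drops `artifactory-username` and `artifactory-password` from the required vault keys, but nowhere in the README changes are the renamed action inputs mentioned (`artifactory_image` replaced by `ecr_repository` on `bump-version`, `create-branch` and `git-sign`, plus the new `ecr_registry` input on `git-sign`, as seen in the action.yml hunks of this PR). Since v3 is a breaking bump, a short note telling v2 callers which inputs to rename would save them from silently falling back to the defaults.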
Expand All @@ -59,17 +58,17 @@ Use this action to create signed git artifacts:

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Create signed commit
uses: mongodb-labs/drivers-github-tools/git-sign@v2
uses: mongodb-labs/drivers-github-tools/git-sign@v3
with:
command: "git commit -m 'Commit' -s --gpg-sign=${{ env.GPG_KEY_ID }}"

- name: Create signed tag
uses: mongodb-labs/drivers-github-tools/git-sign@v2
uses: mongodb-labs/drivers-github-tools/git-sign@v3
with:
command: "git tag -m 'Tag' -s --local-user=${{ env.GPG_KEY_ID }} -a <tag>"
```
Expand All @@ -83,7 +82,7 @@ an argument and update the version accordingly.

```yaml
- name: Bump version
uses: mongodb-labs/drivers-github-tools/bump-version@v2
uses: mongodb-labs/drivers-github-tools/bump-version@v3
with:
version: ${{ inputs.version }}
version_bump_script: "bash ./my-bump-version-script.sh"
Expand All @@ -97,7 +96,7 @@ tag message format if desired.

```yaml
- name: Tag version
uses: mongodb-labs/drivers-github-tools/tag-version@v2
uses: mongodb-labs/drivers-github-tools/tag-version@v3
with:
version: ${{ inputs.version }}
```
Expand All @@ -108,12 +107,12 @@ This action is used to create detached signatures for files:

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Create detached signature
uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
uses: mongodb-labs/drivers-github-tools/gpg-sign@v3
with:
filenames: somefile.ext
```
Expand All @@ -125,7 +124,7 @@ You can also supply a glob pattern to sign a group of files:

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

Expand All @@ -147,12 +146,12 @@ It will create the file `$S3_ASSETS/authorized_publication.txt`

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Create Authorized Publication Report
uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
uses: mongodb-labs/drivers-github-tools/authorized-pub@v3
with:
product_name: Mongo Python Driver
release_version: ${{ github.ref_name }}
Expand All @@ -166,12 +165,12 @@ This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`.

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Create SBOM
uses: mongodb-labs/drivers-github-tools/sbom@v2
uses: mongodb-labs/drivers-github-tools/sbom@v3
with:
sbom_in_path: sbom.json
```
Expand All @@ -184,12 +183,12 @@ working directory.

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Export Code Scanning Alerts
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3
```

### Compliance Report
Expand All @@ -199,12 +198,12 @@ called `ssdlc_compliance_report.md`.

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Generate compliance report
uses: mongodb-labs/drivers-github-tools/compliance-report@v2
uses: mongodb-labs/drivers-github-tools/compliance-report@v3
```

There are several ways to specify the security report:
Expand All @@ -219,12 +218,12 @@ in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbo

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Generate SSDLC Reports
uses: mongodb-labs/drivers-github-tools/full-report@v2
uses: mongodb-labs/drivers-github-tools/full-report@v3
with:
product_name: winkerberos
release_version: ${{ inputs.version }}
Expand All @@ -239,12 +238,12 @@ be uploaded to the product's S3 bucket:

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Upload S3 assets
uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3
with:
version: <release version>
product_name: <product_name>
Expand All @@ -264,12 +263,12 @@ prerelease version, and push the changes.

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- name: Create Release Branch
uses: mongodb-labs/drivers-github-tools/create-branch@v2
uses: mongodb-labs/drivers-github-tools/create-branch@v3
with:
# user inputs
branch: ...
Expand All @@ -292,7 +291,7 @@ Push the commit and tag to the source branch unless `dry_run` is set.

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

Expand Down Expand Up @@ -343,11 +342,11 @@ post-publish:
security-events: write
steps:
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- uses: mongodb-labs/drivers-github-tools/python/post-publish@v2
- uses: mongodb-labs/drivers-github-tools/python/post-publish@v3
with:
version: ${{ inputs.version }}
following_version: ${{ inputs.following_version }}
Expand All @@ -370,7 +369,7 @@ Push the commit and tag to the source branch unless `dry_run` is set.

```yaml
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

Expand Down Expand Up @@ -419,11 +418,11 @@ post-publish:
security-events: write
steps:
- name: Setup
uses: mongodb-labs/drivers-github-tools/setup@v2
uses: mongodb-labs/drivers-github-tools/setup@v3
with:
...

- uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v2
- uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v3
with:
following_version: ${{ inputs.following_version }}
version_bump_script: ./.github/scripts/bump-version.sh
10 changes: 5 additions & 5 deletions bump-version/action.yml
Expand Up @@ -16,9 +16,9 @@ inputs:
working_directory:
description: The working directory for the version bump
default: "."
artifactory_image:
description: "Image to use for artifactory"
default: release-tools-container-registry-local/garasign-git
ecr_repository:
description: "The ECR repository to use"
default: release-infrastructure/garasign-git

runs:
using: composite
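Review bot: renaming the `artifactory_image` input to `ecr_repository` is a breaking change for callers that set the old name; a composite action only emits a warning annotation for an unexpected input, so such callers would silently fall back to the default `release-infrastructure/garasign-git`. That is acceptable for a v3 bump, but it should be stated in the README, and the `description` here could say that this is the repository path only (the registry host comes from elsewhere) to avoid confusion with the full image reference the old input took.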
Expand All @@ -36,10 +36,10 @@ runs:
export COMMIT_MESSAGE=$(echo "${{ inputs.commit_template }}" | envsubst)
echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_ENV
- name: Commit the version bump
uses: mongodb-labs/drivers-github-tools/git-sign@v2
uses: mongodb-labs/drivers-github-tools/git-sign@v3
with:
command: git commit -a -m \"${{ env.COMMIT_MESSAGE }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }}
artifactory_image: ${{ inputs.artifactory_image }}
ecr_repository: ${{ inputs.ecr_repository }}
- name: Push the commit to the source branch
shell: bash -eux {0}
run: |
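Review bot: `git-sign@v3` now also accepts an `ecr_registry` input, but this step forwards only `ecr_repository`, so a caller of `bump-version` cannot override the registry and always gets the hard-coded default inside `git-sign`. Either add a matching `ecr_registry` input here and pass it through alongside `ecr_repository: ${{ inputs.ecr_repository }}`, or document that only the repository is configurable at this level.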
19 changes: 7 additions & 12 deletions create-branch/action.yml
Expand Up @@ -23,15 +23,10 @@ inputs:
release_workflow_path:
description: The path to the release workflow file
default: .github/workflows/release.yml
artifactory_image:
description: Image to use for artifactory
default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
# Unused inputs, to be removed in V3.
sbom_file_path:
description: The path of the sbom-lite file
default: sbom.json
silk_group_prefix:
description: The prefix to use for the silk asset group, defaults to the repo name
ecr_repository:
description: "The ECR repository to use"
default: release-infrastructure/garasign-git

runs:
using: composite
steps:
Expand All @@ -43,11 +38,11 @@ runs:
SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
run: ${{ github.action_path }}/create-branch.sh
- uses: mongodb-labs/drivers-github-tools/bump-version@v2
- uses: mongodb-labs/drivers-github-tools/bump-version@v3
with:
version: ${{ inputs.version }}
version_bump_script: ${{ inputs.version_bump_script }}
commit_template: "Prep branch ${{ inputs.branch_name }}"
push_commit: ${{ inputs.push_changes }}
push_commit: ${{ inputs.push_changes }}
ecr_repository: ${{ inputs.ecr_repository }}
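Review bot: the unchanged context line `SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}` still references `sbom_file_path`, which the previous hunk removes from `inputs`, so that variable now always expands to an empty string; either keep the input or drop this env line together with whatever `create-branch.sh` does with it. Similarly, `ARTIFACTORY_IMAGE` is removed from the step env but `create-branch.sh` itself is not part of this diff, so please confirm the script no longer reads that variable.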
11 changes: 4 additions & 7 deletions full-report/action.yml
Expand Up @@ -31,15 +31,12 @@ inputs:
description: The distribution filename or glob pattern
token:
description: The GitHub access token
# No longer used, to be removed in V3.
silk_asset_group:
description: The Silk Asset Group for the Project

runs:
using: composite
steps:
- name: Generate Authorized Publication Report
uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
uses: mongodb-labs/drivers-github-tools/authorized-pub@v3
with:
product_name: ${{ inputs.product_name }}
release_version: ${{ inputs.release_version }}
Expand All @@ -48,19 +45,19 @@ runs:
- name: Generate SBOM File
# not all packages have third party dependencies, and so not all packages integrate with silk.
if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
uses: mongodb-labs/drivers-github-tools/sbom@v2
uses: mongodb-labs/drivers-github-tools/sbom@v3
with:
silk_asset_group: ${{ inputs.silk_asset_group }}
sbom_file_name: ${{ inputs.sbom_file_name }}
kondukto_sub_project: ${{ inputs.kondukto_sub_project }}
sbom_in_path: ${{ inputs.sbom_in_path }}
- name: Generate Sarif File
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3
with:
ref: ${{ inputs.sarif_report_target_ref || inputs.release_version }}
output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
- name: Generate Compliance Report
uses: mongodb-labs/drivers-github-tools/compliance-report@v2
uses: mongodb-labs/drivers-github-tools/compliance-report@v3
with:
release_version: ${{ inputs.release_version }}
security_report_location: ${{ inputs.security_report_location }}
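Review bot: `inputs.silk_asset_group` is still used in the `if:` of the "Generate SBOM File" step and forwarded as `silk_asset_group:` to `sbom@v3`, even though the previous hunk removes that input; the condition therefore reduces to whether `sbom_in_path` is set, and the forwarded value is always empty. Simplify the condition to a single expression, `if: ${{ inputs.sbom_in_path }}`, drop the `silk_asset_group:` line unless `sbom@v3` still accepts it, and update the stale comment about silk integration above it.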
24 changes: 16 additions & 8 deletions git-sign/action.yml
Expand Up @@ -4,20 +4,28 @@ inputs:
command:
description: "Command to run inside the container"
required: true
artifactory_image:
description: "Image to use for artifactory"
default: release-tools-container-registry-local/garasign-git
ecr_registry:
description: "The ECR registry to use"
default: "901841024863.dkr.ecr.us-east-1.amazonaws.com"
ecr_repository:
description: "The ECR repository to use"
default: release-infrastructure/garasign-git

runs:
using: composite
steps:
- name: "Run git command"
env:
ECR_REGISTRY: ${{ inputs.ecr_registry }}
ECR_REPOSITORY: ${{ inputs.ecr_repository }}
COMMAND: ${{ inputs.command }}
run: |
podman run \
WORKING_DIR=/home/git-checkout
docker run \
--env-file=$GARASIGN_ENVFILE \
--rm \
-v $(pwd):$(pwd) \
-w $(pwd) \
${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
/bin/bash -c "gpgloader && ${{ inputs.command }}"
-v $(pwd):$WORKING_DIR \
-w $WORKING_DIR \
${ECR_REGISTRY}/${ECR_REPOSITORY} \
/bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${COMMAND}"
shell: bash
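Review bot: the `ecr_registry` default hard-codes an AWS account ID and region (`901841024863.dkr.ecr.us-east-1.amazonaws.com`), whereas the old code took the registry from `${ARTIFACTORY_REGISTRY}`, an environment variable exported by the `setup` action; since `setup` already logs in to ECR, consider having it export the registry host as well and falling back to that variable in the run step (for example `${ECR_REGISTRY:-$DEFAULT_FROM_SETUP}`), so the registry is defined in one place and a region or account change does not require editing every action. Passing the command through the `COMMAND` env var instead of templating `${{ inputs.command }}` straight into the run script is a welcome hardening of the shell invocation, and the `git config --global --add safe.directory $WORKING_DIR` line is needed now that the checkout is bind-mounted at a fixed path whose owner may differ from the container user; one nit is that `$GARASIGN_ENVFILE` and `$(pwd)` remain unquoted, so a workspace path containing spaces would still break the `docker run` line.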