PYTHON-5432 Use ECR instead of artifactory and update to v3

.github/workflows/version.txt

@@ -1 +1 @@
-2
+3

README.md

@@ -11,7 +11,7 @@ This action will perform a checkout with the GitHub App credentials.
 
 ```yaml
 - name: secure-checkout
-  uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+  uses: mongodb-labs/drivers-github-tools/secure-checkout@v3
   with:
     app_id: ${{ vars.APP_ID }}
     private_key: ${{ secrets.APP_PRIVATE_KEY }}
@@ -26,13 +26,13 @@ used with the `gh` cli.
 
 There is a common setup action that is meant to be run before all
 other actions.  It handles fetching secrets from AWS Secrets Manager,
-signing into Artifactory, setting up Garasign credentials, and
+signing into ECR, setting up Garasign credentials, and
 setting up environment variables used in other actions.
 The action requires `id-token: write` permissions.
 
 ```yaml
 - name: setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
     aws_region_name: ${{ vars.AWS_REGION_NAME }}
@@ -45,9 +45,8 @@ The action requires `id-token: write` permissions.
 > `actions/checkout action`
 >
 > The following keys MUST be defined in the ``AWS_SECRET_ID`` vault:
-> `artifactory-username`, `artifactory-password`, `garasign-username`
-> `garasign-password`, `gpg-key-id`.  If uploading to an S3 bucket, also define
-> `release-assets-bucket`.
+> `garasign-username`, `garasign-password`, `gpg-key-id`.
+> If uploading to an S3 bucket, also define `release-assets-bucket`.
 
 ## Signing tools
 
@@ -59,17 +58,17 @@ Use this action to create signed git artifacts:
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Create signed commit
-  uses: mongodb-labs/drivers-github-tools/git-sign@v2
+  uses: mongodb-labs/drivers-github-tools/git-sign@v3
   with:
     command: "git commit -m 'Commit' -s --gpg-sign=${{ env.GPG_KEY_ID }}"
 
 - name: Create signed tag
-  uses: mongodb-labs/drivers-github-tools/git-sign@v2
+  uses: mongodb-labs/drivers-github-tools/git-sign@v3
   with:
     command: "git tag -m 'Tag' -s --local-user=${{ env.GPG_KEY_ID }} -a <tag>"
 ```
@@ -83,7 +82,7 @@ an argument and update the version accordingly.
 
 ```yaml
 - name: Bump version
-  uses: mongodb-labs/drivers-github-tools/bump-version@v2
+  uses: mongodb-labs/drivers-github-tools/bump-version@v3
   with:
     version: ${{ inputs.version }}
     version_bump_script: "bash ./my-bump-version-script.sh"
@@ -97,7 +96,7 @@ tag message format if desired.
 
 ```yaml
 - name: Tag version
-  uses: mongodb-labs/drivers-github-tools/tag-version@v2
+  uses: mongodb-labs/drivers-github-tools/tag-version@v3
   with:
     version: ${{ inputs.version }}
 ```
@@ -108,12 +107,12 @@ This action is used to create detached signatures for files:
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Create detached signature
-  uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+  uses: mongodb-labs/drivers-github-tools/gpg-sign@v3
   with:
     filenames: somefile.ext
 ```
@@ -125,7 +124,7 @@ You can also supply a glob pattern to sign a group of files:
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
@@ -147,12 +146,12 @@ It will create the file `$S3_ASSETS/authorized_publication.txt`
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Create Authorized Publication Report
-  uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+  uses: mongodb-labs/drivers-github-tools/authorized-pub@v3
   with:
     product_name: Mongo Python Driver
     release_version: ${{ github.ref_name }}
@@ -166,12 +165,12 @@ This action will download an Augmented SBOM file in `$RELEASE_ASSETS/sbom.json`.
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Create SBOM
-  uses: mongodb-labs/drivers-github-tools/sbom@v2
+  uses: mongodb-labs/drivers-github-tools/sbom@v3
   with:
     sbom_in_path: sbom.json
 ```
@@ -184,12 +183,12 @@ working directory.
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Export Code Scanning Alerts
-  uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+  uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3
 ```
 
 ### Compliance Report
@@ -199,12 +198,12 @@ called `ssdlc_compliance_report.md`.
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Generate compliance report
-  uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+  uses: mongodb-labs/drivers-github-tools/compliance-report@v3
 ```
 
 There are several ways to specify the security report:
@@ -219,12 +218,12 @@ in the `S3_ASSETS` folder. This composite action runs the `authorized-pub`, `sbo
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Generate SSDLC Reports
-  uses: mongodb-labs/drivers-github-tools/full-report@v2
+  uses: mongodb-labs/drivers-github-tools/full-report@v3
   with:
     product_name: winkerberos
     release_version: ${{ inputs.version }}
@@ -239,12 +238,12 @@ be uploaded to the product's S3 bucket:
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Upload S3 assets
-  uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+  uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3
   with:
     version: <release version>
     product_name: <product_name>
@@ -264,12 +263,12 @@ prerelease version, and push the changes.
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
 - name: Create Release Branch
-  uses: mongodb-labs/drivers-github-tools/create-branch@v2
+  uses: mongodb-labs/drivers-github-tools/create-branch@v3
   with:
     # user inputs
     branch: ...
@@ -292,7 +291,7 @@ Push the commit and tag to the source branch unless `dry_run` is set.
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
@@ -343,11 +342,11 @@ post-publish:
     security-events: write
   steps:
   - name: Setup
-    uses: mongodb-labs/drivers-github-tools/setup@v2
+    uses: mongodb-labs/drivers-github-tools/setup@v3
     with:
       ...
 
-  - uses: mongodb-labs/drivers-github-tools/python/post-publish@v2
+  - uses: mongodb-labs/drivers-github-tools/python/post-publish@v3
     with:
       version: ${{ inputs.version }}
       following_version: ${{ inputs.following_version }}
@@ -370,7 +369,7 @@ Push the commit and tag to the source branch unless `dry_run` is set.
 
 ```yaml
 - name: Setup
-  uses: mongodb-labs/drivers-github-tools/setup@v2
+  uses: mongodb-labs/drivers-github-tools/setup@v3
   with:
     ...
 
@@ -419,11 +418,11 @@ post-publish:
     security-events: write
   steps:
   - name: Setup
-    uses: mongodb-labs/drivers-github-tools/setup@v2
+    uses: mongodb-labs/drivers-github-tools/setup@v3
     with:
       ...
 
-  - uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v2
+  - uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v3
     with:
       following_version: ${{ inputs.following_version }}
       version_bump_script: ./.github/scripts/bump-version.sh

bump-version/action.yml

@@ -16,9 +16,9 @@ inputs:
   working_directory:
     description: The working directory for the version bump
     default: "."
-  artifactory_image:
-    description: "Image to use for artifactory"
-    default: release-tools-container-registry-local/garasign-git
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
 
 runs:
   using: composite
@@ -36,10 +36,10 @@ runs:
         export COMMIT_MESSAGE=$(echo "${{ inputs.commit_template }}" | envsubst)
         echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_ENV
     - name: Commit the version bump
-      uses: mongodb-labs/drivers-github-tools/git-sign@v2
+      uses: mongodb-labs/drivers-github-tools/git-sign@v3
       with:
         command: git commit -a -m \"${{ env.COMMIT_MESSAGE }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }}
-        artifactory_image: ${{ inputs.artifactory_image }}
+        ecr_repository: ${{ inputs.ecr_repository }}
     - name: Push the commit to the source branch
       shell: bash -eux {0}
       run: |

create-branch/action.yml

@@ -23,15 +23,10 @@ inputs:
   release_workflow_path:
     description: The path to the release workflow file
     default: .github/workflows/release.yml
-  artifactory_image:
-    description: Image to use for artifactory
-    default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
-  # Unused inputs, to be removed in V3.
-  sbom_file_path:
-      description: The path of the sbom-lite file
-      default: sbom.json
-  silk_group_prefix:
-    description: The prefix to use for the silk asset group, defaults to the repo name
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
+
 runs:
   using: composite
   steps:
@@ -43,11 +38,11 @@ runs:
         SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
         RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
         EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
-        ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
       run: ${{ github.action_path }}/create-branch.sh
-    - uses: mongodb-labs/drivers-github-tools/bump-version@v2
+    - uses: mongodb-labs/drivers-github-tools/bump-version@v3
       with:
         version: ${{ inputs.version }}
         version_bump_script: ${{ inputs.version_bump_script }}
         commit_template: "Prep branch ${{ inputs.branch_name }}"
-        push_commit: ${{ inputs.push_changes }}
+        push_commit: ${{ inputs.push_changes }}
+        ecr_repository: ${{ inputs.ecr_repository }}

full-report/action.yml

@@ -31,15 +31,12 @@ inputs:
     description: The distribution filename or glob pattern
   token:
     description: The GitHub access token
-  # No longer used, to be removed in V3.
-  silk_asset_group:
-    description: The Silk Asset Group for the Project
 
 runs:
   using: composite
   steps:
     - name: Generate Authorized Publication Report
-      uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+      uses: mongodb-labs/drivers-github-tools/authorized-pub@v3
       with:
         product_name: ${{ inputs.product_name }}
         release_version: ${{ inputs.release_version }}
@@ -48,19 +45,19 @@ runs:
     - name: Generate SBOM File
       # not all packages have third party dependencies, and so not all packages integrate with silk.
       if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
-      uses: mongodb-labs/drivers-github-tools/sbom@v2
+      uses: mongodb-labs/drivers-github-tools/sbom@v3
       with:
         silk_asset_group: ${{ inputs.silk_asset_group }}
         sbom_file_name: ${{ inputs.sbom_file_name }}
         kondukto_sub_project: ${{ inputs.kondukto_sub_project }}
         sbom_in_path: ${{ inputs.sbom_in_path }}
     - name: Generate Sarif File
-      uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+      uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3
       with:
         ref: ${{ inputs.sarif_report_target_ref || inputs.release_version }}
         output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
     - name: Generate Compliance Report
-      uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+      uses: mongodb-labs/drivers-github-tools/compliance-report@v3
       with:
         release_version: ${{ inputs.release_version }}
         security_report_location: ${{ inputs.security_report_location }}

git-sign/action.yml

@@ -4,20 +4,28 @@ inputs:
   command:
     description: "Command to run inside the container"
     required: true
-  artifactory_image:
-    description: "Image to use for artifactory"
-    default: release-tools-container-registry-local/garasign-git
+  ecr_registry:
+    description: "The ECR registry to use"
+    default: "901841024863.dkr.ecr.us-east-1.amazonaws.com"
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
 
 runs:
   using: composite
   steps:
     - name: "Run git command"
+      env:
+        ECR_REGISTRY: ${{ inputs.ecr_registry }}
+        ECR_REPOSITORY: ${{ inputs.ecr_repository }}
+        COMMAND: ${{ inputs.command }}
       run: |
-        podman run \
+        WORKING_DIR=/home/git-checkout
+        docker run \
           --env-file=$GARASIGN_ENVFILE \
           --rm \
-          -v $(pwd):$(pwd) \
-          -w $(pwd) \
-          ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
-          /bin/bash -c "gpgloader && ${{ inputs.command }}"
+          -v $(pwd):$WORKING_DIR \
+          -w $WORKING_DIR \
+          ${ECR_REGISTRY}/${ECR_REPOSITORY} \
+          /bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${COMMAND}"
       shell: bash