Merge branch 'master' into SA_refactor_feature_branch

Author: jeroenvervaeke

.github/workflows/code-health.yml

@@ -391,8 +391,15 @@ jobs:
         with:
           go-version-file: 'go.mod'
       - run: go install gotest.tools/gotestsum@latest
+      - name: set Apix Bot token
+        id: app-token
+        uses: mongodb/apix-action/token@3024080388613583e3bd119bfb1ab4b4dbf43c42
+        with:
+          app-id: ${{ secrets.APIXBOT_APP_ID }}
+          private-key: ${{ secrets.APIXBOT_APP_PEM }}
       - run: make e2e-test-snapshots
         env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           TEST_CMD: gotestsum --junitfile e2e-tests.xml --format standard-verbose --
       - name: Test Summary
         if: always()

.github/workflows/labeler.yaml

@@ -56,7 +56,7 @@ jobs:
         with:
           header: pr-title-slack-doc
           message: "APIx Bot :bowtie:: a message has been sent to Docs Slack channel :rocket:."
-      - uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52
+      - uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a
         if: env.review_needed == 'true' && steps.append_comment.outputs.previous_comment_id == ''
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK_URL_DOCS }}

.github/workflows/update-ssdlc-report.yaml

@@ -17,8 +17,17 @@ jobs:
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1
         with:
           config: ${{ vars.PERMISSIONS_CONFIG }}
+      - name: set Apix Bot token
+        id: app-token
+        uses: mongodb/apix-action/token@3024080388613583e3bd119bfb1ab4b4dbf43c42
+        with:
+          app-id: ${{ secrets.APIXBOT_APP_ID }}
+          private-key: ${{ secrets.APIXBOT_APP_PEM }}
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          ref: master
       - name: Extract AUTHOR and VERSION
         id: extract
         run: |
@@ -40,79 +49,9 @@ jobs:
           VERSION: ${{ steps.extract.outputs.version }}
           AUGMENTED_REPORT: "false"
         run: ./build/package/gen-ssdlc-report.sh
-      - name: set Apix Bot token
-        id: app-token
-        uses: mongodb/apix-action/token@3024080388613583e3bd119bfb1ab4b4dbf43c42
-        with:
-          app-id: ${{ secrets.APIXBOT_APP_ID }}
-          private-key: ${{ secrets.APIXBOT_APP_PEM }}
-      - name: Find JIRA ticket
-        id: find
-        uses: mongodb/apix-action/find-jira@3024080388613583e3bd119bfb1ab4b4dbf43c42
-        with:
-          token: ${{ secrets.JIRA_API_TOKEN }}
-          jql: project = CLOUDP AND status NOT IN (Closed, Resolved) AND summary ~ "Update Compliance Report"
-      - name: Set JIRA ticket (find)
-        if: steps.find.outputs.found == 'true'
-        run: |
-          echo "JIRA_KEY=${{steps.find.outputs.issue-key}}" >> "$GITHUB_ENV"
-      - name: Create JIRA ticket
-        uses: mongodb/apix-action/create-jira@3024080388613583e3bd119bfb1ab4b4dbf43c42
-        id: create
-        if: steps.find.outputs.found == 'false'
-        with:
-          token: ${{ secrets.JIRA_API_TOKEN }}
-          project-key: CLOUDP
-          summary: "[AtlasCLI] Update Compliance Report"
-          issuetype: Story
-          description: Update Compliance Report
-          components: AtlasCLI
-          assignee: ${{ secrets.ASSIGNEE_JIRA_TICKET }}
-          extra-data: |
-            {
-              "fields": {
-                "fixVersions": [
-                  {
-                    "id": "41805"
-                  }
-                ],
-                "customfield_12751": [
-                  {
-                    "id": "22223"
-                  }
-                ],
-                "customfield_10257": {
-                  "id": "11861"
-                }
-              }
-            }
-      - name: Set JIRA ticket (create)
-        if: steps.find.outputs.found == 'false'
-        run: |
-          echo "JIRA_KEY=${{steps.create.outputs.issue-key}}" >> "$GITHUB_ENV"
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
-        id: pr
-        with:
-          token: ${{ steps.app-token.outputs.token }}
-          committer: "${{ steps.app-token.outputs.user-name }} <${{ steps.app-token.outputs.user-email }}>"
-          author: "${{ steps.app-token.outputs.user-name }} <${{ steps.app-token.outputs.user-email }}>"
-          title: "${{ env.JIRA_KEY }}: Update compliance report for v${{ steps.extract.outputs.version }}"
-          commit-message: "${{ env.JIRA_KEY }}: Update compliance report for v${{ steps.extract.outputs.version }}"
-          delete-branch: true
-          base: master
-          branch: ${{ env.JIRA_KEY }}
-          labels: |
-            compliance
-            auto_close_jira
-          body: |
-            ## Proposed changes
-            Update compliance report for v${{ steps.extract.outputs.version }}
-            _Jira ticket:_ ${{ env.JIRA_KEY }}
-
-            Note: Jira ticket will be closed automatically when this PR is merged.
-
-      - name: Set auto merge
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: |
-          gh pr merge "${{ steps.pr.outputs.pull-request-url }}" --auto --squash
+      - run: |
+          git config user.name "${{ steps.app-token.outputs.user-name }}"
+          git config user.email "${{ steps.app-token.outputs.user-email }}"
+          git add .
+          git commit -m "Update compliance report for v${{ steps.extract.outputs.version }}"
+          git push

build/ci/check-release-files.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeou pipefail
+
+if [[ -z "${version}" ]]; then
+    echo "version environment variable is not set"
+    exit 1
+fi
+
+# shellcheck disable=SC2154 # unstable is set by evergreen
+if [[ "${unstable}" == "-unstable" ]]; then
+    version="${version}-next"
+fi
+
+REQUIRED_FILES=(
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.deb"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.deb.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.rpm"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.rpm.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.tar.gz"
+    "dist/mongodb-atlas-cli_${version}_linux_arm64.tar.gz.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.deb"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.deb.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.rpm"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.rpm.sig"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.tar.gz"
+    "dist/mongodb-atlas-cli_${version}_linux_x86_64.tar.gz.sig"
+    "dist/mongodb-atlas-cli_${version}_macos_arm64.zip"
+    "dist/mongodb-atlas-cli_${version}_macos_x86_64.zip"
+    "dist/mongodb-atlas-cli_${version}_windows_x86_64.msi"
+    "dist/mongodb-atlas-cli_${version}_windows_x86_64.zip"
+    "sbom.json"
+)
+
+for file in "${REQUIRED_FILES[@]}"; do
+    if [[ ! -f "${file}" ]]; then
+        echo "${file} is missing"
+        exit 1
+    fi
+done

build/ci/release.yml

@@ -350,6 +350,29 @@ functions:
           set -Eeou pipefail
           echo "${__project_aws_ssh_key_value}" > ./build/ci/ssh_id
           chmod 0600 ./build/ci/ssh_id
+  "check-git-dirty":
+    - command: shell.exec
+      params:
+        <<: *go_options
+        script: |
+          set -Eeou pipefail
+          git checkout -- dist/.keep
+          OUTPUT=$(git status --porcelain)
+          if [ -z "$OUTPUT" ]; then
+            echo "Git is clean"
+          else
+            echo "Git is dirty"
+            echo "$OUTPUT"
+            exit 1
+          fi
+  "check-required-files":
+    - command: subprocess.exec
+      params:
+        <<: *go_options
+        include_expansions_in_env:
+          - unstable
+          - version
+        binary: build/ci/check-release-files.sh
 tasks:
   - name: package_goreleaser
     tags: ["packaging"]
@@ -417,15 +440,14 @@ tasks:
             - src/github.com/mongodb/mongodb-atlas-cli/dist/*.sig
           remote_file: mongocli/
           build_variants:
-            - release_mongocli_github
             - release_atlascli_github
           bucket: cdn-origin-mongocli
           permissions: private
           content_type: ${content_type|application/x-gzip}
           display_name: downloads-center-
+      - func: "check-required-files"
+      - func: "check-git-dirty"
       - func: "trace artifacts"
-        vars:
-          unstable: ${unstable}
       - func: "send slack notification"
   - name: push_atlascli_generate
     patchable: false

build/package/linux_notarize.sh

@@ -20,22 +20,26 @@ set -Eeou pipefail
 # This depends on binaries being generated in a goreleaser manner and gon being set up.
 # goreleaser should already take care of calling this script as a part of a custom publisher.
 
-echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" >> "signing-envfile"
+if [[ ! -f "${artifact:?}" ]]; then
+  echo "artifact ${artifact} does not exist"
+  exit 1
+fi
+
+echo "GRS_CONFIG_USER1_USERNAME=${GRS_USERNAME}" > "signing-envfile"
 echo "GRS_CONFIG_USER1_PASSWORD=${GRS_PASSWORD}" >> "signing-envfile"
 
-if [[ -f "${artifact:?}" ]]; then
-  echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
+echo "${ARTIFACTORY_PASSWORD}" | podman login --password-stdin --username "${ARTIFACTORY_USERNAME}" artifactory.corp.mongodb.com
 
-  echo "notarizing Linux binary ${artifact}"
+echo "notarizing Linux binary ${artifact}"
 
-  podman run \
-    --env-file=signing-envfile \
-    --rm \
-    -v "$(pwd)":"$(pwd)" \
-    -w "$(pwd)" \
-    artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg \
-    /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${artifact}.sig --detach-sign ${artifact}"
-fi
+podman run \
+  --env-file=signing-envfile \
+  --rm \
+  -v "$(pwd)":"$(pwd)" \
+  -w "$(pwd)" \
+  artifactory.corp.mongodb.com/release-tools-container-registry-local/garasign-gpg \
+  /bin/bash -c "gpgloader && gpg --yes -v --armor -o ${artifact}.sig --detach-sign ${artifact}"
 
-echo "Signing of ${artifact} completed."
+rm -rf signing-envfile
 
+echo "Signing of ${artifact} completed."

build/package/purls.txt

@@ -5,7 +5,7 @@ pkg:golang/cloud.google.com/go/[email protected]
 pkg:golang/cloud.google.com/go/[email protected]
 pkg:golang/cloud.google.com/go/[email protected]
 pkg:golang/github.com/AlecAivazis/survey/[email protected]
-pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/[email protected].0
+pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/[email protected].1
 pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/[email protected]
 pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/[email protected]
 pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/[email protected]
@@ -109,16 +109,16 @@ pkg:golang/go.opentelemetry.io/otel/[email protected]
 pkg:golang/go.opentelemetry.io/[email protected]
 pkg:golang/go.uber.org/[email protected]
 pkg:golang/[email protected]
-pkg:golang/golang.org/x/crypto@v0.39.0
-pkg:golang/golang.org/x/mod@v0.25.0
-pkg:golang/golang.org/x/net@v0.41.0
+pkg:golang/golang.org/x/crypto@v0.40.0
+pkg:golang/golang.org/x/mod@v0.26.0
+pkg:golang/golang.org/x/net@v0.42.0
 pkg:golang/golang.org/x/[email protected]
-pkg:golang/golang.org/x/sync@v0.15.0
-pkg:golang/golang.org/x/sys@v0.33.0
-pkg:golang/golang.org/x/term@v0.32.0
-pkg:golang/golang.org/x/text@v0.26.0
+pkg:golang/golang.org/x/sync@v0.16.0
+pkg:golang/golang.org/x/sys@v0.34.0
+pkg:golang/golang.org/x/term@v0.33.0
+pkg:golang/golang.org/x/text@v0.27.0
 pkg:golang/golang.org/x/[email protected]
-pkg:golang/google.golang.org/api@v0.240.0
+pkg:golang/google.golang.org/api@v0.241.0
 pkg:golang/google.golang.org/genproto/googleapis/[email protected]
 pkg:golang/google.golang.org/genproto/googleapis/[email protected]
 pkg:golang/google.golang.org/[email protected]

compliance/v1.46.2/ssdlc-compliance-1.46.2.md

@@ -0,0 +1,30 @@
+SSDLC Compliance Report: Atlas CLI 1.46.2
+=================================================================
+
+- Release Creator: apix-bot[bot]
+- Created On:       2025-07-14
+
+Overview:
+
+- **Product and Release Name**
+    - Atlas CLI 1.46.2, 2025-07-14.
+
+- **Process Document**
+  - https://www.mongodb.com/blog/post/how-mongodb-protects-against-supply-chain-vulnerabilities
+
+- **Tool used to track third party vulnerabilities**
+  - [Kondukto](https://arcticglow.kondukto.io/)
+
+- **Dependency Information**
+  - See SBOM Lite manifests (CycloneDX in JSON format):
+      - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv1.46.2/sbom.json
+
+- **Security Testing Report**
+  - Available as needed from Cloud Security.
+
+- **Security Assessment Report**
+  - Available as needed from Cloud Security.
+
+Assumptions and attestations:
+
+- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.

docs/command/atlas-accessLists-create.txt

@@ -14,11 +14,6 @@ atlas accessLists create
 
 Create an IP access list entry for your project.
 
-Public Preview: The atlas api sub-command, automatically generated from the MongoDB Atlas Admin API, offers full coverage of the Admin API and is currently in Public Preview (please provide feedback at https://feedback.mongodb.com/forums/930808-atlas-cli).
-Admin API capabilities have their own release lifecycle, which you can check via the provided API endpoint documentation link.
-
-
-
 The access list can contain trusted IP addresses, AWS security group IDs, and entries in Classless Inter-Domain Routing (CIDR) notation. You can add only one access list entry at a time. You can create one access list per project. 
 
 The command doesn't overwrite existing entries in the access list. Instead, it adds the new entries to the list of entries.

docs/command/atlas-accessLists-delete.txt

@@ -14,11 +14,6 @@ atlas accessLists delete
 
 Remove the specified IP access list entry from your project.
 
-Public Preview: The atlas api sub-command, automatically generated from the MongoDB Atlas Admin API, offers full coverage of the Admin API and is currently in Public Preview (please provide feedback at https://feedback.mongodb.com/forums/930808-atlas-cli).
-Admin API capabilities have their own release lifecycle, which you can check via the provided API endpoint documentation link.
-
-
-
 The command, when run without the force option, prompts you to confirm the operation.
 
 To use this command, you must authenticate with a user account or an API key with the Read Write role.