Refactor Actions and Add Python-Specific Actions (#6)

README.md

@@ -5,6 +5,28 @@
 
 This repository contains GitHub Actions that are common to drivers.
 
+## Setup
+
+There is a common setup action that is meant to be run before all
+other actions.  It handles fetching secrets from AWS Secrets Manager,
+signing into Artifactory, setting up Garasign credentials, and
+setting up environment variables used in other actions.
+The action requires `id-token: write` permissions.
+
+```yaml
+- name: setup
+  uses: mongodb/drivers-github-tools/setup@v2
+  with:
+    aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+    aws_region_name: ${{ vars.AWS_REGION_NAME }}
+    aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+```
+
+> [!Note]
+> You *must* use the `actions/checkout` action prior to calling the `setup` action,
+> Since the `setup` action sets up git config that would be overridden by the
+> `actions/checkout action`
+
 ## Signing tools
 
 The actions in the `garasign` folder are used to sign artifacts using the team's
@@ -15,78 +37,119 @@ GPG key.
 Use this action to create signed git artifacts:
 
 ```yaml
-- name: "Create signed commit"
-  uses: mongodb/drivers-github-tools/garasign/git-sign@main
+- name: Setup
+  uses: mongodb/drivers-github-tools/setup@v2
   with:
-    command: "git commit -m 'Commit' -s --gpg-sign=${{ vars.GPG_KEY_ID }}"
-    garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
-    garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
-    artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-    artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
-
-- name: "Create signed tag"
-  uses: mongodb/drivers-github-tools/garasign/git-sign@main
-  with:
-    command: "git tag -m 'Tag' -s --local-user=${{ vars.GPG_KEY_ID }} <tag>"
-    garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
-    garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
-    artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-    artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
-    skip_setup: true
-```
+    ...
 
-If the action is used multiple times within the same job, the `skip_setup`
-option can be set to a truthy value to avoid unnecessary logins to artifactory.
+- name: Create signed commit
+  uses: mongodb/drivers-github-tools/git-sign@v2
+
+- name: Create signed tag
+  uses: mongodb/drivers-github-tools/git-sign@v2
+```
 
 ### gpg-sign
 
 This action is used to create detached signatures for files:
 
 ```yaml
-- name: "Create detached signature"
-  uses: mongodb/drivers-github-tools/garasign/gpg-sign@main
+- name: Setup
+  uses: mongodb/drivers-github-tools/setup@v2
+  with:
+    ...
+
+- name: Create detached signature
+  uses: mongodb/drivers-github-tools/gpg-sign@v2
   with:
     filenames: somefile.ext
-    garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
-    garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
-    artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-    artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
 ```
 
 The action will create a signature file `somefile.ext.sig` in the working
 directory.
-If the action is used multiple times within the same job, the `skip_setup`
-option can be set to a truthy value to avoid unnecessary logins to artifactory.
 
-You can also supply multiple space-separated filenames to sign a list of files:
+You can also supply a glob pattern to sign a group of files:
 
 ```yaml
-- name: "Create detached signature"
-  uses: mongodb/drivers-github-tools/garasign/gpg-sign@main
+- name: Setup
+  uses: mongodb/drivers-github-tools/setup@v2
+  with:
+    ...
+
+- name: Create detached signature
+  uses: mongodb/drivers-github-tools/garasign/gpg-sign@v1
   with:
     filenames: dist/*
-    garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
-    garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
-    artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-    artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
 ```
 
 ## Reporting tools
 
 The following tools are meant to aid in generating Software Security Development Lifecycle
 reports associated with a product release.
 
-### Papertrail
+### Authorized Publication
 
 This action will create a record of authorized publication on distribution channels.
-By default it will create a "papertrail.txt" file in the current directory.
+It will create the file `$S3_ASSETS/authorized_publication.txt`
 
 ```yaml
-- name: "Create papertrail report"
-  uses: mongodb/drivers-github-tools/papertrail@main
+- name: Setup
+  uses: mongodb/drivers-github-tools/setup@v2
+  with:
+    ...
+
+- name: Create Authorized Publication Report
+  uses: mongodb/drivers-github-tools/authorized-pub@v2
   with:
     product_name: Mongo Python Driver
     release_version: ${{ github.ref_name }}
     filenames: dist/*
     token: ${{ github.token }}
 ```
+
+## Python Helper Scripts
+
+These scripts are opinionated helper scripts for Python releases.
+
+### Bump and Tag
+
+Bump the version and create a new tag.  Verify the tag.
+Push the commit and tag to the source branch unless `dry_run` is set.
+
+```yaml
+- name: Setup
+  uses: mongodb/drivers-github-tools/setup@v2
+  with:
+    ...
+
+- uses: mongodb/drivers-github-tools/python/bump-and-tag@v2
+  with:
+    version: ${{ inputs.version }}
+    version_bump_script: ./.github/scripts/bump-version.sh
+    dry_run: ${{ inputs.dry_run }}
+```
+
+### Publish
+
+Handles tasks related to publishing Python packages, including
+signing `dist` file and publishing the `dist` files to PyPI.
+It will also push the following (dev) version to the source branch.
+It will create a draft GitHub release and attach the signature files.
+Finally, it will publish a report to the appropriate S3 bucket.
+If `dry_run` is set, nothing will be published or pushed.
+
+```yaml
+- name: Setup
+  uses: mongodb/drivers-github-tools/setup@v2
+  with:
+    ...
+
+- uses: mongodb-labs/drivers-github-tools/python/publish@v2
+  with:
+    version: ${{ inputs.version }}
+    following_version: ${{ inputs.following_version }}
+    version_bump_script: ./.github/scripts/bump-version.sh
+    product_name: winkerberos
+    token: ${{ github.token }}
+    dry_run: ${{ inputs.dry_run }}
+```

authorized-pub/action.yml

@@ -0,0 +1,35 @@
+name: Authorized Publication
+description: Generate report for authorized publication on distribution channels
+inputs:
+  product_name:
+    description: Name of product
+    required: true
+  release_version:
+    description: The release version
+    required: true
+  filenames:
+    description: Artifact filename(s) to include in the report, can be a glob pattern
+    required: true
+  token:
+    description: The GitHub token for the action
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Prepare report
+      shell: bash
+      run: |
+          export GH_TOKEN=${{ inputs.token }}
+          NAME=$(gh api users/${{ github.actor }} --jq '.name')
+          export REPORT=$S3_ASSETS/authorized_publication.txt
+          echo "Product: ${{ inputs.product_name }}" > $REPORT
+          echo "Version: ${{ inputs.release_version }}" >> $REPORT
+          echo "Releaser: $NAME"  >> $REPORT
+          echo "Build Source: GitHub Actions"
+          echo "Build Number: ${{ github.run_id }}"
+          for filename in ${{ inputs.filenames }}; do
+              SHA=$(shasum -a 256 $filename | awk '{print $1;}')
+              echo "Filename: $filename"  >> $REPORT
+              echo "Shasum: $SHA"  >> $REPORT
+          done

git-sign/action.yml

@@ -0,0 +1,23 @@
+name: "Run git actions in a signing container"
+description: "Allows running arbitrary git actions in a container with GPG keys loaded"
+inputs:
+  command:
+    description: "Command to run inside the container"
+    required: true
+  artifactory_image:
+    description: "Image to use for artifactory"
+    default: release-tools-container-registry-local/garasign-git
+
+runs:
+  using: composite
+  steps:
+    - name: "Run git command"
+      run: |
+        podman run \
+          --env-file=$GARASIGN_ENVFILE \
+          --rm \
+          -v $(pwd):$(pwd) \
+          -w $(pwd) \
+          ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
+          /bin/bash -c "gpgloader && ${{ inputs.command }}"
+      shell: bash

gpg-sign/action.yml

@@ -0,0 +1,28 @@
+name: "Sign artifact(s) using garasign"
+description: "Signs release artifact(s)"
+inputs:
+  filenames:
+    description: "File name(s) to sign, can be a glob pattern"
+    required: true
+  artifactory_image:
+    description: "Image to use for artifactory"
+    default: release-tools-container-registry-local/garasign-gpg
+
+runs:
+  using: composite
+  steps:
+    - name: "Create detached signature for file"
+      shell: bash
+      run: |
+        podman run \
+          --env-file=$GARASIGN_ENVFILE \
+          --rm \
+          -v $(pwd):$(pwd) \
+          -w $(pwd) \
+          ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
+          /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output ${filename}.sig ${filename}; done'
+
+    - name: "Move the signature files to the release directory"
+      shell: bash
+      run: |
+        mv ${{inputs.filenames}}.sig $RELEASE_ASSETS