From 26ebd01fae399095abd74536d05641307f6f6792 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 09:57:56 -0500 Subject: [PATCH 01/40] Add setup action and python convenience actions --- authorized-pub/action.yml | 35 ++++++++++++ garasign/git-sign/action.yml | 58 ------------------- garasign/gpg-sign/action.yml | 58 ------------------- git-sign/action.yml | 20 +++++++ gpg-sign/action.yml | 25 +++++++++ papertrail/action.yml | 38 ------------- python/bump-and-tag/action.yml | 50 +++++++++++++++++ python/publish/action.yml | 71 +++++++++++++++++++++++ python/publish/publish.sh | 19 +++++++ setup/action.yml | 39 +++++++++++++ setup/setup.sh | 100 +++++++++++++++++++++++++++++++++ 11 files changed, 359 insertions(+), 154 deletions(-) create mode 100644 authorized-pub/action.yml delete mode 100644 garasign/git-sign/action.yml delete mode 100644 garasign/gpg-sign/action.yml create mode 100644 git-sign/action.yml create mode 100644 gpg-sign/action.yml delete mode 100644 papertrail/action.yml create mode 100644 python/bump-and-tag/action.yml create mode 100644 python/publish/action.yml create mode 100755 python/publish/publish.sh create mode 100644 setup/action.yml create mode 100755 setup/setup.sh diff --git a/authorized-pub/action.yml b/authorized-pub/action.yml new file mode 100644 index 0000000..7bcf677 --- /dev/null +++ b/authorized-pub/action.yml 
@@ -0,0 +1,35 @@
+name: Authorized Publication
+description: Generate report for authorized publication on distribution channels
+inputs:
+ product_name:
+ description: Name of product
+ required: true
+ release_version:
+ description: The release version
+ required: true
+ filenames:
+ description: Artifact filename(s) to include in the report, can be a glob pattern
+ required: true
+ token:
+ description: The GitHub token for the action
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - name: Prepare report
+ shell: bash
+ run: |
+ export GH_TOKEN=${{ inputs.token }}
+ NAME=$(gh api users/${{ github.actor }} --jq '.name')
+ export REPORT=$S3_ASSETS/authorized_publication.txt
+ echo "Product: ${{ inputs.product_name }}" > $REPORT
+ echo "Version: ${{ inputs.release_version }}" >> $REPORT
+ echo "Releaser: $NAME" >> $REPORT
+ echo "Build Source: GitHub Actions"
+ echo "Build Number: ${{ github.run_id }}"
+ for filename in ${{ inputs.filenames }}; do
+ SHA=$(shasum -a 256 $filename | awk '{print $1;}')
+ echo "Filename: $filename" >> $REPORT
+ echo "Shasum: $SHA" >> $REPORT
+ done
diff --git a/garasign/git-sign/action.yml b/garasign/git-sign/action.yml
deleted file mode 100644
index adfd484..0000000
--- a/garasign/git-sign/action.yml
+++ /dev/null
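Review bot: The `echo "Build Source: GitHub Actions"` and `echo "Build Number: ${{ github.run_id }}"` lines have no `>> $REPORT`, so those two fields land in the job log instead of the report file; append `>> $REPORT` to both. The token and the other inputs are interpolated into the script with `${{ }}`, which puts `inputs.token` into the rendered command text; passing them through `env:` (as python/publish/action.yml does with `GH_TOKEN`) and reading `"$GH_TOKEN"`, `$FILENAMES` in the script keeps the secret out of the script body and removes the shell-injection surface from input values. Quoting `"$filename"` in the `shasum` call would also keep paths with spaces intact.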
@@ -1,58 +0,0 @@ -name: "Run git actions in a signing container" -description: "Allows running arbitrary git actions in a container with GPG keys loaded" -inputs: - command: - description: "Command to run inside the container" - required: true - garasign_username: - description: "Garasign username" - required: true - garasign_password: - description: "Garasign password" - required: true - artifactory_username: - description: "Artifactory user" - required: true - artifactory_password: - description: "Artifactory password" - required: true - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git - artifactory_registry: - description: "Artifactory registry to be used" - default: artifactory.corp.mongodb.com - skip_setup: - description: "Whether to skip setup" - default: "false" - -runs: - using: composite - steps: - - name: Create the envfile - if: ${{ inputs.skip_setup == 'false' }} - run: | - cat << EOF > envfile - GRS_CONFIG_USER1_USERNAME=${{ inputs.garasign_username }} - GRS_CONFIG_USER1_PASSWORD=${{ inputs.garasign_password }} - EOF - shell: bash - - - name: Log in to artifactory - if: ${{ inputs.skip_setup == 'false' }} - uses: redhat-actions/podman-login@v1 - with: - username: ${{ inputs.artifactory_username }} - password: ${{ inputs.artifactory_password }} - registry: ${{ inputs.artifactory_registry }} - - - name: "Run git command" - run: | - podman run \ - --env-file=envfile \ - --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \ - /bin/bash -c "gpgloader && ${{ inputs.command }}" - shell: bash diff --git a/garasign/gpg-sign/action.yml b/garasign/gpg-sign/action.yml deleted file mode 100644 index d9440e3..0000000 --- a/garasign/gpg-sign/action.yml +++ /dev/null 
@@ -1,58 +0,0 @@ -name: "Sign artifact using garasign" -description: "Signs a release artifact" -inputs: - filenames: - description: "File name(s) to sign, can be a glob pattern" - required: true - garasign_username: - description: "Garasign username" - required: true - garasign_password: - description: "Garasign password" - required: true - artifactory_username: - description: "Artifactory user" - required: true - artifactory_password: - description: "Artifactory password" - required: true - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-gpg - artifactory_registry: - description: "Artifactory registry to be used" - default: artifactory.corp.mongodb.com - skip_setup: - description: "Whether to skip setup" - default: "false" - -runs: - using: composite - steps: - - name: Create the envfile - if: ${{ inputs.skip_setup == 'false' }} - run: | - cat << EOF > envfile - GRS_CONFIG_USER1_USERNAME=${{ inputs.garasign_username }} - GRS_CONFIG_USER1_PASSWORD=${{ inputs.garasign_password }} - EOF - shell: bash - - - name: Log in to artifactory - if: ${{ inputs.skip_setup == 'false' }} - uses: redhat-actions/podman-login@v1 - with: - username: ${{ inputs.artifactory_username }} - password: ${{ inputs.artifactory_password }} - registry: ${{ inputs.artifactory_registry }} - - - name: "Create detached signature for file" - run: | - podman run \ - --env-file=envfile \ - --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \ - /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - shell: bash diff --git a/git-sign/action.yml b/git-sign/action.yml new file mode 100644 index 0000000..c0c081b --- /dev/null +++ b/git-sign/action.yml 
@@ -0,0 +1,20 @@ +name: "Run git actions in a signing container" +description: "Allows running arbitrary git actions in a container with GPG keys loaded" +inputs: + command: + description: "Command to run inside the container" + required: true + +runs: + using: composite + steps: + - name: "Run git command" + run: | + podman run \ + --env-file=$GARASIGN_ENVFILE \ + --rm \ + -v $(pwd):$(pwd) \ + -w $(pwd) \ + ${ARTIFACTORY_REGISTRY}/${ARTIFACTORY_IMAGE} \ + /bin/bash -c "gpgloader && ${{ inputs.command }}" + shell: bash diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml new file mode 100644 index 0000000..86611f9 --- /dev/null +++ b/gpg-sign/action.yml @@ -0,0 +1,25 @@ +name: "Sign artifact(s) using garasign" +description: "Signs release artifact(s)" +inputs: + filenames: + description: "File name(s) to sign, can be a glob pattern" + required: true + +runs: + using: composite + steps: + - name: "Create detached signature for file" + shell: bash + run: | + podman run \ + --env-file=$GARASIGN_ENVFILE \ + --rm \ + -v $(pwd):$(pwd) \ + -w $(pwd) \ + ${ARTIFACTORY_REGISTRY}/${ARTIFACTORY_IMAGE} \ + /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' + + - name: "Move the signature files to the release directory" + shell: bash + run: | + mv ${{inputs.filenames}}.sig $RELEASE_ASSETS diff --git a/papertrail/action.yml b/papertrail/action.yml deleted file mode 100644 index 9df1888..0000000 --- a/papertrail/action.yml +++ /dev/null 
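Review bot: The step now depends on `GARASIGN_ENVFILE`, `ARTIFACTORY_REGISTRY` and `ARTIFACTORY_IMAGE` being exported by an earlier setup step but never checks them, so a caller that skipped setup gets a podman error about an empty `--env-file=` rather than a clear message; a guard such as `: "${GARASIGN_ENVFILE:?run the setup action first}"` at the top of the `run:` script fixes that. `${{ inputs.command }}` is expanded inside a double-quoted `bash -c` string at template time; since the command is arbitrary by design that is acceptable, but the `description` should state that the command runs inside the signing container with the GPG keys loaded and must therefore come only from trusted workflow files, never from event data.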
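Review bot: As written, `$(unknown).sig $(unknown)` in the gpg command is a command substitution of a program named `unknown`, so gpg would receive `--output .sig` and no input file; presumably `$filename.sig $filename` was intended (the deleted garasign/gpg-sign action carries the same text). The second step's `mv ${{inputs.filenames}}.sig $RELEASE_ASSETS` fails with an unrelated "no such file" error when the `.sig` glob matches nothing, which would hide the first step's problem. The same unchecked reliance on `GARASIGN_ENVFILE` and the `ARTIFACTORY_*` variables from setup applies here as in git-sign.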
@@ -1,38 +0,0 @@ -name: "Papertrail Report" -description: "Generate report for authorized publication on distribution channels" -inputs: - product_name: - description: "Name of product" - required: true - release_version: - description: "The release version" - required: true - filenames: - description: "Artifact filename(s) to include in the report, can be a glob pattern" - required: true - token: - description: "The GitHub token for the action" - required: true - output: - description: "The output filename" - default: "papertrail.txt" - -runs: - using: composite - steps: - - name: "Prepare report" - shell: bash - run: | - export GH_TOKEN=${{ inputs.token }} - NAME=$(gh api users/${{ github.actor }} --jq '.name') - export PAPERTRAIL="${{ inputs.output }}" - echo "Product: ${{ inputs.product_name }}" > $PAPERTRAIL - echo "Version: ${{ inputs.release_version }}" >> $PAPERTRAIL - echo "Releaser: $NAME" >> $PAPERTRAIL - echo "Build Source: GitHub Actions" - echo "Build Number: ${{ github.run_id }}" - for filename in ${{ inputs.filenames }}; do - SHA=$(shasum -a 256 $filename | awk '{print $1;}') - echo "Filename: $filename" >> $PAPERTRAIL - echo "Shasum: $SHA" >> $PAPERTRAIL - done \ No newline at end of file diff --git a/python/bump-and-tag/action.yml b/python/bump-and-tag/action.yml new file mode 100644 index 0000000..9125d66 --- /dev/null +++ b/python/bump-and-tag/action.yml 
@@ -0,0 +1,50 @@ +name: Python Bump and Tag +description: Perform bump and tag operations for Python Libraries +inputs: + version: + description: "The published version" + required: true + post_version: + description: "The post version" + required: true + version_bump_script: + description: "The version bump script" + required: true + dry_run: + description: "Whether this is a dry run" + required: true + +runs: + using: composite + steps: + - uses: actions/setup-python@v5 + with: + python-version: '3.11' + - name: Set new version + shell: bash -eux {0} + run: | + bash ${{ inputs.version_bump_script }} ${{ inputs.version }} + - name: Commit the version bump + uses: ./.github/actions/git-sign + with: + command: git commit -a -m \"BUMP ${{ inputs.version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} + - name: Tag the version + uses: ./.github/actions/git-sign + with: + command: git tag -a \"${{ inputs.version }}\" -m \"BUMP ${{ inputs.version }}\" -s --local-user=${{ env.GPG_KEY_ID }} + - name: Verify the tag + shell: bash -eux {0} + run: | + curl $GPG_PUBLIC_URL --output /tmp/signature.pub + gpg --import /tmp/signature.pub + git verify-tag ${{inputs.version}} + - name: Push the commit and tag to the source branch + shell: bash -eux {0} + run: | + if [ ${{ inputs.dry_run }} != "true" ]; then + git push origin + git push origin --tags + echo "### Created tag: ${{inputs.version}}" >> $GITHUB_STEP_SUMMARY + else + echo "### Dry run for version: ${{inputs.version}}" >> $GITHUB_STEP_SUMMARY + fi diff --git a/python/publish/action.yml b/python/publish/action.yml new file mode 100644 index 0000000..2af8cd6 --- /dev/null +++ b/python/publish/action.yml 
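Review bot: `post_version` is declared `required: true` but nothing in this action reads it, so every caller must supply a value that has no effect; drop it or document why it is required. `curl $GPG_PUBLIC_URL --output /tmp/signature.pub` in "Verify the tag" has no `--fail`, so an HTTP error body would be written to the file and `gpg --import` rather than curl would report the failure; use `curl -fsSL "$GPG_PUBLIC_URL" --output /tmp/signature.pub`. After the import it is worth asserting that the imported key is the expected one, e.g. `gpg --list-keys "$GPG_KEY_ID"`, since `git verify-tag` accepts any key present in the keyring. Third-party actions are referenced by floating major tags — `actions/setup-python@v5` here, `actions/download-artifact@v4` in python/publish/action.yml, and `aws-actions/configure-aws-credentials@v4` and `actions/checkout@v4` in setup/action.yml; for tooling that handles signing keys and release credentials, pin them to a full commit SHA with the tag in a trailing comment.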
@@ -0,0 +1,71 @@ + +name: Publish Python +description: "Publish Assets and Report" +inputs: + version: + description: "The published version" + required: true + post_version: + description: "The post version" + required: true + version_bump_script: + description: "The version bump script" + required: true + product_name: + description: "The name of the product" + required: true + token: + description: "The GitHub access token" + required: true + dry_run: + description: "Whether this is a dry run" + required: true + +runs: + using: composite + steps: + - uses: actions/setup-python@v5 + with: + python-version: '3.11' + - name: Download all the dists + uses: actions/download-artifact@v4 + with: + name: all-dist-${{ github.run_id }} + path: dist/ + - name: Create detached signature for dist files + uses: ./.github/actions/gpg-sign + with: + filenames: dist/* + - uses: ./.github/actions/authorized-pub + with: + product_name: ${{ inputs.product_name }} + release_version: ${{ inputs.version }} + filenames: dist/* + token: ${{ inputs.token }} + - name: Run publish script + shell: bash + run: ${{github.action_path}}/publish.sh + env: + GH_TOKEN: ${{ inputs.token }} + VERSION: ${{ inputs.version }} + PRODUCT_NAME: ${{ inputs.product_name }} + DRY_RUN: ${{ inputs.dry_run }} + # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#publishing-the-distribution-to-pypi + # - name: Publish distribution 📦 to PyPI + # if: inputs.dry_run == 'false' + # uses: pypa/gh-action-pypi-publish@release/v1 + - name: Set post version + shell: bash -eux {0} + run: | + git clean -dffx + bash ${{ inputs.version_bump_script }} ${{ inputs.version }} + - name: Commit the version bump + uses: ./.github/actions/git-sign + with: + command: git commit -a -m \"BUMP ${{ inputs.post_version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} + - name: Push the commit to the source branch + shell: bash -eux {0} + run: | + if [ ${{ inputs.dry_run }} 
!= "true" ]; then
+ git push origin --tags
+ fi
diff --git a/python/publish/publish.sh b/python/publish/publish.sh
new file mode 100755
index 0000000..3f02d15
--- /dev/null
+++ b/python/publish/publish.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -eux
+
+echo "Show public outputs"
+ls -ltr $RELEASE_ASSETS
+
+if [ "$DRY_RUN" == "false" ]; then
+ echo "Uploading Release Reports"
+ TARGET=s3://${AWS_BUCKET}/${PRODUCT_NAME}/${VERSION}
+ aws s3 cp $S3_ASSETS $TARGET --recursive
+
+ echo "Creating draft release with attached files"
+ gh release create ${VERSION} --draft --verify-tag --title ${VERSION} --notes ""
+ gh release upload ${VERSION} $RELEASE_ASSETS/*.*
+ gh release view ${VERSION} >> $GITHUB_STEP_SUMMARY
+else
+ echo "Dry run, not uploading to s3 or creating GitHub Release"
+fi
diff --git a/setup/action.yml b/setup/action.yml
new file mode 100644
index 0000000..37933aa
--- /dev/null
+++ b/setup/action.yml
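Review bot: The "Set post version" step runs `bash ${{ inputs.version_bump_script }} ${{ inputs.version }}` while the commit that follows it is labelled `BUMP ${{ inputs.post_version }}`, so the post-release bump re-applies the released version; the argument should be `${{ inputs.post_version }}`. The last step is named "Push the commit to the source branch" but runs only `git push origin --tags`, which pushes no commits; mirror bump-and-tag with `git push origin` followed by `git push origin --tags`. The file also begins with an empty line before `name:`, harmless but untidy.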
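Review bot: `[ "$DRY_RUN" == "false" ]` treats any value other than the exact string `false` — `False`, `0`, a typo — as a dry run, which fails safe but silently skips the release; an explicit check near the top such as `case "$DRY_RUN" in true|false) ;; *) echo "DRY_RUN must be true or false" >&2; exit 1;; esac` makes a misconfigured caller fail loudly. The expansions `$RELEASE_ASSETS`, `$S3_ASSETS`, `$TARGET` and `${VERSION}` are unquoted; the paths are fixed under /tmp so it is harmless today, but quoting them (leaving only the `$RELEASE_ASSETS/*.*` glob unquoted) is the safer default. With `set -x` every command line, including the S3 target, is echoed to the log, which is fine only as long as `AWS_BUCKET` stays masked by setup.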
@@ -0,0 +1,39 @@
+name: Setup
+description: "Set up the Release Environment"
+inputs:
+ aws_role_arn:
+ description: "The aws role to acquire"
+ required: true
+ aws_region_name:
+ description: "The aws region to use"
+ required: true
+ aws_secret_id:
+ description: "The name of the aws secret to use"
+ required: true
+ artifactory_registry:
+ description: "Artifactory registry to be used"
+ default: artifactory.corp.mongodb.com
+ artifactory_image:
+ description: "Image to use for artifactory"
+ default: release-tools-container-registry-local/garasign-git
+
+runs:
+ using: composite
+ steps:
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ inputs.aws_role_arn }}
+ role-session-name: release-session
+ aws-region: ${{ inputs.aws_region_name }}
+ - name: Set up
+ shell: bash
+ id: setup
+ run: ${{ github.action_path }}/setup.sh
+ env:
+ ARTIFACTORY_REGISTRY: ${{ inputs.artifactory_registry }}
+ ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
+ AWS_SECRET_ID: ${{ inputs.aws_secret_id }}
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ steps.setup.outputs.token }}
diff --git a/setup/setup.sh b/setup/setup.sh
new file mode 100755
index 0000000..de052fb
--- /dev/null
+++ b/setup/setup.sh
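Review bot: The action assumes a role with `role-to-assume` and no static keys, which presumably relies on the workflow's OIDC token, yet nothing tells callers that the job needs `permissions: id-token: write` (and `contents: write` for the checkout and the later pushes); add that to `description` or a README so a missing permission does not surface as an opaque STS error. `artifactory_image` defaults to the `garasign-git` image, and the new gpg-sign action runs the same `${ARTIFACTORY_REGISTRY}/${ARTIFACTORY_IMAGE}` where the deleted garasign/gpg-sign action defaulted to `garasign-gpg`; if one image is meant to serve both git signing and detached signing, the input description should say so, otherwise gpg-sign needs its own image input.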
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -eu
+
+echo "Fetch secrets..."
+SECRETS_FILE=/tmp/secret-value.json
+echo "$(aws secretsmanager get-secret-value --secret-id ${AWS_SECRET_ID} --query SecretString --output text)" > $SECRETS_FILE
+# Ensure sensitive secrets are masked in logs.
+ARTIFACTORY_USER=$(cat $SECRETS_FILE | jq -r '."artifactory-username"')
+ARTIFACTORY_PASSWORD=$(cat $SECRETS_FILE | jq -r '."artifactory-password"')
+echo "::add-mask::$ARTIFACTORY_PASSWORD"
+GRS_CONFIG_USER1_USERNAME=$(cat $SECRETS_FILE | jq -r '."garasign-username"')
+echo "::add-mask::$GRS_CONFIG_USER1_USERNAME"
+GRS_CONFIG_USER1_PASSWORD=$(cat $SECRETS_FILE | jq -r '."garasign-password"')
+echo "::add-mask::$GRS_CONFIG_USER1_PASSWORD"
+GPG_PUBLIC_URL=$(cat $SECRETS_FILE | jq -r '."gpg-public-url"')
+GPG_KEY_ID=$(cat $SECRETS_FILE | jq -r '."gpg-key-id"')
+AWS_BUCKET=$(cat $SECRETS_FILE | jq -r '."release-assets-bucket"')
+echo "::add-mask::$AWS_BUCKET"
+APP_PRIVATE_KEY=$(cat $SECRETS_FILE | jq -r '."github-app-private-key"')
+echo "::add-mask::$APP_PRIVATE_KEY"
+APP_ID=$(cat $SECRETS_FILE | jq -r '."github-app-id"')
+rm $SECRETS_FILE
+echo "Fetch secrets... done."
+
+echo "::group::Set up artifactory"
+echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USER --password-stdin $ARTIFACTORY_REGISTRY
+podman pull $ARTIFACTORY_REGISTRY/$ARTIFACTORY_IMAGE
+echo "::endgroup::"
+
+echo "Set up envfile for artifactory image"
+GARASIGN_ENVFILE=/tmp/envfile
+cat << EOF > $GARASIGN_ENVFILE
+GRS_CONFIG_USER1_USERNAME=$GRS_CONFIG_USER1_USERNAME
+GRS_CONFIG_USER1_PASSWORD=$GRS_CONFIG_USER1_PASSWORD
+EOF
+
+####################
+# Generate App Token
+# https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt
+client_id=$APP_ID
+
+pem=$(echo $APP_PRIVATE_KEY | base64 --decode)
+
+now=$(date +%s)
+iat=$((${now} - 60)) # Issues 60 seconds in the past
+exp=$((${now} + 600)) # Expires 10 minutes in the future
+
+b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+
+header_json='{
+ "typ":"JWT",
+ "alg":"RS256"
+}'
+# Header encode
+header=$( echo -n "${header_json}" | b64enc )
+
+payload_json='{
+ "iat":'"${iat}"',
+ "exp":'"${exp}"',
+ "iss":'"${client_id}"'
+}'
+# Payload encode
+payload=$( echo -n "${payload_json}" | b64enc )
+
+# Signature
+header_payload="${header}"."${payload}"
+signature=$(
+ openssl dgst -sha256 -sign <(echo -n "${pem}") \
+ <(echo -n "${header_payload}") | b64enc
+)
+
+# Create JWT
+JWT="${header_payload}"."${signature}"
+
+# Set as the "token" output
+echo "token=$JWT" >> "$GITHUB_OUTPUT"
+####################
+
+echo "Set up output directories"
+export RELEASE_ASSETS=/tmp/release-assets
+mkdir $RELEASE_ASSETS
+echo "$GITHUB_RUN_ID" > $RELEASE_ASSETS/release_run_id.txt
+export S3_ASSETS=/tmp/s3-assets
+mkdir $S3_ASSETS
+
+echo "Set up global variables"
+cat <> $GITHUB_ENV
+AWS_BUCKET=$AWS_BUCKET
+GPG_KEY_ID=$GPG_KEY_ID
+GPG_PUBLIC_URL=$GPG_PUBLIC_URL
+GARASIGN_ENVFILE=$GARASIGN_ENVFILE
+ARTIFACTORY_IMAGE=$ARTIFACTORY_IMAGE
+ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
+RELEASE_ASSETS=$RELEASE_ASSETS +S3_ASSETS=$S3_ASSETS +EOF + +echo "Set up git config" +git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" +git config --global user.name "github-actions[bot]" From 0756fff68b9a72a633950e4f539d36ecee1ea379 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 10:16:08 -0500 Subject: [PATCH 02/40] update links --- python/bump-and-tag/action.yml | 4 ++-- python/publish/action.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/python/bump-and-tag/action.yml b/python/bump-and-tag/action.yml index 9125d66..af38539 100644 --- a/python/bump-and-tag/action.yml +++ b/python/bump-and-tag/action.yml @@ -25,11 +25,11 @@ runs: run: | bash ${{ inputs.version_bump_script }} ${{ inputs.version }} - name: Commit the version bump - uses: ./.github/actions/git-sign + uses: blink1073/drivers-github-tools/git-sign@refactor with: command: git commit -a -m \"BUMP ${{ inputs.version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Tag the version - uses: ./.github/actions/git-sign + uses: blink1073/drivers-github-tools/git-sign@refactor with: command: git tag -a \"${{ inputs.version }}\" -m \"BUMP ${{ inputs.version }}\" -s --local-user=${{ env.GPG_KEY_ID }} - name: Verify the tag diff --git a/python/publish/action.yml b/python/publish/action.yml index 2af8cd6..c603967 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -33,10 +33,10 @@ runs: name: all-dist-${{ github.run_id }} path: dist/ - name: Create detached signature for dist files - uses: ./.github/actions/gpg-sign + uses: blink1073/drivers-github-tools/gpg-sign@refactor with: filenames: dist/* - - uses: ./.github/actions/authorized-pub + - uses: blink1073/drivers-github-tools/authorized-pub@refactor with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.version }} 
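Review bot: The secret JSON is written to `/tmp/secret-value.json` and only removed by the final `rm`, so if any of the `jq` lines fails under `set -e` the file holding every credential stays on the runner; either read the secret once into a variable and pipe it to `jq`, or add `trap 'rm -f "$SECRETS_FILE"' EXIT` right after `SECRETS_FILE=` is set. `/tmp/envfile` holds the garasign credentials for the rest of the job and is created with the default umask, so run `umask 077` before the heredoc (or `chmod 600 "$GARASIGN_ENVFILE"` after it); the same applies to the secrets file while it exists. The JWT is written to `$GITHUB_OUTPUT` without a preceding `::add-mask::`, unlike the other secrets above it, and the decoded `pem` is never masked either — only its base64 form is.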
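Review bot: The `uses:` references now point at `blink1073/drivers-github-tools/git-sign@refactor`, a personal fork pinned to a mutable branch, for the steps that run commands in the signing container; anything pushed to that branch would run with the GPG keys loaded. If this is a temporary development reference it should be called out in the commit message; before merge, point at the canonical repository and pin to a tag or, better, a full commit SHA. The same applies to the `gpg-sign` and `authorized-pub` references in python/publish/action.yml in this commit.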
@@ -60,7 +60,7 @@ runs: git clean -dffx bash ${{ inputs.version_bump_script }} ${{ inputs.version }} - name: Commit the version bump - uses: ./.github/actions/git-sign + uses: blink1073/drivers-github-tools/git-sign@refactor with: command: git commit -a -m \"BUMP ${{ inputs.post_version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Push the commit to the source branch From 851f3f68efd7fb7a84db26a8a8a9d7073ebf869c Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 10:33:13 -0500 Subject: [PATCH 03/40] fix JWT handling --- setup/action.yml | 2 -- setup/setup.sh | 7 +++++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/setup/action.yml b/setup/action.yml index 37933aa..9298e10 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -35,5 +35,3 @@ runs: ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} AWS_SECRET_ID: ${{ inputs.aws_secret_id }} - uses: actions/checkout@v4 - with: - token: ${{ steps.setup.outputs.token }} diff --git a/setup/setup.sh b/setup/setup.sh index de052fb..61ba960 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -37,6 +37,7 @@ EOF #################### # Generate App Token # https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt +echo "Generate App Token" client_id=$APP_ID pem=$(echo $APP_PRIVATE_KEY | base64 --decode) @@ -71,9 +72,11 @@ signature=$( # Create JWT JWT="${header_payload}"."${signature}" +echo "::add-mask::$JWT" -# Set as the "token" output -echo "token=$JWT" >> "$GITHUB_OUTPUT" +# Set the git config for checkout +git config --global credential.https://github.com.username git +git config --global credential.https://github.com.password $JWT #################### echo "Set up output directories" From 9ce0ea4201c6f5dab36b82a1e8df1759f42e92d5 Mon Sep 17 00:00:00 2001 
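Review bot: `git config --global credential.https://github.com.password $JWT` writes the token in clear text into `~/.gitconfig`, where it persists for every later step of the job and anything that reads the file; I also do not believe git honours a `credential.<url>.password` key (only `.username`, `.helper` and `.useHttpPath` are documented), so the checkout would likely still run unauthenticated. A GitHub App JWT additionally authenticates only to the Apps API, not to git over HTTPS, which needs an installation access token exchanged from the JWT. Keeping the token as a masked step output and handing it to `actions/checkout`'s `token:` input, which scopes it to the repository's git config and can drop it via `persist-credentials: false`, avoids both problems.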
From: Steven Silvester Date: Mon, 13 May 2024 10:37:43 -0500 Subject: [PATCH 04/40] fix git setup --- setup/action.yml | 5 +++++ setup/setup.sh | 4 ---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/setup/action.yml b/setup/action.yml index 9298e10..c3a8080 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -35,3 +35,8 @@ runs: ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} AWS_SECRET_ID: ${{ inputs.aws_secret_id }} - uses: actions/checkout@v4 + - name: Set up git config + shell: bash + run: | + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git config user.name "github-actions[bot]" diff --git a/setup/setup.sh b/setup/setup.sh index 61ba960..eadc587 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -97,7 +97,3 @@ ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS EOF - -echo "Set up git config" -git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" -git config --global user.name "github-actions[bot]" From 95f735c96681eaf138895043db467191aefbec11 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 14:30:46 -0500 Subject: [PATCH 05/40] cleanup --- setup/action.yml | 13 +++++++++ setup/setup.sh | 69 +++++------------------------------------------- 2 files changed, 19 insertions(+), 63 deletions(-) diff --git a/setup/action.yml b/setup/action.yml index c3a8080..dc0e865 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -26,6 +26,12 @@ runs: role-to-assume: ${{ inputs.aws_role_arn }} role-session-name: release-session aws-region: ${{ inputs.aws_region_name }} + - name: Read secrets from AWS Secrets Manager into environment variables + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + ${{ inputs.aws_secret_id }} + parse-json-secrets: true - name: Set up shell: bash id: setup 
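Review bot: `parse-json-secrets: true` exports every key of the secret as an environment variable for all later steps of the calling job, not just for this composite action, so the artifactory and garasign passwords and the app private key are now visible to any subsequent step or action the caller runs; I believe the action masks what it exports, but the wider exposure compared with the previous file-then-`rm` approach should be stated in the action description. It would also be worth documenting the expected JSON keys, since setup.sh now depends on their exact names.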
@@ -34,7 +40,14 @@ runs: ARTIFACTORY_REGISTRY: ${{ inputs.artifactory_registry }} ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} AWS_SECRET_ID: ${{ inputs.aws_secret_id }} + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ steps.setup.outputs.app-id }} + private-key: ${{ steps.setup.outputs.private-key }} - uses: actions/checkout@v4 + with: + token: ${{ steps.app-token.outputs.token }} - name: Set up git config shell: bash run: | diff --git a/setup/setup.sh b/setup/setup.sh index eadc587..59861d5 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -1,26 +1,8 @@ #!/usr/bin/env bash set -eu -echo "Fetch secrets..." -SECRETS_FILE=/tmp/secret-value.json -echo "$(aws secretsmanager get-secret-value --secret-id ${AWS_SECRET_ID} --query SecretString --output text)" > $SECRETS_FILE -# Ensure sensitive secrets are masked in logs. -ARTIFACTORY_USER=$(cat $SECRETS_FILE | jq -r '."artifactory-username"') -ARTIFACTORY_PASSWORD=$(cat $SECRETS_FILE | jq -r '."artifactory-password"') -echo "::add-mask::$ARTIFACTORY_PASSWORD" -GRS_CONFIG_USER1_USERNAME=$(cat $SECRETS_FILE | jq -r '."garasign-username"') -echo "::add-mask::$GRS_CONFIG_USER1_USERNAME" -GRS_CONFIG_USER1_PASSWORD=$(cat $SECRETS_FILE | jq -r '."garasign-password"') -echo "::add-mask::$GRS_CONFIG_USER1_PASSWORD" -GPG_PUBLIC_URL=$(cat $SECRETS_FILE | jq -r '."gpg-public-url"') -GPG_KEY_ID=$(cat $SECRETS_FILE | jq -r '."gpg-key-id"') -AWS_BUCKET=$(cat $SECRETS_FILE | jq -r '."release-assets-bucket"') -echo "::add-mask::$AWS_BUCKET" -APP_PRIVATE_KEY=$(cat $SECRETS_FILE | jq -r '."github-app-private-key"') -echo "::add-mask::$APP_PRIVATE_KEY" -APP_ID=$(cat $SECRETS_FILE | jq -r '."github-app-id"') -rm $SECRETS_FILE -echo "Fetch secrets... done." +env +exit 1 echo "::group::Set up artifactory" echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USER --password-stdin $ARTIFACTORY_REGISTRY 
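Review bot: The new `env` followed by `exit 1` at the top of setup.sh dumps the full process environment — which after the new `aws-secretsmanager-get-secrets` step contains the artifactory and garasign passwords and the app private key — into the job log, relying entirely on the runner's masking, and then aborts the script. This looks like debugging left in a commit titled "cleanup"; remove it, or at most print variable names only (e.g. `compgen -A variable`), before the branch is used for a real release.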
@@ -34,50 +16,11 @@ GRS_CONFIG_USER1_USERNAME=$GRS_CONFIG_USER1_USERNAME GRS_CONFIG_USER1_PASSWORD=$GRS_CONFIG_USER1_PASSWORD EOF -#################### -# Generate App Token -# https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app#example-using-bash-to-generate-a-jwt -echo "Generate App Token" -client_id=$APP_ID - +echo "Set outputs for GitHub App auth" pem=$(echo $APP_PRIVATE_KEY | base64 --decode) - -now=$(date +%s) -iat=$((${now} - 60)) # Issues 60 seconds in the past -exp=$((${now} + 600)) # Expires 10 minutes in the future - -b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; } - -header_json='{ - "typ":"JWT", - "alg":"RS256" -}' -# Header encode -header=$( echo -n "${header_json}" | b64enc ) - -payload_json='{ - "iat":'"${iat}"', - "exp":'"${exp}"', - "iss":'"${client_id}"' -}' -# Payload encode -payload=$( echo -n "${payload_json}" | b64enc ) - -# Signature -header_payload="${header}"."${payload}" -signature=$( - openssl dgst -sha256 -sign <(echo -n "${pem}") \ - <(echo -n "${header_payload}") | b64enc -) - -# Create JWT -JWT="${header_payload}"."${signature}" -echo "::add-mask::$JWT" - -# Set the git config for checkout -git config --global credential.https://github.com.username git -git config --global credential.https://github.com.password $JWT -#################### +echo "app-id=$APP_ID" >> "$GITHUB_OUTPUT" +echo "::add-mask::$pem" +echo "private-key=$pem" >> "$GITHUB_OUTPUT" echo "Set up output directories" export RELEASE_ASSETS=/tmp/release-assets From 8326bbc42f1b9e746cf2b3c488347df0e18e2d56 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 14:48:14 -0500 Subject: [PATCH 06/40] debug --- setup/setup.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 59861d5..95e3119 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
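Review bot: `echo "private-key=$pem" >> "$GITHUB_OUTPUT"` writes a multi-line PEM using the single-line `key=value` syntax; `$GITHUB_OUTPUT` requires the heredoc form for multi-line values, so the output will be truncated or rejected. Use `printf 'private-key<<EOF\n%s\nEOF\n' "$pem" >> "$GITHUB_OUTPUT"` (any delimiter that cannot occur in a PEM). I am not certain `::add-mask::` on a multi-line value masks every line, so masking the base64 form `$APP_PRIVATE_KEY` as well, or passing the key to `actions/create-github-app-token` straight from the secrets-manager environment variable instead of via a step output, would be more robust. `pem=$(echo $APP_PRIVATE_KEY | base64 --decode)` should also quote `"$APP_PRIVATE_KEY"`.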
@@ -1,8 +1,12 @@ #!/usr/bin/env bash set -eu -env -exit 1 +echo "Normalize secrets variable names" +prefix=$(echo $AWS_SECRET_ID | tr '[:lower:]' '[:upper:]' | sed -r 's/[-/]+/_/g') +for var in "${!n$prefix_@}"; do + printf '%s=%s\n' "$var" "${!var}" +done +exit echo "::group::Set up artifactory" echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USER --password-stdin $ARTIFACTORY_REGISTRY From 31f7dd9f179e95a3fa3ae726ce9aaac17d6a0594 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 14:49:26 -0500 Subject: [PATCH 07/40] debug --- setup/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/setup.sh b/setup/setup.sh index 95e3119..3f1eb57 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -6,7 +6,7 @@ prefix=$(echo $AWS_SECRET_ID | tr '[:lower:]' '[:upper:]' | sed -r 's/[-/]+/_/g' for var in "${!n$prefix_@}"; do printf '%s=%s\n' "$var" "${!var}" done -exit +exit 1 echo "::group::Set up artifactory" echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USER --password-stdin $ARTIFACTORY_REGISTRY From 28954548f9ec3c24a94050378a659206bf82ba7e Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 15:06:39 -0500 Subject: [PATCH 08/40] cleanup --- setup/setup.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 3f1eb57..0c90735 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -3,10 +3,12 @@ set -eu echo "Normalize secrets variable names" prefix=$(echo $AWS_SECRET_ID | tr '[:lower:]' '[:upper:]' | sed -r 's/[-/]+/_/g') -for var in "${!n$prefix_@}"; do - printf '%s=%s\n' "$var" "${!var}" +prefix=${prefix}_ +compgen -A variable $prefix | while read v; do + new_key=$(echo $v | sed "s/$prefix//g") + echo $new_key + declare "${new_key}=${!v}" done -exit 1 echo "::group::Set up artifactory" echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USER --password-stdin $ARTIFACTORY_REGISTRY 
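Review bot: `for var in "${!n$prefix_@}"` looks like a bad substitution to me: the `${!prefix@}` form takes a literal prefix, and `$prefix_` refers to a different (unset) variable, so under `set -u` the script should stop before the loop runs. The loop body `printf '%s=%s\n' "$var" "${!var}"` prints the value of every matched secret to the log, depending solely on the runner's masking; for a debug commit, print names only, e.g. `compgen -A variable "${prefix}_"`, and drop the trailing `exit`.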
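Review bot: `compgen -A variable $prefix | while read v; do … declare "${new_key}=${!v}"; done` runs the loop in a pipeline subshell, so the declared names vanish when the pipe ends and the following `echo $ARTIFACTORY_PASSWORD | podman login …` sees unset variables (a hard error under `set -u`). PATCH 09 through PATCH 12 keep the same pipeline (`read`, then `declare -g`), so they inherit the defect; `for v in $(compgen -A variable "$prefix"); do … done` or `while read -r v; do … done < <(compgen -A variable "$prefix")` runs in the current shell. The `echo $new_key` prints names only, which is fine.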
From a865965688634a1d48f15b653069663330da939a Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 15:17:56 -0500 Subject: [PATCH 09/40] cleanup --- setup/setup.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 0c90735..5430d00 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -6,12 +6,11 @@ prefix=$(echo $AWS_SECRET_ID | tr '[:lower:]' '[:upper:]' | sed -r 's/[-/]+/_/g' prefix=${prefix}_ compgen -A variable $prefix | while read v; do new_key=$(echo $v | sed "s/$prefix//g") - echo $new_key - declare "${new_key}=${!v}" + read "$new_key" <<<${!v} done echo "::group::Set up artifactory" -echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USER --password-stdin $ARTIFACTORY_REGISTRY +echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY podman pull $ARTIFACTORY_REGISTRY/$ARTIFACTORY_IMAGE echo "::endgroup::" From 56cddde4a78f687646ca02cc0531e9dccede404d Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 15:24:04 -0500 Subject: [PATCH 10/40] cleanup --- setup/setup.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/setup.sh b/setup/setup.sh index 5430d00..8186bab 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -3,10 +3,11 @@ set -eu echo "Normalize secrets variable names" prefix=$(echo $AWS_SECRET_ID | tr '[:lower:]' '[:upper:]' | sed -r 's/[-/]+/_/g') +echo "PREFIX=$prefix" prefix=${prefix}_ compgen -A variable $prefix | while read v; do new_key=$(echo $v | sed "s/$prefix//g") - read "$new_key" <<<${!v} + declare -g $new_key=${!v} done echo "::group::Set up artifactory" From f366021144ec89f7d18caa6b840b6d53c5626f88 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 15:25:21 -0500 Subject: [PATCH 11/40] try again --- setup/setup.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/setup.sh b/setup/setup.sh index 8186bab..46e3403 100755 
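Review bot: `read "$new_key" <<<${!v}` keeps only the first line of a multi-line value such as the PEM and, without `-r`, strips backslashes, so the private key would be corrupted even once the subshell problem noted on PATCH 08 is fixed. Assign directly instead, e.g. `declare -g "$new_key=${!v}"` (as PATCH 11 later does), and keep the `${!v}` inside the quotes so whitespace in a password is preserved.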
--- a/setup/setup.sh +++ b/setup/setup.sh @@ -7,7 +7,7 @@ echo "PREFIX=$prefix" prefix=${prefix}_ compgen -A variable $prefix | while read v; do new_key=$(echo $v | sed "s/$prefix//g") - declare -g $new_key=${!v} + declare -g "$new_key=${!v}" done echo "::group::Set up artifactory" @@ -25,6 +25,7 @@ EOF echo "Set outputs for GitHub App auth" pem=$(echo $APP_PRIVATE_KEY | base64 --decode) echo "app-id=$APP_ID" >> "$GITHUB_OUTPUT" +# Ensure the value is not printed to logs. echo "::add-mask::$pem" echo "private-key=$pem" >> "$GITHUB_OUTPUT" From d222eea1b343a41f42f7ed9ee0353baa488a3aaf Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 15:26:05 -0500 Subject: [PATCH 12/40] debug --- setup/setup.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/setup.sh b/setup/setup.sh index 46e3403..17d8148 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -7,6 +7,7 @@ echo "PREFIX=$prefix" prefix=${prefix}_ compgen -A variable $prefix | while read v; do new_key=$(echo $v | sed "s/$prefix//g") + echo "hello $new_key" declare -g "$new_key=${!v}" done From f6026e1e2f5b5acc04958ea9e138e64faae2aa55 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 15:29:09 -0500 Subject: [PATCH 13/40] try again --- setup/setup.sh | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 17d8148..75cb422 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -3,13 +3,15 @@ set -eu echo "Normalize secrets variable names" prefix=$(echo $AWS_SECRET_ID | tr '[:lower:]' '[:upper:]' | sed -r 's/[-/]+/_/g') -echo "PREFIX=$prefix" -prefix=${prefix}_ -compgen -A variable $prefix | while read v; do - new_key=$(echo $v | sed "s/$prefix//g") - echo "hello $new_key" - declare -g "$new_key=${!v}" -done +declare ARTIFACTORY_PASSWORD=${!$prefix_ARTIFACTORY_PASSWORD} +declare ARTIFACTORY_USERNAME=${!$prefix_ARTIFACTORY_USERNAME} +declare GARASIGN_PASSWORD=${!$prefix_GARASIGN_PASSWORD} +declare GARASIGN_USERNAME=${!$prefix_GARASIGN_USERNAME} +declare GITHUB_APP_ID=${!$prefix_GITHUB_APP_ID} +declare GITHUB_APP_PRIVATE_KEY=${!$prefix_GITHUB_APP_PRIVATE_KEY} +declare GPG_KEY_ID=${!$prefix_GPG_KEY_ID} +declare GPG_PUBLIC_URL=${!$prefix_GPG_PUBLIC_URL} +declare RELEASE_ASSETS_BUCKET=${!$prefix_RELEASE_ASSETS_BUCKET} echo "::group::Set up artifactory" echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY From 434bcf6a2c1faa0d46699587262509bc36aa27de Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 15:53:47 -0500 Subject: [PATCH 14/40] try again --- setup/setup.sh | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 75cb422..42474a4 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
@@ -3,15 +3,12 @@ set -eu echo "Normalize secrets variable names" prefix=$(echo $AWS_SECRET_ID | tr '[:lower:]' '[:upper:]' | sed -r 's/[-/]+/_/g') -declare ARTIFACTORY_PASSWORD=${!$prefix_ARTIFACTORY_PASSWORD} -declare ARTIFACTORY_USERNAME=${!$prefix_ARTIFACTORY_USERNAME} -declare GARASIGN_PASSWORD=${!$prefix_GARASIGN_PASSWORD} -declare GARASIGN_USERNAME=${!$prefix_GARASIGN_USERNAME} -declare GITHUB_APP_ID=${!$prefix_GITHUB_APP_ID} -declare GITHUB_APP_PRIVATE_KEY=${!$prefix_GITHUB_APP_PRIVATE_KEY} -declare GPG_KEY_ID=${!$prefix_GPG_KEY_ID} -declare GPG_PUBLIC_URL=${!$prefix_GPG_PUBLIC_URL} -declare RELEASE_ASSETS_BUCKET=${!$prefix_RELEASE_ASSETS_BUCKET} +prefix=${prefix}_ +vars=$(compgen -A variable | grep $prefix | tr '\n' ' ') +for var in $vars; do + new_key=$(echo $var | sed "s/$prefix//g") + declare $new_key=${!var} +done echo "::group::Set up artifactory" echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY From 7c451799180bddfbf98da543671305a4d3506dc2 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 15:57:04 -0500 Subject: [PATCH 15/40] cleanup --- setup/setup.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 42474a4..ca65d37 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
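Review bot: `declare $new_key=${!var}` drops the quoting introduced in PATCH 11, so the secret value is subject to word splitting and pathname expansion: a value containing whitespace is cut at the first blank and the remainder becomes extra `declare` operands, and a `*` or `?` in it can be glob-expanded against the working directory. Quote the assignment, `declare "$new_key=${!var}"`. `grep $prefix` is unanchored and `sed "s/$prefix//g"` strips every occurrence of the prefix from the name; `grep "^$prefix"` and `new_key=${var#"$prefix"}` express the intent directly and drop two subprocesses. The unquoted `for var in $vars` is fine here because `compgen` variable names contain no whitespace or glob characters.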
@@ -18,13 +18,13 @@ echo "::endgroup::" echo "Set up envfile for artifactory image" GARASIGN_ENVFILE=/tmp/envfile cat << EOF > $GARASIGN_ENVFILE -GRS_CONFIG_USER1_USERNAME=$GRS_CONFIG_USER1_USERNAME -GRS_CONFIG_USER1_PASSWORD=$GRS_CONFIG_USER1_PASSWORD +GRS_CONFIG_USER1_USERNAME=$GARASIGN_USERNAME +GRS_CONFIG_USER1_PASSWORD=$GARASIGN_PASSWORD EOF echo "Set outputs for GitHub App auth" -pem=$(echo $APP_PRIVATE_KEY | base64 --decode) -echo "app-id=$APP_ID" >> "$GITHUB_OUTPUT" +pem=$(echo $GITHUB_APP_PRIVATE_KEY | base64 --decode) +echo "app-id=$GITHUB_APP_ID" >> "$GITHUB_OUTPUT" # Ensure the value is not printed to logs. echo "::add-mask::$pem" echo "private-key=$pem" >> "$GITHUB_OUTPUT" @@ -38,7 +38,7 @@ mkdir $S3_ASSETS echo "Set up global variables" cat <> $GITHUB_ENV -AWS_BUCKET=$AWS_BUCKET +AWS_BUCKET=$RELEASE_ASSETS_BUCKET GPG_KEY_ID=$GPG_KEY_ID GPG_PUBLIC_URL=$GPG_PUBLIC_URL GARASIGN_ENVFILE=$GARASIGN_ENVFILE From 373826396d3f3d622c6f7cebd225bd74553c0c7f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 16:12:40 -0500 Subject: [PATCH 16/40] try again --- setup/setup.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index ca65d37..b827cd7 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -24,9 +24,13 @@ EOF echo "Set outputs for GitHub App auth" pem=$(echo $GITHUB_APP_PRIVATE_KEY | base64 --decode) -echo "app-id=$GITHUB_APP_ID" >> "$GITHUB_OUTPUT" -# Ensure the value is not printed to logs. +# Encode the string for GitHub output +pem="${pem//'%'/'%25'}" +pem="${pem//$'\n'/'%0A'}" +pem="${pem//$'\r'/'%0D'}" +# Ensure the value is not printed to logs echo "::add-mask::$pem" +echo "app-id=$GITHUB_APP_ID" >> "$GITHUB_OUTPUT" echo "private-key=$pem" >> "$GITHUB_OUTPUT" echo "Set up output directories" From 7e99b8585488736cbefac3f573c613e63c59cbbf Mon Sep 17 00:00:00 2001 
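Review bot: The new `GRS_CONFIG_USER1_*` lines write the Garasign username and password into `$GARASIGN_ENVFILE`, which the surrounding context fixes at `/tmp/envfile` and creates with `cat << EOF > $GARASIGN_ENVFILE` under the default umask, so the file is typically world-readable for the rest of the job. On ephemeral hosted runners that is a small window; on shared or self-hosted runners any other process on the host can read it. Create the file with restrictive permissions before the heredoc, `install -m 600 /dev/null "$GARASIGN_ENVFILE"`, or use `mktemp` under `$RUNNER_TEMP` rather than a predictable name in `/tmp`. In the second hunk, `cat <> $GITHUB_ENV` reads like an extraction artefact of a `cat << EOF >> $GITHUB_ENV` heredoc; worth confirming against the repository.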
From: Steven Silvester Date: Mon, 13 May 2024 16:24:21 -0500 Subject: [PATCH 17/40] try again --- setup/setup.sh | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index b827cd7..d56e94b 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -23,15 +23,8 @@ GRS_CONFIG_USER1_PASSWORD=$GARASIGN_PASSWORD EOF echo "Set outputs for GitHub App auth" -pem=$(echo $GITHUB_APP_PRIVATE_KEY | base64 --decode) -# Encode the string for GitHub output -pem="${pem//'%'/'%25'}" -pem="${pem//$'\n'/'%0A'}" -pem="${pem//$'\r'/'%0D'}" -# Ensure the value is not printed to logs -echo "::add-mask::$pem" echo "app-id=$GITHUB_APP_ID" >> "$GITHUB_OUTPUT" -echo "private-key=$pem" >> "$GITHUB_OUTPUT" +echo "private-key=$GITHUB_APP_PRIVATE_KEY" >> "$GITHUB_OUTPUT" echo "Set up output directories" export RELEASE_ASSETS=/tmp/release-assets From 4e5bec67bfaca4c28b4794b8c683abdeb9cdf16a Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 13 May 2024 16:28:53 -0500 Subject: [PATCH 18/40] cleanup --- setup/action.yml | 27 ++++++++++++++------------- setup/setup.sh | 8 ++++---- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/setup/action.yml b/setup/action.yml index dc0e865..f067568 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -10,6 +10,12 @@ inputs: aws_secret_id: description: "The name of the aws secret to use" required: true + app_id: + description: "The GitHub App id" + required: true + private_key: + description: "The GitHub App private key" + required: true artifactory_registry: description: "Artifactory registry to be used" default: artifactory.corp.mongodb.com 
@@ -20,6 +26,14 @@ inputs: runs: using: composite steps: + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ inputs.app_id }} + private-key: ${{ inputs.private_key }} + - uses: actions/checkout@v4 + with: + token: ${{ steps.app-token.outputs.token }} - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -40,16 +54,3 @@ runs: ARTIFACTORY_REGISTRY: ${{ inputs.artifactory_registry }} ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }} AWS_SECRET_ID: ${{ inputs.aws_secret_id }} - - uses: actions/create-github-app-token@v1 - id: app-token - with: - app-id: ${{ steps.setup.outputs.app-id }} - private-key: ${{ steps.setup.outputs.private-key }} - - uses: actions/checkout@v4 - with: - token: ${{ steps.app-token.outputs.token }} - - name: Set up git config - shell: bash - run: | - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config user.name "github-actions[bot]" diff --git a/setup/setup.sh b/setup/setup.sh index d56e94b..5961ad8 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -22,10 +22,6 @@ GRS_CONFIG_USER1_USERNAME=$GARASIGN_USERNAME GRS_CONFIG_USER1_PASSWORD=$GARASIGN_PASSWORD EOF -echo "Set outputs for GitHub App auth" -echo "app-id=$GITHUB_APP_ID" >> "$GITHUB_OUTPUT" -echo "private-key=$GITHUB_APP_PRIVATE_KEY" >> "$GITHUB_OUTPUT" - echo "Set up output directories" export RELEASE_ASSETS=/tmp/release-assets mkdir $RELEASE_ASSETS @@ -44,3 +40,7 @@ ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS EOF + +echo "Set up git credentials" +git config user.email "41898282+github-actions[bot]@users.noreply.github.com" +git config user.name "github-actions[bot]" \ No newline at end of file From 475409c5dbeb0fcf899fbe74e7e80f7fbc65f4c1 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Wed, 22 May 2024 06:48:45 -0500 Subject: [PATCH 19/40] Update readme --- README.md | 136 ++++++++++++++++++++++++--------- python/bump-and-tag/action.yml | 4 +- python/publish/action.yml | 12 +-- 3 files changed, 106 insertions(+), 46 deletions(-) diff --git a/README.md b/README.md index 7bc79b9..e621191 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,25 @@ This repository contains GitHub Actions that are common to drivers. +## Setup + +There is a common setup action that is meant to be run before all +other actions. It handles fetching secrets from AWS Secrets Manager, +signing into Artifactory, setting up Garasign credentials, and +setting up environment variables used in other actions. +The action requires `id-token: write` permissions. + +```yaml +- name: setup + uses: mongodb/drivers-github-tools/setup@main + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: ${{ vars.AWS_REGION_NAME }} + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + app_id: ${{ vars.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} +``` + ## Signing tools The actions in the `garasign` folder are used to sign artifacts using the team's 
@@ -15,60 +34,49 @@ GPG key. Use this action to create signed git artifacts: ```yaml -- name: "Create signed commit" - uses: mongodb/drivers-github-tools/garasign/git-sign@main - with: - command: "git commit -m 'Commit' -s --gpg-sign=${{ vars.GPG_KEY_ID }}" - garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} - garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} - -- name: "Create signed tag" - uses: mongodb/drivers-github-tools/garasign/git-sign@main +- name: Setup + uses: mongodb/drivers-github-tools/setup@main with: - command: "git tag -m 'Tag' -s --local-user=${{ vars.GPG_KEY_ID }} " - garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} - garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} - skip_setup: true -``` + ... + +- name: Create signed commit + uses: mongodb/drivers-github-tools/git-sign@main -If the action is used multiple times within the same job, the `skip_setup` -option can be set to a truthy value to avoid unnecessary logins to artifactory. +- name: Create signed tag + uses: mongodb/drivers-github-tools//git-sign@main +``` ### gpg-sign This action is used to create detached signatures for files: ```yaml -- name: "Create detached signature" - uses: mongodb/drivers-github-tools/garasign/gpg-sign@main +- name: Setup + uses: mongodb/drivers-github-tools/setup@main + with: + ... 
+ +- name: Create detached signature + uses: mongodb/drivers-github-tools/gpg-sign@main with: filenames: somefile.ext - garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} - garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} ``` The action will create a signature file `somefile.ext.sig` in the working directory. -If the action is used multiple times within the same job, the `skip_setup` -option can be set to a truthy value to avoid unnecessary logins to artifactory. -You can also supply multiple space-separated filenames to sign a list of files: +You can also supply a glob pattern to sign a group of files: ```yaml -- name: "Create detached signature" +- name: Setup + uses: mongodb/drivers-github-tools/setup@main + with: + ... + +- name: Create detached signature uses: mongodb/drivers-github-tools/garasign/gpg-sign@main with: filenames: dist/* - garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} - garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} ``` ## Reporting tools 
@@ -76,17 +84,69 @@ You can also supply multiple space-separated filenames to sign a list of files: The following tools are meant to aid in generating Software Security Development Lifecycle reports associated with a product release. -### Papertrail +### Authorized Publication This action will create a record of authorized publication on distribution channels. -By default it will create a "papertrail.txt" file in the current directory. +It will create the file `$S3_ASSETS/authorized_publication.txt` ```yaml -- name: "Create papertrail report" - uses: mongodb/drivers-github-tools/papertrail@main +- name: Setup + uses: mongodb/drivers-github-tools/setup@main + with: + ... + +- name: Create Authorized Publication Report + uses: mongodb/drivers-github-tools/authorized-pub@main with: product_name: Mongo Python Driver release_version: ${{ github.ref_name }} filenames: dist/* token: ${{ github.token }} ``` + +## Python Helper Scripts + +These scripts are opinionated helper scripts for Python releases. + +### Bump and Tag + +Bump the version and create a new tag. Verify the tag. +Push the commit and tag to the source branch unless `dry_run` is set. + +```yaml +- name: Setup + uses: mongodb/drivers-github-tools/setup@main + with: + ... + +- uses: mongodb/drivers-github-tools/python/bump-and-tag@main + with: + version: ${{ inputs.version }} + version_bump_script: ./.github/scripts/bump-version.sh + dry_run: ${{ inputs.dry_run }} +``` + +### Publish + +Handles tasks related to publishing Python packages, including +signing `dist` file and publishing the `dist` files to PyPI. +It will also push the post (dev) version to the source branch. +It will create a draft GitHub release and attach the signature files. +Finally, it will publish a report to the appropriate S3 bucket. +If `dry_run` is set, nothing will be published or pushed. + +```yaml +- name: Setup + uses: mongodb/drivers-github-tools/setup@main + with: + ... 
+ +- uses: mongodb-labs/drivers-github-tools/python/publish@main + with: + version: ${{ inputs.version }} + post_version: ${{ inputs.post_version }} + version_bump_script: ./.github/scripts/bump-version.sh + product_name: winkerberos + token: ${{ github.token }} + dry_run: ${{ inputs.dry_run }} +``` \ No newline at end of file diff --git a/python/bump-and-tag/action.yml b/python/bump-and-tag/action.yml index af38539..384fb6b 100644 --- a/python/bump-and-tag/action.yml +++ b/python/bump-and-tag/action.yml @@ -25,11 +25,11 @@ runs: run: | bash ${{ inputs.version_bump_script }} ${{ inputs.version }} - name: Commit the version bump - uses: blink1073/drivers-github-tools/git-sign@refactor + uses: mongodb-labs/drivers-github-tools/git-sign@main with: command: git commit -a -m \"BUMP ${{ inputs.version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Tag the version - uses: blink1073/drivers-github-tools/git-sign@refactor + uses: mongodb-labs/drivers-github-tools/git-sign@main with: command: git tag -a \"${{ inputs.version }}\" -m \"BUMP ${{ inputs.version }}\" -s --local-user=${{ env.GPG_KEY_ID }} - name: Verify the tag diff --git a/python/publish/action.yml b/python/publish/action.yml index c603967..583b06c 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -33,10 +33,10 @@ runs: name: all-dist-${{ github.run_id }} path: dist/ - name: Create detached signature for dist files - uses: blink1073/drivers-github-tools/gpg-sign@refactor + uses: mongodb-labs/drivers-github-tools/gpg-sign@main with: filenames: dist/* - - uses: blink1073/drivers-github-tools/authorized-pub@refactor + - uses: mongodb-labs/drivers-github-tools/authorized-pub@main with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.version }} 
@@ -51,16 +51,16 @@ runs: PRODUCT_NAME: ${{ inputs.product_name }} DRY_RUN: ${{ inputs.dry_run }} # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#publishing-the-distribution-to-pypi - # - name: Publish distribution 📦 to PyPI - # if: inputs.dry_run == 'false' - # uses: pypa/gh-action-pypi-publish@release/v1 + - name: Publish distribution 📦 to PyPI + if: inputs.dry_run == 'false' + uses: pypa/gh-action-pypi-publish@release/v1 - name: Set post version shell: bash -eux {0} run: | git clean -dffx bash ${{ inputs.version_bump_script }} ${{ inputs.version }} - name: Commit the version bump - uses: blink1073/drivers-github-tools/git-sign@refactor + uses: mongodb-labs/drivers-github-tools/git-sign@main with: command: git commit -a -m \"BUMP ${{ inputs.post_version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Push the commit to the source branch From feb4927afb1b5d5fc209214b15a35af7851ac3c5 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 22 May 2024 08:00:07 -0500 Subject: [PATCH 20/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e621191..2ffaeb6 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ Use this action to create signed git artifacts: uses: mongodb/drivers-github-tools/git-sign@main - name: Create signed tag - uses: mongodb/drivers-github-tools//git-sign@main + uses: mongodb/drivers-github-tools/git-sign@main ``` ### gpg-sign From 5e015f283d26e11670215d9e99a96a056ed77e1c Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 22 May 2024 08:00:25 -0500 Subject: [PATCH 21/40] Update setup/setup.sh Co-authored-by: Andreas Braun --- setup/setup.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 5961ad8..b55bf4f 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
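Review bot: The PyPI step is gated with `if: inputs.dry_run == 'false'` while the push step in PATCH 25 (L36) is gated with `if [ ${{ inputs.dry_run }} != "true" ]`, so any value other than the two literals (empty, `False`, `0`) skips publication yet still pushes the version-bump commit and tags. Use one fail-closed check in both places, e.g. `if [ "${{ inputs.dry_run }}" = "false" ]; then` in the shell step, so a malformed input does nothing irreversible. `pypa/gh-action-pypi-publish@release/v1` is a mutable branch reference on the step that uploads the release artifacts; pinning it (and the other third-party actions in this series) to a full commit SHA, `pypa/gh-action-pypi-publish@<full-commit-sha>`, keeps the publish path from changing without a review in this repository.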
@@ -42,5 +42,5 @@ S3_ASSETS=$S3_ASSETS EOF echo "Set up git credentials" -git config user.email "41898282+github-actions[bot]@users.noreply.github.com" -git config user.name "github-actions[bot]" \ No newline at end of file +git config user.email "167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com" +git config user.name "mongodb-dbx-release-bot[bot]" \ No newline at end of file From 820e05c77f59d7c26a430081bcb516e2e43daf61 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 22 May 2024 08:00:43 -0500 Subject: [PATCH 22/40] Update setup/action.yml Co-authored-by: Andreas Braun --- setup/action.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup/action.yml b/setup/action.yml index f067568..dbd491f 100644 --- a/setup/action.yml +++ b/setup/action.yml @@ -22,6 +22,10 @@ inputs: artifactory_image: description: "Image to use for artifactory" default: release-tools-container-registry-local/garasign-git +outputs: + token: + description: "GitHub installation access token" + value: ${{ steps.app-token.outputs.token }} runs: using: composite From 5e8749ab9ddc959babb91356944b8ec8afe5f42f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 22 May 2024 08:05:45 -0500 Subject: [PATCH 23/40] address review --- README.md | 2 -- git-sign/action.yml | 5 ++++- gpg-sign/action.yml | 5 ++++- setup/action.yml | 21 --------------------- setup/setup.sh | 2 -- 5 files changed, 8 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 2ffaeb6..b5adb6d 100644 --- a/README.md +++ b/README.md @@ -20,8 +20,6 @@ The action requires `id-token: write` permissions. aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: ${{ vars.AWS_REGION_NAME }} aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - app_id: ${{ vars.APP_ID }} - private_key: ${{ secrets.APP_PRIVATE_KEY }} ``` ## Signing tools diff --git a/git-sign/action.yml b/git-sign/action.yml index c0c081b..5ca4b03 100644 --- a/git-sign/action.yml +++ b/git-sign/action.yml 
@@ -4,6 +4,9 @@ inputs: command: description: "Command to run inside the container" required: true + artifactory_image: + description: "Image to use for artifactory" + default: release-tools-container-registry-local/garasign-git runs: using: composite @@ -15,6 +18,6 @@ runs: --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${ARTIFACTORY_REGISTRY}/${ARTIFACTORY_IMAGE} \ + ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ /bin/bash -c "gpgloader && ${{ inputs.command }}" shell: bash diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 86611f9..fb6ac01 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -4,6 +4,9 @@ inputs: filenames: description: "File name(s) to sign, can be a glob pattern" required: true + artifactory_image: + description: "Image to use for artifactory" + default: release-tools-container-registry-local/garasign-gpg runs: using: composite @@ -16,7 +19,7 @@ runs: --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${ARTIFACTORY_REGISTRY}/${ARTIFACTORY_IMAGE} \ + ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - name: "Move the signature files to the release directory" diff --git a/setup/action.yml b/setup/action.yml index dbd491f..cd812b5 100644 --- a/setup/action.yml +++ b/setup/action.yml 
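Review bot: The image reference `${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }}` in the `podman run` lines of both git-sign and gpg-sign carries neither a tag nor a digest, so podman resolves the mutable `latest` tag at run time, and the same commit removes the explicit `podman pull` from setup.sh (L34). Whatever is at that tag then runs with the workspace mounted and the Garasign credentials from the envfile, which for a signing step is exactly the image that should be content-addressed: give the default a digest, `default: release-tools-container-registry-local/garasign-git@sha256:<digest-placeholder>`, or at least a version tag, and refresh it deliberately. `inputs.artifactory_image` is also spliced straight into the `run:` script; passing it through `env:` and expanding `$ARTIFACTORY_IMAGE` there keeps caller-supplied text out of shell parsing. The `$(unknown).sig $(unknown)` operands in the gpg loop look like an extraction artefact of the loop variable rather than the committed text; worth confirming.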
@@ -10,34 +10,13 @@ inputs: aws_secret_id: description: "The name of the aws secret to use" required: true - app_id: - description: "The GitHub App id" - required: true - private_key: - description: "The GitHub App private key" - required: true artifactory_registry: description: "Artifactory registry to be used" default: artifactory.corp.mongodb.com - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git -outputs: - token: - description: "GitHub installation access token" - value: ${{ steps.app-token.outputs.token }} runs: using: composite steps: - - uses: actions/create-github-app-token@v1 - id: app-token - with: - app-id: ${{ inputs.app_id }} - private-key: ${{ inputs.private_key }} - - uses: actions/checkout@v4 - with: - token: ${{ steps.app-token.outputs.token }} - name: configure aws credentials uses: aws-actions/configure-aws-credentials@v4 with: diff --git a/setup/setup.sh b/setup/setup.sh index b55bf4f..75cabdc 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -12,7 +12,6 @@ done echo "::group::Set up artifactory" echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY -podman pull $ARTIFACTORY_REGISTRY/$ARTIFACTORY_IMAGE echo "::endgroup::" echo "Set up envfile for artifactory image" @@ -35,7 +34,6 @@ AWS_BUCKET=$RELEASE_ASSETS_BUCKET GPG_KEY_ID=$GPG_KEY_ID GPG_PUBLIC_URL=$GPG_PUBLIC_URL GARASIGN_ENVFILE=$GARASIGN_ENVFILE -ARTIFACTORY_IMAGE=$ARTIFACTORY_IMAGE ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS From ef5272dc043fce96a82357d10a62cb23840916c1 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 22 May 2024 11:13:21 -0500 Subject: [PATCH 24/40] Update README.md Co-authored-by: Noah Stapp --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b5adb6d..0026acd 100644 --- a/README.md +++ b/README.md 
@@ -128,7 +128,7 @@ Push the commit and tag to the source branch unless `dry_run` is set. Handles tasks related to publishing Python packages, including signing `dist` file and publishing the `dist` files to PyPI. -It will also push the post (dev) version to the source branch. +It will also push the following (dev) version to the source branch. It will create a draft GitHub release and attach the signature files. Finally, it will publish a report to the appropriate S3 bucket. If `dry_run` is set, nothing will be published or pushed. From 0b47e553d7ebbd1037049be83208bc32a8a2b254 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 22 May 2024 11:16:44 -0500 Subject: [PATCH 25/40] address review --- python/publish/action.yml | 10 ++++++---- python/publish/publish.sh | 7 +++---- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/python/publish/action.yml b/python/publish/action.yml index 583b06c..28b509e 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -5,8 +5,8 @@ inputs: version: description: "The published version" required: true - post_version: - description: "The post version" + following_version: + description: "The following (dev) version" required: true version_bump_script: description: "The version bump script" @@ -54,7 +54,7 @@ runs: - name: Publish distribution 📦 to PyPI if: inputs.dry_run == 'false' uses: pypa/gh-action-pypi-publish@release/v1 - - name: Set post version + - name: Set following version shell: bash -eux {0} run: | git clean -dffx 
@@ -62,10 +62,12 @@ runs: - name: Commit the version bump uses: mongodb-labs/drivers-github-tools/git-sign@main with: - command: git commit -a -m \"BUMP ${{ inputs.post_version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} + command: git commit -a -m \"BUMP ${{ inputs.following_version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Push the commit to the source branch shell: bash -eux {0} run: | if [ ${{ inputs.dry_run }} != "true" ]; then git push origin --tags + else + echo "Not pushing the following_version tag since it is a dry run" fi diff --git a/python/publish/publish.sh b/python/publish/publish.sh index 3f02d15..c25e0bf 100755 --- a/python/publish/publish.sh +++ b/python/publish/publish.sh @@ -2,9 +2,6 @@ set -eux -echo "Show public outputs" -ls -ltr $RELEASE_ASSETS - if [ "$DRY_RUN" == "false" ]; then echo "Uploading Release Reports" TARGET=s3://${AWS_BUCKET}/${PRODUCT_NAME}/${VERSION} @@ -15,5 +12,7 @@ if [ "$DRY_RUN" == "false" ]; then gh release upload ${VERSION} $RELEASE_ASSETS/*.* gh release view ${VERSION} >> $GITHUB_STEP_SUMMARY else - echo "Dry run, not uploading to s3 or creating GitHub Release" + echo "Dry run, not uploading to S3 or creating GitHub Release" + ls -ltr $RELEASE_ASSETS + ls -ltr $S3_ASSETS fi From 681f180fb74c170e5380848f896d90f9d863b91e Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Wed, 22 May 2024 12:36:03 -0500 Subject: [PATCH 26/40] Update README.md Co-authored-by: Noah Stapp --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0026acd..f29c677 100644 --- a/README.md +++ b/README.md @@ -142,7 +142,7 @@ If `dry_run` is set, nothing will be published or pushed. - uses: mongodb-labs/drivers-github-tools/python/publish@main with: version: ${{ inputs.version }} - post_version: ${{ inputs.post_version }} + following_version: ${{ inputs.following_version }} version_bump_script: ./.github/scripts/bump-version.sh product_name: winkerberos token: ${{ github.token }} 
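Review bot: `git push origin --tags` pushes only `refs/tags/*`; with no branch refspec the default push refspec is not added, so the "BUMP following_version" commit created two steps earlier is not pushed to the source branch, and both the step name and the new `else` message (which speaks of a `following_version` tag that no step creates) describe something that does not happen. Unless the push happens elsewhere, push the branch as well, `git push origin HEAD --tags`, assuming the checkout left the source branch checked out rather than a detached HEAD. The condition also interpolates `${{ inputs.dry_run }}` unquoted into the test; an empty value leaves `[ != "true" ]`, which `test` rejects as a usage error, so quote it: `if [ "${{ inputs.dry_run }}" != "true" ]; then`.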
From b301d21ebfed70de4da558c77682e1043ebc61bb Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:23:44 -0500 Subject: [PATCH 27/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f29c677..8a49318 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ The action requires `id-token: write` permissions. ```yaml - name: setup - uses: mongodb/drivers-github-tools/setup@main + uses: mongodb/drivers-github-tools/setup@v2 with: aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} aws_region_name: ${{ vars.AWS_REGION_NAME }} From 2e38f3e29d24c096d09087dba54a2cbf54efa5be Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:23:51 -0500 Subject: [PATCH 28/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8a49318..5afb239 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Use this action to create signed git artifacts: ```yaml - name: Setup - uses: mongodb/drivers-github-tools/setup@main + uses: mongodb/drivers-github-tools/setup@v2 with: ... From 8f856b3bd93e88e4c02a8097e26bb36391de1613 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:24:01 -0500 Subject: [PATCH 29/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5afb239..0dae1c7 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ Use this action to create signed git artifacts: uses: mongodb/drivers-github-tools/git-sign@main - name: Create signed tag - uses: mongodb/drivers-github-tools/git-sign@main + uses: mongodb/drivers-github-tools/git-sign@v2 ``` ### gpg-sign From 4b1ec7c3d65de6847adf702e9d323161897b6829 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Thu, 23 May 2024 08:24:09 -0500 Subject: [PATCH 30/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0dae1c7..bb584d1 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,7 @@ Use this action to create signed git artifacts: ... - name: Create signed commit - uses: mongodb/drivers-github-tools/git-sign@main + uses: mongodb/drivers-github-tools/git-sign@v2 - name: Create signed tag uses: mongodb/drivers-github-tools/git-sign@v2 From 3469d9bba783800f784b7b22280b6123253287be Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:24:18 -0500 Subject: [PATCH 31/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bb584d1..edeff29 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ This action is used to create detached signatures for files: ```yaml - name: Setup - uses: mongodb/drivers-github-tools/setup@main + uses: mongodb/drivers-github-tools/setup@v2 with: ... From d5a82e729b6a9c8e9e771900b57a2743bc98e56f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:24:28 -0500 Subject: [PATCH 32/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index edeff29..1d4de6b 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ This action is used to create detached signatures for files: ... - name: Create detached signature - uses: mongodb/drivers-github-tools/gpg-sign@main + uses: mongodb/drivers-github-tools/gpg-sign@v2 with: filenames: somefile.ext ``` From 233cdd883b2eabd278ad876238cba8090861927e Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Thu, 23 May 2024 08:24:37 -0500 Subject: [PATCH 33/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1d4de6b..46d38df 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,7 @@ It will create the file `$S3_ASSETS/authorized_publication.txt` ... - name: Create Authorized Publication Report - uses: mongodb/drivers-github-tools/authorized-pub@main + uses: mongodb/drivers-github-tools/authorized-pub@v2 with: product_name: Mongo Python Driver release_version: ${{ github.ref_name }} From 252f68b03808ade0db3149bad7b8220299cad761 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:24:44 -0500 Subject: [PATCH 34/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 46d38df..b277b55 100644 --- a/README.md +++ b/README.md @@ -113,7 +113,7 @@ Push the commit and tag to the source branch unless `dry_run` is set. ```yaml - name: Setup - uses: mongodb/drivers-github-tools/setup@main + uses: mongodb/drivers-github-tools/setup@v2 with: ... From b08290e420db4a042d2e5f38bebb14356adddebf Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:24:52 -0500 Subject: [PATCH 35/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b277b55..58e918b 100644 --- a/README.md +++ b/README.md @@ -117,7 +117,7 @@ Push the commit and tag to the source branch unless `dry_run` is set. with: ... -- uses: mongodb/drivers-github-tools/python/bump-and-tag@main +- uses: mongodb/drivers-github-tools/python/bump-and-tag@v2 with: version: ${{ inputs.version }} version_bump_script: ./.github/scripts/bump-version.sh From 310a73293618e70bb213bff55dfae5ad7f09a3ed Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Thu, 23 May 2024 08:24:58 -0500 Subject: [PATCH 36/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 58e918b..aef222a 100644 --- a/README.md +++ b/README.md @@ -135,7 +135,7 @@ If `dry_run` is set, nothing will be published or pushed. ```yaml - name: Setup - uses: mongodb/drivers-github-tools/setup@main + uses: mongodb/drivers-github-tools/setup@v2 with: ... From 1f1d6e6069eafa06e749f0eaeb5be9cfcce258e5 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:25:05 -0500 Subject: [PATCH 37/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aef222a..0715dd3 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,7 @@ If `dry_run` is set, nothing will be published or pushed. with: ... -- uses: mongodb-labs/drivers-github-tools/python/publish@main +- uses: mongodb-labs/drivers-github-tools/python/publish@v2 with: version: ${{ inputs.version }} following_version: ${{ inputs.following_version }} From 34d18e36964f28237931563cbd6fb3edbd3a504c Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:25:16 -0500 Subject: [PATCH 38/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0715dd3..f0364f2 100644 --- a/README.md +++ b/README.md @@ -67,7 +67,7 @@ You can also supply a glob pattern to sign a group of files: ```yaml - name: Setup - uses: mongodb/drivers-github-tools/setup@main + uses: mongodb/drivers-github-tools/setup@v2 with: ... From f5eb0951e0523ef9017b4cc106719017f159b950 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Thu, 23 May 2024 08:25:25 -0500 Subject: [PATCH 39/40] Update README.md Co-authored-by: Andreas Braun --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f0364f2..f377a3a 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ It will create the file `$S3_ASSETS/authorized_publication.txt` ```yaml - name: Setup - uses: mongodb/drivers-github-tools/setup@main + uses: mongodb/drivers-github-tools/setup@v2 with: ... From b2918e900dcf114307929b91a5c3edf6cdec598d Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 23 May 2024 08:28:34 -0500 Subject: [PATCH 40/40] add note about actions/checkout --- README.md | 7 ++++++- python/bump-and-tag/action.yml | 4 ++-- python/publish/action.yml | 6 +++--- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index f377a3a..d418fe6 100644 --- a/README.md +++ b/README.md @@ -22,6 +22,11 @@ The action requires `id-token: write` permissions. aws_secret_id: ${{ secrets.AWS_SECRET_ID }} ``` +> [!Note] +> You *must* use the `actions/checkout` action prior to calling the `setup` action, +> Since the `setup` action sets up git config that would be overridden by the +> `actions/checkout action` + ## Signing tools The actions in the `garasign` folder are used to sign artifacts using the team's @@ -72,7 +77,7 @@ You can also supply a glob pattern to sign a group of files: ... - name: Create detached signature - uses: mongodb/drivers-github-tools/garasign/gpg-sign@main + uses: mongodb/drivers-github-tools/garasign/gpg-sign@v1 with: filenames: dist/* ``` diff --git a/python/bump-and-tag/action.yml b/python/bump-and-tag/action.yml index 384fb6b..477045c 100644 --- a/python/bump-and-tag/action.yml +++ b/python/bump-and-tag/action.yml 
@@ -25,11 +25,11 @@ runs: run: | bash ${{ inputs.version_bump_script }} ${{ inputs.version }} - name: Commit the version bump - uses: mongodb-labs/drivers-github-tools/git-sign@main + uses: mongodb-labs/drivers-github-tools/git-sign@v2 with: command: git commit -a -m \"BUMP ${{ inputs.version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Tag the version - uses: mongodb-labs/drivers-github-tools/git-sign@main + uses: mongodb-labs/drivers-github-tools/git-sign@v2 with: command: git tag -a \"${{ inputs.version }}\" -m \"BUMP ${{ inputs.version }}\" -s --local-user=${{ env.GPG_KEY_ID }} - name: Verify the tag diff --git a/python/publish/action.yml b/python/publish/action.yml index 28b509e..ea8d0cc 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -33,10 +33,10 @@ runs: name: all-dist-${{ github.run_id }} path: dist/ - name: Create detached signature for dist files - uses: mongodb-labs/drivers-github-tools/gpg-sign@main + uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 with: filenames: dist/* - - uses: mongodb-labs/drivers-github-tools/authorized-pub@main + - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.version }} @@ -60,7 +60,7 @@ runs: git clean -dffx bash ${{ inputs.version_bump_script }} ${{ inputs.version }} - name: Commit the version bump - uses: mongodb-labs/drivers-github-tools/git-sign@main + uses: mongodb-labs/drivers-github-tools/git-sign@v2 with: command: git commit -a -m \"BUMP ${{ inputs.following_version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Push the commit to the source branch
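Review bot: The two `uses:` lines now pin `git-sign@v2`, but the `command:` lines they apply to still interpolate `${{ inputs.version }}` straight into a shell string that git-sign executes with `/bin/bash -c "gpgloader && ${{ inputs.command }}"` (PATCH 23, L33), so the version text is parsed by the shell rather than passed as data. `version` is presumably a `workflow_dispatch` input and so operator-supplied, but it should still be validated before it reaches `git commit`/`git tag`: a preceding `shell: bash` step with `VERSION: ${{ inputs.version }}` under `env:` and a check such as `run: [[ "$VERSION" =~ ^[0-9]+(\.[0-9]+)+[A-Za-z0-9.+-]*$ ]]` (example pattern; use the project's own) fails the job on anything else. The same applies to `inputs.following_version` in the publish hunk on this line. The refs here point at `mongodb-labs/drivers-github-tools@v2` while the README examples in PATCHes 27–39 use `mongodb/drivers-github-tools@v2`; presumably one organisation is the canonical home and the other reference will drift.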