Skip to content

Commit

Permalink
Merge 4.4 into 4.5 (#3005)
Browse files Browse the repository at this point in the history
  • Loading branch information
mongodb-php-bot authored Jun 13, 2024
2 parents 83a07d1 + 42f5a49 commit 88de735
Show file tree
Hide file tree
Showing 3 changed files with 151 additions and 80 deletions.
56 changes: 0 additions & 56 deletions .github/workflows/coding-standards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -67,59 +67,3 @@ jobs:
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "apply phpcbf formatting"

analysis:
runs-on: "ubuntu-22.04"
continue-on-error: true
strategy:
matrix:
php:
- '8.1'
- '8.2'
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
extensions: curl, mbstring
tools: composer:v2
coverage: none

- name: Cache dependencies
id: composer-cache
uses: actions/cache@v4
with:
path: ./vendor
key: composer-${{ hashFiles('**/composer.lock') }}

- name: Install dependencies
run: composer install

- name: Restore cache PHPStan results
id: phpstan-cache-restore
uses: actions/cache/restore@v4
with:
path: .cache
key: "phpstan-result-cache-${{ github.run_id }}"
restore-keys: |
phpstan-result-cache-
- name: Run PHPStan
run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif

- name: "Upload SARIF report"
if: always()
uses: "github/codeql-action/upload-sarif@v3"
with:
sarif_file: phpstan.sarif

- name: Save cache PHPStan results
id: phpstan-cache-save
if: always()
uses: actions/cache/save@v4
with:
path: .cache
key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }}
101 changes: 77 additions & 24 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,21 +22,11 @@ jobs:
- name: "Create release output"
run: echo '🎬 Release process for version ${{ inputs.version }} started by @${{ github.triggering_actor }}' >> $GITHUB_STEP_SUMMARY

- name: "Create temporary app token"
uses: actions/create-github-app-token@v1
id: app-token
- name: "Generate token and checkout repository"
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: "Store GitHub token in environment"
run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
shell: bash

- uses: actions/checkout@v4
with:
submodules: true
token: ${{ env.GH_TOKEN }}
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}

- name: "Store version numbers in env variables"
run: |
Expand Down Expand Up @@ -71,11 +61,11 @@ jobs:
- name: "Create draft release"
run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --generate-notes --draft)" >> "$GITHUB_ENV"

# This step creates the signed release tag
- name: "Create release tag"
uses: mongodb-labs/drivers-github-tools/git-sign@v2
uses: mongodb-labs/drivers-github-tools/tag-version@v2
with:
command: "git tag -m 'Release ${{ inputs.version }}' -s --local-user=${{ env.GPG_KEY_ID }} ${{ inputs.version }}"
version: ${{ inputs.version }}
tag_message_template: 'Release ${VERSION}'

# TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created
# Process is:
Expand All @@ -84,14 +74,77 @@ jobs:
# 3. push next branch
# 4. switch back to release branch, then push

- name: "Push changes from release branch"
run: git push

# Pushing the release tag starts build processes that then produce artifacts for the release
- name: "Push release tag"
run: git push origin ${{ inputs.version }}

- name: "Set summary"
run: |
echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
static-analysis:
needs: prepare-release
name: "Run Static Analysis"
uses: ./.github/workflows/static-analysis.yml
with:
ref: refs/tags/${{ inputs.version }}
permissions:
security-events: write
id-token: write

publish-ssdlc-assets:
needs: static-analysis
environment: release
name: "Publish SSDLC Assets"
runs-on: ubuntu-latest
permissions:
security-events: read
id-token: write
contents: write

steps:
- name: "Generate token and checkout repository"
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
ref: refs/tags/${{ inputs.version }}

# Sets the S3_ASSETS environment variable used later
- name: "Set up drivers-github-tools"
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: ${{ vars.AWS_REGION_NAME }}
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}

- name: "Generate authorized publication document"
uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
with:
product_name: "MongoDB Laravel Integration"
release_version: ${{ inputs.version }}
filenames: ""
token: ${{ env.GH_TOKEN }}

- name: "Download SBOM file from Silk"
uses: mongodb-labs/drivers-github-tools/sbom@v2
with:
silk_asset_group: mongodb-laravel-integration

- name: "Upload SBOM as release artifact"
run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
continue-on-error: true

- name: "Generate SARIF report from code scanning alerts"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
ref: ${{ inputs.version }}
output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json

- name: "Generate compliance report"
uses: mongodb-labs/drivers-github-tools/compliance-report@v2
with:
token: ${{ env.GH_TOKEN }}

- name: Upload S3 assets
uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ inputs.version }}
product_name: laravel-mongodb
74 changes: 74 additions & 0 deletions .github/workflows/static-analysis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
name: "Static Analysis"

on:
push:
pull_request:
workflow_call:
inputs:
ref:
description: "The git ref to check"
type: string
required: true

env:
PHP_VERSION: "8.2"
DRIVER_VERSION: "stable"

jobs:
phpstan:
runs-on: "ubuntu-22.04"
continue-on-error: true
strategy:
matrix:
php:
- '8.1'
- '8.2'
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}

- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
extensions: curl, mbstring
tools: composer:v2
coverage: none

- name: Cache dependencies
id: composer-cache
uses: actions/cache@v4
with:
path: ./vendor
key: composer-${{ hashFiles('**/composer.lock') }}

- name: Install dependencies
run: composer install

- name: Restore cache PHPStan results
id: phpstan-cache-restore
uses: actions/cache/restore@v4
with:
path: .cache
key: "phpstan-result-cache-${{ matrix.php }}-${{ github.run_id }}"
restore-keys: |
phpstan-result-cache-
- name: Run PHPStan
run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif

- name: "Upload SARIF report"
if: always()
uses: "github/codeql-action/upload-sarif@v3"
with:
sarif_file: phpstan.sarif

- name: Save cache PHPStan results
id: phpstan-cache-save
if: always()
uses: actions/cache/save@v4
with:
path: .cache
key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }}

0 comments on commit 88de735

Please sign in to comment.