diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index 1eebcaa5f..24d397294 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -67,59 +67,3 @@ jobs:
 uses: stefanzweifel/git-auto-commit-action@v5
 with:
 commit_message: "apply phpcbf formatting"
-
- analysis:
- runs-on: "ubuntu-22.04"
- continue-on-error: true
- strategy:
- matrix:
- php:
- - '8.1'
- - '8.2'
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Setup PHP
- uses: shivammathur/setup-php@v2
- with:
- php-version: ${{ matrix.php }}
- extensions: curl, mbstring
- tools: composer:v2
- coverage: none
-
- - name: Cache dependencies
- id: composer-cache
- uses: actions/cache@v4
- with:
- path: ./vendor
- key: composer-${{ hashFiles('**/composer.lock') }}
-
- - name: Install dependencies
- run: composer install
-
- - name: Restore cache PHPStan results
- id: phpstan-cache-restore
- uses: actions/cache/restore@v4
- with:
- path: .cache
- key: "phpstan-result-cache-${{ github.run_id }}"
- restore-keys: |
- phpstan-result-cache-
-
- - name: Run PHPStan
- run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif
-
- - name: "Upload SARIF report"
- if: always()
- uses: "github/codeql-action/upload-sarif@v3"
- with:
- sarif_file: phpstan.sarif
-
- - name: Save cache PHPStan results
- id: phpstan-cache-save
- if: always()
- uses: actions/cache/save@v4
- with:
- path: .cache
- key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1f1b3e44e..63dea84c4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,21 +22,11 @@ jobs:
 - name: "Create release output"
 run: echo '🎬 Release process for version ${{ inputs.version }} started by @${{ github.triggering_actor }}' >> $GITHUB_STEP_SUMMARY
- - name: "Create temporary app token"
- uses: actions/create-github-app-token@v1
- id: app-token
+ - name: "Generate token and checkout repository"
+ uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
 with:
- app-id: ${{ vars.APP_ID }}
- private-key: ${{ secrets.APP_PRIVATE_KEY }}
-
- - name: "Store GitHub token in environment"
- run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
- shell: bash
-
- - uses: actions/checkout@v4
- with:
- submodules: true
- token: ${{ env.GH_TOKEN }}
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
 - name: "Store version numbers in env variables"
 run: |
@@ -71,11 +61,11 @@ jobs:
 - name: "Create draft release"
 run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --generate-notes --draft)" >> "$GITHUB_ENV"
- # This step creates the signed release tag
 - name: "Create release tag"
- uses: mongodb-labs/drivers-github-tools/git-sign@v2
+ uses: mongodb-labs/drivers-github-tools/tag-version@v2
 with:
- command: "git tag -m 'Release ${{ inputs.version }}' -s --local-user=${{ env.GPG_KEY_ID }} ${{ inputs.version }}"
+ version: ${{ inputs.version }}
+ tag_message_template: 'Release ${VERSION}'
 # TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created
 # Process is:
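Review bot: The replaced checkout carried `submodules: true`, and the new `secure-checkout@v2` step passes no equivalent input, so if any later step in this job depends on submodule content it now runs against an empty submodule tree; confirm the action checks out submodules or pass its equivalent input explicitly. The steps that follow still read `${{ env.GH_TOKEN }}` while the removed `Store GitHub token in environment` step that used to export it is gone, so the job now presumably relies on `secure-checkout` exporting that variable — worth stating above the step, e.g. `# secure-checkout exports GH_TOKEN for the gh CLI steps below`. Because this step receives `secrets.APP_PRIVATE_KEY`, pinning `mongodb-labs/drivers-github-tools` to a commit SHA instead of the mutable `@v2` tag would keep a tag move from silently changing the code that handles that key; the same applies to every `@v2` use added in the later hunk. The enclosing `prepare-release` job starts outside this hunk.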
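Review bot: The signing flags are no longer visible: the removed `git tag ... -s --local-user=${{ env.GPG_KEY_ID }}` made the signature and the key explicit, while `tag-version@v2` only receives `version` and `tag_message_template`, so whether the release tag is still GPG-signed, and with which key, now depends on that action's defaults. Confirm this against the action, and replace the dropped `# This step creates the signed release tag` comment with one that records what is now delegated, e.g. `# tag-version signs the tag with the key from the setup step and pushes it (see the removed push steps below)`. The `'Release ${VERSION}'` template is single-quoted so `${VERSION}` reaches the action literally, which appears intended; a trailing `# placeholder expanded by tag-version` comment would stop a reader from "fixing" it into `${{ inputs.version }}`.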
@@ -84,14 +74,77 @@ jobs:
 # 3. push next branch
 # 4. switch back to release branch, then push
- - name: "Push changes from release branch"
- run: git push
-
- # Pushing the release tag starts build processes that then produce artifacts for the release
- - name: "Push release tag"
- run: git push origin ${{ inputs.version }}
-
 - name: "Set summary"
 run: |
 echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
 echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
+
+ static-analysis:
+ needs: prepare-release
+ name: "Run Static Analysis"
+ uses: ./.github/workflows/static-analysis.yml
+ with:
+ ref: refs/tags/${{ inputs.version }}
+ permissions:
+ security-events: write
+ id-token: write
+
+ publish-ssdlc-assets:
+ needs: static-analysis
+ environment: release
+ name: "Publish SSDLC Assets"
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: read
+ id-token: write
+ contents: write
+
+ steps:
+ - name: "Generate token and checkout repository"
+ uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+ with:
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+ ref: refs/tags/${{ inputs.version }}
+
+ # Sets the S3_ASSETS environment variable used later
+ - name: "Set up drivers-github-tools"
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: ${{ vars.AWS_REGION_NAME }}
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+ - name: "Generate authorized publication document"
+ uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+ with:
+ product_name: "MongoDB Laravel Integration"
+ release_version: ${{ inputs.version }}
+ filenames: ""
+ token: ${{ env.GH_TOKEN }}
+
+ - name: "Download SBOM file from Silk"
+ uses: mongodb-labs/drivers-github-tools/sbom@v2
+ with:
+ silk_asset_group: mongodb-laravel-integration
+
+ - name: "Upload SBOM as release
artifact"
+ run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
+ continue-on-error: true
+
+ - name: "Generate SARIF report from code scanning alerts"
+ uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+ with:
+ ref: ${{ inputs.version }}
+ output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
+
+ - name: "Generate compliance report"
+ uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+ with:
+ token: ${{ env.GH_TOKEN }}
+
+ - name: Upload S3 assets
+ uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+ with:
+ version: ${{ inputs.version }}
+ product_name: laravel-mongodb
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
new file mode 100644
index 000000000..240c0aa5b
--- /dev/null
+++ b/.github/workflows/static-analysis.yml
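Review bot: `continue-on-error: true` on the `Upload SBOM as release artifact` step means a failed `gh release upload` leaves the release without its SBOM while the job still reports success, so the missing compliance artifact is only discoverable by inspecting the release page; either drop the flag, or give the step an `id` and follow it with a step that checks `steps.<id>.outcome == 'failure'` and runs `echo "::warning::SBOM upload failed"`. The same silent-pass pattern reaches the job's gate: `needs: static-analysis` calls a workflow whose `phpstan` job is itself `continue-on-error: true`, so publication proceeds even when PHPStan could not run at all. The `code-scanning-export` step receives `ref: ${{ inputs.version }}` while `secure-checkout` and the `static-analysis` call both use `refs/tags/${{ inputs.version }}`; unless that action normalises bare tag names, pass the fully qualified ref there too so a branch of the same name cannot be picked up. The `jobs:` mapping and the `prepare-release` job whose tail the removed push steps belonged to start outside this hunk.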
@@ -0,0 +1,74 @@
+name: "Static Analysis"
+
+on:
+ push:
+ pull_request:
+ workflow_call:
+ inputs:
+ ref:
+ description: "The git ref to check"
+ type: string
+ required: true
+
+env:
+ PHP_VERSION: "8.2"
+ DRIVER_VERSION: "stable"
+
+jobs:
+ phpstan:
+ runs-on: "ubuntu-22.04"
+ continue-on-error: true
+ strategy:
+ matrix:
+ php:
+ - '8.1'
+ - '8.2'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@v2
+ with:
+ php-version: ${{ matrix.php }}
+ extensions: curl, mbstring
+ tools: composer:v2
+ coverage: none
+
+ - name: Cache dependencies
+ id: composer-cache
+ uses: actions/cache@v4
+ with:
+ path: ./vendor
+ key: composer-${{ hashFiles('**/composer.lock') }}
+
+ - name: Install dependencies
+ run: composer install
+
+ - name: Restore cache PHPStan results
+ id: phpstan-cache-restore
+ uses: actions/cache/restore@v4
+ with:
+ path: .cache
+ key: "phpstan-result-cache-${{ matrix.php }}-${{ github.run_id }}"
+ restore-keys: |
+ phpstan-result-cache-
+
+ - name: Run PHPStan
+ run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif
+
+ - name: "Upload SARIF report"
+ if: always()
+ uses: "github/codeql-action/upload-sarif@v3"
+ with:
+ sarif_file: phpstan.sarif
+
+ - name: Save cache PHPStan results
+ id: phpstan-cache-save
+ if: always()
+ uses: actions/cache/save@v4
+ with:
+ path: .cache
+ key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }}
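Review bot: The checkout `ref` expression gates on `github.event_name == 'workflow_dispatch'`, but inside a reusable workflow `github.event_name` is the caller's event, so the `required: true` input `ref` is honoured only when release.yml happens to be dispatched manually and is silently replaced by `github.ref` for any other caller; `ref: ${{ inputs.ref || github.ref }}` covers `push`/`pull_request` (where `inputs` is empty) and every `workflow_call` caller alike. The file declares no `permissions:` block, so on the `push` and `pull_request` triggers the `Upload SARIF report` step runs with the repository's default token scope and is expected to be rejected unless that default already includes `security-events: write`; the caller in release.yml grants it, but this workflow should declare `permissions: security-events: write` for itself. `env.PHP_VERSION` and `env.DRIVER_VERSION` are set but nothing in the file reads them (the matrix supplies the PHP version), so either use or remove them. `continue-on-error: true` on the job also turns a crashed `composer install` or PHPStan invocation into a green result, which weakens what a caller's `needs:` can rely on.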