From 5ec93ccd765405250e874a5a809b0d88c9d06d6a Mon Sep 17 00:00:00 2001 From: Aditi Khare Date: Thu, 23 May 2024 17:46:37 -0400 Subject: [PATCH 1/7] copied over changes --- .../compress_sign_and_upload/action.yml | 42 +++++++++++++++++++ .github/workflows/release-5.x.yml | 29 ++++++++----- .github/workflows/release.yml | 27 ++++++++---- README.md | 19 +++++++++ 4 files changed, 98 insertions(+), 19 deletions(-) create mode 100644 .github/actions/compress_sign_and_upload/action.yml diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml new file mode 100644 index 0000000000..25589990fa --- /dev/null +++ b/.github/actions/compress_sign_and_upload/action.yml 
@@ -0,0 +1,42 @@
+name: Compress and Sign
+description: 'Compresses package and signs with garasign'
+
+inputs:
+ garasign_username:
+ description: 'Garasign username input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ garasign_password:
+ description: 'Garasign password input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ artifactory_username:
+ description: 'Artifactory username input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+ artifactory_password:
+ description: 'Artifactory password input for drivers-github-tools/garasign/gpg-sign'
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - run: npm pack
+ shell: bash
+
+ - name: Get release version and release package file name
+ id: vars
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+ - name: Create detached signature
+ uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1
+ with:
+ filenames: ${{ steps.vars.package_file }}
+ garasign_username: ${{ inputs.garasign_username }}
+ garasign_password: ${{ inputs.garasign_password }}
+ artifactory_username: ${{ inputs.artifactory_username }}
+ artifactory_password: ${{ inputs.artifactory_password }}
+
+ - name: "Upload release artifacts"
+ run: gh release upload v${{ steps.vars.package_version }} ${{ steps.vars.package_file }}.sig
+ shell: bash
\ No newline at end of file
diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml
index d0958648b1..991e3eea57 100644
--- a/.github/workflows/release-5.x.yml
+++ b/.github/workflows/release-5.x.yml
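Review bot: The `Create detached signature` step in `.github/actions/compress_sign_and_upload/action.yml` references `mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1` by a movable tag, and that step is handed the signing and Artifactory credentials. A tag can be re-pointed, so whatever it resolves to at release time runs with those secrets. Pinning to a full commit SHA keeps the signing code fixed and reviewable, e.g. `uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@<full-commit-sha> # v1`. The same applies to the `setup@v2` and `gpg-sign@v2` references that PATCH 5/7 introduces in this file.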
@@ -11,21 +11,30 @@ permissions: name: release-5x jobs: - release-please: + release_please: runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} steps: - id: release uses: google-github-actions/release-please-action@v4 with: target-branch: 5.x - - # If release-please created a release, publish to npm - - if: ${{ steps.release.outputs.release_created }} - uses: actions/checkout@v4 - - if: ${{ steps.release.outputs.release_created }} - name: actions/setup + + compress-sign-and-upload: + needs: [release_please] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: actions/setup uses: ./.github/actions/setup - - if: ${{ steps.release.outputs.release_created }} - run: npm publish --provenance --tag=5x + - name: actions/compress_sign_and_upload + uses: ./.github/actions/compress_sign_and_upload + with: + garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} + garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + artifactory_username: ${{ secrets.ARTIFACTORY_USER }} + artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} + - run: npm publish --provenance --tag=5x env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c161f125c4..1606804161 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
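Review bot: In the new `compress-sign-and-upload` job the signature is made over the tarball that the composite action builds with `npm pack`, but the last step, `npm publish --provenance --tag=5x`, is given no tarball and so packs the working tree a second time. The README section added in this patch tells users to verify the registry download against that `.sig`, which only holds if both packs are byte-identical, and nothing in the job checks that. Publishing the file that was signed removes the assumption: expose `package_file` as an output of the composite action and run `npm publish "${PACKAGE_FILE}" --provenance --tag=5x`, with `PACKAGE_FILE` set from that output. The matching step in `.github/workflows/release.yml` (next hunk) has the same gap.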
@@ -11,19 +11,28 @@ permissions: name: release jobs: - release-please: + release_please: runs-on: ubuntu-latest + outputs: + release_created: ${{ steps.release.outputs.release_created }} steps: - id: release - uses: googleapis/release-please-action@v4 + uses: google-github-actions/release-please-action@v4 - # If release-please created a release, publish to npm - - if: ${{ steps.release.outputs.release_created }} - uses: actions/checkout@v4 - - if: ${{ steps.release.outputs.release_created }} - name: actions/setup + compress_sign_and_upload: + needs: [release_please] + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: actions/setup uses: ./.github/actions/setup - - if: ${{ steps.release.outputs.release_created }} - run: npm publish --provenance + - name: actions/compress_sign_and_upload + uses: ./.github/actions/compress_sign_and_upload + with: + garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} + garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + artifactory_username: ${{ secrets.ARTIFACTORY_USER }} + artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} + - run: npm publish --provenance env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/README.md b/README.md index 1a62b08d99..06a32fc79a 100644 --- a/README.md +++ b/README.md 
@@ -20,6 +20,25 @@ The official [MongoDB](https://www.mongodb.com/) driver for Node.js. | Contributing | [CONTRIBUTING.md](https://github.com/mongodb/node-mongodb-native/blob/HEAD/CONTRIBUTING.md) | | Changelog | [HISTORY.md](https://github.com/mongodb/node-mongodb-native/blob/HEAD/HISTORY.md) | + + +### Release Integrity + +The GitHub release contains a detached signature file for the NPM package (named +`bson-X.Y.Z.tgz.sig`). + +The following command returns the link npm package. +```shell +npm view mongodb@vX.Y.Z dist.tarball +``` + +Using the result of the above command, a `curl` command can return the official npm package for the release. + +To verify the integrity of the downloaded package, run the following command: +```shell +gpg --verify mongodb-X.Y.Z.tgz.sig mongodb-X.Y.Z.tgz +``` + ### Bugs / Feature Requests Think you’ve found a bug? Want to see a new feature in `node-mongodb-native`? Please open a From eb72e4ff109256949a8c07a36a256953045ecd54 Mon Sep 17 00:00:00 2001 From: Aditi Khare Date: Tue, 28 May 2024 14:29:05 -0400 Subject: [PATCH 2/7] copy paste error in readme.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 06a32fc79a..e6cf529b61 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ The official [MongoDB](https://www.mongodb.com/) driver for Node.js. ### Release Integrity The GitHub release contains a detached signature file for the NPM package (named -`bson-X.Y.Z.tgz.sig`). +`mongodb-X.Y.Z.tgz.sig`). The following command returns the link npm package. ```shell From b9bda690bea39d488e1592dca4cc5f2a0c5d2ca4 Mon Sep 17 00:00:00 2001 From: Aditi Khare Date: Tue, 28 May 2024 16:58:56 -0400 Subject: [PATCH 3/7] variable access fixed --- .github/actions/compress_sign_and_upload/action.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml index 25589990fa..8c2d9f0250 100644 --- a/.github/actions/compress_sign_and_upload/action.yml +++ b/.github/actions/compress_sign_and_upload/action.yml @@ -22,7 +22,7 @@ runs: shell: bash - name: Get release version and release package file name - id: vars + id: get_vars shell: bash run: | package_version=$(jq --raw-output '.version' package.json) @@ -31,12 +31,14 @@ runs: - name: Create detached signature uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1 with: - filenames: ${{ steps.vars.package_file }} + filenames: ${{ steps.get_vars.outputs.package_file }} garasign_username: ${{ inputs.garasign_username }} garasign_password: ${{ inputs.garasign_password }} artifactory_username: ${{ inputs.artifactory_username }} artifactory_password: ${{ inputs.artifactory_password }} - name: "Upload release artifacts" - run: gh release upload v${{ steps.vars.package_version }} ${{ steps.vars.package_file }}.sig - shell: bash \ No newline at end of file + run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig + shell: bash + env: + GH_TOKEN: ${{ github.token }} \ No newline at end of file From 02e1f272dbc24258d39159ca6d23859b8e74ca22 Mon Sep 17 00:00:00 2001 From: Aditi Khare Date: Wed, 29 May 2024 17:26:24 -0400 Subject: [PATCH 4/7] fix conditional job --- .github/actions/compress_sign_and_upload/action.yml | 2 +- .github/workflows/release-5.x.yml | 1 + .github/workflows/release.yml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml index 8c2d9f0250..6e0837c40e 100644 --- a/.github/actions/compress_sign_and_upload/action.yml +++ b/.github/actions/compress_sign_and_upload/action.yml 
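Review bot: The `Upload release artifacts` step expands `${{ steps.get_vars.outputs.package_version }}` and `${{ steps.get_vars.outputs.package_file }}` directly inside the `run:` script, so the string `jq` read from `package.json` is pasted into the shell source before bash parses it. The value is repository-controlled here, but this step now also carries `GH_TOKEN`, and passing the values through `env:` and quoting them keeps a malformed version string from being interpreted as shell: `run: gh release upload "v${PACKAGE_VERSION}" "${PACKAGE_FILE}.sig"` with `PACKAGE_VERSION` and `PACKAGE_FILE` set under `env:`. PATCH 5/7 repeats the pattern with `${{ inputs.npm_package_name }}` in the `get_vars` script and in the new `mv` step.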
@@ -41,4 +41,4 @@ runs: run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig shell: bash env: - GH_TOKEN: ${{ github.token }} \ No newline at end of file + GH_TOKEN: ${{ github.token }} diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index 991e3eea57..1e5d576eb2 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -23,6 +23,7 @@ jobs: compress-sign-and-upload: needs: [release_please] + if: ${{ needs.release_please.outputs.release_created }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1606804161..357c2eaefc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,6 +21,7 @@ jobs: compress_sign_and_upload: needs: [release_please] + if: ${{ needs.release_please.outputs.release_created }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 50cf9a7e2d28d508e3269c9f4e702cc93e521822 Mon Sep 17 00:00:00 2001 From: Aditi Khare Date: Fri, 31 May 2024 10:58:09 -0400 Subject: [PATCH 5/7] migrate to v2 --- .../compress_sign_and_upload/action.yml | 42 ++++++++++++------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml index 6e0837c40e..f38b3757b0 100644 --- a/.github/actions/compress_sign_and_upload/action.yml +++ b/.github/actions/compress_sign_and_upload/action.yml 
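Review bot: The job-level guard `if: ${{ needs.release_please.outputs.release_created }}` added to `release-5.x.yml` and `release.yml` depends on the output being an empty string when no release was cut. Job outputs are strings, and any non-empty string, including `'false'`, is truthy in an expression. If release-please ever emits the literal `false` for this output, the signing and `npm publish` job would run on every push. An explicit comparison states the intent and fails closed: `if: needs.release_please.outputs.release_created == 'true'`.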
@@ -2,17 +2,17 @@ name: Compress and Sign description: 'Compresses package and signs with garasign' inputs: - garasign_username: - description: 'Garasign username input for drivers-github-tools/garasign/gpg-sign' + aws_role_arn: + description: 'AWS role input for drivers-github-tools/gpg-sign@v2' required: true - garasign_password: - description: 'Garasign password input for drivers-github-tools/garasign/gpg-sign' + aws_region_name: + description: 'AWS region name input for drivers-github-tools/gpg-sign@v2' required: true - artifactory_username: - description: 'Artifactory username input for drivers-github-tools/garasign/gpg-sign' + aws_secret_id: + description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2' required: true - artifactory_password: - description: 'Artifactory password input for drivers-github-tools/garasign/gpg-sign' + npm_package_name: + description: 'The name for the npm package this repository represents' required: true runs: 
@@ -27,18 +27,28 @@ runs: run: | package_version=$(jq --raw-output '.version' package.json) echo "package_version=${package_version}" >> "$GITHUB_OUTPUT" - echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT" + echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT" + + - name: Set up drivers-github-tools + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_region_name: ${{ inputs.aws_region_name }} + aws_role_arn: ${{ inputs.aws_role_arn }} + aws_secret_id: ${{ inputs.aws_secret_id }} + - name: Create detached signature - uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1 - with: + uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + with: filenames: ${{ steps.get_vars.outputs.package_file }} - garasign_username: ${{ inputs.garasign_username }} - garasign_password: ${{ inputs.garasign_password }} - artifactory_username: ${{ inputs.artifactory_username }} - artifactory_password: ${{ inputs.artifactory_password }} + env: + RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig + + - name: Name release asset correctly + run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig + shell: bash - name: "Upload release artifacts" run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig shell: bash env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ github.token }} \ No newline at end of file From 699c76d11d00c92ebae13698f91207edba73bc8b Mon Sep 17 00:00:00 2001 From: Aditi Khare Date: Fri, 31 May 2024 11:44:43 -0400 Subject: [PATCH 6/7] migrate to v2 - release.yml and release-5x.yml files --- .github/workflows/release-5.x.yml | 11 ++++++----- .github/workflows/release.yml | 9 +++++---- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index 1e5d576eb2..6440aef73a 100644 
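Review bot: The `Create detached signature` step sets `RELEASE_ASSETS` to `<package_file>.temp.sig` and the following step renames that file to `.sig`, but nothing in the action explains why the signature cannot be written under its final name. That final name is what the README tells users to pass to `gpg --verify`, so a short comment above the `env:` block would help the next maintainer, for example `# gpg-sign@v2 writes the detached signature to $RELEASE_ASSETS; renamed below to the published asset name` (wording to be confirmed against the gpg-sign action).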
--- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -21,9 +21,10 @@ jobs: with: target-branch: 5.x - compress-sign-and-upload: + compress_sign_and_upload: needs: [release_please] if: ${{ needs.release_please.outputs.release_created }} + environment: release runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -32,10 +33,10 @@ jobs: - name: actions/compress_sign_and_upload uses: ./.github/actions/compress_sign_and_upload with: - garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} - garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: 'us-east-1' + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: 'mongodb' - run: npm publish --provenance --tag=5x env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 357c2eaefc..2c93f5870a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,6 +22,7 @@ jobs: compress_sign_and_upload: needs: [release_please] if: ${{ needs.release_please.outputs.release_created }} + environment: release runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -30,10 +31,10 @@ jobs: - name: actions/compress_sign_and_upload uses: ./.github/actions/compress_sign_and_upload with: - garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} - garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: 'us-east-1' + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + npm_package_name: 'mongodb' - run: npm publish --provenance env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} 
From cfc0af76910255afc448160421b7147e46d03ce3 Mon Sep 17 00:00:00 2001 From: Aditi Khare Date: Fri, 31 May 2024 11:46:04 -0400 Subject: [PATCH 7/7] lint fix --- .github/workflows/release-5.x.yml | 4 ++-- .github/workflows/release.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml index 6440aef73a..b5f6a9abfd 100644 --- a/.github/workflows/release-5.x.yml +++ b/.github/workflows/release-5.x.yml @@ -17,7 +17,7 @@ jobs: release_created: ${{ steps.release.outputs.release_created }} steps: - id: release - uses: google-github-actions/release-please-action@v4 + uses: googleapis/release-please-action@v4 with: target-branch: 5.x @@ -39,4 +39,4 @@ jobs: npm_package_name: 'mongodb' - run: npm publish --provenance --tag=5x env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2c93f5870a..9a64730297 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,7 +17,7 @@ jobs: release_created: ${{ steps.release.outputs.release_created }} steps: - id: release - uses: google-github-actions/release-please-action@v4 + uses: googleapis/release-please-action@v4 compress_sign_and_upload: needs: [release_please]