Important
This Repository is NOT a supported MongoDB product
This repository contains GitHub Actions that are common to drivers.
See the How To: Set up Secure Release Process using GitHub Action internal wiki for guidance.
Many of the actions in this repo depend on one another. There is no supported way to reference another action using a relative path. Therefore the recommended approach is to set all of the relative actions to your branch name while working on a feature, then reverting to the version tag before merging.
It is recommended that you use Dependabot and use an explicit reference when using these actions. This will allow Dependabot to update to a more recent sha and allow you to accept updates to the actions as needed.
Example dependabot.yml:
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions:
        patterns:
          - "*"Example usage with references:
- name: secure-checkout
  uses: mongodb-labs/drivers-github-tools/secure-checkout@40b8ff3c0decd1388587fcc3d0a36d4818a054a6  # v2
  with:
    app_id: ${{ vars.APP_ID }}
    private_key: ${{ secrets.APP_PRIVATE_KEY }}This action will perform a checkout with the GitHub App credentials.
- name: secure-checkout
  uses: mongodb-labs/drivers-github-tools/secure-checkout@v3
  with:
    app_id: ${{ vars.APP_ID }}
    private_key: ${{ secrets.APP_PRIVATE_KEY }}By default it will use the current ${{github.ref}} if the ref parameter is
not given.  It will write the secure global variable GH_TOKEN that can be
used with the gh cli.
There is a common setup action that is meant to be run before all
other actions.  It handles fetching secrets from AWS Secrets Manager,
signing into ECR, setting up Garasign credentials, and
setting up environment variables used in other actions.
The action requires id-token: write permissions.
- name: setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
    aws_region_name: ${{ vars.AWS_REGION_NAME }}
    aws_secret_id: ${{ secrets.AWS_SECRET_ID }}Note
You must use the actions/checkout action prior to calling the setup action,
Since the setup action sets up git config that would be overridden by the
actions/checkout action
The following keys MUST be defined in the AWS_SECRET_ID vault:
garasign-username, garasign-password, gpg-key-id.
If uploading to an S3 bucket, also define release-assets-bucket.
These actions are used to sign artifacts using the team's GPG key.
Use this action to create signed git artifacts:
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Create signed commit
  uses: mongodb-labs/drivers-github-tools/git-sign@v3
  with:
    command: "git commit -m 'Commit' -s --gpg-sign=${{ env.GPG_KEY_ID }}"
- name: Create signed tag
  uses: mongodb-labs/drivers-github-tools/git-sign@v3
  with:
    command: "git tag -m 'Tag' -s --local-user=${{ env.GPG_KEY_ID }} -a <tag>"This is a convenience action to bump the version, create a signed commit, and
push the commit unless push_commit is disabled.  You can override the commit message
format if desired.  The version bump script should accept a new version as
an argument and update the version accordingly.
- name: Bump version
  uses: mongodb-labs/drivers-github-tools/bump-version@v3
  with:
    version: ${{ inputs.version }}
    version_bump_script: "bash ./my-bump-version-script.sh"This is a convenience action to create a signed tag, optionally verify the tag,
and push the tag unless push_tag is disabled.  You can override the tag format and the
tag message format if desired.
- name: Tag version
  uses: mongodb-labs/drivers-github-tools/tag-version@v3
  with:
    version: ${{ inputs.version }}This action is used to create detached signatures for files:
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Create detached signature
  uses: mongodb-labs/drivers-github-tools/gpg-sign@v3
  with:
    filenames: somefile.extThe action will create a signature file somefile.ext.sig in the working
directory.
You can also supply a glob pattern to sign a group of files:
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Create detached signature
  uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1
  with:
    filenames: dist/*The following tools are meant to aid in generating Software Security Development Lifecycle reports associated with a product release.
This action will create a record of authorized publication on distribution channels.
It will create the file $S3_ASSETS/authorized_publication.txt
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Create Authorized Publication Report
  uses: mongodb-labs/drivers-github-tools/authorized-pub@v3
  with:
    product_name: Mongo Python Driver
    release_version: ${{ github.ref_name }}
    filenames: dist/*
    token: ${{ github.token }}This action will download an Augmented SBOM file in $RELEASE_ASSETS/sbom.json.
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Create SBOM
  uses: mongodb-labs/drivers-github-tools/sbom@v3
  with:
    sbom_in_path: sbom.jsonThis action will export all dismissed and open alerts to a SARIF file. By
default, this file is named code-scanning-alerts.json and placed in the
working directory.
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Export Code Scanning Alerts
  uses: mongodb-labs/drivers-github-tools/code-scanning-export@v3This action will generate the SSDLC compliance report in the S3_ASSETS folder,
called ssdlc_compliance_report.md.
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Generate compliance report
  uses: mongodb-labs/drivers-github-tools/compliance-report@v3There are several ways to specify the security report:
- By specifying an absolute URL starting with https
- By specifying a relative path, which is then linked to the corresponding git blob for the tagged version
- By adding the security-report-urlto the AWS Secrets Vault
This action is a convenience function to handle all of the SSDLC reports and put them
in the S3_ASSETS folder. This composite action runs the authorized-pub, sbom, code-scanning-export, and compliance-report actions.
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Generate SSDLC Reports
  uses: mongodb-labs/drivers-github-tools/full-report@v3
  with:
    product_name: winkerberos
    release_version: ${{ inputs.version }}
    sbom_in_path: sbom.json
    dist_filenames: dist/*A number of scripts create files in the tmp/s3_assets folder, which then can
be uploaded to the product's S3 bucket:
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Upload S3 assets
  uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3
  with:
    version: <release version>
    product_name: <product_name>Optionally, you can specify which files to upload using the filenames input.
By default, all files in the S3 directory are uploaded. When the dry_run input
is set to anything other than false, no files are uploaded, but instead the
filename along with the resulting location in the bucket is printed.
Use this action to create a release branch and populate it with metadata.
It will update EVERGREEN_PROJECT env variable
in the release workflow file, bump the version to a
prerelease version, and push the changes.
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- name: Create Release Branch
  uses: mongodb-labs/drivers-github-tools/create-branch@v3
  with:
    # user inputs
    branch: ...
    version: ...
    base_ref: <optional>
    push_changes: <whether to push changes>
    # other inputs
    version_bump_script: <path/to/version/bump/script>
    evergreen_project: <name of evergreen release project>These scripts are opinionated helper scripts for Python releases.
Bump the version and create a new tag.  Verify the tag.
Push the commit and tag to the source branch unless dry_run is set.
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- uses: mongodb-labs/drivers-github-tools/python/pre-publishv2
  with:
    version: ${{ inputs.version }}
    version_bump_script: ./.github/scripts/bump-version.sh
    dry_run: ${{ inputs.dry_run }}To be run after separately publishing the Python package.
Handles follow-up tasks related to publishing Python packages, including
signing dist files and uploading report assets to S3.
It will also push the following (dev) version to the source branch.
It will create a draft GitHub release and attach the signature files.
If dry_run is set, nothing will be pushed.
The jobs should look something like:
publish:
  name: Upload release to PyPI
  runs-on: ubuntu-latest
  environment: release
  permissions:
    id-token: write
  steps:
    - name: Download all the dists
      uses: actions/download-artifact@v4
      with:
        name: all-dist-${{ github.run_id }}
        path: dist/
    - name: Publish package distributions to PyPI
      if: inputs.dry_run == 'false'
      uses: pypa/gh-action-pypi-publish@release/v1
post-publish:
  needs: [publish]
  name: Handle post-publish actions
  runs-on: ubuntu-latest
  environment: release
  permissions:
    id-token: write
    contents: write
    attestations: write
    security-events: write
  steps:
  - name: Setup
    uses: mongodb-labs/drivers-github-tools/setup@v3
    with:
      ...
  - uses: mongodb-labs/drivers-github-tools/python/post-publish@v3
    with:
      version: ${{ inputs.version }}
      following_version: ${{ inputs.following_version }}
      version_bump_script: ./.github/scripts/bump-version.sh
      product_name: winkerberos
      token: ${{ github.token }}
      dry_run: ${{ inputs.dry_run }}These scripts are opinionated helper scripts for Python releases in MongoDB Labs. In contrast to the regulare Python scripts, it does not generate the SSDLC compliance assets or upload anything to S3.
Create a new tag.  Verify the tag.
Push the commit and tag to the source branch unless dry_run is set.
- name: Setup
  uses: mongodb-labs/drivers-github-tools/setup@v3
  with:
    ...
- uses: mongodb-labs/drivers-github-tools/python-labs/pre-publishv2
  with:
    version_bump_script: ./.github/scripts/bump-version.sh
    dry_run: ${{ inputs.dry_run }}To be run after separately publishing the Python package.
Handles follow-up tasks related to publishing Python packages.
It will push the following (dev) version to the source branch.
It will create a draft GitHub release with generated release notes.
If dry_run is set, nothing will be pushed.
The jobs should look something like:
publish:
  name: Upload release to PyPI
  runs-on: ubuntu-latest
  environment: release
  permissions:
    id-token: write
  steps:
    - name: Download all the dists
      uses: actions/download-artifact@v4
      with:
        name: all-dist-${{ github.run_id }}
        path: dist/
    - name: Publish package distributions to PyPI
      if: inputs.dry_run == 'false'
      uses: pypa/gh-action-pypi-publish@release/v1
post-publish:
  needs: [publish]
  name: Handle post-publish actions
  runs-on: ubuntu-latest
  environment: release
  permissions:
    id-token: write
    contents: write
    attestations: write
    security-events: write
  steps:
  - name: Setup
    uses: mongodb-labs/drivers-github-tools/setup@v3
    with:
      ...
  - uses: mongodb-labs/drivers-github-tools/python-labs/post-publish@v3
    with:
      following_version: ${{ inputs.following_version }}
      version_bump_script: ./.github/scripts/bump-version.sh
      product_name: python-bsonjs
      token: ${{ github.token }}
      dry_run: ${{ inputs.dry_run }}