chore(NODE-6195): generate sarif reports during releases

.github/workflows/codeql.yml

@@ -2,18 +2,13 @@ name: "CodeQL"
 
 on:
  push:
- branches: [ "main" ]
+ branches: [ "main", 5.x ]
  pull_request:
- branches: [ "main" ]
+ branches: [ "main", 5.x ]
 
 jobs:
  analyze:
  name: Analyze (${{ matrix.language }} - ${{ matrix.identifier }})
- # Runner size impacts CodeQL analysis time. To learn more, please see:
- # - https://gh.io/recommended-hardware-resources-for-running-codeql
- # - https://gh.io/supported-runners-and-hardware-resources
- # - https://gh.io/using-larger-runners (GitHub.com only)
- # Consider using larger runners or machines with greater resources for possible analysis time improvements.
  runs-on: 'ubuntu-latest'
  timeout-minutes: 360
  permissions:

.github/workflows/release-5.x.yml

@@ -38,3 +38,43 @@ jobs:
  - run: npm publish --provenance --tag=5x
  env:
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+ generate_sarif_report:
+ environment: release
+ runs-on: ubuntu-latest
+ needs: [release_please]
+ permissions:
+ # required for all workflows
+ security-events: write
+ id-token: write
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up drivers-github-tools
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with: 
+ aws_region_name: us-east-1
+ aws_role_arn: ${{ secrets.aws_role_arn }}
+ aws_secret_id: ${{ secrets.aws_secret_id }}
+
+ - name: "Generate Sarif Report"
+ uses: "alcaeus/drivers-github-tools/code-scanning-export@export-code-scanning-report"
+ with:
+ ref: 5.x
+ output-file: sarif-report.json
+
+ - name: Get release version and release package file name
+ id: get_version
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+
+ - name: actions/publish_asset_to_s3
+ uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
+ with:
+ version: ${{ steps.get_version.outputs.package_version }}
+ product_name: js-bson
+ file: sarif-report.json
+ dry_run: ${{ needs.release_please.outputs.release_created == '' }}

.github/workflows/release.yml

@@ -21,6 +21,7 @@ jobs:
 
  compress_sign_and_upload:
  needs: [release_please]
+ if: ${{ needs.release_please.outputs.release_created }}
  runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@v4
@@ -36,3 +37,44 @@ jobs:
  - run: npm publish --provenance
  env:
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+ generate_sarif_report:
+ environment: release
+ runs-on: ubuntu-latest
+ needs: [release_please]
+ permissions:
+ # required for all workflows
+ security-events: write
+ id-token: write
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up drivers-github-tools
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with: 
+ aws_region_name: us-east-1
+ aws_role_arn: ${{ secrets.aws_role_arn }}
+ aws_secret_id: ${{ secrets.aws_secret_id }}
+
+ - name: "Generate Sarif Report"
+ uses: "alcaeus/drivers-github-tools/code-scanning-export@export-code-scanning-report"
+ with:
+ ref: main
+ output-file: sarif-report.json
+
+ - name: Get release version and release package file name
+ id: get_version
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+
+ - name: actions/publish_asset_to_s3
+ uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
+ with:
+ version: ${{ steps.get_version.outputs.package_version }}
+ product_name: js-bson
+ file: sarif-report.json
+ dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+