-
Notifications
You must be signed in to change notification settings - Fork 1.4k
150 lines (127 loc) · 5.42 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
name: "Release New Version"
run-name: "Release ${{ inputs.version }}"
on:
workflow_dispatch:
inputs:
version:
description: "The version to be released. This is checked for consistency with the branch name and configuration"
required: true
type: "string"
jobs:
prepare-release:
environment: release
name: "Prepare release"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
steps:
- name: "Create release output"
run: echo '🎬 Release process for version ${{ inputs.version }} started by @${{ github.triggering_actor }}' >> $GITHUB_STEP_SUMMARY
- name: "Generate token and checkout repository"
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
- name: "Store version numbers in env variables"
run: |
echo RELEASE_VERSION=${{ inputs.version }} >> $GITHUB_ENV
echo RELEASE_BRANCH=$(echo ${{ inputs.version }} | cut -d '.' -f-2) >> $GITHUB_ENV
- name: "Ensure release tag does not already exist"
run: |
if [[ $(git tag -l ${RELEASE_VERSION}) == ${RELEASE_VERSION} ]]; then
echo '❌ Release failed: tag for version ${{ inputs.version }} already exists' >> $GITHUB_STEP_SUMMARY
exit 1
fi
- name: "Fail if branch names don't match"
if: ${{ github.ref_name != env.RELEASE_BRANCH }}
run: |
echo '❌ Release failed due to branch mismatch: expected ${{ inputs.version }} to be released from ${{ env.RELEASE_BRANCH }}, got ${{ github.ref_name }}' >> $GITHUB_STEP_SUMMARY
exit 1
#
# Preliminary checks done - commence the release process
#
- name: "Set up drivers-github-tools"
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: ${{ vars.AWS_REGION_NAME }}
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
# Create draft release with release notes
- name: "Create draft release"
run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --generate-notes --draft)" >> "$GITHUB_ENV"
- name: "Create release tag"
uses: mongodb-labs/drivers-github-tools/tag-version@v2
with:
version: ${{ inputs.version }}
tag_message_template: 'Release ${VERSION}'
# TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created
# Process is:
# 1. switch to next branch (according to merge-up action)
# 2. merge release branch using --strategy=ours
# 3. push next branch
# 4. switch back to release branch, then push
- name: "Set summary"
run: |
echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
static-analysis:
needs: prepare-release
name: "Run Static Analysis"
uses: ./.github/workflows/static-analysis.yml
with:
ref: refs/tags/${{ inputs.version }}
permissions:
security-events: write
id-token: write
publish-ssdlc-assets:
needs: static-analysis
environment: release
name: "Publish SSDLC Assets"
runs-on: ubuntu-latest
permissions:
security-events: read
id-token: write
contents: write
steps:
- name: "Generate token and checkout repository"
uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
with:
app_id: ${{ vars.APP_ID }}
private_key: ${{ secrets.APP_PRIVATE_KEY }}
ref: refs/tags/${{ inputs.version }}
# Sets the S3_ASSETS environment variable used later
- name: "Set up drivers-github-tools"
uses: mongodb-labs/drivers-github-tools/setup@v2
with:
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region_name: ${{ vars.AWS_REGION_NAME }}
aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
- name: "Generate authorized publication document"
uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
with:
product_name: "MongoDB Laravel Integration"
release_version: ${{ inputs.version }}
filenames: ""
token: ${{ env.GH_TOKEN }}
- name: "Download SBOM file from Silk"
uses: mongodb-labs/drivers-github-tools/sbom@v2
with:
silk_asset_group: mongodb-laravel-integration
- name: "Upload SBOM as release artifact"
run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
continue-on-error: true
- name: "Generate SARIF report from code scanning alerts"
uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
with:
ref: ${{ inputs.version }}
output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
- name: "Generate compliance report"
uses: mongodb-labs/drivers-github-tools/compliance-report@v2
with:
token: ${{ env.GH_TOKEN }}
- name: Upload S3 assets
uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
with:
version: ${{ inputs.version }}
product_name: laravel-mongodb