PHPORM-185, PHPORM-191, PHPORM-192: Publish SSDLC assets on release (#…

…3004) * Run static analysis for tag manually from release workflow * Publish SSDLC assets after release * Use secure-checkout action to generate token and run checkout * Use tag-version action from drivers-github-tools
mongodb · Jun 13, 2024 · 42f5a49 · 42f5a49
1 parent 798a5ba
commit 42f5a49
Show file tree

Hide file tree

Showing 3 changed files with 151 additions and 80 deletions.
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
@@ -67,59 +67,3 @@ jobs:
  uses: stefanzweifel/git-auto-commit-action@v5
  with:
  commit_message: "apply phpcbf formatting"
-
- analysis:
- runs-on: "ubuntu-22.04"
- continue-on-error: true
- strategy:
- matrix:
- php:
- - '8.1'
- - '8.2'
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Setup PHP
- uses: shivammathur/setup-php@v2
- with:
- php-version: ${{ matrix.php }}
- extensions: curl, mbstring
- tools: composer:v2
- coverage: none
-
- - name: Cache dependencies
- id: composer-cache
- uses: actions/cache@v4
- with:
- path: ./vendor
- key: composer-${{ hashFiles('**/composer.lock') }}
-
- - name: Install dependencies
- run: composer install
-
- - name: Restore cache PHPStan results
- id: phpstan-cache-restore
- uses: actions/cache/restore@v4
- with:
- path: .cache
- key: "phpstan-result-cache-${{ github.run_id }}"
- restore-keys: |
- phpstan-result-cache-
-
- - name: Run PHPStan
- run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif
-
- - name: "Upload SARIF report"
- if: always()
- uses: "github/codeql-action/upload-sarif@v3"
- with:
- sarif_file: phpstan.sarif
-
- - name: Save cache PHPStan results
- id: phpstan-cache-save
- if: always()
- uses: actions/cache/save@v4
- with:
- path: .cache
- key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -22,21 +22,11 @@ jobs:
  - name: "Create release output"
  run: echo '🎬 Release process for version ${{ inputs.version }} started by @${{ github.triggering_actor }}' >> $GITHUB_STEP_SUMMARY
 
- - name: "Create temporary app token"
- uses: actions/create-github-app-token@v1
- id: app-token
+ - name: "Generate token and checkout repository"
+ uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
  with:
- app-id: ${{ vars.APP_ID }}
- private-key: ${{ secrets.APP_PRIVATE_KEY }}
-
- - name: "Store GitHub token in environment"
- run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
- shell: bash
-
- - uses: actions/checkout@v4
- with:
- submodules: true
- token: ${{ env.GH_TOKEN }}
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
 
  - name: "Store version numbers in env variables"
  run: |
@@ -71,11 +61,11 @@ jobs:
  - name: "Create draft release"
  run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --generate-notes --draft)" >> "$GITHUB_ENV"
 
- # This step creates the signed release tag
  - name: "Create release tag"
- uses: mongodb-labs/drivers-github-tools/git-sign@v2
+ uses: mongodb-labs/drivers-github-tools/tag-version@v2
  with:
- command: "git tag -m 'Release ${{ inputs.version }}' -s --local-user=${{ env.GPG_KEY_ID }} ${{ inputs.version }}"
+ version: ${{ inputs.version }}
+ tag_message_template: 'Release ${VERSION}'
 
  # TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created
  # Process is:
@@ -84,14 +74,77 @@ jobs:
  # 3. push next branch
  # 4. switch back to release branch, then push
 
- - name: "Push changes from release branch"
- run: git push
-
- # Pushing the release tag starts build processes that then produce artifacts for the release
- - name: "Push release tag"
- run: git push origin ${{ inputs.version }}
-
  - name: "Set summary"
  run: |
  echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
  echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
+
+ static-analysis:
+ needs: prepare-release
+ name: "Run Static Analysis"
+ uses: ./.github/workflows/static-analysis.yml
+ with:
+ ref: refs/tags/${{ inputs.version }}
+ permissions:
+ security-events: write
+ id-token: write
+
+ publish-ssdlc-assets:
+ needs: static-analysis
+ environment: release
+ name: "Publish SSDLC Assets"
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: read
+ id-token: write
+ contents: write
+
+ steps:
+ - name: "Generate token and checkout repository"
+ uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+ with:
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+ ref: refs/tags/${{ inputs.version }}
+
+ # Sets the S3_ASSETS environment variable used later
+ - name: "Set up drivers-github-tools"
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: ${{ vars.AWS_REGION_NAME }}
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+ - name: "Generate authorized publication document"
+ uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+ with:
+ product_name: "MongoDB Laravel Integration"
+ release_version: ${{ inputs.version }}
+ filenames: ""
+ token: ${{ env.GH_TOKEN }}
+
+ - name: "Download SBOM file from Silk"
+ uses: mongodb-labs/drivers-github-tools/sbom@v2
+ with:
+ silk_asset_group: mongodb-laravel-integration
+
+ - name: "Upload SBOM as release artifact"
+ run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
+ continue-on-error: true
+
+ - name: "Generate SARIF report from code scanning alerts"
+ uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+ with:
+ ref: ${{ inputs.version }}
+ output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
+
+ - name: "Generate compliance report"
+ uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+ with:
+ token: ${{ env.GH_TOKEN }}
+
+ - name: Upload S3 assets
+ uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+ with:
+ version: ${{ inputs.version }}
+ product_name: laravel-mongodb
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
@@ -0,0 +1,74 @@
+name: "Static Analysis"
+
+on:
+ push:
+ pull_request:
+ workflow_call:
+ inputs:
+ ref:
+ description: "The git ref to check"
+ type: string
+ required: true
+
+env:
+ PHP_VERSION: "8.2"
+ DRIVER_VERSION: "stable"
+
+jobs:
+ phpstan:
+ runs-on: "ubuntu-22.04"
+ continue-on-error: true
+ strategy:
+ matrix:
+ php:
+ - '8.1'
+ - '8.2'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@v2
+ with:
+ php-version: ${{ matrix.php }}
+ extensions: curl, mbstring
+ tools: composer:v2
+ coverage: none
+
+ - name: Cache dependencies
+ id: composer-cache
+ uses: actions/cache@v4
+ with:
+ path: ./vendor
+ key: composer-${{ hashFiles('**/composer.lock') }}
+
+ - name: Install dependencies
+ run: composer install
+
+ - name: Restore cache PHPStan results
+ id: phpstan-cache-restore
+ uses: actions/cache/restore@v4
+ with:
+ path: .cache
+ key: "phpstan-result-cache-${{ matrix.php }}-${{ github.run_id }}"
+ restore-keys: |
+ phpstan-result-cache-
+
+ - name: Run PHPStan
+ run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif
+
+ - name: "Upload SARIF report"
+ if: always()
+ uses: "github/codeql-action/upload-sarif@v3"
+ with:
+ sarif_file: phpstan.sarif
+
+ - name: Save cache PHPStan results
+ id: phpstan-cache-save
+ if: always()
+ uses: actions/cache/save@v4
+ with:
+ path: .cache
+ key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }}