mongodb · oarbusi · Aug 25, 2025
@@ -31,50 +31,3 @@ jobs:
           LATEST_SDK_RELEASE=$(echo "${LATEST_SDK_TAG}" | cut -d '.' -f 1)
           echo "tag: ${LATEST_SDK_TAG}, release: ${LATEST_SDK_RELEASE}"
           curl -sSfL "https://proxy.golang.org/go.mongodb.org/atlas-sdk/${LATEST_SDK_RELEASE}/@v/${LATEST_SDK_TAG}.info"
-  compliance:
-    needs: release
-    runs-on: ubuntu-latest
-    env:
-      SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
-      RELEASE_TAG: ${{ needs.release.outputs.release_tag }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-        with:
-            ref: ${{ env.RELEASE_TAG }}
-      - name: Generate PURLs and SBOM
-        run: make gen-purls gen-sbom
-      - name: Upload SBOM to Kondukto
-        run: make upload-sbom
-        env:
-          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
-          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
-          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
-      - name: Upload SBOM as release artifact
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8
-        with:
-          files: compliance/sbom.json
-          tag_name: ${{ env.RELEASE_TAG }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  generate-ssdlc-report:
-    needs: compliance
-    runs-on: ubuntu-latest
-    env:
-      RELEASE_TAG: ${{ needs.release.outputs.release_tag }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: ./.github/templates/run-script-and-commit
-        with:
-          script_call: |
-            TAG="${{ env.RELEASE_TAG }}"
-            VERSION="${TAG#v}"
-            AUTHOR="${{ github.actor }}"
-            export AUTHOR VERSION
-            ./scripts/compliance/gen-ssdlc-report.sh
-          file_to_commit: 'compliance/v*/ssdlc-compliance-*.md'
-          commit_message: "chore: Update SSDLC report for ${{ env.RELEASE_TAG }}"
-          apix_bot_pat: ${{ secrets.APIX_BOT_PAT }}
-          remote: https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
-          gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
-          passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}
@@ -140,13 +140,3 @@ We scan our dependencies for vulnerabilities and incompatible licenses using [Sn
 To run Snyk locally please follow their [CLI reference](https://support.snyk.io/hc/en-us/articles/360003812458-Getting-started-with-the-CLI).
 
 We also use Kondukto to scan for third-party dependency vulnerabilities. Kondukto creates tickets in MongoDB's issue tracking system for any vulnerabilities found.
-
-### SBOM and Compliance
-We generate Software Bill of Materials (SBOM) files for each release as part of MongoDB's SSDLC initiative. SBOM Lite files are automatically generated and included as release artifacts. Compliance reports are generated after each release and stored in the compliance/<release-version> directory.
-
-Augmented SBOMs can be generated on customer request for any released version. This can only be done by MongoDB employees as it requires access to our GitHub workflow.
-
-### Papertrail Integration
-All releases are recorded using a MongoDB-internal application called Papertrail. This records various pieces of information about releases, including the date and time of the release, who triggered the release (by pushing to Evergreen), and a checksum of each release file.
-
-This is done automatically as part of the release.
@@ -72,19 +72,3 @@ openapi-pipeline: install-goimports
 gen-docs:
 	$(MAKE) -C tools generate_docs
 	./scripts/toc.sh
-
-.PHONY: gen-purls
-gen-purls:
-	./scripts/compliance/gen-purls.sh
-
-.PHONY: gen-sbom
-gen-sbom:
-	./scripts/compliance/gen-sbom.sh
-
-.PHONY: gen-ssdlc-report
-gen-ssdlc-report:
-	./scripts/compliance/gen-ssdlc-report.sh
-
-.PHONY: upload-sbom
-upload-sbom:
-	./scripts/compliance/upload-sbom.sh