From f173980253e6b881e398d20cd2784fed0e984c4f Mon Sep 17 00:00:00 2001
From: Andreas Braun
Date: Tue, 11 Jun 2024 16:27:32 +0200
Subject: [PATCH] PHPLIB-1434: Publish SSDLC assets upon release (#1342)

* Allow reusing static analysis workflow
* Run static analysis on release and publish SSDLC assets
* Address code review feedback
* Move rector to coding standards workflow
---
 .github/workflows/coding-standards.yml | 17 ++++++
 .github/workflows/release.yml          | 82 +++++++++++++++++++++++++-
 .github/workflows/static-analysis.yml  | 27 +++------
 3 files changed, 104 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index 00eb476b6..9fe30fbb0 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -35,3 +35,20 @@ jobs:
         # The -q option is required until phpcs v4 is released
       - name: "Run PHP_CodeSniffer"
         run: "vendor/bin/phpcs -q --no-colors --report=checkstyle | cs2pr"
+
+  rector:
+    name: "Rector"
+    runs-on: "ubuntu-22.04"
+
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v4"
+
+      - name: "Setup"
+        uses: "./.github/actions/setup"
+        with:
+          php-version: ${{ env.PHP_VERSION }}
+          driver-version: ${{ env.DRIVER_VERSION }}
+
+      - name: "Run Rector"
+        run: "vendor/bin/rector --ansi --dry-run"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e0592ff2e..dcf3847d9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -93,7 +93,6 @@ jobs:
           aws_region_name: ${{ vars.AWS_REGION_NAME }}
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
 
-      # Create a draft release with release message filled in
       - name: "Prepare release message"
         run: |
           cat > release-message <<'EOL'
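Review bot: The moved `rector` job still reads workflow-level variables at `php-version: ${{ env.PHP_VERSION }}` and `driver-version: ${{ env.DRIVER_VERSION }}`, which in the old location were defined by the `env:` block of static-analysis.yml; the `env:` block of coding-standards.yml is outside this hunk, so it is worth confirming both keys exist there with the same values, otherwise the setup action receives empty strings. The job declares no `permissions:` of its own; unless the workflow sets a restrictive default, a lint-only job like this one only needs `permissions: contents: read`, and stating it on the job keeps the token scope explicit.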
@@ -103,7 +102,6 @@ jobs:
       - name: "Create draft release"
         run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV"
 
-      # This step creates the signed release tag
       - name: "Create release tag"
         uses: mongodb-labs/drivers-github-tools/git-sign@v2
         with:
@@ -119,7 +117,6 @@ jobs:
       - name: "Push changes from release branch"
         run: git push
 
-      # Pushing the release tag starts build processes that then produce artifacts for the release
       - name: "Push release tag"
         run: git push origin ${{ inputs.version }}
 
@@ -127,3 +124,82 @@ jobs:
         run: |
           echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
           echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
+
+  static-analysis:
+    needs: prepare-release
+    name: "Run Static Analysis"
+    uses: ./.github/workflows/static-analysis.yml
+    with:
+      ref: refs/tags/${{ inputs.version }}
+    permissions:
+      security-events: write
+      id-token: write
+
+  publish-ssdlc-assets:
+    needs: static-analysis
+    environment: release
+    name: "Publish SSDLC Assets"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: read
+      id-token: write
+      contents: write
+
+    steps:
+      - name: "Create temporary app token"
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: "Store GitHub token in environment"
+        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+        shell: bash
+
+      - uses: actions/checkout@v4
+        with:
+          ref: refs/tags/${{ inputs.version }}
+          token: ${{ env.GH_TOKEN }}
+
+      # Sets the S3_ASSETS environment variable used later
+      - name: "Set up drivers-github-tools"
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+      - name: "Generate authorized publication document"
+        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+        with:
+          product_name: "MongoDB PHP Driver (library)"
+          release_version: ${{ inputs.version }}
+          filenames: ""
+          token: ${{ env.GH_TOKEN }}
+
+      - name: "Download SBOM file from Silk"
+        uses: mongodb-labs/drivers-github-tools/sbom@v2
+        with:
+          silk_asset_group: mongodb-php-driver-library
+
+      - name: "Upload SBOM as release artifact"
+        run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
+        continue-on-error: true
+
+      - name: "Generate SARIF report from code scanning alerts"
+        uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+        with:
+          ref: ${{ inputs.version }}
+          output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
+
+      - name: "Generate compliance report"
+        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+        with:
+          token: ${{ env.GH_TOKEN }}
+
+      - name: Upload S3 assets
+        uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+        with:
+          version: ${{ inputs.version }}
+          product_name: mongo-php-library
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index e0a76c963..ac2299693 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -12,8 +12,12 @@ on:
       - "v*.*"
       - "master"
       - "feature/*"
-    tags:
-      - "*"
+  workflow_call:
+    inputs:
+      ref:
+        description: "The git ref to check"
+        type: string
+        required: true
 
 env:
   PHP_VERSION: "8.2"
@@ -27,6 +31,8 @@ jobs:
     steps:
       - name: "Checkout"
         uses: "actions/checkout@v4"
+        with:
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
 
       - name: "Setup"
         uses: "./.github/actions/setup"
@@ -41,20 +47,3 @@ jobs:
         uses: "github/codeql-action/upload-sarif@v3"
         with:
           sarif_file: psalm.sarif
-
-  rector:
-    name: "Rector"
-    runs-on: "ubuntu-22.04"
-
-    steps:
-      - name: "Checkout"
-        uses: "actions/checkout@v4"
-
-      - name: "Setup"
-        uses: "./.github/actions/setup"
-        with:
-          php-version: ${{ env.PHP_VERSION }}
-          driver-version: ${{ env.DRIVER_VERSION }}
-
-      - name: "Run Rector"
-        run: "vendor/bin/rector --ansi --dry-run"
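Review bot: `continue-on-error: true` on the "Upload SBOM as release artifact" step lets the `publish-ssdlc-assets` job succeed, and `upload-s3-assets` still run, when the SBOM never reaches the GitHub release, so a release can be published with its SSDLC bundle silently missing the artifact this job exists to ship; either drop `continue-on-error` or give the step an `id: sbom-upload` and follow it with a step guarded by `if: steps.sbom-upload.outcome == 'failure'` that fails the job or at least emits `::warning::SBOM upload to release failed`. The app token is written into `$GITHUB_ENV` by the "Store GitHub token in environment" step, which exposes it to every later step and action in the job; passing `${{ steps.app-token.outputs.token }}` directly to the three `token:` inputs and to the upload step via a step-level `env: GH_TOKEN:` keeps it scoped to the steps that need it. `runs-on: ubuntu-latest` also differs from the pinned `ubuntu-22.04` used by the other jobs in this commit, and pinning the release runner keeps the SSDLC run reproducible. The `ref` passed to the reusable workflow is only honored under the condition added in static-analysis.yml (see the note on that hunk), which is worth keeping in mind if the release workflow's trigger, outside this diff, ever changes.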
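Review bot: The checkout line `ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}` keys on the trigger event rather than on the `workflow_call` input itself: in a reused workflow `github.event_name` is the calling workflow's event, so the `ref` input is used only when the caller was dispatched manually and is silently replaced by `github.ref` for any other caller event, which would run the release's static analysis against the wrong commit (the release workflow's trigger is outside this diff). Because `inputs` is empty on the `push` trigger, `ref: ${{ inputs.ref || github.ref }}` covers both cases without the event check. As written, the condition also contradicts `required: true` on the `ref` input in the `@@ -12,8 +12,12 @@` hunk, which promises callers that a supplied ref is always honored.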