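# Release workflow (manually triggered).
#
# The `release` job builds every language target once with projen and uploads
# `dist/` as a single artifact; each `release_*` job downloads that artifact
# and publishes one target; `release_github` runs last, creates the GitHub
# release and the compliance outputs (SBOM, SSDLC report) and commits them.
#
# All third-party actions are pinned to a commit SHA rather than a tag.
# Secrets and step outputs are handed to `run:` scripts through `env:` instead
# of being templated into the script text, so their content can never change
# the shell command line that gets executed.
name: Release (Requires manual steps to take, check all jobs are successful)
on: workflow_dispatch
jobs:
  # Build all targets and publish the result as the `build-artifact` artifact.
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      issues: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          fetch-depth: 0
          ref: main
      - name: Set git config safe.directory
        run: git config --global --add safe.directory "$(pwd)"
      - name: Set git identity
        run: |-
          git config user.name "github-actions"
          git config user.email "github-actions@github.com"
      - name: Setup Node.js
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 24.x
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
        name: Setup Java
        with:
          distribution: temurin
          java-version: 21.x
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        name: Setup Python
        with:
          python-version: 3.x
      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309
        name: Setup .NET
        with:
          dotnet-version: 9.0.x
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
        name: Setup Go
        with:
          go-version: ^1.25.0
      - name: Install dependencies
        run: npm ci
      - name: release
        run: |
          unset CI # enable full package-all https://github.com/mongodb/awscdk-resources-mongodbatlas/blob/main/.projen/tasks.json#L157-L170
          npx projen release
      # Best effort: file ACLs are captured here and restored by every publish
      # job (presumably because the artifact round trip does not keep them).
      - name: Backup artifact permissions
        run: cd dist && getfacl -R . > permissions-backup.acl
        continue-on-error: true
      - name: Upload artifact
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
        with:
          name: build-artifact
          path: dist
          overwrite: true

  # npm publish via OIDC trusted publishing (no long-lived npm token).
  release_npm:
    name: Publish to npm
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
      id-token: write # Required for Trusted Publishing.
    steps:
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 24.x
          registry-url: https://registry.npmjs.org
      - name: Download build artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: build-artifact
          path: dist
      - name: Restore build artifact permissions
        run: cd dist && setfacl --restore=permissions-backup.acl
        continue-on-error: true
      - name: Publish to npm
        env:
          # Env values are always strings; quoted so no YAML tooling retypes it.
          NPM_TRUSTED_PUBLISHER: "true"
        run: npx -p publib@latest publib-npm

  # Maven Central publish; artifacts are GPG-signed by publib with the
  # MAVEN_GPG_* secrets.
  release_maven:
    name: Publish to Maven Central
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
        with:
          distribution: temurin
          java-version: 21.x
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 24.x
      - name: Download build artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: build-artifact
          path: dist
      - name: Restore build artifact permissions
        run: cd dist && setfacl --restore=permissions-backup.acl
        continue-on-error: true
      - name: Release
        env:
          MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
          MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSPHRASE }}
          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
          MAVEN_STAGING_PROFILE_ID: ${{ secrets.MAVEN_STAGING_PROFILE_ID }}
          MAVEN_SERVER_ID: ${{ vars.MAVEN_SERVER_ID }}
        run: npx -p publib@latest publib-maven

  # PyPI publish via OIDC trusted publishing; wheels and sdists are
  # detach-signed with the APIX bot GPG key before upload.
  release_pypi:
    name: Publish to PyPI
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
      id-token: write # Required for Trusted Publishing.
    steps:
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 24.x
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
        with:
          python-version: 3.x
      - name: Download build artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: build-artifact
          path: dist
      - name: Restore build artifact permissions
        run: cd dist && setfacl --restore=permissions-backup.acl
        continue-on-error: true
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec
        with:
          gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }}
      - name: GPG sign PyPI distributions
        env:
          APIX_BOT_GPG_PASSPHRASE: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }}
        run: |
          # The passphrase is fed over stdin (--passphrase-fd 0) instead of
          # --passphrase on argv, so it never shows up in the process table.
          # The -f test skips unmatched globs when a distribution type is absent.
          for file in dist/python/*.whl dist/python/*.tar.gz; do
            if [ -f "$file" ]; then
              printf '%s' "$APIX_BOT_GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --detach-sign -a "$file"
            fi
          done
      - name: Upload to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e
        with:
          packages-dir: dist/python/

  # NuGet publish; the package is Authenticode-signed in a container from the
  # internal registry before the push.
  release_nuget:
    name: Publish to NuGet Gallery
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
      id-token: write # Required for Trusted Publishing.
    steps:
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 24.x
      - uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309
        with:
          dotnet-version: 9.0.x
      - name: Download build artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: build-artifact
          path: dist
      - name: Restore build artifact permissions
        run: cd dist && setfacl --restore=permissions-backup.acl
        continue-on-error: true
      # dist/version.txt is produced by the `release` job of this same run.
      - name: Extract Version
        id: extract-version
        run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}"
      - name: Log in to MongoDB Docker registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
        with:
          registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
          username: ${{ secrets.ARTIFACTORY_USER }}
          password: ${{ secrets.ARTIFACTORY_PASSWORD }}
      - name: Sign NuGet package
        env:
          # Passed by name into the container with `docker run -e NAME`, so the
          # values never appear on the docker or jsign command lines.
          GRS_CONFIG_USER1_USERNAME: ${{ secrets.ARTIFACTORY_SIGN_USER }}
          GRS_CONFIG_USER1_PASSWORD: ${{ secrets.ARTIFACTORY_SIGN_PASSWORD }}
          ARTIFACTORY_REGISTRY: ${{ secrets.ARTIFACTORY_REGISTRY }}
          ARTIFACTORY_SIGN_TOOL: ${{ secrets.ARTIFACTORY_SIGN_TOOL }}
          AUTHENTICODE_KEY_NAME: ${{ secrets.AUTHENTICODE_KEY_NAME }}
          VERSION: ${{ steps.extract-version.outputs.VERSION }}
        run: |
          docker run \
            -e GRS_CONFIG_USER1_USERNAME \
            -e GRS_CONFIG_USER1_PASSWORD \
            -e AUTHENTICODE_KEY_NAME \
            -e VERSION \
            --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \
            "${ARTIFACTORY_REGISTRY}/${ARTIFACTORY_SIGN_TOOL}" \
            /bin/bash -c 'jsign --tsaurl http://timestamp.digicert.com -a "${AUTHENTICODE_KEY_NAME}" \
              "./dist/dotnet/MongoDB.AWSCDKResourcesMongoDBAtlas.${VERSION}.nupkg"'
      - id: login
        uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544
        with:
          user: ${{ secrets.NUGET_USER }}
      - name: Release
        env:
          NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
        run: npx -p publib@latest publib-nuget

  # Go module publish: publib pushes to a separate GitHub repository using a
  # dedicated token and identity.
  release_golang:
    name: Publish to GitHub Go Module Repository
    needs: release
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 24.x
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417
        with:
          go-version: ^1.25.0
      - name: Download build artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: build-artifact
          path: dist
      - name: Restore build artifact permissions
        run: cd dist && setfacl --restore=permissions-backup.acl
        continue-on-error: true
      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GO_GITHUB_TOKEN }}
          GIT_USER_NAME: ${{ secrets.GO_GIT_USER_NAME }}
          GIT_USER_EMAIL: ${{ secrets.GO_GIT_USER_EMAIL }}
        run: npx -p publib@latest publib-golang

  # Final job: GitHub release, SBOM/SSDLC generation, compliance commit.
  # Runs only after every package registry publish has succeeded.
  release_github:
    name: Publish to GitHub Releases
    needs: [release, release_npm, release_maven, release_pypi, release_nuget, release_golang]
    runs-on: ubuntu-latest
    permissions:
      contents: write
      issues: write
    steps:
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
        with:
          node-version: 24.x
      - name: Download build artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
        with:
          name: build-artifact
          path: dist
      - name: Restore build artifact permissions
        run: cd dist && setfacl --restore=permissions-backup.acl
        continue-on-error: true
      # Both files come from the `release` job's build. RELEASE_TAG is the tag
      # the `Release` step below creates, so later steps can attach assets to
      # that same release instead of a differently-named one.
      - name: Extract Version
        id: extract-version
        run: |
          echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}"
          echo "RELEASE_TAG=$(cat dist/releasetag.txt)" >> "${GITHUB_OUTPUT}"
      # Idempotent: an "already exists" error from gh is tolerated so a re-run
      # does not fail; any other error is surfaced with its original exit code.
      - name: Release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_REF: ${{ github.ref }}
        run: errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi
      # NOTE(review): actions/checkout clears a workspace that is not already
      # a git repository, so dist/ is presumably gone after this step; the
      # steps below only rely on the outputs extracted above — confirm the
      # compliance scripts do not read dist/.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
      - name: Generate PURL and SBOM
        run: |
          ./scripts/compliance/gen-purls.sh
          ./scripts/compliance/gen-sbom.sh
        env:
          SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
      - name: Upload SBOM to Kondukto
        run: ./scripts/compliance/upload-sbom.sh
        env:
          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
          SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
      # AUTHOR and VERSION reach the script as exported env vars exactly as
      # before, but are set by the runner rather than templated into the shell.
      - name: Generate SSDLC report
        run: ./scripts/compliance/gen-ssdlc-report.sh
        env:
          AUTHOR: ${{ github.actor }}
          VERSION: ${{ steps.extract-version.outputs.VERSION }}
          KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
          SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
          KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
          KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec
        with:
          gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
          # NOTE(review): the PyPI job unlocks this same key with
          # secrets.APIX_BOT_GPG_PASSPHRASE; confirm which of the two secret
          # names is actually configured — an unset one yields an empty
          # passphrase here and commit signing below would fail.
          passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      - name: Commit changes
        shell: bash
        env:
          APIX_BOT_PAT: ${{ secrets.APIX_BOT_PAT }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          VERSION: ${{ steps.extract-version.outputs.VERSION }}
        run: |
          if [[ $(git status --porcelain) ]]; then
            git pull
            git config --local user.email svc-api-experience-integrations-escalation@mongodb.com
            git config --local user.name svc-apix-bot
            # The PAT is expanded by the shell from the environment, never
            # written into the script text; it still lands in .git/config of
            # this ephemeral workspace, as before.
            git remote set-url origin "https://svc-apix-bot:${APIX_BOT_PAT}@github.com/${GITHUB_REPOSITORY}"
            git add compliance/v*/*
            git commit -m "chore: Update SSDLC report for ${VERSION}"
            git push origin
          else
            echo "No changes to commit."
          fi
      # Attach the SBOM to the release created above: uses the same tag that
      # `gh release create` was given, so the asset cannot end up on a new
      # release when the tag carries a prefix the bare version lacks.
      - name: Upload SBOM as release artifact
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
        with:
          files: compliance/sbom.json
          tag_name: ${{ steps.extract-version.outputs.RELEASE_TAG }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}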