From 4a8ad79a7563c8dd2877c34e98d36601e9d3eb65 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 09:49:20 -0500 Subject: [PATCH 01/26] Add compliance report --- compliance-report/action.yml | 28 ++++++++++++++++++++++++++++ compliance-report/generate.sh | 20 ++++++++++++++++++++ python/publish/action.yml | 5 ++++- python/publish/publish.sh | 2 +- sbom/action.yml | 5 +++-- 5 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 compliance-report/action.yml create mode 100644 compliance-report/generate.sh diff --git a/compliance-report/action.yml b/compliance-report/action.yml new file mode 100644 index 0000000..5a1e504 --- /dev/null +++ b/compliance-report/action.yml @@ -0,0 +1,28 @@ +name: Generate a compliance report +description: Generates the compliance report in the S3_ASSETS folder +inputs: + token: + description: The GitHub token for the action + required: true + sbom_name: + description: The name of the SBOM file in the S3 bucket + default: cyclonedx.sbom.json + sarif_name: + description: The name of the SARIF file in the S3 bucket + default: code-scanning-alerts.json + authorized_pub_name: + description: The name of the Authorized Publication file in the S3 bucket + default: authorized_publication.txt +runs: + using: composite + steps: + - name: Generate Compliance Report + shell: bash + run: | + export GH_TOKEN=${{ inputs.token }} + export RELEASE_CREATOR=$(gh api users/${{ github.actor }} --jq '.name') + export SBOM_NAME=${{ inputs.sbom_name }} + export SARIF_NAME=${{ inputs.sarif_name }} + export AUTHORIZED_PUB_NAME=${{ inputs.authorized_pub_name }} + bash ${{ github.action_path }}/generate.sh + diff --git a/compliance-report/generate.sh b/compliance-report/generate.sh new file mode 100644 index 0000000..0f6a49e --- /dev/null +++ b/compliance-report/generate.sh 
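Review bot: Every `${{ inputs.* }}` and `${{ github.actor }}` in the `run:` block of the new compliance-report step is substituted into the shell script as source text, so a value containing shell metacharacters (an `sbom_name` with a space or a `;`, for instance) changes the script instead of being treated as data. Pass those values through the step's `env:` block and reference them as ordinary variables; the same pattern recurs later in this series in `git verify-tag ${{inputs.version}}` (python/bump-and-tag) and `export FILENAMES=${{inputs.filenames}}` (gpg-sign). The rewrite below also separates `export RELEASE_CREATOR=$(gh api …)` into an assignment and an export, so a failed `gh api` call is not hidden behind `export`'s own exit status once `set -e` is in effect. `github.action_path` is runner-provided and can stay as an expression.
```yaml
    - name: Generate Compliance Report
      shell: bash
      env:
        GH_TOKEN: ${{ inputs.token }}
        ACTOR: ${{ github.actor }}
        SBOM_NAME: ${{ inputs.sbom_name }}
        SARIF_NAME: ${{ inputs.sarif_name }}
        AUTHORIZED_PUB_NAME: ${{ inputs.authorized_pub_name }}
      run: |
        set -eu
        RELEASE_CREATOR=$(gh api "users/${ACTOR}" --jq '.name')
        export RELEASE_CREATOR
        bash "${{ github.action_path }}/generate.sh"
```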
@@ -0,0 +1,20 @@ + +cat << EOF >> ${S3_ASSETS}/ssdlc_compliance_report.md +Release Creator +${RELEASE_CREATOR} + +Tool used to track third party vulnerabilities +Silk + +Third-Party Dependency Information +See ${SBOM_NAME} + +Static Analysis Findings +See ${SARIF_NAME} + +Signature Information +See ${AUTHORIZED_PUB_NAME} + +Known Vulnerabilities +Any vulnerabilities that may be shown in the links referenced above have been reviewed and accepted by the appropriate approvers. +EOF diff --git a/python/publish/action.yml b/python/publish/action.yml index e3725a2..d5a738c 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -51,7 +51,10 @@ runs: - name: Generate Sarif Report uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 with: - output-file: sarif-report.json + ref: ${{ inputs.version }} + - name: Generate Compliance Report + uses: blink1073/drivers-github-tools/compliance-report@add-compliance-report + with: ref: ${{ inputs.version }} - name: Run publish script shell: bash diff --git a/python/publish/publish.sh b/python/publish/publish.sh index 5e11673..85dbad0 100755 --- a/python/publish/publish.sh +++ b/python/publish/publish.sh @@ -2,7 +2,7 @@ set -eux -mv sarif-report.json $S3_ASSETS +mv code-scanning-alerts.json $S3_ASSETS if [ "$DRY_RUN" == "false" ]; then echo "Uploading Release Reports" diff --git a/sbom/action.yml b/sbom/action.yml index 571ad60..df960bd 100644 --- a/sbom/action.yml +++ b/sbom/action.yml 
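Review bot: `cat << EOF >> ${S3_ASSETS}/ssdlc_compliance_report.md` appends, so running the action twice in the same workspace (a retried job, or a local dry run) produces a report with every section duplicated; the heredoc is the whole file, so it should truncate instead: `cat << EOF > "${S3_ASSETS}/ssdlc_compliance_report.md"`. Quoting the path also keeps an `S3_ASSETS` containing spaces from being split into two arguments. The heredoc body is unquoted on purpose so the `${...}` references expand, which is worth a one-line comment above the `cat` so nobody "fixes" it to `<< 'EOF'`.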
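Review bot: The new `Generate Compliance Report` step passes `ref: ${{ inputs.version }}`, but compliance-report/action.yml in this same patch declares no `ref` input and marks `token` as required, so the runner will warn about the unexpected input and `GH_TOKEN` inside the action will be empty when `gh api` runs; the `with:` block should be `token: ${{ inputs.token }}`. The `uses:` line also points at a personal fork on a branch (`blink1073/drivers-github-tools/compliance-report@add-compliance-report`), a mutable reference outside the project's control in an action that signs and publishes releases; it should return to the canonical repository, ideally pinned to a commit SHA, before this merges. Dropping `output-file: sarif-report.json` on the code-scanning-export step additionally makes publish.sh depend on that action's default file name (`code-scanning-alerts.json` in the publish.sh hunk of this patch), which deserves a comment on the `mv` line there.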
@@ -11,10 +11,11 @@ inputs: runs: using: composite steps: - - name: Download the Augmented SBOM file to the release assets folder + - name: Download the Augmented SBOM file to the release assets and s3 assets folders shell: bash run: | podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \ --env-file=${SILKBOMB_ENVFILE} \ ${{ inputs.artifactory_image }} \ - download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/sbom.json \ No newline at end of file + download --silk-asset-group ${{ inputs.silk_asset_group }} --sbom-out /pwd/cyclonedx.sbom.json + cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS} \ No newline at end of file From da9ce1ec0f3531287d12b347995e680e51aebb06 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 09:51:19 -0500 Subject: [PATCH 02/26] cleanup --- compliance-report/generate.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/compliance-report/generate.sh b/compliance-report/generate.sh index 0f6a49e..bd638b8 100644 --- a/compliance-report/generate.sh +++ b/compliance-report/generate.sh @@ -1,3 +1,6 @@ +#!/usr/bin/env bash + +set -eux cat << EOF >> ${S3_ASSETS}/ssdlc_compliance_report.md Release Creator @@ -16,5 +19,5 @@ Signature Information See ${AUTHORIZED_PUB_NAME} Known Vulnerabilities -Any vulnerabilities that may be shown in the links referenced above have been reviewed and accepted by the appropriate approvers. +Any vulnerabilities that may be shown in the files referenced above have been reviewed and accepted by the appropriate approvers. EOF From 649ab7b6e4ff5bd936e0265bef42e6158c0296db Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 10:21:11 -0500 Subject: [PATCH 03/26] debug --- setup/setup.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/setup.sh b/setup/setup.sh index 6f06d3f..591be64 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
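Review bot: The file name `cyclonedx.sbom.json` is now hard-coded in this step and is also the `sbom_name` default in compliance-report/action.yml, with nothing tying the two together; if either side is renamed, the compliance report silently references a file that is not in the bucket. Either expose the name as an output of this action (`echo "sbom_name=cyclonedx.sbom.json" >> "$GITHUB_OUTPUT"`) and feed it to compliance-report, or at least annotate the `cp` line with `# must match the sbom_name default in compliance-report/action.yml`. The `${RELEASE_ASSETS}` and `${S3_ASSETS}` expansions on the `-v` and `cp` lines are unquoted and would break on paths with spaces.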
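Review bot: With `set -u` now in effect, the script aborts on any of the five variables it expands if the caller forgot to export one, but nothing in the file says which variables form its contract. A header under the shebang such as `# Requires (exported by compliance-report/action.yml): S3_ASSETS, RELEASE_CREATOR, SBOM_NAME, SARIF_NAME, AUTHORIZED_PUB_NAME` makes that explicit for the next person who calls it from elsewhere. The `#!/usr/bin/env bash` line is fine to keep even though the action invokes the file via `bash …/generate.sh` and the mode stays 100644.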
@@ -49,6 +49,8 @@ RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS EOF +echo "GPG_PUBLIC_URL=$GPG_PUBLIC_URL" + echo "Set up git credentials" git config user.email "167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com" git config user.name "mongodb-dbx-release-bot[bot]" \ No newline at end of file From 8ed14e532cd969b35ef5357ddc1bc8286c322936 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 10:56:19 -0500 Subject: [PATCH 04/26] remove verification step --- python/bump-and-tag/action.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/python/bump-and-tag/action.yml b/python/bump-and-tag/action.yml index 477045c..add2ca1 100644 --- a/python/bump-and-tag/action.yml +++ b/python/bump-and-tag/action.yml @@ -32,12 +32,6 @@ runs: uses: mongodb-labs/drivers-github-tools/git-sign@v2 with: command: git tag -a \"${{ inputs.version }}\" -m \"BUMP ${{ inputs.version }}\" -s --local-user=${{ env.GPG_KEY_ID }} - - name: Verify the tag - shell: bash -eux {0} - run: | - curl $GPG_PUBLIC_URL --output /tmp/signature.pub - gpg --import /tmp/signature.pub - git verify-tag ${{inputs.version}} - name: Push the commit and tag to the source branch shell: bash -eux {0} run: | From 58ddb7eaf317bd268c354b4269a26290a52c6f81 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 12:12:45 -0500 Subject: [PATCH 05/26] handle glob patterns --- gpg-sign/action.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 06c20bd..5073ea7 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml 
@@ -11,6 +11,15 @@ inputs: runs: using: composite steps: + - name: Convert a glob pattern to a list of files + shell: bash + id: filenames + run: | + export FILENAMES="${{inputs.filenames}}" + if [[ $FILENAMES =~ '*' ]]; then + FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') + fi + echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT - name: "Create detached signature for file" shell: bash run: | @@ -25,4 +34,4 @@ runs: - name: "Move the signature files to the release directory" shell: bash run: | - for filename in ${{ inputs.filenames }}; do mv $(unknown).sig $RELEASE_ASSETS; done + for filename in ${{ steps.filenames.output.names }}; do mv $(unknown).sig $RELEASE_ASSETS; done From b9bb42f9629fcee304a7fe50945ddb0fd67d618d Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 12:37:26 -0500 Subject: [PATCH 06/26] update action --- python/publish/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/publish/action.yml b/python/publish/action.yml index d5a738c..1a98d35 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -36,7 +36,7 @@ runs: name: all-dist-${{ github.run_id }} path: dist/ - name: Create detached signature for dist files - uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 + uses: blink1073/drivers-github-tools/gpg-sign@add-compliance-report with: filenames: dist/* - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 From dbb2458a37d4061f4a318422db3d5ca418181602 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 12:41:42 -0500 Subject: [PATCH 07/26] fix silkbomb envfile handling --- setup/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/setup.sh b/setup/setup.sh index 591be64..5cb4687 100755 --- a/setup/setup.sh +++ b/setup/setup.sh 
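Review bot: The move step reads `${{ steps.filenames.output.names }}`, but the step-output context is `steps.<id>.outputs.<name>`, so the expression evaluates to an empty string, the `for` loop has nothing to iterate and no `.sig` file is moved, without any error being raised. Beyond the typo, `echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT` stores the list with literal double quotes that a consumer then has to re-parse, and `ls … | sed` is a fragile way to expand a glob; expanding it in the shell, writing the output without quotes, and reading it back through `env:` keeps the file names as data. Since the signing step creates a `.sig` next to every input, expanding `dist/*` before signing is presumably the reason for this separate step, and that deserves a comment so the ordering is not "simplified" away.
```yaml
    - name: Convert a glob pattern to a list of files
      shell: bash
      id: filenames
      env:
        PATTERN: ${{ inputs.filenames }}
      run: |
        set -eu
        # Expand the glob now, before the .sig files exist next to the inputs.
        echo "names=$(printf '%s ' $PATTERN)" >> "$GITHUB_OUTPUT"
    # … unchanged: signing step …
    - name: "Move the signature files to the release directory"
      shell: bash
      env:
        FILENAMES: ${{ steps.filenames.outputs.names }}
      run: |
        for filename in $FILENAMES; do mv "${filename}.sig" "$RELEASE_ASSETS"; done
```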
@@ -43,7 +43,7 @@ AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}" GPG_KEY_ID=$GPG_KEY_ID GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}" GARASIGN_ENVFILE=$GARASIGN_ENVFILE -SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}" +SILKBOMB_ENVFILE="${SILKBOMB_ENVFILE:-}" ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS From 0433d7a196abad304caeac634ecba533588e0e63 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 12:52:47 -0500 Subject: [PATCH 08/26] do not publish to pypi --- python/publish/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/python/publish/action.yml b/python/publish/action.yml index 1a98d35..e3536be 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -65,9 +65,9 @@ runs: PRODUCT_NAME: ${{ inputs.product_name }} DRY_RUN: ${{ inputs.dry_run }} # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#publishing-the-distribution-to-pypi - - name: Publish distribution 📦 to PyPI - if: inputs.dry_run == 'false' - uses: pypa/gh-action-pypi-publish@release/v1 + # - name: Publish distribution 📦 to PyPI + # if: inputs.dry_run == 'false' + # uses: pypa/gh-action-pypi-publish@release/v1 - name: Set following version shell: bash -eux {0} run: | From bf26f756ed8983537e0ea9d06e34cb94143af30c Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 13:30:55 -0500 Subject: [PATCH 09/26] cleanup --- python/publish/action.yml | 6 ++++++ setup/setup.sh | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/python/publish/action.yml b/python/publish/action.yml index e3536be..eba1682 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml 
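Review bot: The fix balances the stray `"` on the `SILKBOMB_ENVFILE` line, but the two context lines just above, `AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}"` and `GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}"`, carry the same stray quote and are left as they are. This heredoc appears (from the `cat <> $GITHUB_ENV` context shown, mangled, in later hunks) to be written to `$GITHUB_ENV`, which is read as plain `KEY=value` lines rather than by a shell, so a quote character, balanced or not, becomes part of the value; the right fix for all three lines is to drop the quotes entirely, e.g. `SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}`. The heredoc starts above this hunk.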
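Review bot: Commenting out the `Publish distribution 📦 to PyPI` step disables publishing for every consumer of this action, not just for this branch's testing, and nothing marks it as temporary. The step already carries `if: inputs.dry_run == 'false'`, so running the test workflow with `dry_run: true` gives the same effect without editing the action; if a real kill switch is wanted it should be an explicit input (for example `skip_pypi`) with its own `if:` rather than a commented block.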
@@ -45,6 +45,12 @@ runs: release_version: ${{ inputs.version }} filenames: dist/* token: ${{ inputs.token }} + - name: Verify the tag + shell: bash -eux {0} + run: | + curl $GPG_PUBLIC_URL --output /tmp/signature.pub + gpg --import /tmp/signature.pub + git verify-tag ${{inputs.version}} - uses: mongodb-labs/drivers-github-tools/sbom@v2 with: silk_asset_group: ${{ inputs.silk_asset_group }} diff --git a/setup/setup.sh b/setup/setup.sh index 5cb4687..9bca92c 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -39,9 +39,9 @@ mkdir $S3_ASSETS echo "Set up global variables" cat <> $GITHUB_ENV -AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-}" +AWS_BUCKET="${RELEASE_ASSETS_BUCKET:-}" GPG_KEY_ID=$GPG_KEY_ID -GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}" +GPG_PUBLIC_URL="${GPG_PUBLIC_URL:-}" GARASIGN_ENVFILE=$GARASIGN_ENVFILE SILKBOMB_ENVFILE="${SILKBOMB_ENVFILE:-}" ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY From 2297d0972d07e59dcd2945fa0431ebba7b1ee4a6 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 13:40:19 -0500 Subject: [PATCH 10/26] do not use quotes --- setup/setup.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 9bca92c..55ed4d0 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -39,11 +39,11 @@ mkdir $S3_ASSETS echo "Set up global variables" cat <> $GITHUB_ENV -AWS_BUCKET="${RELEASE_ASSETS_BUCKET:-}" +AWS_BUCKET=${RELEASE_ASSETS_BUCKET:-} GPG_KEY_ID=$GPG_KEY_ID -GPG_PUBLIC_URL="${GPG_PUBLIC_URL:-}" +GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-} GARASIGN_ENVFILE=$GARASIGN_ENVFILE -SILKBOMB_ENVFILE="${SILKBOMB_ENVFILE:-}" +SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-} ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS From eb843cc1b68e9831c98b529010f04f8ebbcbefbe Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Thu, 6 Jun 2024 13:48:57 -0500 Subject: [PATCH 11/26] fix tag check --- python/bump-and-tag/action.yml | 6 ++++++ python/publish/action.yml | 6 ------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/python/bump-and-tag/action.yml b/python/bump-and-tag/action.yml index add2ca1..477045c 100644 --- a/python/bump-and-tag/action.yml +++ b/python/bump-and-tag/action.yml @@ -32,6 +32,12 @@ runs: uses: mongodb-labs/drivers-github-tools/git-sign@v2 with: command: git tag -a \"${{ inputs.version }}\" -m \"BUMP ${{ inputs.version }}\" -s --local-user=${{ env.GPG_KEY_ID }} + - name: Verify the tag + shell: bash -eux {0} + run: | + curl $GPG_PUBLIC_URL --output /tmp/signature.pub + gpg --import /tmp/signature.pub + git verify-tag ${{inputs.version}} - name: Push the commit and tag to the source branch shell: bash -eux {0} run: | diff --git a/python/publish/action.yml b/python/publish/action.yml index eba1682..e3536be 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -45,12 +45,6 @@ runs: release_version: ${{ inputs.version }} filenames: dist/* token: ${{ inputs.token }} - - name: Verify the tag - shell: bash -eux {0} - run: | - curl $GPG_PUBLIC_URL --output /tmp/signature.pub - gpg --import /tmp/signature.pub - git verify-tag ${{inputs.version}} - uses: mongodb-labs/drivers-github-tools/sbom@v2 with: silk_asset_group: ${{ inputs.silk_asset_group }} From c1790d2054eedc24391052bd8e48907c6d8ed34f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 14:55:32 -0500 Subject: [PATCH 12/26] debug --- compliance-report/action.yml | 2 +- sbom/action.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/compliance-report/action.yml b/compliance-report/action.yml index 5a1e504..155fa83 100644 --- a/compliance-report/action.yml +++ b/compliance-report/action.yml 
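Review bot: `curl $GPG_PUBLIC_URL --output /tmp/signature.pub` runs without `--fail`, so an HTTP error page is saved as the key file and the problem only surfaces as a confusing `gpg --import` error; `curl --fail --silent --show-error --location "$GPG_PUBLIC_URL" --output /tmp/signature.pub` reports the real cause at the download. `git verify-tag` then only proves the tag was signed by whatever key the URL served; since the tag was created with `--local-user=${{ env.GPG_KEY_ID }}` two lines above, a check such as `gpg --list-keys "$GPG_KEY_ID"` after the import would confirm that the published key is the expected signing key (assuming `GPG_KEY_ID` is in a form gpg accepts as a key selector). `${{inputs.version}}` is also pasted into the script as text rather than passed through `env:`.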
@@ -19,10 +19,10 @@ runs: - name: Generate Compliance Report shell: bash run: | + set -eux export GH_TOKEN=${{ inputs.token }} export RELEASE_CREATOR=$(gh api users/${{ github.actor }} --jq '.name') export SBOM_NAME=${{ inputs.sbom_name }} export SARIF_NAME=${{ inputs.sarif_name }} export AUTHORIZED_PUB_NAME=${{ inputs.authorized_pub_name }} bash ${{ github.action_path }}/generate.sh - diff --git a/sbom/action.yml b/sbom/action.yml index df960bd..c420a37 100644 --- a/sbom/action.yml +++ b/sbom/action.yml @@ -14,6 +14,7 @@ runs: - name: Download the Augmented SBOM file to the release assets and s3 assets folders shell: bash run: | + set -eux podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd \ --env-file=${SILKBOMB_ENVFILE} \ ${{ inputs.artifactory_image }} \ From 2012560c33e908ef6392e1b3b227d7301d1fcf98 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 14:57:21 -0500 Subject: [PATCH 13/26] also push sig files --- python/publish/publish.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/python/publish/publish.sh b/python/publish/publish.sh index 85dbad0..7f2cc60 100755 --- a/python/publish/publish.sh +++ b/python/publish/publish.sh @@ -2,6 +2,7 @@ set -eux +cp $RELEASE_ASSETS/*.sig $S3_ASSETS mv code-scanning-alerts.json $S3_ASSETS if [ "$DRY_RUN" == "false" ]; then From dc085bce76102b621b934f43bdcb48eb389c21c5 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 15:36:10 -0500 Subject: [PATCH 14/26] cleanup --- gpg-sign/action.yml | 4 ++-- python/publish/action.yml | 10 +++++----- setup/setup.sh | 2 -- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 5073ea7..a271f98 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml 
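Review bot: With `set -eux` in effect, the trace of the very next line, `export GH_TOKEN=${{ inputs.token }}`, prints the token value to the job log; GitHub's secret masking usually redacts it, but that is best-effort and depends on the value having been registered as a secret, so a token should not be traced at all. Use `set -eu` here, or move the token into the step's `env:` block so it never appears in a traced command. Separately, `export RELEASE_CREATOR=$(gh api …)` returns `export`'s status, not `gh`'s, so `set -e` will not stop on a failed API call and the report gets an empty creator; split it into `RELEASE_CREATOR=$(gh api …)` followed by `export RELEASE_CREATOR`.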
@@ -29,9 +29,9 @@ runs: -v $(pwd):$(pwd) \ -w $(pwd) \ ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ - /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' + /bin/bash -c 'gpgloader && for filename in $FILENAMES; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - name: "Move the signature files to the release directory" shell: bash run: | - for filename in ${{ steps.filenames.output.names }}; do mv $(unknown).sig $RELEASE_ASSETS; done + for filename in ${{ steps.filenames.outputs.names }}; do mv $(unknown).sig $RELEASE_ASSETS; done diff --git a/python/publish/action.yml b/python/publish/action.yml index e3536be..b076df0 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -39,23 +39,23 @@ runs: uses: blink1073/drivers-github-tools/gpg-sign@add-compliance-report with: filenames: dist/* - - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + - uses: blink1073/drivers-github-tools/authorized-pub@add-compliance-report with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.version }} filenames: dist/* token: ${{ inputs.token }} - - uses: mongodb-labs/drivers-github-tools/sbom@v2 + - uses: blink1073/drivers-github-tools/sbom@add-compliance-report with: silk_asset_group: ${{ inputs.silk_asset_group }} - name: Generate Sarif Report - uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + uses: blink1073/drivers-github-tools/code-scanning-export@add-compliance-report with: ref: ${{ inputs.version }} - name: Generate Compliance Report uses: blink1073/drivers-github-tools/compliance-report@add-compliance-report with: - ref: ${{ inputs.version }} + token: ${{ inputs.token }} - name: Run publish script shell: bash run: ${{github.action_path}}/publish.sh 
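Review bot: In the signing step, `$FILENAMES` now sits inside the single-quoted `/bin/bash -c '…'` string, so it is expanded by the shell inside the container, but nothing forwards that variable into the container: `podman run` receives only `--env-file=$GARASIGN_ENVFILE`, so the loop iterates over an empty list and nothing is signed. Give the step `env: FILENAMES: ${{ steps.filenames.outputs.names }}` and add `-e FILENAMES \` to the `podman run` arguments so the host value is passed through. The host-side `export FILENAMES=…` added in PATCH 16 and the `${FILENAMES}` brace change in PATCH 17 do not address this either, since neither reaches the container's environment. The `outputs.names` correction in the move step is right.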
@@ -74,7 +74,7 @@ runs: git clean -dffx bash ${{ inputs.version_bump_script }} ${{ inputs.version }} - name: Commit the version bump - uses: mongodb-labs/drivers-github-tools/git-sign@v2 + uses: blink1073/drivers-github-tools/git-sign@add-compliance-report with: command: git commit -a -m \"BUMP ${{ inputs.following_version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Push the commit to the source branch diff --git a/setup/setup.sh b/setup/setup.sh index 55ed4d0..0fd8c22 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -49,8 +49,6 @@ RELEASE_ASSETS=$RELEASE_ASSETS S3_ASSETS=$S3_ASSETS EOF -echo "GPG_PUBLIC_URL=$GPG_PUBLIC_URL" - echo "Set up git credentials" git config user.email "167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com" git config user.name "mongodb-dbx-release-bot[bot]" \ No newline at end of file From 468766d9ce4bf138cc912e60e1073646c8a2e10c Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 15:46:10 -0500 Subject: [PATCH 15/26] debug --- gpg-sign/action.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index a271f98..b524dcc 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -15,6 +15,7 @@ runs: shell: bash id: filenames run: | + set -eux export FILENAMES="${{inputs.filenames}}" if [[ $FILENAMES =~ '*' ]]; then FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') @@ -34,4 +35,8 @@ runs: - name: "Move the signature files to the release directory" shell: bash run: | + # TODO: REMOVE + set -eux + ls dist + ls for filename in ${{ steps.filenames.outputs.names }}; do mv $(unknown).sig $RELEASE_ASSETS; done From 1b0e2c3c7b07f073057f2a976cba63990a2217c1 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 15:56:00 -0500 Subject: [PATCH 16/26] try again --- gpg-sign/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index b524dcc..034e838 100644 --- a/gpg-sign/action.yml 
+++ b/gpg-sign/action.yml @@ -24,6 +24,7 @@ runs: - name: "Create detached signature for file" shell: bash run: | + export FILENAMES=${{ steps.filenames.outputs.names }} podman run \ --env-file=$GARASIGN_ENVFILE \ --rm \ From 108a3ffe3d9c0bfa4059d910a3a7952d06b8f444 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 18:43:27 -0500 Subject: [PATCH 17/26] try again --- gpg-sign/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 034e838..8e6701e 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -31,7 +31,7 @@ runs: -v $(pwd):$(pwd) \ -w $(pwd) \ ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ - /bin/bash -c 'gpgloader && for filename in $FILENAMES; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' + /bin/bash -c 'gpgloader && for filename in ${FILENAMES}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - name: "Move the signature files to the release directory" shell: bash From 029f42d4fdeeb0b8f3787ee77f8aab263a770f79 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 18:51:30 -0500 Subject: [PATCH 18/26] try again --- gpg-sign/action.yml | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 8e6701e..9385f80 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml 
@@ -11,33 +11,22 @@ inputs: runs: using: composite steps: - - name: Convert a glob pattern to a list of files - shell: bash - id: filenames - run: | - set -eux - export FILENAMES="${{inputs.filenames}}" - if [[ $FILENAMES =~ '*' ]]; then - FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') - fi - echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT - name: "Create detached signature for file" shell: bash run: | - export FILENAMES=${{ steps.filenames.outputs.names }} podman run \ --env-file=$GARASIGN_ENVFILE \ --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ - /bin/bash -c 'gpgloader && for filename in ${FILENAMES}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' + /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames}}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - name: "Move the signature files to the release directory" shell: bash run: | - # TODO: REMOVE - set -eux - ls dist - ls - for filename in ${{ steps.filenames.outputs.names }}; do mv $(unknown).sig $RELEASE_ASSETS; done + export FILENAMES="${{inputs.filenames}}" + if [[ $FILENAMES =~ '*' ]]; then + FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') + fi + for filename in $FILENAMES; do mv $(unknown).sig $RELEASE_ASSETS; done From 024827a16f0e139785cdc4ea4ca26b13f1c5c5dd Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 19:00:41 -0500 Subject: [PATCH 19/26] debug --- gpg-sign/action.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 9385f80..4ee41be 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml 
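Review bot: Moving the glob expansion into the move step means `ls $FILENAMES` runs after the signing step has written a `.sig` next to every input, so with a pattern such as `dist/*` the list now also contains the signature files and the loop will try to move `<file>.sig.sig`, which does not exist; this is presumably why the list had been captured in a separate step before signing, and that ordering should be kept, with a comment stating the reason. In the signing step `${{ inputs.filenames}}` is again pasted into the single-quoted `bash -c` string, so the glob is expanded by the container's shell over the mounted working directory, which works but means a file name containing a quote or space alters the command. The `set -eux` and `ls` debugging lines being dropped here are good to see gone.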
@@ -25,8 +25,9 @@ runs: - name: "Move the signature files to the release directory" shell: bash run: | - export FILENAMES="${{inputs.filenames}}" + set -eux + export FILENAMES=${{inputs.filenames}} if [[ $FILENAMES =~ '*' ]]; then - FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') + export FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') fi for filename in $FILENAMES; do mv $(unknown).sig $RELEASE_ASSETS; done From 4247af14f1c91fa4a38ed0d2d843c0e1c18656fe Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 19:10:53 -0500 Subject: [PATCH 20/26] try again --- gpg-sign/action.yml | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 4ee41be..51e48d6 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -11,6 +11,16 @@ inputs: runs: using: composite steps: + - name: Get the list of filenames as a space-separated string + shell: bash + id: filenames + run: | + set -eux + export FILENAMES="${{inputs.filenames}}" + if [[ $FILENAMES =~ '*' ]]; then + FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') + fi + echo "names=\"$FILENAMES\"" >> $GITHUB_OUTPUT - name: "Create detached signature for file" shell: bash run: | @@ -25,9 +35,5 @@ runs: - name: "Move the signature files to the release directory" shell: bash run: | - set -eux - export FILENAMES=${{inputs.filenames}} - if [[ $FILENAMES =~ '*' ]]; then - export FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') - fi + export FILENAMES="${{steps.filenames.outputs.name}}" for filename in $FILENAMES; do mv $(unknown).sig $RELEASE_ASSETS; done From 718121046197a636e579b4c5c6d9564f64d5b57c Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 19:20:42 -0500 Subject: [PATCH 21/26] debug --- gpg-sign/action.yml | 2 ++ 1 file changed, 2 insertions(+) 
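Review bot: The restored move step reads `${{steps.filenames.outputs.name}}` while the producing step writes `names=`, so the expression resolves to an empty string and no signature file is moved; it should be `export FILENAMES="${{steps.filenames.outputs.names}}"`. Even with the key corrected, the value written by `echo "names=\"$FILENAMES\""` contains literal double quotes, so the quoted form here yields a string beginning with a `"` character and the first `mv` source will be wrong; writing the output without embedded quotes (`echo "names=$FILENAMES" >> "$GITHUB_OUTPUT"`) and consuming it through `env:` avoids re-parsing the value as shell syntax. The PATCH 19 hunk above, which drops the quotes around `${{inputs.filenames}}`, should not change behaviour, since bash does not glob-expand the right-hand side of an `export` assignment either way.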
diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 51e48d6..5d10587 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -35,5 +35,7 @@ runs: - name: "Move the signature files to the release directory" shell: bash run: | + set -eux export FILENAMES="${{steps.filenames.outputs.name}}" for filename in $FILENAMES; do mv $(unknown).sig $RELEASE_ASSETS; done + ls $RELEASE_ASSETS From 14335994948b25f3351b43ec1710a045e9628053 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 19:33:37 -0500 Subject: [PATCH 22/26] fix --- gpg-sign/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 5d10587..cb38070 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -36,6 +36,6 @@ runs: shell: bash run: | set -eux - export FILENAMES="${{steps.filenames.outputs.name}}" + export FILENAMES="${{steps.filenames.outputs.names}}" for filename in $FILENAMES; do mv $(unknown).sig $RELEASE_ASSETS; done ls $RELEASE_ASSETS From db2db54e9d8df5765c893504e2d348181158bf1e Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 19:57:28 -0500 Subject: [PATCH 23/26] try again --- gpg-sign/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index cb38070..54418a7 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -16,7 +16,7 @@ runs: id: filenames run: | set -eux - export FILENAMES="${{inputs.filenames}}" + export FILENAMES=${{inputs.filenames}} if [[ $FILENAMES =~ '*' ]]; then FILENAMES=$(ls $FILENAMES | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g') fi @@ -36,6 +36,6 @@ runs: shell: bash run: | set -eux - export FILENAMES="${{steps.filenames.outputs.names}}" + export FILENAMES=${{steps.filenames.outputs.names}} for filename in $FILENAMES; do mv $(unknown).sig $RELEASE_ASSETS; done ls $RELEASE_ASSETS From 075201cbe0c8da3663ef3a7d20d4b45c2057589f Mon Sep 17 00:00:00 2001 
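Review bot: Removing the quotes around `${{steps.filenames.outputs.names}}` makes the move step work only because the output value itself carries the literal `"…"` written by `echo "names=\"$FILENAMES\""`, and the shell now re-parses those quotes as syntax; the list of file names is effectively executed as shell source, so a name containing a quote, `$` or `;` would alter the command rather than be moved. Emit the list without embedded quotes, `echo "names=$FILENAMES" >> "$GITHUB_OUTPUT"`, and read it in the consumer through `env:` (`FILENAMES: ${{ steps.filenames.outputs.names }}`) with `for filename in $FILENAMES`, which needs no quoting tricks. The matching change to `export FILENAMES=${{inputs.filenames}}` in the first hunk has the same shape and the same fix. The PATCH 22 hunk correcting `outputs.name` to `outputs.names` is right.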
From: Steven Silvester Date: Thu, 6 Jun 2024 20:43:51 -0500 Subject: [PATCH 24/26] cleanup --- authorized-pub/action.yml | 2 +- compliance-report/action.yml | 2 +- gpg-sign/action.yml | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/authorized-pub/action.yml b/authorized-pub/action.yml index 7bcf677..1eefa32 100644 --- a/authorized-pub/action.yml +++ b/authorized-pub/action.yml @@ -22,7 +22,7 @@ runs: run: | export GH_TOKEN=${{ inputs.token }} NAME=$(gh api users/${{ github.actor }} --jq '.name') - export REPORT=$S3_ASSETS/authorized_publication.txt + export REPORT=$S3_ASSETS/authorized-publication.txt echo "Product: ${{ inputs.product_name }}" > $REPORT echo "Version: ${{ inputs.release_version }}" >> $REPORT echo "Releaser: $NAME" >> $REPORT diff --git a/compliance-report/action.yml b/compliance-report/action.yml index 155fa83..8ce938c 100644 --- a/compliance-report/action.yml +++ b/compliance-report/action.yml @@ -12,7 +12,7 @@ inputs: default: code-scanning-alerts.json authorized_pub_name: description: The name of the Authorized Publication file in the S3 bucket - default: authorized_publication.txt + default: authorized-publication.txt runs: using: composite steps: diff --git a/gpg-sign/action.yml b/gpg-sign/action.yml index 54418a7..171451b 100644 --- a/gpg-sign/action.yml +++ b/gpg-sign/action.yml @@ -30,7 +30,7 @@ runs: -v $(pwd):$(pwd) \ -w $(pwd) \ ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \ - /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames}}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' + /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output $(unknown).sig $(unknown); done' - name: "Move the signature files to the release directory" shell: bash @@ -38,4 +38,3 @@ runs: set -eux export FILENAMES=${{steps.filenames.outputs.names}} for filename in $FILENAMES; do mv $(unknown).sig $RELEASE_ASSETS; done - ls $RELEASE_ASSETS 
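Review bot: The report file name is renamed in two places that must agree, `REPORT=$S3_ASSETS/authorized-publication.txt` here and the `authorized_pub_name` default in compliance-report/action.yml, and nothing enforces that; a future rename of one side makes the compliance report reference a file that is not in the bucket. The least-effort guard is a comment on each side, e.g. `# keep in sync with the authorized_pub_name default in compliance-report/action.yml`; a stronger one is for authorized-pub to expose the name as a step output that the publish action hands to compliance-report. The `NAME=$(gh api users/${{ github.actor }} --jq '.name')` line above presumably prints `null` for an actor without a display name, so the report would read `Releaser: null`; that is inherited rather than new here, but worth handling.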
From 507a51b96a99c7b3a7677a8b4615d1f077e49ea2 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 20:57:29 -0500 Subject: [PATCH 25/26] update action links --- python/publish/action.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/python/publish/action.yml b/python/publish/action.yml index b076df0..fb5dd7e 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -36,24 +36,24 @@ runs: name: all-dist-${{ github.run_id }} path: dist/ - name: Create detached signature for dist files - uses: blink1073/drivers-github-tools/gpg-sign@add-compliance-report + uses: mongodb-labs/drivers-github-tools/gpg-sign@v2 with: filenames: dist/* - - uses: blink1073/drivers-github-tools/authorized-pub@add-compliance-report + - uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 with: product_name: ${{ inputs.product_name }} release_version: ${{ inputs.version }} filenames: dist/* token: ${{ inputs.token }} - - uses: blink1073/drivers-github-tools/sbom@add-compliance-report + - uses: mongodb-labs/drivers-github-tools/sbom@v2 with: silk_asset_group: ${{ inputs.silk_asset_group }} - name: Generate Sarif Report - uses: blink1073/drivers-github-tools/code-scanning-export@add-compliance-report + uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 with: ref: ${{ inputs.version }} - name: Generate Compliance Report - uses: blink1073/drivers-github-tools/compliance-report@add-compliance-report + uses: mongodb-labs/drivers-github-tools/compliance-report@v2 with: token: ${{ inputs.token }} - name: Run publish script 
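Review bot: Every `uses:` here now resolves through the moving `v2` tag of this same repository, including `compliance-report@v2`, which is a new action in this series; until `v2` is advanced to a commit that contains it the publish action cannot resolve that path, and after it is advanced any later move of the tag silently changes what a release run executes. For an action that signs artifacts and publishes to PyPI, pinning the sibling actions to a full commit SHA with the tag in a trailing comment (`uses: mongodb-labs/drivers-github-tools/gpg-sign@<sha> # v2`, where `<sha>` is a placeholder) gives a reproducible, auditable pipeline; the same applies to the `git-sign@v2` line in the second hunk of this patch. Restoring the canonical repository in place of the fork references is the right direction.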
@@ -74,7 +74,7 @@ runs: git clean -dffx bash ${{ inputs.version_bump_script }} ${{ inputs.version }} - name: Commit the version bump - uses: blink1073/drivers-github-tools/git-sign@add-compliance-report + uses: mongodb-labs/drivers-github-tools/git-sign@v2 with: command: git commit -a -m \"BUMP ${{ inputs.following_version }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }} - name: Push the commit to the source branch From 609cdc21a13bb50f7856440ef1bb9c08777e693f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Thu, 6 Jun 2024 20:58:05 -0500 Subject: [PATCH 26/26] undo comment out --- python/publish/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/python/publish/action.yml b/python/publish/action.yml index fb5dd7e..9d5a196 100644 --- a/python/publish/action.yml +++ b/python/publish/action.yml @@ -65,9 +65,9 @@ runs: PRODUCT_NAME: ${{ inputs.product_name }} DRY_RUN: ${{ inputs.dry_run }} # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#publishing-the-distribution-to-pypi - # - name: Publish distribution 📦 to PyPI - # if: inputs.dry_run == 'false' - # uses: pypa/gh-action-pypi-publish@release/v1 + - name: Publish distribution 📦 to PyPI + if: inputs.dry_run == 'false' + uses: pypa/gh-action-pypi-publish@release/v1 - name: Set following version shell: bash -eux {0} run: |
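Review bot: `pypa/gh-action-pypi-publish@release/v1` is a branch reference, so the code that uploads to PyPI can change between two runs of the same workflow; pinning to the commit SHA of a release (`uses: pypa/gh-action-pypi-publish@<sha> # release/v1`, `<sha>` being a placeholder) removes that variability from the one step that cannot be undone. Restoring the `if: inputs.dry_run == 'false'` guard is the right shape for a dry-run switch. The enclosing `runs.steps` list continues outside the hunk.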