From ae417bf6d751435893cfd7a1448089c4352f857a Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Fri, 3 May 2024 13:31:56 +0200 Subject: [PATCH 01/16] Create signed git artifacts upon release --- .github/workflows/commit-and-tag.sh | 12 +++++++ .github/workflows/dev-commit.sh | 6 ++++ .github/workflows/release.yml | 53 +++++++++++++++++++++++------ 3 files changed, 60 insertions(+), 11 deletions(-) create mode 100755 .github/workflows/commit-and-tag.sh create mode 100755 .github/workflows/dev-commit.sh diff --git a/.github/workflows/commit-and-tag.sh b/.github/workflows/commit-and-tag.sh new file mode 100755 index 000000000..cbf03f0f1 --- /dev/null +++ b/.github/workflows/commit-and-tag.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash +set -e + +gpgloader + +# Create signed "Package x.y.z" commit +echo "Create package commit" +git commit -m "Package ${PACKAGE_VERSION}" -s --gpg-sign=${GPG_KEY_ID} phongo_version.h + +# Create signed "Release x.y.z" tag +echo "Create release tag" +git tag -F changelog -s --local-user=${GPG_KEY_ID} ${PACKAGE_VERSION} diff --git a/.github/workflows/dev-commit.sh b/.github/workflows/dev-commit.sh new file mode 100755 index 000000000..ad489315a --- /dev/null +++ b/.github/workflows/dev-commit.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +set -e + +gpgloader + +git commit -m "Back to -dev" -s --gpg-sign=${GPG_KEY_ID} phongo_version.h diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 90f4c1569..067454ccb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -89,10 +89,6 @@ jobs: git config user.name "${GIT_AUTHOR_NAME}" git config user.email "${GIT_AUTHOR_EMAIL}" - # Create the "Package x.y.z" commit that will be the base of our tag - - name: "Create release commit" - run: git commit -m "Package ${{ env.PACKAGE_VERSION }}" phongo_version.h - # Create a draft release with a changelog # TODO: Consider using the API to generate changelog - name: "Create draft release with generated changelog" 
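Review bot: Both new scripts expand `${GPG_KEY_ID}` and `${PACKAGE_VERSION}` unquoted under `set -e` only, so an unset or empty variable is not caught before `git commit --gpg-sign=` and `git tag --local-user=` run, and with an empty key id the outcome presumably depends on git's default signing configuration instead of a hard failure. Use `set -euo pipefail` in commit-and-tag.sh and dev-commit.sh so a missing variable aborts before anything is signed, and quote the expansions: `git commit -m "Package ${PACKAGE_VERSION}" -s --gpg-sign="${GPG_KEY_ID}" phongo_version.h` and `git tag -F changelog -s --local-user="${GPG_KEY_ID}" "${PACKAGE_VERSION}"`. A header comment such as `# Runs inside the garasign container; expects gpgloader to have loaded the release key and a changelog file written by the workflow` would tell the next reader where the inputs come from.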
@@ -101,14 +97,49 @@ jobs: - name: "Read changelog from draft release" run: gh release view ${{ env.PACKAGE_VERSION }} --json body --template '{{ .body }}' >> changelog - # TODO: Sign tag - - name: "Create release tag" - run: git tag -a -F changelog ${{ env.PACKAGE_VERSION }} - - - name: "Update version information to next patch development release" + - name: Create the envfile + run: | + pip install -U -q setuptools + cat << EOF > envfile + GRS_CONFIG_USER1_USERNAME=${{ secrets.GRS_CONFIG_USER1_USERNAME }} + GRS_CONFIG_USER1_PASSWORD=${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + GPG_KEY_ID=${{ vars.GPG_KEY_ID }} + PACKAGE_VERSION=${{ env.PACKAGE_VERSION }} + EOF + + - name: Log in to artifactory + uses: redhat-actions/podman-login@v1 + with: + username: ${{ secrets.ARTIFACTORY_USER }} + password: ${{ secrets.ARTIFACTORY_PASSWORD }} + registry: artifactory.corp.mongodb.com + + # This step creates the "Package x.y.z" commit that will be the base of + # our tag and creates the release tag. This is run inside the container in + # order to create signed git artifacts + - name: "Create package commit and release tag" + run: | + podman run \ + --env-file=envfile \ + --rm \ + -v $(pwd):$(pwd) \ + -w $(pwd) \ + ${{ vars.ARTIFACTORY_IMAGE }} \ + /bin/bash -c "$(pwd)/.github/workflows/commit-and-tag.sh" + + - name: "Bump to next development release" + run: ./bin/update-release-version.php to-next-patch-dev + + # Create a signed "back to -dev" commit, again inside the container + - name: "Create dev commit" run: | - ./bin/update-release-version.php to-next-patch-dev - git commit -m "Back to -dev" phongo_version.h + podman run \ + --env-file=envfile \ + --rm \ + -v $(pwd):$(pwd) \ + -w $(pwd) \ + ${{ vars.ARTIFACTORY_IMAGE }} \ + /bin/bash -c "$(pwd)/.github/workflows/dev-commit.sh" # TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created # Process is: From 2e9bb2d4283d56c943f4e2b738d5c7b2d17faeb1 Mon Sep 17 00:00:00 2001 
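Review bot: The envfile holding the GRS credentials is written into the checkout by `cat << EOF > envfile` and never removed, so it stays on disk for the remaining steps and inside the `$(pwd)` mount of every later `podman run`. Write it outside the workspace, `cat << 'EOF' > "${RUNNER_TEMP}/envfile"` with `--env-file="${RUNNER_TEMP}/envfile"` (the quoted delimiter also keeps bash from expanding `$` sequences inside a credential), and add a final `if: always()` step that deletes it. Separately, the signing container is pulled by the mutable reference `${{ vars.ARTIFACTORY_IMAGE }}`; because this image handles the release signing key, pin it by digest (`@sha256:<digest placeholder>`) or an immutable tag, here, in the `Create dev commit` step below, and in the package-release.yml signing step of the next commit. `${{ env.PACKAGE_VERSION }}` is interpolated into shell text by the expression engine, which is acceptable only because it is read from the repository's version file.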
From: Andreas Braun Date: Fri, 3 May 2024 14:23:18 +0200 Subject: [PATCH 02/16] Generate signature for PECL package --- .github/workflows/create-package-signature.sh | 8 ++++ .github/workflows/package-release.yml | 48 ++++++++++++++++--- 2 files changed, 49 insertions(+), 7 deletions(-) create mode 100755 .github/workflows/create-package-signature.sh diff --git a/.github/workflows/create-package-signature.sh b/.github/workflows/create-package-signature.sh new file mode 100755 index 000000000..e0a391784 --- /dev/null +++ b/.github/workflows/create-package-signature.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +set -e + +gpgloader + +FILENAME=$1 + +gpg --yes -v --armor -o "${FILENAME}.sig" --detach-sign "${FILENAME}" diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index b913658c2..05081d122 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml 
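Review bot: `FILENAME=$1` is never checked and `set -e` does not catch an unset argument, so a missing filename surfaces as a gpg error at the end instead of at the top of the script; use `set -euo pipefail` and `FILENAME=${1:?filename to sign is required}`. The script also exits right after `--detach-sign` without looking at what it produced; if the public half of the key is in the keyring after `gpgloader` (not visible here), adding `gpg --verify "${FILENAME}.sig" "${FILENAME}"` fails the job on a bad or empty signature before the workflow uploads it. A header comment saying the script runs inside the garasign container and writes `<file>.sig` next to the input would document the contract.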
@@ -38,20 +38,54 @@ jobs: # PECL always uses the version for the package name. # Read it from the version file and store in env to use when uploading artifacts - name: "Read current package version" - run: echo "PACKAGE_VERSION=$(./bin/update-release-version.php get-version)" >> "$GITHUB_ENV" + run: | + PACKAGE_VERSION=$(./bin/update-release-version.php get-version) + echo "PACKAGE_VERSION=${PACKAGE_VERSION}" >> "$GITHUB_ENV" + echo "PACKAGE_FILE=mongodb-${PACKAGE_VERSION}.tgz" >> "$GITHUB_ENV" + + - name: Create the envfile + run: | + pip install -U -q setuptools + cat << EOF > envfile + GRS_CONFIG_USER1_USERNAME=${{ secrets.GRS_CONFIG_USER1_USERNAME }} + GRS_CONFIG_USER1_PASSWORD=${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + GPG_KEY_ID=${{ vars.GPG_KEY_ID }} + EOF + + - name: Log in to artifactory + uses: redhat-actions/podman-login@v1 + with: + username: ${{ secrets.ARTIFACTORY_USER }} + password: ${{ secrets.ARTIFACTORY_PASSWORD }} + registry: artifactory.corp.mongodb.com + + # This step creates the "Package x.y.z" commit that will be the base of + # our tag and creates the release tag. 
This is run inside the container in + # order to create signed git artifacts + - name: "Create signature file for package" + run: | + podman run \ + --env-file=envfile \ + --rm \ + -v $(pwd):$(pwd) \ + -w $(pwd) \ + ${{ vars.ARTIFACTORY_IMAGE }} \ + /bin/bash -c "$(pwd)/.github/workflows/create-package-signature.sh ${{ env.PACKAGE_FILE }}" - name: "Install release archive to verify correctness" - run: sudo pecl install mongodb-${{ env.PACKAGE_VERSION }}.tgz + run: sudo pecl install ${{ env.PACKAGE_FILE }} - - name: "Upload artifact" + - name: "Upload artifacts" uses: actions/upload-artifact@v4 with: - name: mongodb-${{ env.PACKAGE_VERSION }}.tgz - path: mongodb-${{ env.PACKAGE_VERSION }}.tgz + name: ${{ env.PACKAGE_FILE }} + path: | + ${{ env.PACKAGE_FILE }} + ${{ env.PACKAGE_FILE }}.sig retention-days: 3 - - name: "Upload release artifact" - run: gh release upload ${{ github.ref_name }} mongodb-${{ env.PACKAGE_VERSION }}.tgz + - name: "Upload release artifacts" + run: gh release upload ${{ github.ref_name }} ${{ env.PACKAGE_FILE }} ${{ env.PACKAGE_FILE }}.sig continue-on-error: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 7312bf110614804c0fe12a213f95fb3e5ae41d47 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Fri, 3 May 2024 14:47:14 +0200 Subject: [PATCH 03/16] Fix writing release message to file --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 067454ccb..bd57aea58 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
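Review bot: The comment above the `Create signature file for package` step is copied from release.yml and describes creating the `Package x.y.z` commit and tag, which this step does not do; replace it with `# Create a detached GPG signature for the PECL tarball inside the garasign container`. The new `gh release upload ${{ github.ref_name }} ${{ env.PACKAGE_FILE }} ${{ env.PACKAGE_FILE }}.sig` runs under the existing `continue-on-error: true`, so a release where the tarball was attached but the `.sig` upload failed passes green and ships without a verifiable signature; consider removing `continue-on-error` for this step or uploading the `.sig` first so the tarball is never published alone. The signature is also never checked on the runner before upload, which a `gpg --verify` step after signing would cover.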
@@ -153,7 +153,9 @@ jobs: - name: "Prepare release message" run: | - echo "${{ format(env.default-release-message, env.PACKAGE_VERSION, inputs.jira-version-number) }}" > release-message + cat > release-message <<'EOL' + ${{ format(env.default-release-message, env.PACKAGE_VERSION, inputs.jira-version-number) }} + EOL cat changelog >> release-message # Update release with correct release information From c2bcb252782c47892b649ce5389781922150da65 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Mon, 6 May 2024 10:08:23 +0200 Subject: [PATCH 04/16] Remove unnecessary pip install --- .github/workflows/package-release.yml | 1 - .github/workflows/release.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index 05081d122..36a9e9ff5 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml @@ -45,7 +45,6 @@ jobs: - name: Create the envfile run: | - pip install -U -q setuptools cat << EOF > envfile GRS_CONFIG_USER1_USERNAME=${{ secrets.GRS_CONFIG_USER1_USERNAME }} GRS_CONFIG_USER1_PASSWORD=${{ secrets.GRS_CONFIG_USER1_PASSWORD }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bd57aea58..69c726f2b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -99,7 +99,6 @@ jobs: - name: Create the envfile run: | - pip install -U -q setuptools cat << EOF > envfile GRS_CONFIG_USER1_USERNAME=${{ secrets.GRS_CONFIG_USER1_USERNAME }} GRS_CONFIG_USER1_PASSWORD=${{ secrets.GRS_CONFIG_USER1_PASSWORD }} From 94927b91ac55d3a13add788739bc85700a53643e Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Mon, 6 May 2024 10:08:40 +0200 Subject: [PATCH 05/16] Change image variable usage --- .github/workflows/package-release.yml | 2 +- .github/workflows/release.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index 36a9e9ff5..9dd60e129 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml @@ -68,7 +68,7 @@ jobs: --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${{ vars.ARTIFACTORY_IMAGE }} \ + ${{ vars.ARTIFACTORY_IMAGE }}/garasign-git \ /bin/bash -c "$(pwd)/.github/workflows/create-package-signature.sh ${{ env.PACKAGE_FILE }}" - name: "Install release archive to verify correctness" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 69c726f2b..3f492fdb0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -123,7 +123,7 @@ jobs: --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${{ vars.ARTIFACTORY_IMAGE }} \ + ${{ vars.ARTIFACTORY_IMAGE }}/garasign-git \ /bin/bash -c "$(pwd)/.github/workflows/commit-and-tag.sh" - name: "Bump to next development release" @@ -137,7 +137,7 @@ jobs: --rm \ -v $(pwd):$(pwd) \ -w $(pwd) \ - ${{ vars.ARTIFACTORY_IMAGE }} \ + ${{ vars.ARTIFACTORY_IMAGE }}/garasign-git \ /bin/bash -c "$(pwd)/.github/workflows/dev-commit.sh" # TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created From 26a1f1b19d0df116b0b320837caca5c9278fc6a0 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Mon, 6 May 2024 10:08:50 +0200 Subject: [PATCH 06/16] Sign Windows DLLs --- .github/workflows/package-release.yml | 77 +++++++++++++++++++++++++-- 1 file changed, 72 insertions(+), 5 deletions(-) diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index 9dd60e129..0b4baddca 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml @@ -91,7 +91,7 @@ jobs: build-windows: name: "Create Windows package" - runs-on: windows-2022 + runs-on: windows-latest defaults: run: shell: cmd 
@@ -124,20 +124,87 @@ jobs: env: BUILD_DIR: ${{ steps.build-driver.outputs.build-dir }} + - name: "Cache build artifacts for subsequent builds" + uses: actions/cache/save@v4 + with: + key: ${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }} + enableCrossOsArchive: true + path: | + php_mongodb.dll + php_mongodb.pdb + + sign-and-publish-windows: + name: "Sign and Publish Windows package" + needs: [build-windows] + runs-on: "ubuntu-latest" + + strategy: + fail-fast: false + matrix: + # Note: keep this in sync with the Windows matrix in windows-tests.yml + php: [ "7.4", "8.0", "8.1", "8.2", "8.3" ] + arch: [ x64, x86 ] + ts: [ ts, nts ] + + steps: + - uses: actions/checkout@v4 + with: + submodules: true + + - name: Restore cached build artifacts + id: cache-build-artifacts + uses: actions/cache/restore@v4 + with: + fail-on-cache-miss: true + key: ${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }} + enableCrossOsArchive: true + path: | + php_mongodb.dll + php_mongodb.pdb + + - name: Create the envfile + run: | + cat << EOF > envfile + GRS_CONFIG_USER1_USERNAME=${{ secrets.GRS_CONFIG_USER1_USERNAME }} + GRS_CONFIG_USER1_PASSWORD=${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + GPG_KEY_ID=${{ vars.GPG_KEY_ID }} + EOF + + - name: Log in to artifactory + uses: redhat-actions/podman-login@v1 + with: + username: ${{ secrets.ARTIFACTORY_USER }} + password: ${{ secrets.ARTIFACTORY_PASSWORD }} + registry: artifactory.corp.mongodb.com + + # This step creates the "Package x.y.z" commit that will be the base of + # our tag and creates the release tag. 
This is run inside the container in + # order to create signed git artifacts + - name: "Create signature file for package" + run: | + podman run \ + --env-file=envfile \ + --rm \ + -v $(pwd):$(pwd) \ + -w $(pwd) \ + ${{ vars.ARTIFACTORY_IMAGE }}/garasign-git \ + /bin/bash -c "$(pwd)/.github/workflows/create-package-signature.sh php_mongodb.dll" + - name: "Upload DLL and PDB files as build artifacts" uses: actions/upload-artifact@v4 with: - name: php_mongodb-${{ github.ref_name }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }} + name: php_mongodb-${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }} path: | php_mongodb.dll + php_mongodb.dll.sig php_mongodb.pdb retention-days: 3 - name: "Create and upload release artifact" run: | - set ARCHIVE=php_mongodb-${{ github.ref_name }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}.zip - zip %ARCHIVE% php_mongodb.dll php_mongodb.pdb CREDITS CONTRIBUTING.md LICENSE README.md THIRD_PARTY_NOTICES - gh release upload ${{ github.ref_name }} %ARCHIVE% + ARCHIVE=php_mongodb-${{ github.ref_name }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}.zip + zip ${ARCHIVE} php_mongodb.dll php_mongodb.dll.sig php_mongodb.pdb CREDITS CONTRIBUTING.md LICENSE README.md THIRD_PARTY_NOTICES + gh release upload ${{ github.ref_name }} ${ARCHIVE} continue-on-error: true env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 402a94abeaa82b91ca298df114873c1933e67635 Mon Sep 17 00:00:00 2001 
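Review bot: The unsigned `php_mongodb.dll` travels from `build-windows` to `sign-and-publish-windows` through `actions/cache`, which is not a run-scoped channel: entries are shared across workflow runs on the branch (with fallback to the default branch), and the key `${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }}` contains nothing tying the entry to this run, so the signing job could sign a binary produced by a different run if a matching key already exists. `actions/upload-artifact` in `build-windows` and `actions/download-artifact` in the signing job (upload-artifact@v4 is already used in this file) are scoped to the run and hand the sign step exactly the bytes this run built. The comment above `Create signature file for package` is again the copied commit-and-tag text and should read `# Create a detached GPG signature for the DLL inside the garasign container`. The `runs-on: windows-latest` change in the `build-windows` hunk of this commit replaces a pinned `windows-2022` image with a floating one, which makes the release build less reproducible.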
From: Andreas Braun Date: Mon, 6 May 2024 10:12:36 +0200 Subject: [PATCH 07/16] Move composite actions to separate directory --- .github/{workflows => actions}/linux/build/action.yml | 0 .github/{workflows => actions}/windows/build/action.yml | 2 +- .../{workflows => actions}/windows/prepare-build/action.yml | 0 .github/workflows/package-release.yml | 4 ++-- .github/workflows/tests.yml | 2 +- .github/workflows/windows-tests.yml | 4 ++-- 6 files changed, 6 insertions(+), 6 deletions(-) rename .github/{workflows => actions}/linux/build/action.yml (100%) rename .github/{workflows => actions}/windows/build/action.yml (93%) rename .github/{workflows => actions}/windows/prepare-build/action.yml (100%) diff --git a/.github/workflows/linux/build/action.yml b/.github/actions/linux/build/action.yml similarity index 100% rename from .github/workflows/linux/build/action.yml rename to .github/actions/linux/build/action.yml diff --git a/.github/workflows/windows/build/action.yml b/.github/actions/windows/build/action.yml similarity index 93% rename from .github/workflows/windows/build/action.yml rename to .github/actions/windows/build/action.yml index ec35bf1bc..e32153426 100644 --- a/.github/workflows/windows/build/action.yml +++ b/.github/actions/windows/build/action.yml @@ -19,7 +19,7 @@ runs: steps: - name: Prepare build environment id: prepare-build-env - uses: ./.github/workflows/windows/prepare-build + uses: ./.github/actions/windows/prepare-build with: version: ${{ inputs.version }} arch: ${{ inputs.arch }} diff --git a/.github/workflows/windows/prepare-build/action.yml b/.github/actions/windows/prepare-build/action.yml similarity index 100% rename from .github/workflows/windows/prepare-build/action.yml rename to .github/actions/windows/prepare-build/action.yml diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index 0b4baddca..38881bac0 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml 
@@ -21,7 +21,7 @@ jobs: submodules: true - name: "Build Driver" - uses: ./.github/workflows/linux/build + uses: ./.github/actions/linux/build with: version: "8.3" @@ -111,7 +111,7 @@ jobs: - name: "Build Driver" id: build-driver - uses: ./.github/workflows/windows/build + uses: ./.github/actions/windows/build with: version: ${{ matrix.php }} arch: ${{ matrix.arch }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 018ca327f..74306605c 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -64,7 +64,7 @@ jobs: - name: "Build Driver" id: build-driver - uses: ./.github/workflows/linux/build + uses: ./.github/actions/linux/build with: version: ${{ matrix.php-version }} diff --git a/.github/workflows/windows-tests.yml b/.github/workflows/windows-tests.yml index 569e47ad7..ea2021f14 100644 --- a/.github/workflows/windows-tests.yml +++ b/.github/workflows/windows-tests.yml @@ -35,7 +35,7 @@ jobs: - name: "Build Driver" id: build-driver - uses: ./.github/workflows/windows/build + uses: ./.github/actions/windows/build with: version: ${{ matrix.php }} arch: ${{ matrix.arch }} @@ -74,7 +74,7 @@ jobs: - name: Prepare build environment id: prepare-build - uses: ./.github/workflows/windows/prepare-build + uses: ./.github/actions/windows/prepare-build with: version: ${{ matrix.php }} arch: ${{ matrix.arch }} From 550f37b2fb5af8031a3df3ab8bc926e3a27dc7c3 Mon Sep 17 00:00:00 2001 
From: Andreas Braun Date: Mon, 6 May 2024 16:58:53 +0200 Subject: [PATCH 08/16] Extract signing functionality to composite actions --- .github/actions/garasign/git-sign/action.yml | 51 ++++++++++++++ .github/actions/garasign/gpg-sign/action.yml | 47 +++++++++++++ .github/actions/garasign/setup/action.yml | 36 ++++++++++ .github/workflows/commit-and-tag.sh | 3 + .github/workflows/create-package-signature.sh | 8 --- .github/workflows/dev-commit.sh | 6 -- .github/workflows/package-release.yml | 66 ++++--------------- .github/workflows/release.yml | 52 ++++++--------- 8 files changed, 170 insertions(+), 99 deletions(-) create mode 100644 .github/actions/garasign/git-sign/action.yml create mode 100644 .github/actions/garasign/gpg-sign/action.yml create mode 100644 .github/actions/garasign/setup/action.yml delete mode 100755 .github/workflows/create-package-signature.sh delete mode 100755 .github/workflows/dev-commit.sh diff --git a/.github/actions/garasign/git-sign/action.yml b/.github/actions/garasign/git-sign/action.yml new file mode 100644 index 000000000..40bfbc8ab --- /dev/null +++ b/.github/actions/garasign/git-sign/action.yml 
@@ -0,0 +1,51 @@ +name: "Sign artifact using garasign" +description: "Signs a release artifact" +inputs: + command: + description: "Command to run inside the container" + required: true + garasign_username: + description: "Garasign username" + required: true + garasign_password: + description: "Garasign password" + required: true + artifactory_username: + description: "Artifactory user" + required: true + artifactory_password: + description: "Artifactory password" + required: true + artifactory_image: + description: "Image to use for artifactory" + default: release-tools-container-registry-local/garasign-git + artifactory_registry: + description: "Artifactory registry to be used" + default: artifactory.corp.mongodb.com + skip_setup: + description: "Whether to skip setup" + default: "false" + +runs: + using: composite + steps: + - name: Prepare garasign container + if: ${{ inputs.skip_setup == 'false' }} + uses: ./.github/actions/garasign/setup + with: + garasign_username: ${{ inputs.garasign_username }} + garasign_password: ${{ inputs.garasign_password }} + artifactory_username: ${{ inputs.artifactory_username }} + artifactory_password: ${{ inputs.artifactory_password }} + artifactory_registry: ${{ inputs.artifactory_registry }} + + - name: "Run git command" + run: | + podman run \ + --env-file=envfile \ + --rm \ + -v $(pwd):$(pwd) \ + -w $(pwd) \ + ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \ + /bin/bash -c "gpgloader && ${{ inputs.command }}" + shell: bash diff --git a/.github/actions/garasign/gpg-sign/action.yml b/.github/actions/garasign/gpg-sign/action.yml new file mode 100644 index 000000000..8b0a7d4b2 --- /dev/null +++ b/.github/actions/garasign/gpg-sign/action.yml 
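Review bot: The `command` input is spliced unquoted into `/bin/bash -c "gpgloader && ${{ inputs.command }}"`, so the action executes whatever shell text the caller supplies inside a container that has just loaded the release signing key; that is the intended design, but nothing in the action says so. Change the input description to `description: "Shell command run after gpgloader inside the signing container; must be a literal in the calling workflow, never derived from event data"`, and fix `name`/`description`, which are copied from gpg-sign and claim the action signs an artifact. `skip_setup` is compared as the string `'false'`, so document that the input is a string (`"true"`/`"false"`) and that skipping assumes `envfile` and the registry login from an earlier setup in the same job are still in place. `-v $(pwd):$(pwd)` and `-w $(pwd)` are unquoted; `-v "$(pwd):$(pwd)"` and `-w "$(pwd)"` keep the action working from a workspace path containing spaces.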
@@ -0,0 +1,47 @@ +name: "Sign artifact using garasign" +description: "Signs a release artifact" +inputs: + filename: + description: "File name to sign" + required: true + garasign_username: + description: "Garasign username" + required: true + garasign_password: + description: "Garasign password" + required: true + artifactory_username: + description: "Artifactory user" + required: true + artifactory_password: + description: "Artifactory password" + required: true + artifactory_image: + description: "Image to use for artifactory" + default: release-tools-container-registry-local/garasign-gpg + artifactory_registry: + description: "Artifactory registry to be used" + default: artifactory.corp.mongodb.com + +runs: + using: composite + steps: + - name: Prepare garasign container + uses: ./.github/actions/garasign/setup + with: + garasign_username: ${{ inputs.garasign_username }} + garasign_password: ${{ inputs.garasign_password }} + artifactory_username: ${{ inputs.artifactory_username }} + artifactory_password: ${{ inputs.artifactory_password }} + artifactory_registry: ${{ inputs.artifactory_registry }} + + - name: "Create detached signature" + run: | + podman run \ + --env-file=envfile \ + --rm \ + -v $(pwd):$(pwd) \ + -w $(pwd) \ + ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \ + /bin/bash -c "gpgloader && gpg --detach-sign --armor --output ${{ inputs.filename }}.sig ${{ inputs.filename }}" + shell: bash diff --git a/.github/actions/garasign/setup/action.yml b/.github/actions/garasign/setup/action.yml new file mode 100644 index 000000000..4f414a689 --- /dev/null +++ b/.github/actions/garasign/setup/action.yml 
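Review bot: `${{ inputs.filename }}` is interpolated twice into the double-quoted `bash -c` string, so a filename containing spaces, `$` or quotes is re-parsed by the shell inside the container instead of being passed as one argument; the create-package-signature.sh it replaces quoted `"${FILENAME}"` and passed `--yes`, which this rewrite drops, so re-running the action with an existing `.sig` fails on the output file. Pass the name through the environment and quote it inside the container, as below. The step name is a good place to state the contract: the action signs one file and writes `<filename>.sig` next to it.

```yaml
    - name: "Create detached signature"
      env:
        # handed to podman by name so bash -c never re-parses the filename
        FILENAME: ${{ inputs.filename }}
      run: |
        podman run \
          --env-file=envfile \
          --env FILENAME \
          --rm \
          -v "$(pwd):$(pwd)" \
          -w "$(pwd)" \
          ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \
          /bin/bash -c 'gpgloader && gpg --yes --detach-sign --armor --output "${FILENAME}.sig" "${FILENAME}"'
      shell: bash
```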
@@ -0,0 +1,36 @@ +name: "Prepare garasign container" +description: "Prepares the garasign container used to sign artifacts" +inputs: + garasign_username: + description: "Garasign username" + required: true + garasign_password: + description: "Garasign password" + required: true + artifactory_username: + description: "Artifactory user" + required: true + artifactory_password: + description: "Artifactory password" + required: true + artifactory_registry: + description: "Artifactory registry to be used" + default: artifactory.corp.mongodb.com + +runs: + using: composite + steps: + - name: Create the envfile + run: | + cat << EOF > envfile + GRS_CONFIG_USER1_USERNAME=${{ inputs.garasign_username }} + GRS_CONFIG_USER1_PASSWORD=${{ inputs.garasign_password }} + EOF + shell: bash + + - name: Log in to artifactory + uses: redhat-actions/podman-login@v1 + with: + username: ${{ inputs.artifactory_username }} + password: ${{ inputs.artifactory_password }} + registry: ${{ inputs.artifactory_registry }} diff --git a/.github/workflows/commit-and-tag.sh b/.github/workflows/commit-and-tag.sh index cbf03f0f1..9c99ac23f 100755 --- a/.github/workflows/commit-and-tag.sh +++ b/.github/workflows/commit-and-tag.sh @@ -1,6 +1,9 @@ #!/usr/bin/env bash set -e +PACKAGE_VERSION=$1 +GPG_KEY_ID=$2 + gpgloader # Create signed "Package x.y.z" commit diff --git a/.github/workflows/create-package-signature.sh b/.github/workflows/create-package-signature.sh deleted file mode 100755 index e0a391784..000000000 --- a/.github/workflows/create-package-signature.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env bash -set -e - -gpgloader - -FILENAME=$1 - -gpg --yes -v --armor -o "${FILENAME}.sig" --detach-sign "${FILENAME}" diff --git a/.github/workflows/dev-commit.sh b/.github/workflows/dev-commit.sh deleted file mode 100755 index ad489315a..000000000 --- a/.github/workflows/dev-commit.sh +++ /dev/null 
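Review bot: The envfile containing `GRS_CONFIG_USER1_USERNAME` and `GRS_CONFIG_USER1_PASSWORD` is written into the workspace with an unquoted heredoc and no cleanup; a composite action has no post step, so the credentials remain on disk for the rest of the job and inside the `$(pwd)` mount used by git-sign and gpg-sign. Write it as `cat << 'EOF' > "${RUNNER_TEMP}/envfile"` (quoted delimiter so a password containing `$` is not expanded by bash) and switch the two consumers to `--env-file="${RUNNER_TEMP}/envfile"`, a location the runner discards with the job. The action `description` should then say where the file lives and that git-sign and gpg-sign depend on it being present. A comment noting that `GPG_KEY_ID` is deliberately no longer written here (git-sign receives it through `command`; gpg-sign presumably relies on the key `gpgloader` loads) would stop someone re-adding it.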
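Review bot: `PACKAGE_VERSION=$1` and `GPG_KEY_ID=$2` accept missing arguments silently, and the script still runs under `set -e` alone, so a caller that omits the key id reaches `--gpg-sign=` with an empty value. Use `PACKAGE_VERSION=${1:?package version required}` and `GPG_KEY_ID=${2:?gpg key id required}`, and add `# Usage: commit-and-tag.sh <package-version> <gpg-key-id> (runs inside the garasign container)` above them. The rest of the script, including the commit and tag commands, is outside this hunk.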
@@ -1,6 +0,0 @@ -#!/usr/bin/env bash -set -e - -gpgloader - -git commit -m "Back to -dev" -s --gpg-sign=${GPG_KEY_ID} phongo_version.h diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index 38881bac0..ff16559f0 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml @@ -43,33 +43,14 @@ jobs: echo "PACKAGE_VERSION=${PACKAGE_VERSION}" >> "$GITHUB_ENV" echo "PACKAGE_FILE=mongodb-${PACKAGE_VERSION}.tgz" >> "$GITHUB_ENV" - - name: Create the envfile - run: | - cat << EOF > envfile - GRS_CONFIG_USER1_USERNAME=${{ secrets.GRS_CONFIG_USER1_USERNAME }} - GRS_CONFIG_USER1_PASSWORD=${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - GPG_KEY_ID=${{ vars.GPG_KEY_ID }} - EOF - - - name: Log in to artifactory - uses: redhat-actions/podman-login@v1 + - name: "Create detached signature for PECL package" + uses: ./.github/actions/garasign/gpg-sign with: - username: ${{ secrets.ARTIFACTORY_USER }} - password: ${{ secrets.ARTIFACTORY_PASSWORD }} - registry: artifactory.corp.mongodb.com - - # This step creates the "Package x.y.z" commit that will be the base of - # our tag and creates the release tag. This is run inside the container in - # order to create signed git artifacts - - name: "Create signature file for package" - run: | - podman run \ - --env-file=envfile \ - --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${{ vars.ARTIFACTORY_IMAGE }}/garasign-git \ - /bin/bash -c "$(pwd)/.github/workflows/create-package-signature.sh ${{ env.PACKAGE_FILE }}" + filename: ${{ env.PACKAGE_FILE }} + garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} + garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + artifactory_username: ${{ secrets.ARTIFACTORY_USER }} + artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} - name: "Install release archive to verify correctness" run: sudo pecl install ${{ env.PACKAGE_FILE }} 
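Review bot: The `.sig` produced by `./.github/actions/garasign/gpg-sign` is uploaded without any verification on the runner, so a signature made with an unexpected key, or an empty output file, would ship with the release unnoticed. After this step, import the published key and check the pair, e.g. `curl -sSfL https://pgp.mongodb.com/php-driver.asc | gpg --import` followed by `gpg --verify ${{ env.PACKAGE_FILE }}.sig ${{ env.PACKAGE_FILE }}`, which also confirms that the key README (later in this series) tells users to import is the one the container signs with. The same applies to the `Create detached DLL signature` step in `sign-and-publish-windows` in the next hunk. The `pecl install` verification step that follows is outside this hunk.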
@@ -162,33 +143,14 @@ jobs: php_mongodb.dll php_mongodb.pdb - - name: Create the envfile - run: | - cat << EOF > envfile - GRS_CONFIG_USER1_USERNAME=${{ secrets.GRS_CONFIG_USER1_USERNAME }} - GRS_CONFIG_USER1_PASSWORD=${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - GPG_KEY_ID=${{ vars.GPG_KEY_ID }} - EOF - - - name: Log in to artifactory - uses: redhat-actions/podman-login@v1 + - name: "Create detached DLL signature" + uses: ./.github/actions/garasign/gpg-sign with: - username: ${{ secrets.ARTIFACTORY_USER }} - password: ${{ secrets.ARTIFACTORY_PASSWORD }} - registry: artifactory.corp.mongodb.com - - # This step creates the "Package x.y.z" commit that will be the base of - # our tag and creates the release tag. This is run inside the container in - # order to create signed git artifacts - - name: "Create signature file for package" - run: | - podman run \ - --env-file=envfile \ - --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${{ vars.ARTIFACTORY_IMAGE }}/garasign-git \ - /bin/bash -c "$(pwd)/.github/workflows/create-package-signature.sh php_mongodb.dll" + filename: php_mongodb.dll + garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} + garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + artifactory_username: ${{ secrets.ARTIFACTORY_USER }} + artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} - name: "Upload DLL and PDB files as build artifacts" uses: actions/upload-artifact@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3f492fdb0..9e18c8949 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -97,48 +97,34 @@ jobs: - name: "Read changelog from draft release" run: gh release view ${{ env.PACKAGE_VERSION }} --json body --template '{{ .body }}' >> changelog - - name: Create the envfile - run: | - cat << EOF > envfile - GRS_CONFIG_USER1_USERNAME=${{ secrets.GRS_CONFIG_USER1_USERNAME }} - GRS_CONFIG_USER1_PASSWORD=${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - GPG_KEY_ID=${{ vars.GPG_KEY_ID }} - PACKAGE_VERSION=${{ env.PACKAGE_VERSION }} - EOF - - - name: Log in to artifactory - uses: redhat-actions/podman-login@v1 - with: - username: ${{ secrets.ARTIFACTORY_USER }} - password: ${{ secrets.ARTIFACTORY_PASSWORD }} - registry: artifactory.corp.mongodb.com - # This step creates the "Package x.y.z" commit that will be the base of # our tag and creates the release tag. This is run inside the container in # order to create signed git artifacts - name: "Create package commit and release tag" - run: | - podman run \ - --env-file=envfile \ - --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${{ vars.ARTIFACTORY_IMAGE }}/garasign-git \ - /bin/bash -c "$(pwd)/.github/workflows/commit-and-tag.sh" - + uses: ./.github/actions/garasign/git-sign + with: + command: "$(pwd)/.github/workflows/commit-and-tag.sh ${{ env.PACKAGE_VERSION }} ${{ vars.GPG_KEY_ID }}" + garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} + garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + artifactory_username: ${{ secrets.ARTIFACTORY_USER }} + artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} + + # This step needs to happen outside of the container, as PHP is not + # available within. 
- name: "Bump to next development release" run: ./bin/update-release-version.php to-next-patch-dev # Create a signed "back to -dev" commit, again inside the container - name: "Create dev commit" - run: | - podman run \ - --env-file=envfile \ - --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${{ vars.ARTIFACTORY_IMAGE }}/garasign-git \ - /bin/bash -c "$(pwd)/.github/workflows/dev-commit.sh" + uses: ./.github/actions/garasign/git-sign + with: + # Setup can be skipped as it was already done before + skip_setup: true + command: "git commit -m 'Back to -dev' -s --gpg-sign=${{ vars.GPG_KEY_ID }} phongo_version.h" + garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} + garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} + artifactory_username: ${{ secrets.ARTIFACTORY_USER }} + artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} # TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created # Process is: From 65408c6ec3b911535e65c23abc151fd801868b3c Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Tue, 7 May 2024 09:43:06 +0200 Subject: [PATCH 09/16] Add release integrity information --- README.md | 48 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 47 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 928f37e43..2ad1d104c 100644 --- a/README.md +++ b/README.md 
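Review bot: `skip_setup: true` passes a YAML boolean to an input whose default is the string `"false"` and which git-sign compares with `== 'false'`; GitHub stringifies it so setup is skipped as intended, but `skip_setup: "true"` matches the declared type and avoids relying on that coercion. The skip also depends on the `envfile` and registry login from the `Create package commit and release tag` step still being present in the job, which the inline comment should say: `# Setup can be skipped: envfile and registry login from the previous git-sign step are reused`. The `command` strings embed `${{ vars.GPG_KEY_ID }}` and `${{ env.PACKAGE_VERSION }}` into shell text executed inside the signing container; both are repository-controlled, but a comment that `command` must remain a literal here keeps the composite action's contract visible at the call site. This hunk starts on the previous line.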
@@ -36,7 +36,53 @@ This extension is intended to be used alongside the [MongoDB PHP Library](https://github.com/mongodb/mongo-php-library), which is distributed as the [`mongodb/mongodb`](https://packagist.org/packages/mongodb/mongodb) package for -for [Composer](https://getcomposer.org). +[Composer](https://getcomposer.org). + +## Release Integrity + +Releases are created automatically and signed using the +[PHP team's GPG key](https://pgp.mongodb.com/php-driver.asc). This applies to +the git tag as well as all release packages provided as part of a +[GitHub release](https://github.com/mongodb/mongo-php-library/releases). To +verify the provided packages, download the key and import it using `gpg`: + +```shell +gpg --import php-driver.asc +``` + +### PECL package + +PECL packages are made available as release artifacts on GitHub, as well as on +the [PECL homepage](https://pecl.php.net/mongodb). The GitHub release will also +contain a detached signature file for the PECL package (named +`mongodb-X.Y.Z.tgz.sig`). + +To verify the integrity of the downloaded package, run the following command: + +```shell +gpg --verify mongodb-X.Y.Z.tgz.sig mongodb-X.Y.Z.tgz +``` + +> [!NOTE] +> No verification is done when using `pecl` to install the package. To ensure +> release integrity when using `pecl`, download the tarball manually from the +> GitHub release, verify the signature, then install the package from the +> downloaded tarball using `pecl install mongodb-X.Y.Z.tgz`. + +### Windows + +Windows binaries distributed through GitHub releases contain a detached +signature for the `php_mongodb.dll` file named `php_mongodb.dll.sig`. To verify +the integrity of the DLL, run the following command: + +```shell +gpg --verify php_mongodb.dll.sig php_mongodb.dll.tgz +``` + +> [!NOTE] +> Windows binaries distributed directly through PECL are not signed by MongoDB +> and cannot be verified. 
If you need to verify the integrity of the downloaded +> binary, always download them from the GitHub release. ## Reporting Issues From 3fcd753812dfa9c480efcf32ea70aa3b506896c9 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Wed, 8 May 2024 09:39:04 +0200 Subject: [PATCH 10/16] Use garasign actions from drivers-github-tools --- .github/actions/garasign/git-sign/action.yml | 51 -------------------- .github/actions/garasign/gpg-sign/action.yml | 47 ------------------ .github/actions/garasign/setup/action.yml | 36 -------------- .github/workflows/package-release.yml | 8 +-- .github/workflows/release.yml | 4 +- 5 files changed, 6 insertions(+), 140 deletions(-) delete mode 100644 .github/actions/garasign/git-sign/action.yml delete mode 100644 .github/actions/garasign/gpg-sign/action.yml delete mode 100644 .github/actions/garasign/setup/action.yml diff --git a/.github/actions/garasign/git-sign/action.yml b/.github/actions/garasign/git-sign/action.yml deleted file mode 100644 index 40bfbc8ab..000000000 --- a/.github/actions/garasign/git-sign/action.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -name: "Sign artifact using garasign" -description: "Signs a release artifact" -inputs: - command: - description: "Command to run inside the container" - required: true - garasign_username: - description: "Garasign username" - required: true - garasign_password: - description: "Garasign password" - required: true - artifactory_username: - description: "Artifactory user" - required: true - artifactory_password: - description: "Artifactory password" - required: true - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-git - artifactory_registry: - description: "Artifactory registry to be used" - default: artifactory.corp.mongodb.com - skip_setup: - description: "Whether to skip setup" - default: "false" - -runs: - using: composite - steps: - - name: Prepare garasign container - if: ${{ inputs.skip_setup == 'false' }} - uses: ./.github/actions/garasign/setup - with: - garasign_username: ${{ inputs.garasign_username }} - garasign_password: ${{ inputs.garasign_password }} - artifactory_username: ${{ inputs.artifactory_username }} - artifactory_password: ${{ inputs.artifactory_password }} - artifactory_registry: ${{ inputs.artifactory_registry }} - - - name: "Run git command" - run: | - podman run \ - --env-file=envfile \ - --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \ - /bin/bash -c "gpgloader && ${{ inputs.command }}" - shell: bash diff --git a/.github/actions/garasign/gpg-sign/action.yml b/.github/actions/garasign/gpg-sign/action.yml deleted file mode 100644 index 8b0a7d4b2..000000000 --- a/.github/actions/garasign/gpg-sign/action.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -name: "Sign artifact using garasign" -description: "Signs a release artifact" -inputs: - filename: - description: "File name to sign" - required: true - garasign_username: - description: "Garasign username" - required: true - garasign_password: - description: "Garasign password" - required: true - artifactory_username: - description: "Artifactory user" - required: true - artifactory_password: - description: "Artifactory password" - required: true - artifactory_image: - description: "Image to use for artifactory" - default: release-tools-container-registry-local/garasign-gpg - artifactory_registry: - description: "Artifactory registry to be used" - default: artifactory.corp.mongodb.com - -runs: - using: composite - steps: - - name: Prepare garasign container - uses: ./.github/actions/garasign/setup - with: - garasign_username: ${{ inputs.garasign_username }} - garasign_password: ${{ inputs.garasign_password }} - artifactory_username: ${{ inputs.artifactory_username }} - artifactory_password: ${{ inputs.artifactory_password }} - artifactory_registry: ${{ inputs.artifactory_registry }} - - - name: "Create detached signature" - run: | - podman run \ - --env-file=envfile \ - --rm \ - -v $(pwd):$(pwd) \ - -w $(pwd) \ - ${{ inputs.artifactory_registry }}/${{ inputs.artifactory_image }} \ - /bin/bash -c "gpgloader && gpg --detach-sign --armor --output ${{ inputs.filename }}.sig ${{ inputs.filename }}" - shell: bash diff --git a/.github/actions/garasign/setup/action.yml b/.github/actions/garasign/setup/action.yml deleted file mode 100644 index 4f414a689..000000000 --- a/.github/actions/garasign/setup/action.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -name: "Prepare garasign container" -description: "Prepares the garasign container used to sign artifacts" -inputs: - garasign_username: - description: "Garasign username" - required: true - garasign_password: - description: "Garasign password" - required: true - artifactory_username: - description: "Artifactory user" - required: true - artifactory_password: - description: "Artifactory password" - required: true - artifactory_registry: - description: "Artifactory registry to be used" - default: artifactory.corp.mongodb.com - -runs: - using: composite - steps: - - name: Create the envfile - run: | - cat << EOF > envfile - GRS_CONFIG_USER1_USERNAME=${{ inputs.garasign_username }} - GRS_CONFIG_USER1_PASSWORD=${{ inputs.garasign_password }} - EOF - shell: bash - - - name: Log in to artifactory - uses: redhat-actions/podman-login@v1 - with: - username: ${{ inputs.artifactory_username }} - password: ${{ inputs.artifactory_password }} - registry: ${{ inputs.artifactory_registry }} diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index ff16559f0..6cf38acfc 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml @@ -44,9 +44,9 @@ jobs: echo "PACKAGE_FILE=mongodb-${PACKAGE_VERSION}.tgz" >> "$GITHUB_ENV" - name: "Create detached signature for PECL package" - uses: ./.github/actions/garasign/gpg-sign + uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@main with: - filename: ${{ env.PACKAGE_FILE }} + filenames: ${{ env.PACKAGE_FILE }} garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} artifactory_username: ${{ secrets.ARTIFACTORY_USER }} 
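Review bot: `uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@main` resolves the signing action from a mutable branch, so whatever is on that repository's `main` at run time executes with the garasign and artifactory credentials this step passes in, and a later push to that branch silently changes how release artifacts are signed. Pinning to a full-length commit SHA, with the tag noted in a trailing comment such as `uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@<commit-sha> # <tag>`, makes the reference immutable and reviewable on update. The same applies to the `@@ -144,9` hunk in this file and to the two `git-sign@main` hunks in release.yml, all at L25. The enclosing job starts before this hunk.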
@@ -144,9 +144,9 @@ jobs: php_mongodb.pdb - name: "Create detached DLL signature" - uses: ./.github/actions/garasign/gpg-sign + uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@main with: - filename: php_mongodb.dll + filenames: php_mongodb.dll garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} artifactory_username: ${{ secrets.ARTIFACTORY_USER }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9e18c8949..6c5cd6ba8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -101,7 +101,7 @@ jobs: # our tag and creates the release tag. This is run inside the container in # order to create signed git artifacts - name: "Create package commit and release tag" - uses: ./.github/actions/garasign/git-sign + uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main with: command: "$(pwd)/.github/workflows/commit-and-tag.sh ${{ env.PACKAGE_VERSION }} ${{ vars.GPG_KEY_ID }}" garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} @@ -116,7 +116,7 @@ jobs: # Create a signed "back to -dev" commit, again inside the container - name: "Create dev commit" - uses: ./.github/actions/garasign/git-sign + uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main with: # Setup can be skipped as it was already done before skip_setup: true From 25723d81368d5d0bdbacc878a98cb0673d864e19 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Wed, 8 May 2024 09:44:03 +0200 Subject: [PATCH 11/16] Add comment explaining cross-os cache --- .github/workflows/package-release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index 6cf38acfc..f713b056f 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml 
@@ -72,6 +72,8 @@ jobs: build-windows: name: "Create Windows package" + # windows-latest is required to use enableCrossOsArchive with Ubuntu in the + # next step. See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache runs-on: windows-latest defaults: run: @@ -117,6 +119,8 @@ jobs: sign-and-publish-windows: name: "Sign and Publish Windows package" needs: [build-windows] + # ubuntu-latest is required to use enableCrossOsArchive + # See https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache runs-on: "ubuntu-latest" strategy: From b95ea3ec1993be2768c1bde2e384a56927a48a40 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Wed, 8 May 2024 09:44:18 +0200 Subject: [PATCH 12/16] Remove submodule install for Windows signing job --- .github/workflows/package-release.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index f713b056f..3f9ef2afe 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml @@ -133,8 +133,6 @@ jobs: steps: - uses: actions/checkout@v4 - with: - submodules: true - name: Restore cached build artifacts id: cache-build-artifacts From 7c04d4cfc137a010d234defb63961c329dd695be Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Wed, 8 May 2024 09:44:27 +0200 Subject: [PATCH 13/16] Fix name and contents of Windows build artifacts" --- .github/workflows/package-release.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml index 3f9ef2afe..d87baadb2 100644 --- a/.github/workflows/package-release.yml +++ b/.github/workflows/package-release.yml 
@@ -157,11 +157,16 @@ jobs: - name: "Upload DLL and PDB files as build artifacts" uses: actions/upload-artifact@v4 with: - name: php_mongodb-${{ github.sha }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }} + name: php_mongodb-${{ github.ref_name }}-${{ matrix.php }}-${{ matrix.ts }}-${{ matrix.arch }} path: | php_mongodb.dll php_mongodb.dll.sig php_mongodb.pdb + CREDITS + CONTRIBUTING.md + LICENSE + README.md + THIRD_PARTY_NOTICES retention-days: 3 - name: "Create and upload release artifact" From 8ff2f3e1be3ce2402071f946ddfe1d8d1b1aecfd Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Wed, 8 May 2024 09:48:24 +0200 Subject: [PATCH 14/16] Don't hardcode tag message file name --- .github/workflows/commit-and-tag.sh | 3 ++- .github/workflows/release.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/commit-and-tag.sh b/.github/workflows/commit-and-tag.sh index 9c99ac23f..fb6bf9978 100755 --- a/.github/workflows/commit-and-tag.sh +++ b/.github/workflows/commit-and-tag.sh @@ -3,6 +3,7 @@ set -e PACKAGE_VERSION=$1 GPG_KEY_ID=$2 +TAG_MESSAGE_FILE=$3 gpgloader @@ -12,4 +13,4 @@ git commit -m "Package ${PACKAGE_VERSION}" -s --gpg-sign=${GPG_KEY_ID} phongo_ve # Create signed "Release x.y.z" tag echo "Create release tag" -git tag -F changelog -s --local-user=${GPG_KEY_ID} ${PACKAGE_VERSION} +git tag -F ${TAG_MESSAGE_FILE} -s --local-user=${GPG_KEY_ID} ${PACKAGE_VERSION} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6c5cd6ba8..5010995b4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
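Review bot: The artifact `name:` now embeds `${{ github.ref_name }}`, and upload-artifact rejects names containing `/` (among other characters), so the step fails for any branch ref with a slash in it, whereas the previous `github.sha` value could never contain one. Whether such refs reach this job depends on the workflow triggers, which are outside this hunk; if the job is meant only for release tags, a comment saying so, e.g. `# ref_name is expected to be a release tag (no '/'), which is a valid artifact name`, or a sanitised name computed in an earlier step avoids the surprise. The enclosing job starts before this hunk.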
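Review bot: `git tag -F ${TAG_MESSAGE_FILE} …` in the second commit-and-tag.sh hunk expands the new third argument unquoted, and nothing checks that it was supplied: the script runs with `set -e` but not `set -u` (line 2, outside the hunk), so an empty `$3` turns the command into `git tag -F -s …`, with `-s` taken as the message file name instead of requesting a signature. Quote the expansions and fail early on a missing value, e.g. `TAG_MESSAGE_FILE=${3:?tag message file required}` in the first hunk and `git tag -F "${TAG_MESSAGE_FILE}" -s --local-user="${GPG_KEY_ID}" "${PACKAGE_VERSION}"` in the second; the same quoting applies to the `git commit … --gpg-sign=${GPG_KEY_ID}` context line between the two hunks.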
@@ -103,7 +103,7 @@ jobs: - name: "Create package commit and release tag" uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main with: - command: "$(pwd)/.github/workflows/commit-and-tag.sh ${{ env.PACKAGE_VERSION }} ${{ vars.GPG_KEY_ID }}" + command: "$(pwd)/.github/workflows/commit-and-tag.sh ${{ env.PACKAGE_VERSION }} ${{ vars.GPG_KEY_ID }} changelog" garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} artifactory_username: ${{ secrets.ARTIFACTORY_USER }} From 38cdd98383dde1cdcd62fe83eb69da868d8e20f2 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Wed, 8 May 2024 09:54:21 +0200 Subject: [PATCH 15/16] Restore original tag message --- .github/workflows/release.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5010995b4..e9fcd3481 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -97,13 +97,18 @@ jobs: - name: "Read changelog from draft release" run: gh release view ${{ env.PACKAGE_VERSION }} --json body --template '{{ .body }}' >> changelog + - name: "Prepare tag message" + run: | + echo "Release ${PACKAGE_VERSION}" > tag-message + cat changelog >> tag-message + # This step creates the "Package x.y.z" commit that will be the base of # our tag and creates the release tag. This is run inside the container in # order to create signed git artifacts - name: "Create package commit and release tag" uses: mongodb-labs/drivers-github-tools/garasign/git-sign@main with: - command: "$(pwd)/.github/workflows/commit-and-tag.sh ${{ env.PACKAGE_VERSION }} ${{ vars.GPG_KEY_ID }} changelog" + command: "$(pwd)/.github/workflows/commit-and-tag.sh ${{ env.PACKAGE_VERSION }} ${{ vars.GPG_KEY_ID }} tag-message" garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} artifactory_username: ${{ secrets.ARTIFACTORY_USER }} 
From 5a272eba3949e10c5a93671fba0011088ccdfb25 Mon Sep 17 00:00:00 2001 From: Andreas Braun Date: Fri, 10 May 2024 10:09:10 +0200 Subject: [PATCH 16/16] Add newline to tag message --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e9fcd3481..cd1a0e67d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -99,7 +99,7 @@ jobs: - name: "Prepare tag message" run: | - echo "Release ${PACKAGE_VERSION}" > tag-message + echo -e "Release ${PACKAGE_VERSION}\n" > tag-message cat changelog >> tag-message # This step creates the "Package x.y.z" commit that will be the base of