From d45052834e20b23fab4072f37594013f4b1d7098 Mon Sep 17 00:00:00 2001
From: Andreas Braun
Date: Mon, 10 Jun 2024 13:16:49 +0200
Subject: [PATCH 1/4] Allow reusing static analysis workflow
---
.github/workflows/static-analysis.yml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index e0a76c963..2633b810e 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -12,8 +12,12 @@ on: - "v*.*" - "master" - "feature/*" - tags: - - "*" + workflow_call: + inputs: + ref: + description: "The git reference to check" + type: string + required: true env: PHP_VERSION: "8.2"
@@ -27,6 +31,8 @@ jobs: steps: - name: "Checkout" uses: "actions/checkout@v4" + with: + ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} - name: "Setup" uses: "./.github/actions/setup"
@@ -43,6 +49,7 @@ jobs: sarif_file: psalm.sarif rector: + if: ${{ github.event_name != 'workflow_dispatch' }} name: "Rector" runs-on: "ubuntu-22.04"
From 4b3c5b1b563fb03050a7f5bfba3abd695ff10b41 Mon Sep 17 00:00:00 2001
From: Andreas Braun
Date: Mon, 10 Jun 2024 13:17:03 +0200
Subject: [PATCH 2/4] Run static analysis on release and publish SSDLC assets
---
.github/workflows/release.yml | 81 +++++++++++++++++++++++++++++++++--
1 file changed, 78 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e0592ff2e..cbb6212c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -93,7 +93,6 @@ jobs: aws_region_name: ${{ vars.AWS_REGION_NAME }} aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - # Create a draft release with release message filled in - name: "Prepare release message" run: | cat > release-message <<'EOL' 
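Review bot: The checkout `ref:` added in the second hunk of static-analysis.yml is keyed on the caller's event name (`github.event_name == 'workflow_dispatch'`) rather than on whether the workflow was entered through the new `workflow_call` trigger, so `inputs.ref` is honored only while the calling workflow happens to be dispatched manually and is silently ignored if the reusable workflow is ever called from a push- or tag-triggered caller. Because `inputs.ref` is empty whenever no such input was supplied, `ref: ${{ inputs.ref || github.ref }}` expresses the intent without coupling to the caller's trigger (confirm that an unset input evaluates as empty under the expression syntax). The `if: ${{ github.event_name != 'workflow_dispatch' }}` added to the rector job in the third hunk carries the same coupling and would also skip rector on any manual dispatch of static-analysis.yml itself, should that trigger exist outside the hunk. The steps of both jobs continue past the hunk boundaries.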
@@ -103,7 +102,6 @@ jobs: - name: "Create draft release" run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV" - # This step creates the signed release tag - name: "Create release tag" uses: mongodb-labs/drivers-github-tools/git-sign@v2 with:
@@ -119,7 +117,6 @@ jobs: - name: "Push changes from release branch" run: git push - # Pushing the release tag starts build processes that then produce artifacts for the release - name: "Push release tag" run: git push origin ${{ inputs.version }} 
@@ -127,3 +124,81 @@ jobs: run: | echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY + + static-analysis: + needs: prepare-release + name: "Run Static Analysis" + uses: ./.github/workflows/static-analysis.yml + with: + ref: refs/tags/${{ inputs.version }} + permissions: + security-events: write + id-token: write + + publish-ssdlc-assets: + needs: static-analysis + environment: release + name: "Publish SSDLC Assets" + runs-on: ubuntu-latest + permissions: + security-events: read + id-token: write + contents: write + + steps: + - name: "Create temporary app token" + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + + - name: "Store GitHub token in environment" + run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV" + shell: bash + + - uses: actions/checkout@v4 + with: + ref: refs/tags/${{ inputs.version }} + token: ${{ env.GH_TOKEN }} + + - name: "Set up drivers-github-tools" + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: ${{ vars.AWS_REGION_NAME }} + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + + - name: "Generate authorized publication document" + uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + with: + product_name: "MongoDB PHP Driver (library)" + release_version: ${{ inputs.version }} + filenames: "" + token: ${{ env.GH_TOKEN }} + + - name: "Download SBOM file from Silk" + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: mongodb-php-driver-library + + - name: "Upload SBOM as release artifact" + run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json + continue-on-error: true + + - name: "Generate SARIF report from code scanning 
alerts" + uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + with: + ref: ${{ inputs.version }} + output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json + + - name: "Generate compliance report" + uses: mongodb-labs/drivers-github-tools/compliance-report@v2 + with: + token: ${{ env.GH_TOKEN }} + + - name: Upload S3 assets + uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ inputs.version }} + product_name: mongo-php-library
From 74c8f2a43e7a0dd3214a0c509b9cc49f3c8ca5b7 Mon Sep 17 00:00:00 2001
From: Andreas Braun
Date: Tue, 11 Jun 2024 08:28:56 +0200
Subject: [PATCH 3/4] Address code review feedback
---
.github/workflows/release.yml | 1 +
.github/workflows/static-analysis.yml | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cbb6212c6..dcf3847d9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -162,6 +162,7 @@ jobs: ref: refs/tags/${{ inputs.version }} token: ${{ env.GH_TOKEN }} + # Sets the S3_ASSETS environment variable used later - name: "Set up drivers-github-tools" uses: mongodb-labs/drivers-github-tools/setup@v2 with:
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 2633b810e..a17c2ede2 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -15,7 +15,7 @@ on: workflow_call: inputs: ref: - description: "The git reference to check" + description: "The git ref to check" type: string required: true
From b8537dc01692cae6470c8d1e06ef152982d75295 Mon Sep 17 00:00:00 2001
From: Andreas Braun
Date: Tue, 11 Jun 2024 08:29:47 +0200
Subject: [PATCH 4/4] Move rector to coding standards workflow
---
.github/workflows/coding-standards.yml | 17 +++++++++++++++++
.github/workflows/static-analysis.yml | 18 ------------------
2 files changed, 17 insertions(+), 18 deletions(-)
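Review bot: The `Store GitHub token in environment` step in `publish-ssdlc-assets` writes the app token into `$GITHUB_ENV`, so it becomes an ambient `GH_TOKEN` for every later step of the job, including actions that never need it, and the `echo` line expands the token into a shell command string. Only `gh release upload` depends on the implicit `GH_TOKEN`; the checkout, authorized-pub and compliance-report steps already take it through `token:`, so referencing `steps.app-token.outputs.token` there and setting `env: GH_TOKEN:` on the upload step alone preserves behavior with a narrower exposure (sketched below). Separately, `continue-on-error: true` on `Upload SBOM as release artifact` lets the job succeed when the SBOM never reaches the release; if that is deliberate, a comment such as `# Best-effort: a failed SBOM upload must not block the release` would make it explicit, otherwise drop the flag. The `publish-ssdlc-assets` job lies entirely within this hunk, which is split across two physical lines here.
```yaml
      # … unchanged: "Create temporary app token" step (id: app-token) …
      # ("Store GitHub token in environment" step removed)

      - uses: actions/checkout@v4
        with:
          ref: refs/tags/${{ inputs.version }}
          token: ${{ steps.app-token.outputs.token }}

      # … unchanged: drivers-github-tools setup step …

      - name: "Generate authorized publication document"
        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
        with:
          # … unchanged: product_name / release_version / filenames …
          token: ${{ steps.app-token.outputs.token }}

      # … unchanged: SBOM download step …

      - name: "Upload SBOM as release artifact"
        run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        continue-on-error: true

      # … unchanged: SARIF export step …

      - name: "Generate compliance report"
        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
        with:
          token: ${{ steps.app-token.outputs.token }}

      # … unchanged: S3 upload step …
```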
diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml
index 00eb476b6..9fe30fbb0 100644
--- a/.github/workflows/coding-standards.yml
+++ b/.github/workflows/coding-standards.yml
@@ -35,3 +35,20 @@ jobs: # The -q option is required until phpcs v4 is released - name: "Run PHP_CodeSniffer" run: "vendor/bin/phpcs -q --no-colors --report=checkstyle | cs2pr" + + rector: + name: "Rector" + runs-on: "ubuntu-22.04" + + steps: + - name: "Checkout" + uses: "actions/checkout@v4" + + - name: "Setup" + uses: "./.github/actions/setup" + with: + php-version: ${{ env.PHP_VERSION }} + driver-version: ${{ env.DRIVER_VERSION }} + + - name: "Run Rector" + run: "vendor/bin/rector --ansi --dry-run"
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index a17c2ede2..ac2299693 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -47,21 +47,3 @@ jobs: uses: "github/codeql-action/upload-sarif@v3" with: sarif_file: psalm.sarif - - rector: - if: ${{ github.event_name != 'workflow_dispatch' }} - name: "Rector" - runs-on: "ubuntu-22.04" - - steps: - - name: "Checkout" - uses: "actions/checkout@v4" - - - name: "Setup" - uses: "./.github/actions/setup" - with: - php-version: ${{ env.PHP_VERSION }} - driver-version: ${{ env.DRIVER_VERSION }} - - - name: "Run Rector" - run: "vendor/bin/rector --ansi --dry-run"
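Review bot: The rector job added to coding-standards.yml reads `env.PHP_VERSION` and `env.DRIVER_VERSION` in its Setup step, but the hunk starts at line 35 and shows no workflow-level `env:` block for this file; the first patch shows `PHP_VERSION` defined in static-analysis.yml's own `env:` block, which is where the job came from, so please confirm coding-standards.yml defines both names (an undefined `env.*` expands to an empty string without any error, and the setup action would then receive blank versions). If they are defined, a one-line comment on the job such as `# Moved from static-analysis.yml so rector does not run on release-triggered calls of that workflow` would record why it lives here. The rector job is complete within the hunk; the PHP_CodeSniffer job it follows starts outside it.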