9393 aws_region_name : ${{ vars.AWS_REGION_NAME }}
9494 aws_secret_id : ${{ secrets.AWS_SECRET_ID }}
9595
96- # Create a draft release with release message filled in
9796 - name : " Prepare release message"
9897 run : |
9998 cat > release-message <<'EOL'
@@ -103,7 +102,6 @@ jobs:
103102name : " Create draft release"
104103 run : echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV"
105104
106- # This step creates the signed release tag
107105 - name : " Create release tag"
108106 uses : mongodb-labs/drivers-github-tools/git-sign@v2
109107 with :
@@ -119,11 +117,88 @@ jobs:
119117 - name : " Push changes from release branch"
120118 run : git push
121119
122- # Pushing the release tag starts build processes that then produce artifacts for the release
123120 - name : " Push release tag"
124121 run : git push origin ${{ inputs.version }}
125122
126123 - name : " Set summary"
127124 run : |
128125 echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
129126 echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
127+
128+ static-analysis :
129+ needs : prepare-release
130+ name : " Run Static Analysis"
131+ uses : ./.github/workflows/static-analysis.yml
132+ with :
133+ ref : refs/tags/${{ inputs.version }}
134+ permissions :
135+ security-events : write
136+ id-token : write
137+
138+ publish-ssdlc-assets :
139+ needs : static-analysis
140+ environment : release
141+ name : " Publish SSDLC Assets"
142+ runs-on : ubuntu-latest
143+ permissions :
144+ security-events : read
145+ id-token : write
146+ contents : write
147+
148+ steps :
149+ - name : " Create temporary app token"
150+ uses : actions/create-github-app-token@v1
151+ id : app-token
152+ with :
153+ app-id : ${{ vars.APP_ID }}
154+ private-key : ${{ secrets.APP_PRIVATE_KEY }}
155+
156+ - name : " Store GitHub token in environment"
157+ run : echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
158+ shell : bash
159+
160+ - uses : actions/checkout@v4
161+ with :
162+ ref : refs/tags/${{ inputs.version }}
163+ token : ${{ env.GH_TOKEN }}
164+
165+ - name : " Set up drivers-github-tools"
166+ uses : mongodb-labs/drivers-github-tools/setup@v2
167+ with :
168+ aws_role_arn : ${{ secrets.AWS_ROLE_ARN }}
169+ aws_region_name : ${{ vars.AWS_REGION_NAME }}
170+ aws_secret_id : ${{ secrets.AWS_SECRET_ID }}
171+
172+ - name : " Generate authorized publication document"
173+ uses : mongodb-labs/drivers-github-tools/authorized-pub@v2
174+ with :
175+ product_name : " MongoDB PHP Driver (library)"
176+ release_version : ${{ inputs.version }}
177+ filenames : " "
178+ token : ${{ env.GH_TOKEN }}
179+
180+ - name : " Download SBOM file from Silk"
181+ uses : mongodb-labs/drivers-github-tools/sbom@v2
182+ with :
183+ silk_asset_group : mongodb-php-driver-library
184+
185+ - name : " Upload SBOM as release artifact"
186+ run : gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
187+ continue-on-error : true
188+
189+ - name : " Generate SARIF report from code scanning alerts"
190+ uses : mongodb-labs/drivers-github-tools/code-scanning-export@v2
191+ with :
192+ ref : ${{ inputs.version }}
193+ output-file : ${{ env.S3_ASSETS }}/code-scanning-alerts.json
194+
195+ - name : " Generate compliance report"
196+ uses : mongodb-labs/drivers-github-tools/compliance-report@v2
197+ with :
198+ token : ${{ env.GH_TOKEN }}
199+
200+ - name : Upload S3 assets
201+ uses : mongodb-labs/drivers-github-tools/upload-s3-assets@v2
202+ with :
203+ version : ${{ inputs.version }}
204+ product_name : mongo-php-library
0 commit comments