93
93
aws_region_name : ${{ vars.AWS_REGION_NAME }}
94
94
aws_secret_id : ${{ secrets.AWS_SECRET_ID }}
95
95
96
- # Create a draft release with release message filled in
97
96
- name : " Prepare release message"
98
97
run : |
99
98
cat > release-message <<'EOL'
@@ -103,7 +102,6 @@ jobs:
103
102
- name : " Create draft release"
104
103
run : echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV"
105
104
106
- # This step creates the signed release tag
107
105
- name : " Create release tag"
108
106
uses : mongodb-labs/drivers-github-tools/git-sign@v2
109
107
with :
@@ -119,11 +117,88 @@ jobs:
119
117
- name : " Push changes from release branch"
120
118
run : git push
121
119
122
- # Pushing the release tag starts build processes that then produce artifacts for the release
123
120
- name : " Push release tag"
124
121
run : git push origin ${{ inputs.version }}
125
122
126
123
- name : " Set summary"
127
124
run : |
128
125
echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
129
126
echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
127
+
128
+ static-analysis :
129
+ needs : prepare-release
130
+ name : " Run Static Analysis"
131
+ uses : ./.github/workflows/static-analysis.yml
132
+ with :
133
+ ref : refs/tags/${{ inputs.version }}
134
+ permissions :
135
+ security-events : write
136
+ id-token : write
137
+
138
+ publish-ssdlc-assets :
139
+ needs : static-analysis
140
+ environment : release
141
+ name : " Publish SSDLC Assets"
142
+ runs-on : ubuntu-latest
143
+ permissions :
144
+ security-events : read
145
+ id-token : write
146
+ contents : write
147
+
148
+ steps :
149
+ - name : " Create temporary app token"
150
+ uses : actions/create-github-app-token@v1
151
+ id : app-token
152
+ with :
153
+ app-id : ${{ vars.APP_ID }}
154
+ private-key : ${{ secrets.APP_PRIVATE_KEY }}
155
+
156
+ - name : " Store GitHub token in environment"
157
+ run : echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
158
+ shell : bash
159
+
160
+ - uses : actions/checkout@v4
161
+ with :
162
+ ref : refs/tags/${{ inputs.version }}
163
+ token : ${{ env.GH_TOKEN }}
164
+
165
+ - name : " Set up drivers-github-tools"
166
+ uses : mongodb-labs/drivers-github-tools/setup@v2
167
+ with :
168
+ aws_role_arn : ${{ secrets.AWS_ROLE_ARN }}
169
+ aws_region_name : ${{ vars.AWS_REGION_NAME }}
170
+ aws_secret_id : ${{ secrets.AWS_SECRET_ID }}
171
+
172
+ - name : " Generate authorized publication document"
173
+ uses : mongodb-labs/drivers-github-tools/authorized-pub@v2
174
+ with :
175
+ product_name : " MongoDB PHP Driver (library)"
176
+ release_version : ${{ inputs.version }}
177
+ filenames : " "
178
+ token : ${{ env.GH_TOKEN }}
179
+
180
+ - name : " Download SBOM file from Silk"
181
+ uses : mongodb-labs/drivers-github-tools/sbom@v2
182
+ with :
183
+ silk_asset_group : mongodb-php-driver-library
184
+
185
+ - name : " Upload SBOM as release artifact"
186
+ run : gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
187
+ continue-on-error : true
188
+
189
+ - name : " Generate SARIF report from code scanning alerts"
190
+ uses : mongodb-labs/drivers-github-tools/code-scanning-export@v2
191
+ with :
192
+ ref : ${{ inputs.version }}
193
+ output-file : ${{ env.S3_ASSETS }}/code-scanning-alerts.json
194
+
195
+ - name : " Generate compliance report"
196
+ uses : mongodb-labs/drivers-github-tools/compliance-report@v2
197
+ with :
198
+ token : ${{ env.GH_TOKEN }}
199
+
200
+ - name : Upload S3 assets
201
+ uses : mongodb-labs/drivers-github-tools/upload-s3-assets@v2
202
+ with :
203
+ version : ${{ inputs.version }}
204
+ product_name : mongo-php-library
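Review bot: `continue-on-error: true` on the "Upload SBOM as release artifact" step lets the publish-ssdlc-assets job finish green when the SBOM never reaches the draft release, so the later S3 upload and the release itself can proceed without the artifact this job exists to attach. If a transient failure must not block the run, surface it instead of hiding it: drop `continue-on-error`, or give the step an `id` and add a following `if: failure()` step that writes the miss to `$GITHUB_STEP_SUMMARY`. Separately, the app token is written job-wide into `GITHUB_ENV` by the "Store GitHub token in environment" step although only checkout, authorized-pub, compliance-report and the `gh release upload` step consume it; passing it per step through `with:` or `env: GH_TOKEN: ${{ steps.app-token.outputs.token }}` would keep it out of the process environment of the sbom, code-scanning-export and upload-s3-assets actions. The `filenames: " "` value in the authorized-pub step is a lone space, which presumably leaves the authorized publication document without any listed artifacts — confirm that is intended or fill in the release artifacts it should cover.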