
Commit 4b3c5b1

committed
Run static analysis on release and publish SSDLC assets
1 parent d450528 commit 4b3c5b1


1 file changed

+78
-3
lines changed

1 file changed

+78
-3
lines changed

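--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -93,7 +93,6 @@ jobs:
           aws_region_name: ${{ vars.AWS_REGION_NAME }}
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
 
-      # Create a draft release with release message filled in
       - name: "Prepare release message"
         run: |
           cat > release-message <<'EOL'
@@ -103,7 +102,6 @@ jobs:
       - name: "Create draft release"
         run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV"
 
-      # This step creates the signed release tag
       - name: "Create release tag"
         uses: mongodb-labs/drivers-github-tools/git-sign@v2
         with:
@@ -119,11 +117,88 @@ jobs:
       - name: "Push changes from release branch"
         run: git push
 
-      # Pushing the release tag starts build processes that then produce artifacts for the release
       - name: "Push release tag"
         run: git push origin ${{ inputs.version }}
 
       - name: "Set summary"
         run: |
           echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
           echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
+
+  static-analysis:
+    needs: prepare-release
+    name: "Run Static Analysis"
+    uses: ./.github/workflows/static-analysis.yml
+    with:
+      ref: refs/tags/${{ inputs.version }}
+    permissions:
+      security-events: write
+      id-token: write
+
+  publish-ssdlc-assets:
+    needs: static-analysis
+    environment: release
+    name: "Publish SSDLC Assets"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: read
+      id-token: write
+      contents: write
+
+    steps:
+      - name: "Create temporary app token"
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: "Store GitHub token in environment"
+        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+        shell: bash
+
+      - uses: actions/checkout@v4
+        with:
+          ref: refs/tags/${{ inputs.version }}
+          token: ${{ env.GH_TOKEN }}
+
+      - name: "Set up drivers-github-tools"
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+      - name: "Generate authorized publication document"
+        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+        with:
+          product_name: "MongoDB PHP Driver (library)"
+          release_version: ${{ inputs.version }}
+          filenames: ""
+          token: ${{ env.GH_TOKEN }}
+
+      - name: "Download SBOM file from Silk"
+        uses: mongodb-labs/drivers-github-tools/sbom@v2
+        with:
+          silk_asset_group: mongodb-php-driver-library
+
+      - name: "Upload SBOM as release artifact"
+        run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
+        continue-on-error: true
+
+      - name: "Generate SARIF report from code scanning alerts"
+        uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+        with:
+          ref: ${{ inputs.version }}
+          output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
+
+      - name: "Generate compliance report"
+        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+        with:
+          token: ${{ env.GH_TOKEN }}
+
+      - name: Upload S3 assets
+        uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+        with:
+          version: ${{ inputs.version }}
+          product_name: mongo-php-library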
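Review bot: The app token minted by `actions/create-github-app-token@v1` is exported to `$GITHUB_ENV` in the "Store GitHub token in environment" step, which makes it readable by every later step of `publish-ssdlc-assets`, including the third-party `mongodb-labs/drivers-github-tools/*` actions that take no `token` input (`setup`, `sbom`, `code-scanning-export`, `upload-s3-assets`). Pass the output only where it is consumed — `token: ${{ steps.app-token.outputs.token }}` on the `checkout`, `authorized-pub` and `compliance-report` steps and a step-level `env: GH_TOKEN: ${{ steps.app-token.outputs.token }}` on the `gh release upload` step — and drop the env-export step. The job also holds `contents: write` and `id-token: write` (the latter lets `setup` assume the AWS role) while every `uses:` reference is a mutable tag (`@v1`, `@v2`, `@v4`); pinning those to full commit SHAs bounds what a moved tag could do with that authority. `continue-on-error: true` on "Upload SBOM as release artifact" means a release can ship without its SBOM and nothing flags it; at minimum that step should append a warning to `$GITHUB_STEP_SUMMARY` on failure. Whether `code-scanning-export` expects the bare `${{ inputs.version }}` while `checkout` and `static-analysis` use `refs/tags/${{ inputs.version }}` is not visible here and is worth confirming against the action's input contract.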
