.github/workflows/release.yml

on:
  push:
    branches: [main]
  workflow_dispatch: {}

permissions:
  contents: write
  pull-requests: write
  id-token: write

name: release

jobs:
  release_please:
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.release.outputs.release_created }}
    steps:
      - id: release
        uses: googleapis/release-please-action@v4

  ssdlc:
    needs: [release_please]
    permissions:
      # required for all workflows
      security-events: write
      id-token: write
      contents: write
    environment: release
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: actions/setup
        uses: ./.github/actions/setup
      - name: Get release version and release package file name
        id: get_vars
        shell: bash
        run: |
          package_version=$(jq --raw-output '.version' package.json)
          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
          echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT"

      - name: actions/compress_sign_and_upload
        uses: ./.github/actions/compress_sign_and_upload
        with: 
          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
          aws_region_name: 'us-east-1'
          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
          npm_package_name: 'bson'
          dry_run: ${{ needs.release_please.outputs.release_created == '' }}

      - name: Copy sbom file to release assets
        shell: bash
        run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json

      - name: Generate authorized pub report
        uses: mongodb-labs/drivers-github-tools/full-report@v2
        with:
          release_version: ${{ steps.get_version.outputs.package_version }}
          product_name: bson
          sarif_report_target_ref: main
          third_party_dependency_tool: n/a
          # <package> and <package>.sig
          dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
          token:  ${{ github.token }}
          sbom_file_name: sbom.json

      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
        with:
          version: ${{ inputs.version }}
          product_name: ${{ inputs.product_name }}
          dry_run:  false

  publish:
    needs: [release_please, ssdlc]
    environment: release
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: actions/setup
        uses: ./.github/actions/setup

      - run: npm publish --provenance --tag=latest
        if: ${{ needs.release_please.outputs.release_created }}
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}