feat(NODE-6156): Sign Release Artifacts

mongodb · May 7, 2024 · 26d3ac6 · 26d3ac6
1 parent 208f7e8
commit 26d3ac6
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -13,3 +13,9 @@ runs:
       shell: bash
     - run: npm clean-install
       shell: bash
+    - uses: drivers-github-tools/garasign/setup/action.yml
+      with: 
+        garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
+        garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
+        artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+        artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
diff --git a/.github/workflows/create-sign-and-commit-tarball.sh b/.github/workflows/create-sign-and-commit-tarball.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -e
+
+PACKAGE_VERSION=$1
+GPG_KEY_ID=$2
+
+gpgloader
+
+# Create signed "Release x.y.z" tarball
+echo "Create release tarball"
+npm pack
+mv "bson-${PACKAGE_VERSION}.tgz" "bson-${PACKAGE_VERSION}.tgz.${GPG_KEY_ID}"
+
+git add .
+
+# Create signed "Package x.y.z" commit
+echo "Create package commit"
+git commit -m "Package ${PACKAGE_VERSION}" -s --gpg-sign=${GPG_KEY_ID} 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,12 +26,29 @@ jobs:
           changelog-path: HISTORY.md
           default-branch: main
 
+      - id: prepare-garasign
+        uses: drivers-github-tools/garasign/setup/action.yml
+        with: 
+          garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
+          garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
+          artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+          artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}       
+
       # If release-please created a release, publish to npm
       - if: ${{ steps.release.outputs.release_created }}
         uses: actions/checkout@v3
       - if: ${{ steps.release.outputs.release_created }}
         name: actions/setup
         uses: ./.github/actions/setup
+      -  if: ${{ steps.release.outputs.release_created }}
+        name: Create, sign, and commit signed tarball
+        uses: drivers-github-tools/garasign/git-sign/action.yml
+        with: 
+          command: "$(pwd)/.github/workflows/create-sign-and-commit-tarball.sh ${{ env.PACKAGE_VERSION }} ${{ vars.GPG_KEY_ID }}"
+          garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
+          garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
+          artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+          artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}  
       - if: ${{ steps.release.outputs.release_created }}
         run: npm publish --provenance
         env: