chore: upgrade release signing to drivers-github-tools v2 (#696)

mongodb · Jun 7, 2024 · 8cf9323 · 8cf9323
1 parent 9e7b76a
commit 8cf9323
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 28 deletions.
diff --git a/.github/actions/compress_sign_and_upload/action.yml b/.github/actions/compress_sign_and_upload/action.yml
@@ -2,18 +2,21 @@ name: Compress and Sign
 description: 'Compresses package and signs with garasign'
 
 inputs: 
-    garasign_username:
-      description: 'Garasign username input for drivers-github-tools/garasign/gpg-sign'
+    aws_role_arn:
+      description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
       required: true
-    garasign_password:
-      description: 'Garasign password input for drivers-github-tools/garasign/gpg-sign'
+    aws_region_name:
+      description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
       required: true
-    artifactory_username:
-      description: 'Artifactory username input for drivers-github-tools/garasign/gpg-sign'
+    aws_secret_id:
+      description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
       required: true
-    artifactory_password:
-      description: 'Artifactory password input for drivers-github-tools/garasign/gpg-sign'
+    npm_package_name:
+      description: 'The name for the npm package this repository represents'
       required: true
+    sign_SBOMs:
+      description: 'If provided, this script will create SBOM signatures'
+      required: false
 
 runs:
   using: composite
@@ -27,18 +30,28 @@ runs:
       run: |
         package_version=$(jq --raw-output '.version' package.json)
         echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
-        echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+        echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
+    - name: Set up drivers-github-tools
+      uses: mongodb-labs/drivers-github-tools/setup@v2
+      with: 
+        aws_region_name: ${{ inputs.aws_region_name }}
+        aws_role_arn: ${{ inputs.aws_role_arn }}
+        aws_secret_id: ${{ inputs.aws_secret_id }}
+
     - name: Create detached signature
-      uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1
-      with:
+      uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+      with: 
         filenames: ${{ steps.get_vars.outputs.package_file }}
-        garasign_username: ${{ inputs.garasign_username }}
-        garasign_password: ${{ inputs.garasign_password }}
-        artifactory_username: ${{ inputs.artifactory_username }}
-        artifactory_password: ${{ inputs.artifactory_password }}
+      env: 
+        RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig
+
+    - name: Name release asset correctly 
+      run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
+      shell: bash
 
     - name: "Upload release artifacts"
       run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
       shell: bash
       env:
-        GH_TOKEN: ${{ github.token }}
+        GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/release-5.x.yml b/.github/workflows/release-5.x.yml
@@ -17,24 +17,26 @@ jobs:
       release_created: ${{ steps.release.outputs.release_created }}
     steps:
       - id: release
-        uses: google-github-actions/release-please-action@v4
+        uses: googleapis/release-please-action@v4
         with:
           target-branch: 5.x
 
-  compress-sign-and-upload:
+  compress_sign_and_upload:
     needs: [release_please]
+    if: ${{ needs.release_please.outputs.release_created }}
+    environment: release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: actions/setup
         uses: ./.github/actions/setup
       - name: actions/compress_sign_and_upload
         uses: ./.github/actions/compress_sign_and_upload
-        with:
-          garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
-          garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
-          artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-          artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+        with: 
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: 'us-east-1'
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          npm_package_name: 'bson'
       - run: npm publish --provenance --tag=5x
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,10 +18,11 @@ jobs:
     steps:
       - id: release
         uses: googleapis/release-please-action@v4
-
+  
   compress_sign_and_upload:
     needs: [release_please]
     if: ${{ needs.release_please.outputs.release_created }}
+    environment: release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -30,10 +31,10 @@ jobs:
       - name: actions/compress_sign_and_upload
         uses: ./.github/actions/compress_sign_and_upload
         with: 
-          garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
-          garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
-          artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
-          artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: 'us-east-1'
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          npm_package_name: 'bson'
       - run: npm publish --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}