chore(NODE-6118): generate authorized publisher report and compliance report (#4156)

Author: baileympearson

.github/actions/compress_sign_and_upload/action.yml

@@ -1,19 +1,23 @@
 name: Compress and Sign
 description: 'Compresses package and signs with garasign'
 
-inputs: 
-    aws_role_arn:
-      description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
-      required: true
-    aws_region_name:
-      description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
-      required: true
-    aws_secret_id:
-      description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
-      required: true
-    npm_package_name:
-      description: 'The name for the npm package this repository represents'
-      required: true
+inputs:
+  aws_role_arn:
+    description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  aws_region_name:
+    description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  aws_secret_id:
+    description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+    required: true
+  npm_package_name:
+    description: 'The name for the npm package this repository represents'
+    required: true
+  dry_run:
+    description: 'Should we upload files to the release?'
+    required: false
+    default: 'true'
 
 runs:
   using: composite
@@ -31,24 +35,25 @@ runs:
 
     - name: Set up drivers-github-tools
       uses: mongodb-labs/drivers-github-tools/setup@v2
-      with: 
+      with:
         aws_region_name: ${{ inputs.aws_region_name }}
         aws_role_arn: ${{ inputs.aws_role_arn }}
         aws_secret_id: ${{ inputs.aws_secret_id }}
 
     - name: Create detached signature
       uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
-      with: 
+      with:
         filenames: ${{ steps.get_vars.outputs.package_file }}
-      env: 
+      env:
         RELEASE_ASSETS: ${{ steps.get_vars.outputs.package_file }}.temp.sig
 
-    - name: Name release asset correctly 
+    - name: Name release asset correctly
       run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
       shell: bash
 
     - name: "Upload release artifacts"
+      if: ${{ inputs.dry_run == false }}
       run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig
       shell: bash
       env:
-        GH_TOKEN: ${{ github.token }}
+        GH_TOKEN: ${{ github.token }}

.github/workflows/release-5.x.yml

@@ -21,95 +21,62 @@ jobs:
         with:
           target-branch: 5.x
 
-  compress_sign_and_upload:
+  ssdlc:
     needs: [release_please]
-    if: ${{ needs.release_please.outputs.release_created }}
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
     environment: release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: actions/setup
         uses: ./.github/actions/setup
+      - name: Get release version and release package file name
+        id: get_vars
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+          echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
       - name: actions/compress_sign_and_upload
         uses: ./.github/actions/compress_sign_and_upload
         with:
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region_name: 'us-east-1'
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
           npm_package_name: 'mongodb'
-      - run: npm publish --provenance --tag=5x
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-  generate_sarif_report:
-    environment: release
-    runs-on: ubuntu-latest
-    needs: [release_please]
-    permissions:
-      # required for all workflows
-      security-events: write
-      id-token: write
-      contents: write
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up drivers-github-tools
-        uses: mongodb-labs/drivers-github-tools/setup@v2
-        with:
-          aws_region_name: us-east-1
-          aws_role_arn: ${{ secrets.aws_role_arn }}
-          aws_secret_id: ${{ secrets.aws_secret_id }}
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 
-      - name: "Generate Sarif Report"
-        uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
-        with:
-          ref: 5.x
-          output-file: sarif-report.json
-
-      - name: Get release version and release package file name
-        id: get_version
+      - name: Copy sbom file to release assets
         shell: bash
-        run: |
-          package_version=$(jq --raw-output '.version' package.json)
-          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
-      - name: actions/publish_asset_to_s3
-        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@main
+        run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
+
+      - name: Generate authorized pub report
+        uses: mongodb-labs/drivers-github-tools/full-report@v2
         with:
-          version: ${{ steps.get_version.outputs.package_version }}
-          product_name: node-mongodb-native
-          file: sarif-report.json
-          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+          release_version: ${{ steps.get_version.outputs.package_version }}
+          product_name: mongodb
+          sarif_report_target_ref: 5.x
+          third_party_dependency_tool: n/a
+          # <package> and <package>.sig
+          dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
+          token:  ${{ github.token }}
+          sbom_file_name: sbom.json
 
-  upload_sbom_lite:
+  publish:
+    needs: [release_please, ssdlc]
     environment: release
     runs-on: ubuntu-latest
-    needs: [release_please]
-    permissions:
-      # required for all workflows
-      security-events: write
-      id-token: write
-      contents: write
-
     steps:
       - uses: actions/checkout@v4
-      - name: Set up drivers-github-tools
-        uses: mongodb-labs/drivers-github-tools/setup@v2
-        with:
-          aws_region_name: us-east-1
-          aws_role_arn: ${{ secrets.aws_role_arn }}
-          aws_secret_id: ${{ secrets.aws_secret_id }}
-
-      - name: Get release version and release package file name
-        id: get_version
-        shell: bash
-        run: |
-          package_version=$(jq --raw-output '.version' package.json)
-          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+      - name: actions/setup
+        uses: ./.github/actions/setup
 
-      - name: actions/publish_asset_to_s3
-        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
-        with:
-          version: ${{ steps.get_version.outputs.package_version }}
-          product_name: node-mongodb-native
-          file: sbom.json
-          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+      - run: npm publish --provenance --tag=5.x
+        if: ${{ needs.release_please.outputs.release_created }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/release.yml

@@ -19,96 +19,68 @@ jobs:
       - id: release
         uses: googleapis/release-please-action@v4
 
-  compress_sign_and_upload:
+  ssdlc:
     needs: [release_please]
-    if: ${{ needs.release_please.outputs.release_created }}
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
     environment: release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: actions/setup
         uses: ./.github/actions/setup
+      - name: Get release version and release package file name
+        id: get_vars
+        shell: bash
+        run: |
+          package_version=$(jq --raw-output '.version' package.json)
+          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+          echo "package_file=mongodb-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
       - name: actions/compress_sign_and_upload
         uses: ./.github/actions/compress_sign_and_upload
         with:
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region_name: 'us-east-1'
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
           npm_package_name: 'mongodb'
-      - run: npm publish --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
 
-  generate_sarif_report:
-    environment: release
-    runs-on: ubuntu-latest
-    needs: [release_please]
-    permissions:
-      # required for all workflows
-      security-events: write
-      id-token: write
-      contents: write
-
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up drivers-github-tools
-        uses: mongodb-labs/drivers-github-tools/setup@v2
-        with:
-          aws_region_name: us-east-1
-          aws_role_arn: ${{ secrets.aws_role_arn }}
-          aws_secret_id: ${{ secrets.aws_secret_id }}
+      - name: Copy sbom file to release assets
+        shell: bash
+        run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
 
-      - name: "Generate Sarif Report"
-        uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+      - name: Generate authorized pub report
+        uses: mongodb-labs/drivers-github-tools/full-report@v2
         with:
-          ref: main
-          output-file: sarif-report.json
+          release_version: ${{ steps.get_version.outputs.package_version }}
+          product_name: mongodb
+          sarif_report_target_ref: main
+          third_party_dependency_tool: n/a
+          # <package> and <package>.sig
+          dist_filenames: ${{ steps.get_vars.outputs.package_file }}*
+          token:  ${{ github.token }}
+          sbom_file_name: sbom.json
 
-      - name: Get release version and release package file name
-        id: get_version
-        shell: bash
-        run: |
-          package_version=$(jq --raw-output '.version' package.json)
-          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
-      - name: actions/publish_asset_to_s3
-        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
+      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
         with:
-          version: ${{ steps.get_version.outputs.package_version }}
-          product_name: node-mongodb-native
-          file: sarif-report.json
+          version: ${{ inputs.version }}
+          product_name: ${{ inputs.product_name }}
           dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
 
-
-  upload_sbom_lite:
+  publish:
+    needs: [release_please, ssdlc]
     environment: release
     runs-on: ubuntu-latest
-    needs: [release_please]
-    permissions:
-      # required for all workflows
-      security-events: write
-      id-token: write
-      contents: write
-
     steps:
       - uses: actions/checkout@v4
-      - name: Set up drivers-github-tools
-        uses: mongodb-labs/drivers-github-tools/setup@v2
-        with:
-          aws_region_name: us-east-1
-          aws_role_arn: ${{ secrets.aws_role_arn }}
-          aws_secret_id: ${{ secrets.aws_secret_id }}
-
-      - name: Get release version and release package file name
-        id: get_version
-        shell: bash
-        run: |
-          package_version=$(jq --raw-output '.version' package.json)
-          echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+      - name: actions/setup
+        uses: ./.github/actions/setup
 
-      - name: actions/publish_asset_to_s3
-        uses: mongodb-labs/drivers-github-tools/node/publish_asset_to_s3@v2
-        with:
-          version: ${{ steps.get_version.outputs.package_version }}
-          product_name: node-mongodb-native
-          file: sbom.json
-          dry_run:  ${{ needs.release_please.outputs.release_created == '' }}
+      - run: npm publish --provenance --tag=latest
+        if: ${{ needs.release_please.outputs.release_created }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}