
RUBY-3501 SSDLC for bson-ruby (#330)
* SSDLC shenanigans...

* publish job depends on the build job

* need Ruby configured to build the native code

* fix regex anchoring (alerted via codeql)

* ignore vendor folder

* apparently we have to specify environment for each job

* see if it picks up jruby this way?

* download all artifacts to the current directory

don't create separate directories for each downloaded artifact.

* authorized-pub task doesn't like globs with spaces in them

* use boolean type for dry-run flag

* don't need to specify "false" explicitly anymore

* simplify the build phase (don't need secure checkout)
jamis authored Jul 1, 2024
1 parent 9af9f98 commit 80be3c0
Showing 15 changed files with 350 additions and 247 deletions.
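--- a/.github/workflows/cleanup.yml
+++ b/.github/workflows/cleanup.yml
@@ -0,0 +1,44 @@
+name: "Dry-Run Cleanup"
+run-name: "Dry Run Cleanup for ${{ github.ref }}"
+
+on:
+workflow_dispatch:
+inputs:
+confirm:
+description: Indicate whether you want this workflow to run (must be "true")
+required: true
+type: string
+tag:
+description: The name of the tag (and release) to clean up
+required: true
+type: string
+
+jobs:
+release:
+name: "Dry-Run Cleanup"
+environment: release
+runs-on: 'ubuntu-latest'
+if: ${{ inputs.confirm == 'true' }}
+
+permissions:
+# required for all workflows
+security-events: write
+
+# required to fetch internal or private CodeQL packs
+packages: read
+
+# only required for workflows in private repositories
+actions: read
+contents: write
+
+# required by the mongodb-labs/drivers-github-tools/setup@v2 step
+# also required by `rubygems/release-gem`
+id-token: write
+
+steps:
+- name: "Run the cleanup action"
+uses: mongodb-labs/drivers-github-tools/ruby/cleanup@v2
+with:
+app_id: ${{ vars.APP_ID }}
+app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
+tag: ${{ inputs.tag }}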
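Review bot: The `permissions` block of the `release` job grants `security-events: write` and `packages: read` under comments copied from the CodeQL template, yet the job's only step is `drivers-github-tools/ruby/cleanup@v2`, which from this hunk needs at most `contents: write` and `id-token: write`. Unless that action is known to upload SARIF or pull CodeQL packs, drop the two grants and reword the remaining comments to say what the step actually uses, e.g. `# needed by drivers-github-tools/ruby/cleanup to remove the tag and release`; release.yml carries the same copied block at workflow level. Separately, the cleanup action is referenced by the mutable tag `@v2` from outside this repository; pinning to a full commit SHA (keeping the tag in a trailing comment) would make what runs with the app private key reproducible and reviewable.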
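--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,69 @@
+name: "CodeQL"
+
+on: [ push, pull_request ]
+
+jobs:
+analyze:
+name: Analyze (${{ matrix.language }})
+# Runner size impacts CodeQL analysis time. To learn more, please see:
+# - https://gh.io/recommended-hardware-resources-for-running-codeql
+# - https://gh.io/supported-runners-and-hardware-resources
+# - https://gh.io/using-larger-runners (GitHub.com only)
+# Consider using larger runners or machines with greater resources for possible analysis time improvements.
+runs-on: 'ubuntu-latest'
+timeout-minutes: 360
+permissions:
+# required for all workflows
+security-events: write
+
+# required to fetch internal or private CodeQL packs
+packages: read
+
+# only required for workflows in private repositories
+actions: read
+contents: read
+
+strategy:
+fail-fast: false
+matrix:
+include:
+- language: ruby
+build-mode: none
+- language: c
+build-mode: manual
+- language: java
+build-mode: none
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+# Initializes the CodeQL tools for scanning.
+- name: Initialize CodeQL
+uses: github/codeql-action/init@v3
+with:
+languages: ${{ matrix.language }}
+build-mode: ${{ matrix.build-mode }}
+config: |
+paths-ignore:
+- .evergreen
+- spec
+- perf
+- vendor
+- name: Setup Ruby
+if: matrix.build-mode == 'manual'
+uses: ruby/setup-ruby@v1
+with:
+ruby-version: '3.2'
+bundler-cache: true
+
+- name: Manually build the native code
+if: matrix.build-mode == 'manual'
+run: |
+bundle exec rake compile
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@v3
+with:
+category: "/language:${{matrix.language}}"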
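Review bot: The workflow has no `schedule` trigger, so the CodeQL database is only rebuilt when someone pushes; a default branch that goes quiet will not be re-scanned with newly published queries until the next commit. Adding a weekly entry under `on:` — for example `schedule:` / `- cron: '0 6 * * 1'` (constructed sample) — matches the stock CodeQL template and costs nothing. Note also that `on: [ push, pull_request ]` analyses every in-repo PR twice (once for the push, once for the pull request); a `branches:` filter on `push` would halve that. Minor style point: `category: "/language:${{matrix.language}}"` omits the inner spaces that every other expression in the file uses.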

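--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,170 @@
+name: "BSON Release"
+run-name: "BSON Release for ${{ github.ref }}"
+
+on:
+workflow_dispatch:
+inputs:
+dry_run:
+description: Whether this is a dry run or not
+required: true
+default: true
+type: boolean
+
+env:
+SILK_ASSET_GROUP: bson-ruby
+RELEASE_MESSAGE_TEMPLATE: |
+Version {0} of [BSON for Ruby](https://rubygems.org/gems/bson) is now available.
+**Release Highlights**
+TODO: one or more paragraphs describing important changes in this release
+**Documentation**
+Documentation is available at [MongoDB.com](https://www.mongodb.com/docs/ruby-driver/current/tutorials/bson/).
+**Installation**
+You may install this version via RubyGems, with:
+gem install --version {0} bson
+permissions:
+# required for all workflows
+security-events: write
+
+# required to fetch internal or private CodeQL packs
+packages: read
+
+# only required for workflows in private repositories
+actions: read
+contents: write
+
+# required by the mongodb-labs/drivers-github-tools/setup@v2 step
+# also required by `rubygems/release-gem`
+id-token: write
+
+jobs:
+build:
+name: "Build Gems"
+runs-on: ubuntu-latest
+strategy:
+fail-fast: false
+matrix:
+ruby: [ '3.2', jruby ]
+steps:
+- name: Check out the repository
+uses: actions/checkout@v4
+
+- name: Setup Ruby
+uses: ruby/setup-ruby@v1
+with:
+ruby-version: ${{ matrix.ruby }}
+bundler-cache: true
+
+- name: Set output gem file name
+shell: bash
+run: |
+echo "GEM_FILE_NAME=$(bundle exec rake gem_file_name)" >> "$GITHUB_ENV"
+- name: Build the gem
+shell: bash
+run: bundle exec rake build
+
+- name: Save the generated gem file for later
+uses: actions/upload-artifact@v4
+with:
+name: ${{ env.GEM_FILE_NAME }}
+path: ${{ env.GEM_FILE_NAME }}
+retention-days: 1
+overwrite: true
+
+publish:
+name: Publish Gems
+needs: build
+environment: release
+runs-on: ubuntu-latest
+steps:
+- name: Check out the repository
+uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+with:
+app_id: ${{ vars.APP_ID }}
+private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+- name: Setup Ruby
+uses: ruby/setup-ruby@v1
+with:
+ruby-version: '3.2'
+bundler-cache: true
+
+- name: Get the release version
+shell: bash
+run: echo "RELEASE_VERSION=$(bundle exec rake version)" >> "$GITHUB_ENV"
+
+- name: Setup GitHub tooling for DBX Drivers
+uses: mongodb-labs/drivers-github-tools/setup@v2
+with:
+aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+aws_region_name: ${{ vars.AWS_REGION_NAME }}
+aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+- name: Fetch the gem artifacts
+uses: actions/download-artifact@v4
+with:
+merge-multiple: true
+
+- name: Sign the gems
+uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+with:
+filenames: '*.gem'
+
+- name: Generate SSDLC Reports
+uses: mongodb-labs/drivers-github-tools/full-report@v2
+with:
+product_name: BSON for Ruby
+release_version: ${{ env.RELEASE_VERSION }}
+dist_filenames: '*.gem'
+silk_asset_group: bson-ruby
+
+- name: Create the tag
+uses: mongodb-labs/drivers-github-tools/tag-version@v2
+with:
+version: ${{ env.RELEASE_VERSION }}
+tag_template: "v${VERSION}"
+tag_message_template: "Release tag for v${VERSION}"
+
+- name: Create a new release
+shell: bash
+run: gh release create v${{ env.RELEASE_VERSION }} --title ${{ env.RELEASE_VERSION }} --generate-notes --draft
+
+- name: Capture the changelog
+shell: bash
+run: gh release view v${{ env.RELEASE_VERSION }} --json body --template '{{ .body }}' >> changelog
+
+- name: Prepare release message
+shell: bash
+run: |
+echo "${{ format(env.RELEASE_MESSAGE_TEMPLATE, env.RELEASE_VERSION) }}" > release-message
+cat changelog >> release-message
+- name: Update release information
+shell: bash
+run: |
+echo "RELEASE_URL=$(gh release edit v${{ env.RELEASE_VERSION }} --notes-file release-message)" >> "$GITHUB_ENV"
+- name: Upload release artifacts
+shell: bash
+run: gh release upload v${{ env.RELEASE_VERSION }} *.gem ${{ env.RELEASE_ASSETS }}/*.sig
+
+- name: Upload S3 assets
+uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+with:
+version: ${{ env.RELEASE_VERSION }}
+product_name: 'bson-ruby'
+dry_run: ${{ inputs.dry_run }}
+
+- name: Publish the gems
+uses: rubygems/release-gem@v1
+if: inputs.dry_run == 'false'
+with:
+await-release: false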
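Review bot: The guard on the `Publish the gems` step, `if: inputs.dry_run == 'false'`, compares a `type: boolean` input against a string: in the `inputs` context a boolean workflow_dispatch input is a real boolean, and GitHub's loose comparison coerces mismatched operands to numbers, so the condition is unlikely ever to be true and the real publish would be skipped even with dry run unchecked. `if: ${{ !inputs.dry_run }}` is the safe form; worth confirming on the next run, since this is the one step that actually ships the gem. The `run:` steps splice `${{ env.RELEASE_VERSION }}` straight into shell text (`gh release create v${{ env.RELEASE_VERSION }} --title ${{ env.RELEASE_VERSION }} ...`); RELEASE_VERSION is already exported to the job environment, so `"v$RELEASE_VERSION"` and `--title "$RELEASE_VERSION"` keep it as data for the shell and survive a version string with unexpected characters. `${{ env.RELEASE_ASSETS }}` is not set anywhere in this hunk — presumably exported by the `setup@v2` action — and a comment on the `Upload release artifacts` step naming its source would help the next reader. The workflow-level `permissions` (including `contents: write` and `id-token: write`) also apply to the `build` job, which only checks out, builds and uploads an artifact; scoping the elevated grants to the `publish` job keeps the untrusted build phase least-privileged.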
