RUBY-3501 SSDLC for bson-ruby #330
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
don't create separate directories for each downloaded artifact.
Workflows LGTM. I'll defer to @comandeo-mongo for reviewing the ruby-specific changes.
.github/workflows/release.yml
Outdated
- name: Check out the repository
  uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
  with:
    app_id: ${{ vars.APP_ID }}
    private_key: ${{ secrets.APP_PRIVATE_KEY }}
No objection to leaving this here, but strictly speaking this doesn't need to run in the release environment and use secure-checkout.
* SSDLC shenanigans...
* publish job depends on the build job
* need Ruby configured to build the native code
* fix regex anchoring (alerted via codeql)
* ignore vendor folder
* apparently we have to specify environment for each job
* see if it picks up jruby this way?
* download all artifacts to the current directory don't create separate directories for each downloaded artifact.
* authorized-pub task doesn't like globs with spaces in them
* use boolean type for dry-run flag
* don't need to specify "false" explicitly anymore
* simplify the build phase (don't need secure checkout)
The general implementation is the same as that for the driver and for Mongoid, but because we produce two deliverables (a gem for MRI, and a gem for JRuby), the release process is split into two jobs: one with a matrix to build each gem, and upload the resulting artifact, and another to download the generated artifacts and complete the publication of the gems and other deliverables.
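A minimal sketch of the two-job layout described above, as an added example that is not the project's actual release.yml. The workflow name, artifact names, the `gem build` command and the placeholder publish step are assumptions.

```yaml
# Illustrative sketch only; not the repository's release.yml.
name: release-sketch
on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: Build and collect the gems without publishing
        type: boolean            # boolean input, so no string comparison against "false"
        default: true

permissions:
  contents: read                 # least privilege for the token used by these jobs

jobs:
  build:
    runs-on: ubuntu-latest
    environment: release         # the environment is set per job, not per workflow
    strategy:
      matrix:
        ruby: [ruby, jruby]      # one gem for MRI, one for JRuby
    steps:
      - uses: actions/checkout@v4    # pin to a full commit SHA in a real workflow
      - uses: ruby/setup-ruby@v1     # Ruby is needed to build the native code
        with:
          ruby-version: ${{ matrix.ruby }}
      - run: gem build *.gemspec     # assumed build command
      - uses: actions/upload-artifact@v4
        with:
          name: gem-${{ matrix.ruby }}   # assumed name; must be unique per matrix leg
          path: '*.gem'
          if-no-files-found: error       # fail the build if no gem was produced

  publish:
    needs: build                 # runs only after every matrix leg has succeeded
    runs-on: ubuntu-latest
    environment: release
    steps:
      - uses: actions/download-artifact@v4
        with:
          pattern: gem-*
          merge-multiple: true   # all gems land in one directory, no per-artifact subdirectories
      - name: Publish (placeholder)
        if: ${{ !inputs.dry_run }}
        run: |
          for gem in *.gem; do echo "would publish $gem"; done
```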