GODRIVER-3192 Add SSDLC workflow (#1680)

Signed-off-by: mongodb-dbx-release-bot[bot] <167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com> Co-authored-by: mongodb-dbx-release-bot[bot] <167856002+mongodb-dbx-release-bot[bot]@users.noreply.github.com>
mongodb · Jun 27, 2024 · ad12442 · ad12442
1 parent 90146e7
commit ad12442
Show file tree

Hide file tree

Showing 2 changed files with 88 additions and 7 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -22,13 +22,6 @@ jobs:
  # required for all workflows
  security-events: write
 
- # required to fetch internal or private CodeQL packs
- packages: read
-
- # only required for workflows in private repositories
- actions: read
- contents: read
-
  strategy:
  fail-fast: false
  matrix:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,88 @@
+name: Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "The new version to set"
+ required: true
+ prev_version:
+ description: "The previous tagged version"
+ required: true
+ push_changes:
+ description: "Push changes?"
+ default: true
+ type: boolean
+
+defaults:
+ run:
+ shell: bash -eux {0}
+
+env:
+ # Changes per branch
+ SILK_ASSET_GROUP: mongodb-go-driver-v1
+ EVERGREEN_PROJECT: mongo-go-driver-v1
+
+jobs:
+ pre-publish:
+ environment: release
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ outputs:
+ prev_version: ${{ steps.pre-publish.outputs.prev_version }}
+ steps:
+ - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+ with:
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+ - uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: ${{ vars.AWS_REGION_NAME }}
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+ artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
+ - name: Pre Publish
+ id: pre-publish
+ uses: mongodb-labs/drivers-github-tools/golang/pre-publish@v2
+ with:
+ version: ${{ inputs.version }}
+ push_changes: ${{ inputs.push_changes }}
+
+ static-scan:
+ needs: [pre-publish]
+ permissions:
+ security-events: write
+ uses: ./.github/workflows/codeql.yml
+ with:
+ ref: ${{ github.ref }}
+
+ publish:
+ needs: [pre-publish, static-scan]
+ runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ id-token: write
+ contents: write
+ security-events: read
+ steps:
+ - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+ with:
+ app_id: ${{ vars.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+ - uses: mongodb-labs/drivers-github-tools/setup@v2
+ with:
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: ${{ vars.AWS_REGION_NAME }}
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+ artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }}
+ - name: Publish
+ uses: mongodb-labs/drivers-github-tools/golang/publish@v2
+ with:
+ version: ${{ inputs.version }}
+ silk_asset_group: ${{ env.SILK_ASSET_GROUP }}
+ evergreen_project: ${{ env.EVERGREEN_PROJECT }}
+ prev_version: ${{ inputs.prev_version }}
+ push_changes: ${{ inputs.push_changes }}
+ token: ${{ env.GH_TOKEN }}