RUBY-3357 SSDLC Requirements (#2880)

jamis · web-flow · commit de60b9e3b7c6 · 2024-07-01T16:08:16.000-06:00
* add more tasks to the release workflow

also, add a cleanup workflow for use while testing

* workflows don't have descriptions

* inputs are specified on the trigger, not the workflow

* skip the SBOM generation until we can figure it out

* use bson-ruby asset group, for testing

this is temporary until silk is able to grab the correct sbom lite from
the mongo-ruby-driver repo

* put code scan results in S3_ASSETS

and for testing, remove dry-run from s3 upload, to make sure it works

* restore the correct silk asset group

* refactor to try the new ruby actions in drivers-github-tools

* remove stray quotation mark

* use the canonical version of the ruby actions

* Indicate `dry_run` to be of type boolean

This is so it gets rendered as a checkbox. We'll default it to `true` to avoid accidental releases.
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -0,0 +1,44 @@
+name: "Dry-Run Cleanup"
+run-name: "Dry Run Cleanup for ${{ github.ref }}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm:
+        description: Indicate whether you want this workflow to run (must be "true")
+        required: true
+        type: string
+      tag:
+        description: The name of the tag (and release) to clean up
+        required: true
+        type: string
+
+jobs:
+  release:
+    name: "Dry-Run Cleanup"
+    environment: release
+    runs-on: 'ubuntu-latest'
+    if: ${{ inputs.confirm == 'true' }}
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: write
+
+      # required by the mongodb-labs/drivers-github-tools/setup@v2 step
+      # also required by `rubygems/release-gem`
+      id-token: write
+
+    steps:
+      - name: "Run the cleanup action"
+        uses: mongodb-labs/drivers-github-tools/ruby/cleanup@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          tag: ${{ inputs.tag }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,9 +1,17 @@
 name: "Driver Release"
-run-name: "Ruby Driver Release ${{ github.ref_name }}"
+run-name: "Driver Release for ${{ github.ref }}"
 
-on: workflow_dispatch
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: Whether this is a dry run or not
+        required: true
+        default: true
+        type: boolean
 
 env:
+  SILK_ASSET_GROUP: mongodb-ruby-driver
   RELEASE_MESSAGE_TEMPLATE: |
     Version {0} of the [MongoDB Ruby Driver](https://rubygems.org/gems/mongo) is now available.
 
@@ -43,88 +51,17 @@ jobs:
       id-token: write
 
     steps:
-      - name: "Create temporary app token"
-        uses: actions/create-github-app-token@v1
-        id: app-token
-        with:
-          app-id: ${{ vars.APP_ID }}
-          private-key: ${{ secrets.APP_PRIVATE_KEY }}
-
-      - name: "Store GitHub token in environment"
-        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
-        shell: bash
-
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          token: ${{ env.GH_TOKEN }}
-
-      - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.2'
-          bundler-cache: true
-
-      - name: Setup GitHub tooling for DBX Drivers
-        uses: mongodb-labs/drivers-github-tools/setup@v2
+      - name: "Run the publish action"
+        uses: mongodb-labs/drivers-github-tools/ruby/publish@v2
         with:
+          app_id: ${{ vars.APP_ID }}
+          app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
           aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
           aws_region_name: ${{ vars.AWS_REGION_NAME }}
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
-
-      - name: Get the driver version
-        shell: bash
-        run: |
-          echo "DRIVER_VERSION=$(ruby -Ilib -rmongo/version -e 'puts Mongo::VERSION')" >> "$GITHUB_ENV"
-
-      - name: Set output gem file name
-        shell: bash
-        run: |
-          echo "GEM_FILE_NAME=mongo-${{ env.DRIVER_VERSION }}.gem" >> "$GITHUB_ENV"
-
-      - name: Build the gem
-        shell: bash
-        run: |
-          gem build --output=${{ env.GEM_FILE_NAME }} mongo.gemspec
-
-      - name: Sign the gem
-        uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
-        with:
-          filenames: '${{ env.GEM_FILE_NAME }}'
-
-      - name: Create and sign the tag
-        uses: mongodb-labs/drivers-github-tools/git-sign@v2
-        with:
-          command: "git tag -u ${{ env.GPG_KEY_ID }} -m 'Release tag for v${{ env.DRIVER_VERSION }}' v${{ env.DRIVER_VERSION }}"
-
-      - name: Push the tag to the repository
-        shell: bash
-        run: |
-          git push origin v${{ env.DRIVER_VERSION }}
-
-      - name: Create a new release
-        shell: bash
-        run: gh release create v${{ env.DRIVER_VERSION }} --title ${{ env.DRIVER_VERSION }} --generate-notes --draft
-
-      - name: Capture the changelog
-        shell: bash
-        run: gh release view v${{ env.DRIVER_VERSION }} --json body --template '{{ .body }}' >> changelog
-
-      - name: Prepare release message
-        shell: bash
-        run: |
-          echo "${{ format(env.RELEASE_MESSAGE_TEMPLATE, env.DRIVER_VERSION) }}" > release-message
-          cat changelog >> release-message
-
-      - name: Update release information
-        shell: bash
-        run: |
-          echo "RELEASE_URL=$(gh release edit v${{ env.DRIVER_VERSION }} --notes-file release-message)" >> "$GITHUB_ENV"
-
-      - name: Upload release artifacts
-        run: gh release upload v${{ env.DRIVER_VERSION }} ${{ env.GEM_FILE_NAME }} ${{ env.RELEASE_ASSETS }}/${{ env.GEM_FILE_NAME }}.sig
-
-      - name: Publish the gem
-        uses: rubygems/release-gem@v1
-        with:
-          await-release: false
+          dry_run: ${{ inputs.dry_run }}
+          gem_name: mongo
+          product_name: Ruby Driver
+          product_id: mongodb-ruby-driver
+          release_message_template: ${{ env.RELEASE_MESSAGE_TEMPLATE }}
+          silk_asset_group: ${{ env.SILK_ASSET_GROUP }}
diff --git a/Rakefile b/Rakefile
@@ -46,6 +46,18 @@ task :build do
   WARNING
 end
 
+# `rake version` is used by the deployment system so get the release version
+# of the product beng deployed. It must do nothing more than just print the
+# product version number.
+# 
+# See the mongodb-labs/driver-github-tools/ruby/publish Github action.
+desc "Print the current value of Mongo::VERSION"
+task :version do
+  require 'mongo/version'
+
+  puts Mongo::VERSION
+end
+
 # overrides the default Bundler-provided `release` task, which also
 # builds the gem. Our release process assumes the gem has already
 # been built (and signed via GPG), so we just need `rake release` to
