chore(NODE-6160): sign and upload to releases (#9)

Co-authored-by: Aditi Khare <[email protected]>

.github/actions/setup/action.yml

@@ -0,0 +1,15 @@
+name: Setup
+description: 'Installs node, driver dependencies, and builds source'
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 'lts/*'
+ cache: 'npm'
+ registry-url: 'https://registry.npmjs.org'
+ - run: npm install -g npm@latest
+ shell: bash
+ - run: npm clean-install --ignore-scripts
+ shell: bash

.github/actions/sign_and_upload_package/action.yml

@@ -0,0 +1,71 @@
+name: Sign and Upload Package
+description: 'Signs native modules with garasign'
+
+inputs: 
+ aws_role_arn:
+ description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_region_name:
+ description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_secret_id:
+ description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ npm_package_name:
+ description: 'The name for the npm package this repository represents'
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/download-artifact@v4
+
+ - name: Make signatures directory
+ shell: bash
+ run: mkdir artifacts
+
+ - name: Set up drivers-github-tools
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with: 
+ aws_region_name: ${{ inputs.aws_region_name }}
+ aws_role_arn: ${{ inputs.aws_role_arn }}
+ aws_secret_id: ${{ inputs.aws_secret_id }}
+
+ - name: Create detached signature
+ uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+ with: 
+ filenames: 'build-*/*.tar.gz'
+ env: 
+ RELEASE_ASSETS: artifacts/
+
+ - name: Copy the tarballs to the artifacts directory
+ shell: bash
+ run: for filename in build-*/*.tar.gz; do cp ${filename} artifacts/; done
+
+ - run: npm pack
+ shell: bash
+
+ - name: Get release version and release package file name
+ id: get_vars
+ shell: bash
+ run: |
+ package_version=$(jq --raw-output '.version' package.json)
+ echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+ echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
+ - name: Create detached signature for module
+ uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+ with: 
+ filenames: ${{ steps.get_vars.outputs.package_file }}
+ env: 
+ RELEASE_ASSETS: artifacts/
+
+ - name: Display structure of downloaded files
+ shell: bash
+ run: ls -la artifacts/
+
+ - name: "Upload release artifacts"
+ run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.*
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}

.github/workflows/build.yml

@@ -7,6 +7,11 @@ on:
 
 name: Build and Test
 
+permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
+
 jobs:
  host_builds:
  strategy:
@@ -65,21 +70,31 @@ jobs:
  retention-days: 1
  compression-level: 0
 
- collect:
+ release_please:
  needs: [host_builds, container_builds]
  runs-on: ubuntu-latest
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
  steps:
- - uses: actions/download-artifact@v4
-
- - name: Display structure of downloaded files
- run: ls -R
+ - id: release
+ uses: googleapis/release-please-action@v4
 
- - id: upload
- name: Upload all prebuilds
- uses: actions/upload-artifact@v4
- with:
- name: all-build
- path: '*.tar.gz'
- if-no-files-found: 'error'
- retention-days: 1
- compression-level: 0
+ sign_and_upload:
+ needs: [release_please]
+ if: ${{ needs.release_please.outputs.release_created }}
+ runs-on: ubuntu-latest
+ environment: release
+ steps:
+ - uses: actions/checkout@v4
+ - name: actions/setup
+ uses: ./.github/actions/setup
+ - name: actions/sign_and_upload_package
+ uses: ./.github/actions/sign_and_upload_package
+ with: 
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: 'us-east-1'
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+ npm_package_name: 'mongodb-client-encryption'
+ - run: npm publish --provenance
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}