chore(NODE-6160): sign and upload to releases

.github/actions/setup/action.yml

@@ -0,0 +1,15 @@
+name: Setup
+description: 'Installs node, driver dependencies, and builds source'
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 'lts/*'
+ cache: 'npm'
+ registry-url: 'https://registry.npmjs.org'
+ - run: npm install -g npm@latest
+ shell: bash
+ - run: npm clean-install
+ shell: bash

.github/actions/sign_and_upload_package/action.yml

@@ -0,0 +1,80 @@
+name: Sign and Upload Package
+description: 'Signs native modules with garasign'
+
+inputs: 
+ aws_role_arn:
+ description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_region_name:
+ description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ aws_secret_id:
+ description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+ required: true
+ npm_package_name:
+ description: 'The name for the npm package this repository represents'
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/download-artifact@v4
+ - name: Display structure of downloaded files
+ shell: bash
+ run: ls -R
+
+ - name: Make signatures directory
+ shell: bash
+ run: mkdir artifacts
+
+ - name: Set up drivers-github-tools
+ uses: mongodb-labs/drivers-github-tools/setup@v2
+ with: 
+ aws_region_name: ${{ inputs.aws_region_name }}
+ aws_role_arn: ${{ inputs.aws_role_arn }}
+ aws_secret_id: ${{ inputs.aws_secret_id }}
+
+ - name: Untar all the existing builds.
+ shell: bash
+ run: for filename in build-*/*.tar.gz; do tar -xvzf ${filename} --strip-components=2 -C $(dirname "$filename"); done
+
+ - name: Display structure of downloaded files
+ shell: bash
+ run: ls -R
+
+ - name: Rename the mongocrypt.node files to match the tar file name
+ shell: bash
+ run: for filename in build-*/*.node; do dir=$(dirname "$filename"); pattern=$(ls ${dir}/*.tar.gz | sed -r "s/$dir\/mongodb-client-encryption(.*).tar.gz/\1/"); mv ${filename} ${dir}/mongocrypt${pattern}.node; done
+
+ - name: Display structure of downloaded files
+ shell: bash
+ run: ls -R
+
+ - name: Create detached signature
+ uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+ with: 
+ filenames: 'build-*/*.node'
+ env: 
+ RELEASE_ASSETS: artifacts/
+
+ - name: Rename the .node files back to mongocrypt.node
+ shell: bash
+ run: for filename in build-*/*.node; do dir=$(dirname "$filename"); mkdir ${dir}/build; mkdir ${dir}/build/Release; mv ${filename} ${dir}/build/Release/mongocrypt.node; done
+
+ - name: Rearchive the native bindings
+ shell: bash
+ run: for filename in build-*/*.tar.gz; do dir=$(dirname "$filename"); file=$(basename "$filename"); tar -czvf artifacts/${file} ${dir}; done
+
+ - name: Display structure of downloaded files
+ shell: bash
+ run: ls -R
+
+ # - name: Name release asset correctly 
+ # run: mv ${{ steps.get_vars.outputs.package_file }}.temp.sig ${{ steps.get_vars.outputs.package_file }}.sig
+ # shell: bash
+
+ # - name: "Upload release artifacts"
+ # run: gh release upload v${{ steps.get_vars.outputs.package_version }} ${{ steps.get_vars.outputs.package_file }}.sig --clobber
+ # shell: bash
+ # env:
+ # GH_TOKEN: ${{ github.token }}

.github/workflows/build.yml

@@ -5,6 +5,11 @@ on:
  branches: [main]
  workflow_dispatch: {}
 
+permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
+
 name: build
 
 jobs:
@@ -61,21 +66,40 @@ jobs:
  retention-days: 1
  compression-level: 0
 
- collect:
+ # collect:
+ # needs: [host_builds, container_builds]
+ # runs-on: ubunutu-latest
+ # steps:
+ # - uses: actions/download-artifact@v4
+
+ # - name: Display structure of downloaded files
+ # run: ls -R
+
+ # - id: upload
+ # name: Upload all prebuilds
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: all-build
+ # path: '*.tar.gz'
+ # if-no-files-found: 'error'
+ # retention-days: 1
+ # compression-level: 0
+
+ sign_and_upload:
  needs: [host_builds, container_builds]
  runs-on: ubuntu-latest
+ environment: release
  steps:
- - uses: actions/download-artifact@v4
-
- - name: Display structure of downloaded files
- run: ls -R
-
- - id: upload
- name: Upload all prebuilds
- uses: actions/upload-artifact@v4
- with:
- name: all-build
- path: '*.tar.gz'
- if-no-files-found: 'error'
- retention-days: 1
- compression-level: 0
+ - uses: actions/checkout@v4
+ # - name: actions/setup
+ # uses: ./.github/actions/setup
+ - name: actions/sign_and_upload_package
+ uses: ./.github/actions/sign_and_upload_package
+ with: 
+ aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+ aws_region_name: 'us-east-1'
+ aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+ npm_package_name: 'mongodb'
+ # - run: npm publish --provenance
+ # env:
+ # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}