From c4d1106253d3503ff054567bb6753371bed85e75 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 24 Jun 2024 10:02:15 -0500 Subject: [PATCH] PYTHON-4389 SSDLC Policy Conformance for pymongocrypt (#840) --- .github/workflows/codeql.yml | 6 ++ .github/workflows/dist-python.yml | 78 +++++++++++++++ .github/workflows/release-python.yml | 136 +++++++++++++-------------- bindings/python/pyproject.toml | 1 + 4 files changed, 153 insertions(+), 68 deletions(-) create mode 100644 .github/workflows/dist-python.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 91bcf73e7..e8295349c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -9,6 +9,11 @@ on: - bindings/python/**/*.py schedule: - cron: '17 10 * * 2' + workflow_call: + inputs: + ref: + required: true + type: string jobs: analyze-python: @@ -26,6 +31,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + ref: ${{ inputs.ref }} - uses: actions/setup-python@v5 with: python-version: 3.x diff --git a/.github/workflows/dist-python.yml b/.github/workflows/dist-python.yml new file mode 100644 index 000000000..86e68bdd8 --- /dev/null +++ b/.github/workflows/dist-python.yml 
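Review bot: The new `ref: ${{ inputs.ref }}` on the checkout step is undocumented for the push and schedule triggers this workflow keeps, where `inputs.ref` expands to an empty string and checkout presumably falls back to the triggering commit; a comment above it such as `# Empty unless invoked via workflow_call; checkout then uses the triggering commit` would save the next reader from wondering whether a required input is silently missing. Since the caller in this same commit passes a bare version string as the ref, it is also worth confirming that the tag pre-publish creates is named exactly that, given the `pymongocrypt-X.Y.Z` tag patterns used elsewhere in the patch. The rest of the `analyze-python` job lies outside the hunk.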
@@ -0,0 +1,78 @@ +name: Python Dist + +on: + push: + tags: + - "pymongocrypt-[0-9]+.[0-9]+.[0-9]+" + - "pymongocrypt-[0-9]+.[0-9]+.[0-9]+.post[0-9]+" + - "pymongocrypt-[0-9]+.[0-9]+.[0-9]+[a-b][0-9]+" + - "pymongocrypt-[0-9]+.[0-9]+.[0-9]+rc[0-9]+" + pull_request: + paths: + - bindings/python/* + workflow_dispatch: + workflow_call: + inputs: + force: + required: true + type: boolean + +concurrency: + group: python-dist-${{ github.ref }} + cancel-in-progress: true + +defaults: + run: + working-directory: ./bindings/python + shell: bash -eux {0} + +jobs: + build_dist: + if: github.repository_owner == 'mongodb' || inputs.force == true + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [ubuntu-latest, windows-latest, macos-latest] + fail-fast: false + + steps: + - name: Checkout libmongocrypt + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: actions/setup-python@v5 + with: + python-version: 3.8 + cache: 'pip' + cache-dependency-path: 'bindings/python/pyproject.toml' + allow-prereleases: true + + - name: Build and test dist files + run: | + export LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt) + git fetch origin $LIBMONGOCRYPT_VERSION + bash ./release.sh + + - uses: actions/upload-artifact@v4 + with: + name: dist-${{ matrix.os }} + path: ./bindings/python/dist/*.* + if-no-files-found: error + + collect_dist: + runs-on: ubuntu-latest + needs: [build_dist] + name: Collect dist files + steps: + - name: Download all workflow run artifacts + uses: actions/download-artifact@v4 + - name: Flatten directory + working-directory: . + run: | + find . -mindepth 2 -type f -exec mv {} . \; + find . -type d -empty -delete + - uses: actions/upload-artifact@v4 + with: + name: all-dist-${{ github.run_id }} + path: "./*" diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index f4273daac..7904b6090 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml 
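Review bot: The new reusable workflow declares no `permissions`, so the GITHUB_TOKEN it receives is whatever the caller or repository default grants, while `build_dist` runs `release.sh` with a pip cache configured (so third-party packages are presumably resolved during the build) — a compromised dependency there would inherit that token. Add `permissions:` with `  contents: read` at the top level; the workflow only reads the repository and uploads run artifacts, which needs no further scope. Unlike `codeql.yml` in this same commit, the workflow also takes no `ref` input, so a caller cannot pin which commit is built; the release workflow's `build-dist` will check out whatever commit dispatched it rather than the version it scans, so mirroring the `ref` input and passing it to `actions/checkout` is worth doing. Note too that the `pull_request` path filter `bindings/python/*` does not match files in subdirectories (`*` stops at `/`), so edits under `bindings/python/pymongocrypt/` will not trigger the PR build; `bindings/python/**` is presumably what was intended.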
@@ -1,90 +1,90 @@ name: Python Release on: - push: - tags: - - "pymongocrypt-[0-9]+.[0-9]+.[0-9]+" - - "pymongocrypt-[0-9]+.[0-9]+.[0-9]+.post[0-9]+" - - "pymongocrypt-[0-9]+.[0-9]+.[0-9]+[a-b][0-9]+" - - "pymongocrypt-[0-9]+.[0-9]+.[0-9]+rc[0-9]+" - pull_request: - paths: - - bindings/python/* workflow_dispatch: + inputs: + version: + description: "The new version to set" + required: true + following_version: + description: "The post (dev) version to set" + required: true + dry_run: + description: "Dry Run?" + default: false + type: boolean -concurrency: - group: python-release-${{ github.ref }} - cancel-in-progress: true +env: + # Changes per repo + PRODUCT_NAME: PyMongoCrypt + # Changes per branch + SILK_ASSET_GROUP: pymongocrypt defaults: run: - working-directory: ./bindings/python shell: bash -eux {0} jobs: - build_dist: - if: github.repository_owner == 'mongodb' - runs-on: ${{ matrix.os }} - strategy: - matrix: - os: [ubuntu-latest, windows-latest, macos-latest] - fail-fast: false - - steps: - - name: Checkout libmongocrypt - uses: actions/checkout@v4 + pre-publish: + environment: release-python + runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + steps: + - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 with: - fetch-depth: 0 - - - uses: actions/setup-python@v5 + app_id: ${{ vars.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + - uses: mongodb-labs/drivers-github-tools/setup@v2 with: - python-version: 3.8 - cache: 'pip' - cache-dependency-path: 'bindings/python/pyproject.toml' - allow-prereleases: true - - - name: Build and test dist files - run: | - export LIBMONGOCRYPT_VERSION=$(cat ./libmongocrypt-version.txt) - git fetch origin $LIBMONGOCRYPT_VERSION - bash ./release.sh - - - uses: actions/upload-artifact@v4 + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: ${{ vars.AWS_REGION_NAME }} + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }} + - uses: 
mongodb-labs/drivers-github-tools/python/pre-publish@v2 with: - name: dist-${{ matrix.os }} - path: ./bindings/python/dist/*.* - if-no-files-found: error + version: ${{ inputs.version }} + working_directory: ./bindings/python + dry_run: ${{ inputs.dry_run }} - collect_dist: - runs-on: ubuntu-latest - needs: [build_dist] - name: Collect dist files - steps: - - name: Download all workflow run artifacts - uses: actions/download-artifact@v4 - - name: Flatten directory - working-directory: . - run: | - find . -mindepth 2 -type f -exec mv {} . \; - find . -type d -empty -delete - - uses: actions/upload-artifact@v4 - with: - name: all-dist - path: "./*" + build-dist: + needs: [pre-publish] + uses: ./.github/workflows/dist-python.yml + with: + force: true + + static-scan: + needs: [pre-publish] + uses: ./.github/workflows/codeql.yml + with: + ref: ${{ inputs.version }} publish: - # https://packaging.python.org/en/latest/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#publishing-the-distribution-to-pypi - needs: [collect_dist] - if: startsWith(github.ref, 'refs/tags/') + needs: [build-dist, static-scan] runs-on: ubuntu-latest environment: release-python permissions: id-token: write + contents: write + security-events: write steps: - - name: Download all the dists - uses: actions/download-artifact@v4 - with: - name: all-dist - path: dist/ - - name: Publish distribution 📦 to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + - uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + with: + app_id: ${{ vars.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + - uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: ${{ vars.AWS_REGION_NAME }} + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + artifactory_username: ${{ vars.ARTIFACTORY_USERNAME }} + - uses: mongodb-labs/drivers-github-tools/python/publish@v2 + with: + version: ${{ inputs.version }} + 
following_version: ${{ inputs.following_version }} + working_directory: ./bindings/python + product_name: ${{ env.PRODUCT_NAME }} + silk_asset_group: ${{ env.SILK_ASSET_GROUP }} + token: ${{ github.token }} + dry_run: ${{ inputs.dry_run }} \ No newline at end of file diff --git a/bindings/python/pyproject.toml b/bindings/python/pyproject.toml index a4d8835e8..ec0c9dc71 100644 --- a/bindings/python/pyproject.toml +++ b/bindings/python/pyproject.toml @@ -44,6 +44,7 @@ Homepage = "https://github.com/mongodb/libmongocrypt/tree/master/bindings/python [tool.hatch.version] path = "pymongocrypt/version.py" +validate-bump = false # Used to call hatch_build.py [tool.hatch.build.hooks.custom]
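Review bot: `static-scan` checks out `ref: ${{ inputs.version }}` while `build-dist` calls `dist-python.yml` with only `force: true` and no ref, so the scanned tree and the published artifacts are not guaranteed to be the same commit; if pre-publish pushes a version-bump commit, the reusable build checks out the pre-dispatch SHA rather than the bumped one. Pass the same ref to both (once `dist-python.yml` accepts a `ref` input) so that `needs: [build-dist, static-scan]` actually gates what ships. Also confirm the tag name pre-publish creates: the input is a bare version such as `1.11.0`, whereas the tag patterns retained in `dist-python.yml` are `pymongocrypt-X.Y.Z`, and checkout of a nonexistent ref would fail the scan job. Finally, CodeQL's analyze step does not fail on findings by default, so `needs: static-scan` proves the scan ran, not that it was clean; if the SSDLC intent is to block publishing on findings, that needs a separate check on the uploaded results.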
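Review bot: `validate-bump = false` silently disables hatch's check that a newly set version is greater than the current one, so a mistyped `version` input to the release dispatch (for example one lower than what is already published) would be written without complaint. The reason for disabling it is not recorded; presumably it is to let the workflow set the `following_version` dev bump, so add a comment such as `# Disabled so the release workflow can set the post-release dev version; ordering is not validated here.` and consider an explicit ordering check in the workflow if the publish tool does not already perform one. The surrounding `[tool.hatch.version]` table is complete within the hunk.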