mongodb-js · aditi-khare-mongoDB · May 29, 2024 · Jun 6, 2024 · Jun 7, 2024 · Jun 7, 2024
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -11,5 +11,5 @@ runs:
         registry-url: 'https://registry.npmjs.org'
     - run: npm install -g npm@latest
       shell: bash
-    - run: npm clean-install
+    - run: npm clean-install --ignore-scripts
       shell: bash
diff --git a/.github/actions/sign_and_upload/action.yml b/.github/actions/sign_and_upload/action.yml
@@ -0,0 +1,71 @@
+name: Sign and Upload Package
+description: 'Signs native modules with garasign'
+
+inputs: 
+    aws_role_arn:
+      description: 'AWS role input for drivers-github-tools/gpg-sign@v2'
+      required: true
+    aws_region_name:
+      description: 'AWS region name input for drivers-github-tools/gpg-sign@v2'
+      required: true
+    aws_secret_id:
+      description: 'AWS secret id input for drivers-github-tools/gpg-sign@v2'
+      required: true
+    npm_package_name:
+      description: 'The name for the npm package this repository represents'
+      required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/download-artifact@v4
+
+    - name: Make signatures directory
+      shell: bash
+      run: mkdir artifacts
+
+    - name: Set up drivers-github-tools
+      uses: mongodb-labs/drivers-github-tools/setup@v2
+      with: 
+        aws_region_name: ${{ inputs.aws_region_name }}
+        aws_role_arn: ${{ inputs.aws_role_arn }}
+        aws_secret_id: ${{ inputs.aws_secret_id }}
+
+    - name: Create detached signature
+      uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+      with: 
+        filenames: 'build-*/*.tar.gz'
+      env: 
+        RELEASE_ASSETS: artifacts/
+
+    - name: Copy the tarballs to the artifacts directory
+      shell: bash
+      run: for filename in build-*/*.tar.gz; do cp ${filename} artifacts/; done
+
+    - run: npm pack
+      shell: bash
+
+    - name: Get release version and release package file name
+      id: get_vars
+      shell: bash
+      run: |
+        package_version=$(jq --raw-output '.version' package.json)
+        echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+        echo "package_file=${{ inputs.npm_package_name }}-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
+    - name: Create detached signature for module
+      uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+      with: 
+        filenames: ${{ steps.get_vars.outputs.package_file }}
+      env: 
+        RELEASE_ASSETS: artifacts/
+
+    - name: Display structure of downloaded files
+      shell: bash
+      run: ls -la artifacts/
+
+    - name: "Upload release artifacts"
+      run: gh release upload v${{ steps.get_vars.outputs.package_version }} artifacts/*.*
+      shell: bash
+      env:
+        GH_TOKEN: ${{ github.token }}
diff --git a/.github/docker/Dockerfile.glibc b/.github/docker/Dockerfile.glibc
@@ -0,0 +1,12 @@
+ARG NODE_BUILD_IMAGE=node:16.20.1-bullseye
+FROM $NODE_BUILD_IMAGE AS build
+
+WORKDIR /kerberos
+COPY . .
+
+RUN npm run install kerberos
+RUN npm run test
+
+FROM scratch
+
+COPY --from=build /kerberos/prebuilds/ /
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,100 @@
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}
+
+name: Build and Test
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
+jobs:
+  host_builds:
+    strategy:
+      matrix:
+        os: [macos-11, macos-latest, windows-2019]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build ${{ matrix.os }} Prebuild
+        run: npm run prebuild
+        shell: bash
+
+      - name: Test ${{ matrix.os }}
+        shell: bash
+        run: npm run test
+
+      - id: upload
+        name: Upload prebuild
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-${{ matrix.os }}
+          path: prebuilds/
+          if-no-files-found: 'error'
+          retention-days: 1
+          compression-level: 0
+
+  container_builds:
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        linux_arch: [s390x, arm64, amd64]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Run Buildx
+        run: |
+          docker buildx create --name builder --bootstrap --use
+          docker buildx build --platform linux/${{ matrix.linux_arch }} --output type=local,dest=./prebuilds,platform-split=false -f ./.github/docker/Dockerfile.glibc .
+
+      - id: upload
+        name: Upload prebuild
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-linux-${{ matrix.linux_arch }}
+          path: prebuilds/
+          if-no-files-found: 'error'
+          retention-days: 1
+          compression-level: 0
+
+  release_please:
+    needs: [host_builds, container_builds]
+    runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+    steps:
+      - id: release
+        uses: googleapis/release-please-action@v4
+
+  sign_and_upload:
+    needs: [release_please]
+    if: ${{ needs.release_please.outputs.release_created }}
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - uses: actions/checkout@v4
+      - name: actions/setup
+        uses: ./.github/actions/setup
+      - name: actions/sign_and_upload_package
+        uses: ./.github/actions/sign_and_upload_package
+        with: 
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: 'us-east-1'
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          npm_package_name: 'kerberos'
+      - run: npm publish --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/README.md b/README.md
@@ -45,6 +45,23 @@ Now you can install `kerberos` with the following:
 npm install kerberos
 ```
 
+### Release Integrity
+
+The GitHub release contains a detached signature file for the NPM package (named
+`kerberos-X.Y.Z.tgz.sig`).
+
+The following command returns the link npm package. 
+```shell
+npm view kerberos@vX.Y.Z dist.tarball 
+```
+
+Using the result of the above command, a `curl` command can return the official npm package for the release.
+
+To verify the integrity of the downloaded package, run the following command:
+```shell
+gpg --verify kerberos-X.Y.Z.tgz.sig kerberos-X.Y.Z.tgz
+```
+
 ### Testing
 
 Run the test suite using: