diff --git a/.github/workflows/coding-standards.yml b/.github/workflows/coding-standards.yml index 1eebcaa5f..24d397294 100644 --- a/.github/workflows/coding-standards.yml +++ b/.github/workflows/coding-standards.yml @@ -67,59 +67,3 @@ jobs: uses: stefanzweifel/git-auto-commit-action@v5 with: commit_message: "apply phpcbf formatting" - - analysis: - runs-on: "ubuntu-22.04" - continue-on-error: true - strategy: - matrix: - php: - - '8.1' - - '8.2' - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: ${{ matrix.php }} - extensions: curl, mbstring - tools: composer:v2 - coverage: none - - - name: Cache dependencies - id: composer-cache - uses: actions/cache@v4 - with: - path: ./vendor - key: composer-${{ hashFiles('**/composer.lock') }} - - - name: Install dependencies - run: composer install - - - name: Restore cache PHPStan results - id: phpstan-cache-restore - uses: actions/cache/restore@v4 - with: - path: .cache - key: "phpstan-result-cache-${{ github.run_id }}" - restore-keys: | - phpstan-result-cache- - - - name: Run PHPStan - run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif - - - name: "Upload SARIF report" - if: always() - uses: "github/codeql-action/upload-sarif@v3" - with: - sarif_file: phpstan.sarif - - - name: Save cache PHPStan results - id: phpstan-cache-save - if: always() - uses: actions/cache/save@v4 - with: - path: .cache - key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b8df0df69..63dea84c4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -9,25 +9,24 @@ on: required: true type: "string" -env: - # TODO: Use different token - GH_TOKEN: ${{ secrets.MERGE_UP_TOKEN }} - GIT_AUTHOR_NAME: "DBX PHP Release Bot" - GIT_AUTHOR_EMAIL: "dbx-php@mongodb.com" - jobs: prepare-release: + environment: release name: "Prepare release" runs-on: ubuntu-latest + permissions: + id-token: write + contents: write steps: - name: "Create release output" run: echo '🎬 Release process for version ${{ inputs.version }} started by @${{ github.triggering_actor }}' >> $GITHUB_STEP_SUMMARY - - uses: actions/checkout@v4 + - name: "Generate token and checkout repository" + uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 with: - submodules: true - token: ${{ env.GH_TOKEN }} + app_id: ${{ vars.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} - name: "Store version numbers in env variables" run: | 
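Review bot: The workflow-level `env` that defined `GH_TOKEN` is removed here, yet later steps still read it — `gh release create` in the next hunk and `token: ${{ env.GH_TOKEN }}` in the new publish-ssdlc-assets job — so everything now hinges on `secure-checkout@v2` exporting `GH_TOKEN` into the job environment, which nothing in this hunk states. If that action only returns the App token as a step output, `${{ env.GH_TOKEN }}` evaluates to an empty string and `gh` runs with no credential at all. I would make the dependency explicit above the checkout step, `# secure-checkout exports the GitHub App installation token as GH_TOKEN for the gh CLI and the steps below`, or wire the action's token output into `env:` on the steps that need it. Keep in mind that the job-level `contents: write` bounds only `GITHUB_TOKEN`; what `gh release create`/`upload` can do is now bounded by the App installation's own permissions.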
@@ -51,24 +50,22 @@ jobs: # Preliminary checks done - commence the release process # - - name: "Set git author information" - run: | - git config user.name "${GIT_AUTHOR_NAME}" - git config user.email "${GIT_AUTHOR_EMAIL}" + - name: "Set up drivers-github-tools" + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: ${{ vars.AWS_REGION_NAME }} + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} # Create draft release with release notes - name: "Create draft release" run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --generate-notes --draft)" >> "$GITHUB_ENV" - # This step creates the signed release tag - name: "Create release tag" - uses: mongodb-labs/drivers-github-tools/garasign/git-sign@v1 + uses: mongodb-labs/drivers-github-tools/tag-version@v2 with: - command: "git tag -m 'Release ${{ inputs.version }}' -s --local-user=${{ vars.GPG_KEY_ID }} ${{ inputs.version }}" - garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }} - garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }} - artifactory_username: ${{ secrets.ARTIFACTORY_USER }} - artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }} + version: ${{ inputs.version }} + tag_message_template: 'Release ${VERSION}' # TODO: Manually merge using ours strategy. This avoids merge-up pull requests being created # Process is: 
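Review bot: The replacement `tag-version@v2` step drops the comment `# This step creates the signed release tag`, and with the `git push` steps removed in the next hunk the tag must now also be pushed by this action (the later static-analysis job checks out `refs/tags/<version>`), yet neither signing nor pushing is visible here. I would restore a comment above the step stating both, e.g. `# Creates the signed release tag and pushes it; pushing the tag starts the builds that produce the release artifacts`, so the next maintainer knows where the signature and the push happen. Separately, `${{ inputs.version }}` is spliced unquoted into the `gh release create` shell command and becomes the tag name; the "preliminary checks" referenced above this hunk (not visible here) should be confirmed to reject anything but a plain version string before this point.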
@@ -77,14 +74,77 @@ jobs: # 3. push next branch # 4. switch back to release branch, then push - - name: "Push changes from release branch" - run: git push - - # Pushing the release tag starts build processes that then produce artifacts for the release - - name: "Push release tag" - run: git push origin ${{ inputs.version }} - - name: "Set summary" run: | echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY + + static-analysis: + needs: prepare-release + name: "Run Static Analysis" + uses: ./.github/workflows/static-analysis.yml + with: + ref: refs/tags/${{ inputs.version }} + permissions: + security-events: write + id-token: write + + publish-ssdlc-assets: + needs: static-analysis + environment: release + name: "Publish SSDLC Assets" + runs-on: ubuntu-latest + permissions: + security-events: read + id-token: write + contents: write + + steps: + - name: "Generate token and checkout repository" + uses: mongodb-labs/drivers-github-tools/secure-checkout@v2 + with: + app_id: ${{ vars.APP_ID }} + private_key: ${{ secrets.APP_PRIVATE_KEY }} + ref: refs/tags/${{ inputs.version }} + + # Sets the S3_ASSETS environment variable used later + - name: "Set up drivers-github-tools" + uses: mongodb-labs/drivers-github-tools/setup@v2 + with: + aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} + aws_region_name: ${{ vars.AWS_REGION_NAME }} + aws_secret_id: ${{ secrets.AWS_SECRET_ID }} + + - name: "Generate authorized publication document" + uses: mongodb-labs/drivers-github-tools/authorized-pub@v2 + with: + product_name: "MongoDB Laravel Integration" + release_version: ${{ inputs.version }} + filenames: "" + token: ${{ env.GH_TOKEN }} + + - name: "Download SBOM file from Silk" + uses: mongodb-labs/drivers-github-tools/sbom@v2 + with: + silk_asset_group: mongodb-laravel-integration + + - name: "Upload SBOM as release 
artifact" + run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json + continue-on-error: true + + - name: "Generate SARIF report from code scanning alerts" + uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2 + with: + ref: ${{ inputs.version }} + output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json + + - name: "Generate compliance report" + uses: mongodb-labs/drivers-github-tools/compliance-report@v2 + with: + token: ${{ env.GH_TOKEN }} + + - name: Upload S3 assets + uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2 + with: + version: ${{ inputs.version }} + product_name: laravel-mongodb diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml new file mode 100644 index 000000000..240c0aa5b --- /dev/null +++ b/.github/workflows/static-analysis.yml 
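Review bot: The `code-scanning-export@v2` step passes `ref: ${{ inputs.version }}` while every other reference to the tag in this job (`secure-checkout`, the static-analysis call) uses the full `refs/tags/${{ inputs.version }}` form; if the action forwards the value to the code-scanning alerts API, a bare tag name may not resolve and the exported alert list would be empty or taken from the wrong ref. Using `ref: refs/tags/${{ inputs.version }}` removes the ambiguity. Also, `continue-on-error: true` on "Upload SBOM as release artifact" means a release whose SBOM download or upload failed still publishes with no SBOM attached and nothing red to notice; for an SSDLC artifact I would drop the flag, or at least give the step an `id: sbom-upload` and add a step guarded by `if: steps.sbom-upload.outcome == 'failure'` that emits `echo '::warning::SBOM was not attached to the release'`.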
@@ -0,0 +1,74 @@ +name: "Static Analysis" + +on: + push: + pull_request: + workflow_call: + inputs: + ref: + description: "The git ref to check" + type: string + required: true + +env: + PHP_VERSION: "8.2" + DRIVER_VERSION: "stable" + +jobs: + phpstan: + runs-on: "ubuntu-22.04" + continue-on-error: true + strategy: + matrix: + php: + - '8.1' + - '8.2' + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} + + - name: Setup PHP + uses: shivammathur/setup-php@v2 + with: + php-version: ${{ matrix.php }} + extensions: curl, mbstring + tools: composer:v2 + coverage: none + + - name: Cache dependencies + id: composer-cache + uses: actions/cache@v4 + with: + path: ./vendor + key: composer-${{ hashFiles('**/composer.lock') }} + + - name: Install dependencies + run: composer install + + - name: Restore cache PHPStan results + id: phpstan-cache-restore + uses: actions/cache/restore@v4 + with: + path: .cache + key: "phpstan-result-cache-${{ matrix.php }}-${{ github.run_id }}" + restore-keys: | + phpstan-result-cache- + + - name: Run PHPStan + run: ./vendor/bin/phpstan analyse --no-interaction --no-progress --ansi --error-format=sarif > phpstan.sarif + + - name: "Upload SARIF report" + if: always() + uses: "github/codeql-action/upload-sarif@v3" + with: + sarif_file: phpstan.sarif + + - name: Save cache PHPStan results + id: phpstan-cache-save + if: always() + uses: actions/cache/save@v4 + with: + path: .cache + key: ${{ steps.phpstan-cache-restore.outputs.cache-primary-key }} diff --git a/RELEASING.md b/RELEASING.md index c4aeecd39..4be9302a4 100644 --- a/RELEASING.md +++ b/RELEASING.md 
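Review bot: The "Upload SARIF report" step has no `category`, and the job runs as a two-entry PHP matrix, so both legs upload a SARIF file for the same commit and tool; code scanning treats uploads without a category as one analysis and the second upload replaces the first, so findings that only appear on one PHP version are lost. Add `category: "phpstan-php${{ matrix.php }}"` to the upload step — the same per-matrix distinction the cache key a few lines above already makes. Separately, the checkout uses `ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}`; this works for the release caller because a reusable workflow sees the caller's event name, but any other `workflow_call` user would silently have its `inputs.ref` ignored, whereas `ref: ${{ inputs.ref || github.ref }}` states the intent directly since `inputs.ref` is empty outside `workflow_call`. Note also that `continue-on-error: true` on the job means the release's `publish-ssdlc-assets` stage is not blocked by PHPStan failures; if that is intentional because the SARIF itself is the artifact, a comment on the job saying so would help.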
@@ -31,24 +31,18 @@ Update the version's release date and status from the [Manage Versions](https://jira.mongodb.org/plugins/servlet/project-config/PHPORM/versions) page. -## Update version info +## Trigger the release workflow -This uses [semantic versioning](https://semver.org/). Do not break -backwards compatibility in a non-major release or your users will kill you. +Releases are done automatically through a GitHub Action. Visit the corresponding +[Release New Version](https://github.com/mongodb/laravel-mongodb/actions/workflows/release.yml) +workflow page to trigger a new build. Select the correct branch (e.g. `v4.5`) +and trigger a new run using the "Run workflow" button. In the following prompt, +enter the version number. -Before proceeding, ensure that the default branch is up-to-date with all code -changes in this maintenance branch. This is important because we will later -merge the ensuing release commits with `--strategy=ours`, which will ignore -changes from the merged commits. +The automation will then create and push the necessary commits and tag, and create +a draft release. The release is created in a draft state and can be published +once the release notes have been updated. -## Tag the release - -Create a tag for the release and push: - -```console -$ git tag -a -m "Release X.Y.Z" X.Y.Z -$ git push mongodb --tags -``` ## Branch management diff --git a/docs/includes/framework-compatibility-laravel.rst b/docs/includes/framework-compatibility-laravel.rst index 1305cf8e0..44519e27c 100644 --- a/docs/includes/framework-compatibility-laravel.rst +++ b/docs/includes/framework-compatibility-laravel.rst @@ -7,6 +7,11 @@ - Laravel 10.x - Laravel 9.x + * - 4.4 + - ✓ + - ✓ + - + * - 4.3 - ✓ - ✓