mongodb-js · mcasimir · Jan 2, 2024 · Dec 29, 2023 · Dec 29, 2023 · Dec 29, 2023
diff --git a/.github/workflows/actions/test-and-build/action.yaml b/.github/workflows/actions/test-and-build/action.yaml
@@ -0,0 +1,144 @@
+name: Run test and build
+description: Test and build action, reused among workflows
+inputs:
+  SEGMENT_KEY:
+    required: true
+  ARTIFACTORY_HOST:
+    required: true
+  ARTIFACTORY_PASSWORD:
+    required: true
+  ARTIFACTORY_USERNAME:
+    required: true
+  GARASIGN_PASSWORD:
+    required: true
+  GARASIGN_USERNAME:
+    required: true
+  SNYK_TOKEN:
+    required: true
+  JIRA_API_TOKEN:
+    required: true
+
+runs:
+  using: "composite"
+  # Steps represent a sequence of tasks that will be executed as part of the job
+  steps:
+    - name: Install Deps Ubuntu
+      if: ${{ runner.os == 'Linux' }}
+      run: sudo apt-get update -y && sudo apt-get -y install libkrb5-dev libsecret-1-dev net-tools libstdc++6 gnome-keyring
+      shell: bash
+
+    # Default Python (3.12) doesn't have support for distutils because of
+    # which the dep install fails constantly on macos
+    # https://github.com/nodejs/node-gyp/issues/2869
+    - uses: actions/setup-python@v4
+      with:
+        python-version: '3.11'
+
+    - name: Run node-gyp bug workaround script
+      run: |
+        curl -sSfLO https://raw.githubusercontent.com/mongodb-js/compass/42e6142ae08be6fec944b80ff6289e6bcd11badf/.evergreen/node-gyp-bug-workaround.sh && bash node-gyp-bug-workaround.sh
+      shell: bash
+
+    - name: Set SEGMENT_KEY
+      env:
+        SEGMENT_KEY: ${{ inputs.SEGMENT_KEY }}
+      run: |
+        echo "SEGMENT_KEY=${SEGMENT_KEY}" >> $GITHUB_ENV
+      shell: bash
+
+    - name: Validate SEGMENT_KEY
+      run: |
+        if [ -z "${SEGMENT_KEY}" ]; then
+          echo "SEGMENT_KEY is not set or is empty"
+          exit 1
+        fi
+      shell: bash
+
+    - name: Install npm
+      run: npm install -g [email protected]
+      shell: bash
+
+    - name: Install Dependencies
+      shell: bash
+      run: |
+        npm ci --omit=optional
+
+    - name: Run Checks
+      run: npm run check
+      # the glob here just fails
+      if: ${{ runner.os != 'Windows' }}
+      shell: bash
+
+    - name: Run Tests
+      run: |
+        npm run test
+      shell: bash
+
+    - name: Build .vsix
+      env:
+        NODE_OPTIONS: "--require ./scripts/no-npm-list-fail.js"
+      # NOTE: --githubBranch is "The GitHub branch used to infer relative links in README.md."
+      run: |
+        npx vsce package --githubBranch main
+      shell: bash
+
+    - name: Check .vsix filesize
+      run: npm run check-vsix-size
+      shell: bash
+
+    - name: Sign .vsix
+      if: runner.os == 'Linux'
+      env:
+        ARTIFACTORY_HOST: ${{ inputs.ARTIFACTORY_HOST }}
+        ARTIFACTORY_PASSWORD: ${{ inputs.ARTIFACTORY_PASSWORD }}
+        ARTIFACTORY_USERNAME: ${{ inputs.ARTIFACTORY_USERNAME }}
+        GARASIGN_PASSWORD: ${{ inputs.GARASIGN_PASSWORD }}
+        GARASIGN_USERNAME: ${{ inputs.GARASIGN_USERNAME }}
+      run: |
+        bash scripts/sign-vsix.sh
+        ls *.vsix.sig
+      shell: bash
+
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v2
+      with:
+        name: VSIX built on ${{ runner.os }}
+        path: |
+          *.vsix
+          *.vsix.sig
+
+    - name: Run Snyk Test
+      if: runner.os == 'Linux'
+      shell: bash
+      env:
+        SNYK_TOKEN: ${{ inputs.SNYK_TOKEN }}
+      run: |
+        npm run snyk-test > /dev/null 2>&1
+
+    - name: Create Jira Tickets
+      if: >
+        runner.os == 'Linux' &&
+        (
+          github.event_name == 'push' && github.ref == 'refs/heads/main' ||
+          github.event_name == 'workflow_dispatch' ||
+          github.event_name == 'schedule'
+        )
+      shell: bash
+      env:
+        JIRA_API_TOKEN: ${{ inputs.JIRA_API_TOKEN }}
+        JIRA_BASE_URL: "https://jira.mongodb.org"
+        JIRA_PROJECT: "VSCODE"
+        JIRA_VULNERABILITY_BUILD_INFO: "- [GitHub Run|https://github.com/mongodb-js/vscode/actions/runs/${{github.run_id}}/jobs/${{github.job}}]"
+      run: |
+        npm run create-vulnerability-tickets > /dev/null
+
+    - name: Generate Vulnerability Report (Fail on >= High)
+      if: runner.os == 'Linux'
+      continue-on-error: ${{ github.event_name == 'pull_request' }}
+      shell: bash
+      run: |
+        # The standard output is suppressed since Github Actions logs are
+        # available for everyone with read access to the repo, which is everyone that is
+        # logged in for public repos.
+        # This command is only here to fail on failures for `main` and tags.
+        npm run generate-vulnerability-report > /dev/null
diff --git a/.github/workflows/draft-release.yaml b/.github/workflows/draft-release.yaml
@@ -0,0 +1,110 @@
+name: Draft release
+
+on:
+  workflow_dispatch:
+    inputs:
+      versionBump:
+        description: 'Version bump'
+        type: choice
+        required: true
+        default: 'patch'
+        options:
+        - patch
+        - minor
+        - major
+        - exact-version
+
+      exactVersion:
+        description: 'Exact version: (Only effective selecting "exact-version" as version bump)'
+        required: false
+
+jobs:
+  prepare-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          # NOTE: this is necessary to get the full history
+          # and check if tags are already present
+          fetch-depth: 0
+
+      - name: Setup Node.js Environment
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16.x
+
+      - name: Determine Next Version
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+
+          VERSION_BUMP=${{ github.event.inputs.versionBump }}
+
+          if [[ "$VERSION_BUMP" == "major" || "$VERSION_BUMP" == "minor" || "$VERSION_BUMP" == "patch" ]]; then
+            PREV_VERSION_TAG=$(gh api repos/:owner/:repo/releases --jq '. | map(select(.draft == false)) | .[0] | .tag_name')
+            PREV_VERSION=$(npx semver --coerce ${PREV_VERSION_TAG})
+
+            NEXT_VERSION=$(npx semver -i $VERSION_INPUT $PREV_VERSION)
+          else
+            NEXT_VERSION=${{ github.event.inputs.exactVersion }}
+          fi
+
+          # Remove the 'v' prefix from NEXT_VERSION if it exists
+          NEXT_VERSION="${NEXT_VERSION#v}"
+
+          # Validates the version before using it
+          npx semver v"${NEXT_VERSION}"
+
+          npm version "${NEXT_VERSION}" --no-git-tag-version
+          echo "RELEASE_TAG=v${NEXT_VERSION}" >> $GITHUB_ENV
+
+      - name: Validate release tag
+        shell: bash
+        run: |
+          RELEASE_TAG=${{ inputs.RELEASE_TAG }}
+
+          if [ -z "${RELEASE_TAG}" ]; then
+            echo "RELEASE_TAG is not set or is empty"
+            exit 1
+          fi
+
+          if git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
+            echo "Error: Tag $RELEASE_TAG already existing"
+            echo "If you are trying to re-create a draft release with this version, please delete the release and the tag first."
+            echo "If this version has already been release consider using a different one."
+            exit 1
+          fi
+
+      - name: Run tests and build
+        uses: ./.github/workflows/actions/test-and-build
+        with:
+          SEGMENT_KEY: ${{ secrets.SEGMENT_KEY_PROD }}
+          ARTIFACTORY_HOST: ${{ secrets.ARTIFACTORY_HOST }}
+          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
+          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
+          GARASIGN_PASSWORD: ${{ secrets.GARASIGN_PASSWORD }}
+          GARASIGN_USERNAME: ${{ secrets.GARASIGN_USERNAME }}
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+
+      - name: Create Draft Release
+        run: |
+          set -e
+          echo Creating draft release for: "${RELEASE_TAG}"
+          ls *.vsix
+          ls *.vsix.sig
+
+          gh release create "${RELEASE_TAG}" \
+            --title "${RELEASE_VERSION}" \
+            --notes "Edit the release notes before publishing." \
+            --target main \
+            --draft \
+            *.vsix \
+            *.vsix.sig
+        shell: bash
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+