PHPLIB-1434: Publish SSDLC assets upon release (#1342)

* Allow reusing static analysis workflow

* Run static analysis on release and publish SSDLC assets

* Address code review feedback

* Move rector to coding standards workflow

Author: alcaeus

.github/workflows/coding-standards.yml

@@ -35,3 +35,20 @@ jobs:
       # The -q option is required until phpcs v4 is released
       - name: "Run PHP_CodeSniffer"
         run: "vendor/bin/phpcs -q --no-colors --report=checkstyle | cs2pr"
+
+  rector:
+    name: "Rector"
+    runs-on: "ubuntu-22.04"
+
+    steps:
+      - name: "Checkout"
+        uses: "actions/checkout@v4"
+
+      - name: "Setup"
+        uses: "./.github/actions/setup"
+        with:
+          php-version: ${{ env.PHP_VERSION }}
+          driver-version: ${{ env.DRIVER_VERSION }}
+
+      - name: "Run Rector"
+        run: "vendor/bin/rector --ansi --dry-run"

.github/workflows/release.yml

@@ -93,7 +93,6 @@ jobs:
           aws_region_name: ${{ vars.AWS_REGION_NAME }}
           aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
 
-      # Create a draft release with release message filled in
       - name: "Prepare release message"
         run: |
           cat > release-message <<'EOL'
@@ -103,7 +102,6 @@ jobs:
       - name: "Create draft release"
         run: echo "RELEASE_URL=$(gh release create ${{ inputs.version }} --target ${{ github.ref_name }} --title "${{ inputs.version }}" --notes-file release-message --draft)" >> "$GITHUB_ENV"
 
-      # This step creates the signed release tag
       - name: "Create release tag"
         uses: mongodb-labs/drivers-github-tools/git-sign@v2
         with:
@@ -119,11 +117,89 @@ jobs:
       - name: "Push changes from release branch"
         run: git push
 
-      # Pushing the release tag starts build processes that then produce artifacts for the release
       - name: "Push release tag"
         run: git push origin ${{ inputs.version }}
 
       - name: "Set summary"
         run: |
           echo '🚀 Created tag and drafted release for version [${{ inputs.version }}](${{ env.RELEASE_URL }})' >> $GITHUB_STEP_SUMMARY
           echo '✍️ You may now update the release notes and publish the release when ready' >> $GITHUB_STEP_SUMMARY
+
+  static-analysis:
+    needs: prepare-release
+    name: "Run Static Analysis"
+    uses: ./.github/workflows/static-analysis.yml
+    with:
+      ref: refs/tags/${{ inputs.version }}
+    permissions:
+      security-events: write
+      id-token: write
+
+  publish-ssdlc-assets:
+    needs: static-analysis
+    environment: release
+    name: "Publish SSDLC Assets"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: read
+      id-token: write
+      contents: write
+
+    steps:
+      - name: "Create temporary app token"
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: "Store GitHub token in environment"
+        run: echo "GH_TOKEN=${{ steps.app-token.outputs.token }}" >> "$GITHUB_ENV"
+        shell: bash
+
+      - uses: actions/checkout@v4
+        with:
+          ref: refs/tags/${{ inputs.version }}
+          token: ${{ env.GH_TOKEN }}
+
+      # Sets the S3_ASSETS environment variable used later
+      - name: "Set up drivers-github-tools"
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+      - name: "Generate authorized publication document"
+        uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+        with:
+          product_name: "MongoDB PHP Driver (library)"
+          release_version: ${{ inputs.version }}
+          filenames: ""
+          token: ${{ env.GH_TOKEN }}
+
+      - name: "Download SBOM file from Silk"
+        uses: mongodb-labs/drivers-github-tools/sbom@v2
+        with:
+          silk_asset_group: mongodb-php-driver-library
+
+      - name: "Upload SBOM as release artifact"
+        run: gh release upload ${{ inputs.version }} ${{ env.S3_ASSETS }}/cyclonedx.sbom.json
+        continue-on-error: true
+
+      - name: "Generate SARIF report from code scanning alerts"
+        uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+        with:
+          ref: ${{ inputs.version }}
+          output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
+
+      - name: "Generate compliance report"
+        uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+        with:
+          token: ${{ env.GH_TOKEN }}
+
+      - name: Upload S3 assets
+        uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+        with:
+          version: ${{ inputs.version }}
+          product_name: mongo-php-library

.github/workflows/static-analysis.yml

@@ -12,8 +12,12 @@ on:
       - "v*.*"
       - "master"
       - "feature/*"
-    tags:
-      - "*"
+  workflow_call:
+    inputs:
+      ref:
+        description: "The git ref to check"
+        type: string
+        required: true
 
 env:
   PHP_VERSION: "8.2"
@@ -27,6 +31,8 @@ jobs:
     steps:
       - name: "Checkout"
         uses: "actions/checkout@v4"
+        with:
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }}
 
       - name: "Setup"
         uses: "./.github/actions/setup"
@@ -41,20 +47,3 @@ jobs:
         uses: "github/codeql-action/upload-sarif@v3"
         with:
           sarif_file: psalm.sarif
-
-  rector:
-    name: "Rector"
-    runs-on: "ubuntu-22.04"
-
-    steps:
-      - name: "Checkout"
-        uses: "actions/checkout@v4"
-
-      - name: "Setup"
-        uses: "./.github/actions/setup"
-        with:
-          php-version: ${{ env.PHP_VERSION }}
-          driver-version: ${{ env.DRIVER_VERSION }}
-
-      - name: "Run Rector"
-        run: "vendor/bin/rector --ansi --dry-run"