chore: full SSDLC compliance workflow (#179)

.evergreen/config.yml

@@ -96,14 +96,6 @@ functions:
         env:
           PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
           NODE_GITHUB_TOKEN: ${github_token}
-  run prebuild and force publish:
-    - command: shell.exec
-      type: test
-      params:
-        working_dir: src
-        script: >
-          ${PREPARE_SHELL}
-          NODE_FORCE_PUBLISH=1 NODE_GITHUB_TOKEN=${github_token} ${PROJECT_DIRECTORY}/.evergreen/run-prebuild.sh
   install dependencies:
     - command: subprocess.exec
       type: setup
@@ -138,65 +130,8 @@ tasks:
     commands:
       - func: install dependencies
       - func: run prebuild
-  - name: run-prebuild-force-publish
-    commands:
-      - func: install dependencies
-      - func: run prebuild and force publish
 
 buildvariants:
-  - name: macos
-    display_name: 'macOS 10.14'
-    run_on: macos-1014
-    tasks:
-      - run-prebuild
-      - run-prebuild-force-publish
-    expansions:
-      NODE_LTS_VERSION: 14
-      NPM_VERSION: 9
-  - name: macos-m1
-    display_name: MacOS M1
-    run_on: macos-1100-arm64
-    tasks:
-      - run-prebuild
-      - run-prebuild-force-publish
-    expansions:
-      NODE_LTS_VERSION: 18
-  - name: windows-x64
-    display_name: 'Windows 2016'
-    run_on: windows-64-vs2017-test
-    tasks:
-      - run-prebuild
-      - run-prebuild-force-publish
-  - name: rhel8-s390x
-    display_name: 'RHEL 8 s390x'
-    run_on: rhel83-zseries-small
-    expansions:
-      has_packages: true
-      packager_distro: rhel8
-      packager_arch: s390x
-    tasks:
-      - run-prebuild
-      - run-prebuild-force-publish
-  - name: ubuntu1804-64
-    display_name: 'Ubuntu 18.04 64-bit'
-    run_on: ubuntu1804-test
-    expansions:
-      has_packages: true
-      packager_distro: ubuntu1804
-      packager_arch: x86_64
-    tasks:
-      - run-prebuild
-      - run-prebuild-force-publish
-  - name: ubuntu1804-arm64
-    display_name: 'Ubuntu 18.04 arm64'
-    run_on: ubuntu1804-arm64-build
-    expansions:
-      has_packages: true
-      packager_distro: ubuntu1804
-      packager_arch: arm64
-    tasks:
-      - run-prebuild
-      - run-prebuild-force-publish
   - name: ubuntu2204-64
     display_name: 'Ubuntu 22.04 64-bit'
     run_on: ubuntu2204-small

.evergreen/run-prebuild.sh

@@ -10,42 +10,6 @@ export PATH="/opt/mongodbtoolchain/v2/bin:$PATH"
 
 echo "Node Version $(node -v)"
 
-get_version_at_git_rev () {
-  local REV=$1
-  local VERSION
-  VERSION=$(node -r child_process -e "console.log(JSON.parse(child_process.execSync('git show $REV:./package.json', { encoding: 'utf8' })).version);")
-  echo "$VERSION"
-}
-
-run_prebuild() {
-  set +o xtrace # Don't log the token
-  if [[ -z $NODE_GITHUB_TOKEN ]];then
-    echo "No github token set. Cannot run prebuild."
-    exit 1
-  else
-    echo "Github token detected. Running prebuild."
-    npm run prebuild -- -u "${NODE_GITHUB_TOKEN}"
-    echo "Prebuild's successfully submitted"
-  fi
-  set -o xtrace
-}
-
-
-VERSION_AT_HEAD=$(get_version_at_git_rev "HEAD")
-VERSION_AT_HEAD_1=$(get_version_at_git_rev "HEAD~1")
-
-if [[ -n $NODE_FORCE_PUBLISH ]]; then
-  echo 'NODE_FORCE_PUBLISH detected'
-  echo "Beginning prebuild"
-  run_prebuild
-elif [[ $VERSION_AT_HEAD != "$VERSION_AT_HEAD_1" ]]; then
-  echo "Difference is package version ($VERSION_AT_HEAD_1 -> $VERSION_AT_HEAD)"
-  echo "Beginning prebuild"
-  run_prebuild
-else
-  echo "No difference is package version ($VERSION_AT_HEAD_1 -> $VERSION_AT_HEAD)"
-  echo "Will prebuild without submit"
-  npm run prebuild
-  echo "Local prebuild successful."
-  ls prebuilds
-fi
+npm run prebuild
+echo "Local prebuild successful."
+ls prebuilds

.github/actions/setup/action.yml

@@ -11,5 +11,5 @@ runs:
         registry-url: 'https://registry.npmjs.org'
     - run: npm install -g npm@latest
       shell: bash
-    - run: npm clean-install
+    - run: npm clean-install --ignore-scripts
       shell: bash

.github/docker/Dockerfile.glibc

@@ -0,0 +1,19 @@
+FROM ubuntu:bionic AS build
+
+# Possible values: s390x, arm64, x64
+ARG NODE_ARCH
+ADD https://nodejs.org/dist/v16.20.1/node-v16.20.1-linux-${NODE_ARCH}.tar.gz /
+RUN mkdir -p /nodejs && tar -xzf /node-v16.20.1-linux-${NODE_ARCH}.tar.gz --strip-components=1 -C /nodejs
+ENV PATH=$PATH:/nodejs/bin
+
+WORKDIR /kerberos
+COPY . .
+
+RUN apt-get -qq update && apt-get -qq install -y python3 build-essential libkrb5-dev && ldd --version
+
+RUN npm clean-install --ignore-scripts
+RUN npm run prebuild
+
+FROM scratch
+
+COPY --from=build /kerberos/prebuilds/ /

.github/workflows/build.yml

@@ -0,0 +1,67 @@
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}
+  workflow_call: {}
+
+name: Build and Test
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
+jobs:
+  host_builds:
+    strategy:
+      matrix:
+        os: [macos-latest, windows-2019]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build ${{ matrix.os }} Prebuild
+        run: |
+          npm clean-install --ignore-scripts
+          npm run prebuild
+
+      - id: upload
+        name: Upload prebuild
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-${{ matrix.os }}
+          path: prebuilds/
+          if-no-files-found: 'error'
+          retention-days: 1
+          compression-level: 0
+
+  container_builds:
+    outputs:
+      artifact_id: ${{ steps.upload.outputs.artifact-id }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        linux_arch: [s390x, arm64, amd64]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Run Buildx
+        run: |
+          docker buildx create --name builder --bootstrap --use
+          docker buildx build --platform linux/${{ matrix.linux_arch }} --build-arg NODE_ARCH=${{ matrix.linux_arch == 'amd64' && 'x64' || matrix.linux_arch }} --output type=local,dest=./prebuilds,platform-split=false -f ./.github/docker/Dockerfile.glibc .
+
+      - id: upload
+        name: Upload prebuild
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-linux-${{ matrix.linux_arch }}
+          path: prebuilds/
+          if-no-files-found: 'error'
+          retention-days: 1
+          compression-level: 0

.github/workflows/release.yml

@@ -8,23 +8,98 @@ permissions:
   pull-requests: write
   id-token: write
 
-name: release
+name: release-latest
 
 jobs:
-  release-please:
+  release_please:
     runs-on: ubuntu-latest
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
     steps:
       - id: release
         uses: googleapis/release-please-action@v4
+        with:
+          target-branch: main
+
+  build:
+    needs: [release_please]
+    name: "Perform any build or bundling steps, as necessary."
+    uses: ./.github/workflows/build.yml
+
+  ssdlc:
+    needs: [release_please, build]
+    permissions:
+      # required for all workflows
+      security-events: write
+      id-token: write
+      contents: write
+    environment: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Node and dependencies
+        uses: mongodb-labs/drivers-github-tools/node/setup@v2
+        with:
+          ignore_install_scripts: true
+
+      - name: Load version and package info
+        uses: mongodb-labs/drivers-github-tools/node/get_version_info@v2
+        with:
+          npm_package_name: kerberos
+
+      - name: actions/compress_sign_and_upload
+        uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: us-east-1
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+          npm_package_name: kerberos
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+          sign_native: true
+
+      - name: Copy sbom file to release assets
+        shell: bash
+        if: ${{ '' == '' }}
+        run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json
+
+      # only used for mongodb-client-encryption
+      - name: Augment SBOM and copy to release assets
+        if: ${{ '' != '' }}
+        uses: mongodb-labs/drivers-github-tools/sbom@v2
+        with:
+          silk_asset_group: ''
+          sbom_file_name: sbom.json
+
+      - name: Generate authorized pub report
+        uses: mongodb-labs/drivers-github-tools/full-report@v2
+        with:
+          release_version: ${{ env.package_version }}
+          product_name: kerberos
+          sarif_report_target_ref: main
+          third_party_dependency_tool: n/a
+          dist_filenames: artifacts/*
+          token: ${{ github.token }}
+          sbom_file_name: sbom.json
+
+      - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+        with:
+          version: ${{ env.package_version }}
+          product_name: kerberos
+          dry_run: ${{ needs.release_please.outputs.release_created == '' }}
+
+  publish:
+    needs: [release_please, ssdlc, build]
+    environment: release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Node and dependencies
+        uses: mongodb-labs/drivers-github-tools/node/setup@v2
 
-      # If release-please created a release, publish to npm
-      - if: ${{ steps.release.outputs.release_created }}
-        uses: actions/checkout@v4
-      - if: ${{ steps.release.outputs.release_created }}
-        name: actions/setup
-        uses: ./.github/actions/setup
-      - if: ${{ steps.release.outputs.release_created }}
-        run: npm publish --provenance
+      - run: npm publish --provenance --tag=latest
+        if: ${{ needs.release_please.outputs.release_created }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 

README.md

@@ -45,6 +45,49 @@ Now you can install `kerberos` with the following:
 npm install kerberos
 ```
 
+#### Prebuild Platforms
+
+Below are the platforms that are available as prebuilds on each github release.
+`prebuild-install` downloads these automatically depending on the platform you are running npm install on.
+
+- Linux GLIBC 2.23 or later
+    - s390x
+    - arm64
+    - x64
+- MacOS universal binary
+    - x64
+    - arm64
+- Windows
+    - x64
+
+### Release Integrity
+
+Releases are created automatically and signed using the [Node team's GPG key](https://pgp.mongodb.com/node-driver.asc). This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:
+
+```
+gpg --import node-driver.asc
+```
+
+The GitHub release contains a detached signature file for the NPM package (named
+`kerberos-X.Y.Z.tgz.sig`).
+
+The following command returns the link npm package. 
+```shell
+npm view [email protected] dist.tarball 
+```
+
+Using the result of the above command, a `curl` command can return the official npm package for the release.
+
+To verify the integrity of the downloaded package, run the following command:
+```shell
+gpg --verify kerberos-X.Y.Z.tgz.sig kerberos-X.Y.Z.tgz
+```
+
+>[!Note]
+No verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using npm install mongodb-X.Y.Z.tgz.
+
+To verify the native `.node` packages, follow the same steps as above. 
+
 ### Testing
 
 Run the test suite using:

binding.gyp

@@ -13,7 +13,15 @@
       'xcode_settings': {
         'GCC_ENABLE_CPP_EXCEPTIONS': 'YES',
         'CLANG_CXX_LIBRARY': 'libc++',
-        'MACOSX_DEPLOYMENT_TARGET': '10.12'
+        'MACOSX_DEPLOYMENT_TARGET': '10.12',
+        "OTHER_CFLAGS": [
+          "-arch x86_64",
+          "-arch arm64"
+        ],
+        "OTHER_LDFLAGS": [
+          "-arch x86_64",
+          "-arch arm64"
+        ]
       },
       'cflags!': [ '-fno-exceptions' ],
       'cflags_cc!': [ '-fno-exceptions' ],