PYTHON-5432 Use ECR instead of artifactory and update to v3

.github/workflows/version.txt

@@ -1 +1 @@
-2
+3

README.md

@@ -26,7 +26,7 @@ used with the `gh` cli.
 
 There is a common setup action that is meant to be run before all
 other actions.  It handles fetching secrets from AWS Secrets Manager,
-signing into Artifactory, setting up Garasign credentials, and
+signing into ECR, setting up Garasign credentials, and
 setting up environment variables used in other actions.
 The action requires `id-token: write` permissions.
 
@@ -45,9 +45,8 @@ The action requires `id-token: write` permissions.
 > `actions/checkout action`
 >
 > The following keys MUST be defined in the ``AWS_SECRET_ID`` vault:
-> `artifactory-username`, `artifactory-password`, `garasign-username`
-> `garasign-password`, `gpg-key-id`.  If uploading to an S3 bucket, also define
-> `release-assets-bucket`.
+> `garasign-username`, `garasign-password`, `gpg-key-id`.
+> If uploading to an S3 bucket, also define `release-assets-bucket`.
 
 ## Signing tools
 

bump-version/action.yml

@@ -16,9 +16,9 @@
   working_directory:
     description: The working directory for the version bump
     default: "."
-  artifactory_image:
-    description: "Image to use for artifactory"
-    default: release-tools-container-registry-local/garasign-git
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
 
 runs:
   using: composite
@@ -36,10 +36,10 @@
         export COMMIT_MESSAGE=$(echo "${{ inputs.commit_template }}" | envsubst)
         echo "COMMIT_MESSAGE=$COMMIT_MESSAGE" >> $GITHUB_ENV
     - name: Commit the version bump
-      uses: mongodb-labs/drivers-github-tools/git-sign@v2
+      uses: mongodb-labs/drivers-github-tools/git-sign@PYTHON-5432
       with:
         command: git commit -a -m \"${{ env.COMMIT_MESSAGE }}\" -s --gpg-sign=${{ env.GPG_KEY_ID }}
-        artifactory_image: ${{ inputs.artifactory_image }}
+        ecr_repository: ${{ inputs.ecr_repository }}
     - name: Push the commit to the source branch
       shell: bash -eux {0}
       run: |

create-branch/action.yml

@@ -23,15 +23,10 @@ inputs:
   release_workflow_path:
     description: The path to the release workflow file
     default: .github/workflows/release.yml
-  artifactory_image:
-    description: Image to use for artifactory
-    default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local
-  # Unused inputs, to be removed in V3.
-  sbom_file_path:
-      description: The path of the sbom-lite file
-      default: sbom.json
-  silk_group_prefix:
-    description: The prefix to use for the silk asset group, defaults to the repo name
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
+
 runs:
   using: composite
   steps:
@@ -43,11 +38,11 @@ runs:
         SBOM_FILE_PATH: ${{ inputs.sbom_file_path }}
         RELEASE_WORKFLOW_PATH: ${{ inputs.release_workflow_path }}
         EVERGREEN_PROJECT: ${{ inputs.evergreen_project }}
-        ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
       run: ${{ github.action_path }}/create-branch.sh
     - uses: mongodb-labs/drivers-github-tools/bump-version@v2
       with:
         version: ${{ inputs.version }}
         version_bump_script: ${{ inputs.version_bump_script }}
         commit_template: "Prep branch ${{ inputs.branch_name }}"
-        push_commit: ${{ inputs.push_changes }}
+        push_commit: ${{ inputs.push_changes }}
+        ecr_repository: ${{ inputs.ecr_repository }}

full-report/action.yml

@@ -31,15 +31,12 @@
     description: The distribution filename or glob pattern
   token:
     description: The GitHub access token
-  # No longer used, to be removed in V3.
-  silk_asset_group:
-    description: The Silk Asset Group for the Project
 
 runs:
   using: composite
   steps:
     - name: Generate Authorized Publication Report
-      uses: mongodb-labs/drivers-github-tools/authorized-pub@v2
+      uses: mongodb-labs/drivers-github-tools/authorized-pub@PYTHON-5432
       with:
         product_name: ${{ inputs.product_name }}
         release_version: ${{ inputs.release_version }}
@@ -48,19 +45,19 @@
     - name: Generate SBOM File
       # not all packages have third party dependencies, and so not all packages integrate with silk.
       if: ${{ inputs.silk_asset_group }} || ${{ inputs.sbom_in_path }}
-      uses: mongodb-labs/drivers-github-tools/sbom@v2
+      uses: mongodb-labs/drivers-github-tools/sbom@PYTHON-5432
       with:
         silk_asset_group: ${{ inputs.silk_asset_group }}
         sbom_file_name: ${{ inputs.sbom_file_name }}
         kondukto_sub_project: ${{ inputs.kondukto_sub_project }}
         sbom_in_path: ${{ inputs.sbom_in_path }}
     - name: Generate Sarif File
-      uses: mongodb-labs/drivers-github-tools/code-scanning-export@v2
+      uses: mongodb-labs/drivers-github-tools/code-scanning-export@PYTHON-5432
       with:
         ref: ${{ inputs.sarif_report_target_ref || inputs.release_version }}
         output-file: ${{ env.S3_ASSETS }}/code-scanning-alerts.json
     - name: Generate Compliance Report
-      uses: mongodb-labs/drivers-github-tools/compliance-report@v2
+      uses: mongodb-labs/drivers-github-tools/compliance-report@PYTHON-5432
       with:
         release_version: ${{ inputs.release_version }}
         security_report_location: ${{ inputs.security_report_location }}

git-sign/action.yml

@@ -4,20 +4,21 @@
   command:
     description: "Command to run inside the container"
     required: true
-  artifactory_image:
-    description: "Image to use for artifactory"
-    default: release-tools-container-registry-local/garasign-git
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
 
 runs:
   using: composite
   steps:
     - name: "Run git command"
       run: |
-        podman run \
+        WORKING_DIR=/home/git-checkout
+        docker run \
           --env-file=$GARASIGN_ENVFILE \
           --rm \
-          -v $(pwd):$(pwd) \
-          -w $(pwd) \
-          ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
-          /bin/bash -c "gpgloader && ${{ inputs.command }}"
+          -v $(pwd):$WORKING_DIR \
+          -w $WORKING_DIR \
+          ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \
+          /bin/bash -c "git config --global --add safe.directory $WORKING_DIR && gpgloader && ${{ inputs.command }}"
       shell: bash

golang/publish/action.yml

@@ -15,10 +15,6 @@ inputs:
     default: "true"
   token:
     description: The GitHub token
-  # No longer used, to be removed in V3.
-  silk_asset_group:
-    description: The Silk Asset Group for the Project
-    required: false
 
 runs:
   using: composite

gpg-sign/action.yml

@@ -4,9 +4,9 @@
   filenames:
     description: "File name(s) to sign, can be a glob pattern"
     required: true
-  artifactory_image:
-    description: "Image to use for artifactory"
-    default: release-tools-container-registry-local/garasign-gpg
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
 
 runs:
   using: composite
@@ -24,15 +24,15 @@
     - name: "Create detached signature for file"
       shell: bash
       run: |
-        podman run \
+        docker run \
           --env-file=$GARASIGN_ENVFILE \
           --rm \
           -v $(pwd):$(pwd) \
           -w $(pwd) \
-          ${ARTIFACTORY_REGISTRY}/${{ inputs.artifactory_image }} \
+          ${ECR_REGISTRY}/${{ inputs.ecr_repository }} \
           /bin/bash -c 'gpgloader && for filename in ${{ inputs.filenames }}; do gpg --detach-sign --armor --output ${filename}.sig ${filename}; done'
 
     - name: "Move the signature files to the release directory"
       shell: bash
       run: |
         set -eux

python/post-publish/action.yml

@@ -36,10 +36,6 @@
   dry_run:
     description: Whether this is a dry run
     required: true
-  # No longer used, to be removed in V3.
-  silk_asset_group:
-    description: The Silk Asset Group for the Project
-    required: false
 
 runs:
   using: composite
@@ -70,15 +66,15 @@
           echo "VERSION=$VERSION" >> $GITHUB_ENV
         fi
     - name: Create detached signature for dist files
-      uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+      uses: mongodb-labs/drivers-github-tools/gpg-sign@PYTHON-5432
       with:
         filenames: dist/*
     - name: Get the evergreen commit
       id: evergreen-commit
       shell: bash
       run: |
         echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
-    - uses: mongodb-labs/drivers-github-tools/full-report@v2
+    - uses: mongodb-labs/drivers-github-tools/full-report@PYTHON-5432
       with:
         product_name: ${{ inputs.product_name }}
         release_version: ${{ env.VERSION }}
@@ -90,7 +86,7 @@
         evergreen_project: ${{ inputs.evergreen_project }}
         evergreen_commit: ${{ steps.evergreen-commit.outputs.commit }}
         token: ${{ inputs.token }}
-    - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+    - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@PYTHON-5432
       with:
           version: ${{ env.VERSION }}
           product_name: ${{ inputs.product_name }}
@@ -121,7 +117,7 @@
         git clean -dffx
         git pull origin ${GITHUB_REF}
     - name: Set following version
-      uses: mongodb-labs/drivers-github-tools/bump-version@v2
+      uses: mongodb-labs/drivers-github-tools/bump-version@PYTHON-5432
       if: inputs.dry_run == 'false'
       with:
           version: ${{ steps.publish-script.outputs.following_version }}

python/pre-publish/action.yml

@@ -63,15 +63,15 @@
           echo "VERSION=$VERSION" >> $GITHUB_ENV
         fi
     - name: Set version
-      uses: mongodb-labs/drivers-github-tools/bump-version@v2
+      uses: mongodb-labs/drivers-github-tools/bump-version@PYTHON-5432
       if: ${{ inputs.version }}
       with:
         version: ${{ env.VERSION }}
         version_bump_script: ${{ inputs.version_bump_script }}
         working_directory: ${{ inputs.working_directory }}
         push_commit: ${{ env.PUSH_CHANGES }}
     - name: Tag version
-      uses: mongodb-labs/drivers-github-tools/tag-version@v2
+      uses: mongodb-labs/drivers-github-tools/tag-version@PYTHON-5432
       with:
         version: ${{ env.VERSION }}
         tag_template: ${{ inputs.tag_template }}

sbom/action.yml

@@ -10,13 +10,9 @@ inputs:
   kondukto_sub_project:
     description: The Kondukto sub-project name (appended to the branch name)
     required: false
-  artifactory_image:
-    description: Image to use for artifactory
-    default: artifactory.corp.mongodb.com/release-tools-container-registry-public-local/silkbomb:2.0
-  # No longer used, to be removed in V3.
-  silk_asset_group:
-    description: The Silk Asset Group for the Project
-    required: false
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/silkbomb:2.0
 
 runs:
   using: composite
@@ -26,7 +22,7 @@ runs:
       env:
         SBOM_IN_PATH: ${{ inputs.sbom_in_path }}
         KONDUKTO_SUB_PROJECT: ${{ inputs.kondukto_sub_project }}
-        ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
+        ECR_REPOSITORY: ${{ inputs.ecr_repository }}
         SBOM_FILE_NAME: ${{ inputs.sbom_file_name }}
       run: |
         set -eu
@@ -37,14 +33,14 @@ runs:
         fi
         echo "Generating SBOM file for ${KONDUKTO_BRANCH}..."
         echo "Updating SBOM file..."
-        podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
+        docker run --platform="linux/amd64" -i --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
           --env-file=${KONDUKTO_ENVFILE} \
-          ${ARTIFACTORY_IMAGE} \
+          ${ECR_REGISTRY}/${ECR_REPOSITORY} \
           update --sbom-in /repo/${SBOM_IN_PATH} --sbom-out /pwd/cyclonedx.sbom.json --generate-new-serial-number
         echo "Augumenting SBOM file..."
-        podman run --platform="linux/amd64" -it --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
+        docker run --platform="linux/amd64" -i --rm -v ${RELEASE_ASSETS}:/pwd -v $(pwd):/repo \
           --env-file=${KONDUKTO_ENVFILE} \
-          ${ARTIFACTORY_IMAGE} \
+          ${ECR_REGISTRY}/${ECR_REPOSITORY} \
           augment --sbom-in /pwd/cyclonedx.sbom.json --repo ${GITHUB_REPOSITORY} --branch ${KONDUKTO_BRANCH} --sbom-out /pwd/cyclonedx.sbom.json
         cp ${RELEASE_ASSETS}/cyclonedx.sbom.json ${S3_ASSETS}/${SBOM_FILE_NAME}
         echo "Generating SBOM file for ${KONDUKTO_BRANCH}... done."

setup/action.yml

@@ -10,11 +10,9 @@ inputs:
   aws_secret_id:
     description: "The name of the aws secret to use"
     required: true
-  artifactory_username:
-    description: "The artifactory username to be used"
-  artifactory_registry:
-    description: "Artifactory registry to be used"
-    default: artifactory.corp.mongodb.com
+  ecr_registry:
+    description: "The ECR registry to use"
+    default: "901841024863"
 
 runs:
   using: composite
@@ -36,7 +34,14 @@ runs:
     id: setup
     run: ${{ github.action_path }}/setup.sh
     env:
-      ARTIFACTORY_USERNAME_INPUT: ${{ inputs.artifactory_username }}
-      ARTIFACTORY_REGISTRY: ${{ inputs.artifactory_registry }}
-      ARTIFACTORY_IMAGE: ${{ inputs.artifactory_image }}
       AWS_SECRET_ID: ${{ inputs.aws_secret_id }}
+  - name: configure aws credentials for ECR
+    uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
+    with:
+      role-to-assume: ${{ env.ECR_ROLE_ARN }}
+      role-session-name: release-session
+      aws-region: ${{ env.ECR_REGION }}
+  - name: Log in to ECR
+    uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2
+    with:
+      registries: "${{ env.ECR_REGISTRY_ID }}"

setup/setup.sh

@@ -10,14 +10,6 @@ for var in $vars; do
      declare $new_key=${!var}
 done
 
-echo "::group::Set up artifactory"
-ARTIFACTORY_USERNAME=${ARTIFACTORY_USERNAME:-}
-if [ -n "${ARTIFACTORY_USERNAME_INPUT}" ]; then
-  ARTIFACTORY_USERNAME=$ARTIFACTORY_USERNAME_INPUT
-fi
-echo $ARTIFACTORY_PASSWORD | podman login -u $ARTIFACTORY_USERNAME --password-stdin $ARTIFACTORY_REGISTRY
-echo "::endgroup::"
-
 echo "Set up envfile for garasign"
 GARASIGN_ENVFILE=/tmp/garasign-envfile
 cat << EOF > $GARASIGN_ENVFILE
@@ -57,7 +49,10 @@ GPG_PUBLIC_URL=${GPG_PUBLIC_URL:-}
 GARASIGN_ENVFILE=$GARASIGN_ENVFILE
 SILKBOMB_ENVFILE=${SILKBOMB_ENVFILE:-}
 KONDUKTO_ENVFILE=${KONDUKTO_ENVFILE:-}
-ARTIFACTORY_REGISTRY=$ARTIFACTORY_REGISTRY
+ECR_REGISTRY_ID=${ECR_REGISTRY_ID}
+ECR_REGISTRY=${ECR_REGISTRY_ID}.dkr.ecr.${ECR_REGION}.amazonaws.com
+ECR_ROLE_ARN=${ECR_ROLE_ARN}
+ECR_REGION=${ECR_REGION}
 RELEASE_ASSETS=$RELEASE_ASSETS
 S3_ASSETS=$S3_ASSETS
 SECURITY_REPORT_URL=${SECURITY_REPORT_URL:-}

tag-version/action.yml

@@ -13,9 +13,9 @@
   push_tag:
     description: Whether to push the tag
     default: "true"
-  artifactory_image:
-    description: "Image to use for artifactory"
-    default: release-tools-container-registry-local/garasign-git
+  ecr_repository:
+    description: "The ECR repository to use"
+    default: release-infrastructure/garasign-git
 
 runs:
   using: composite
@@ -33,10 +33,10 @@
         export TAG_MESSAGE=$(echo "${{ inputs.tag_message_template }}" | envsubst)
         echo "TAG_MESSAGE=$TAG_MESSAGE" >> $GITHUB_ENV
     - name: Tag the version
-      uses: mongodb-labs/drivers-github-tools/git-sign@v2
+      uses: mongodb-labs/drivers-github-tools/git-sign@PYTHON-5432
       with:
         command: git tag -a \"${{ env.TAG }}\" -m \"${{ env.TAG_MESSAGE }}\" -s --local-user=${{ env.GPG_KEY_ID }}
-        artifactory_image: ${{ inputs.artifactory_image }}
+        ecr_repository: ${{ inputs.ecr_repository }}
     - name: Verify the tag
       shell: bash -eux {0}
       run: |