Merge remote-tracking branch 'origin/beta-releases' into ga-releases

.evergreen/docker-config/bin/docker-credential-from-env

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+set -euo pipefail
+
+DOCKER_HUB_URL="https://index.docker.io/v1/"
+
+STDIN=$(cat)
+
+ACTION="$1"
+
+case "$ACTION" in
+  get)
+    SERVER_URL="$STDIN"
+
+    if [[ "$SERVER_URL" == "$DOCKER_HUB_URL" ]]; then
+      if [[ -z "${DOCKERHUB_USERNAME:-}" || -z "${DOCKERHUB_PASSWORD:-}" ]]; then
+        echo "Error: DOCKERHUB_USERNAME or DOCKERHUB_PASSWORD environment variables are not set." >&2
+        exit 1
+      fi
+
+      echo "{\"Username\": \"$DOCKERHUB_USERNAME\", \"Secret\": \"$DOCKERHUB_PASSWORD\"}"
+    else
+      echo "Error: No credentials available for $SERVER_URL" >&2
+      exit 1
+    fi
+    ;;
+
+  *)
+    echo "Unsupported action: $ACTION" >&2
+    exit 1
+    ;;
+esac

.evergreen/docker-config/config.json

@@ -0,0 +1,6 @@
+{
+	"auths": {
+		"https://index.docker.io/v1/": {}
+	},
+	"credsStore": "from-env"
+} 

.evergreen/functions.yml

@@ -78,6 +78,8 @@ variables:
     GARASIGN_PASSWORD: ${garasign_password}
     ARTIFACTORY_USERNAME: ${artifactory_username}
     ARTIFACTORY_PASSWORD: ${artifactory_password}
+    DOCKERHUB_USERNAME: ${dockerhub_username}
+    DOCKERHUB_PASSWORD: ${dockerhub_password}
 
 # This is here with the variables because anchors aren't supported across includes
 post:
@@ -982,16 +984,7 @@ functions:
 
           echo
 
-          # Runs for all the commits on main, including nightly builds:
-          if [[ "$EVERGREEN_IS_PATCH" != "true" ]] && [[ "${project}" == "10gen-compass-main" ]]; then
-            export JIRA_BASE_URL="https://jira.mongodb.org"
-            export JIRA_PROJECT="COMPASS"
-            export JIRA_VULNERABILITY_BUILD_INFO="- [Evergreen task|$EVERGREEN_TASK_URL]"
-
-            npm run create-vulnerability-tickets
-          else
-            cat .sbom/vulnerability-report.md
-          fi
+          cat .sbom/vulnerability-report.md
 
           echo
 

.evergreen/preinstall.sh

@@ -18,6 +18,8 @@ echo "IS_WINDOWS: $IS_WINDOWS"
 echo "IS_RHEL: $IS_RHEL"
 echo "IS_UBUNTU: $IS_UBUNTU"
 
+echo "DOCKER_CONFIG: $DOCKER_CONFIG"
+
 SCRIPTDIR="$(cd $(dirname "$0"); pwd)"
 
 if [ -n "$IS_WINDOWS" ]; then

.evergreen/print-compass-env.js

@@ -74,6 +74,8 @@ function printCompassEnv() {
     pathsToPrepend.unshift('/opt/mongodbtoolchain/v4/bin');
   }
 
+  pathsToPrepend.unshift(`${originalPWD}/.evergreen/docker-config/bin`);
+
   PATH = maybePrependPaths(PATH, pathsToPrepend);
   printVar('PATH', PATH);
 
@@ -113,6 +115,8 @@ function printCompassEnv() {
 
   // https://jira.mongodb.org/browse/NODE-6320
   printVar('GYP_DEFINES', `kerberos_use_rtld=${process.platform === 'linux'}`);
+
+  printVar('DOCKER_CONFIG', `${originalPWD}/.evergreen/docker-config`);
 }
 
 printCompassEnv();

.evergreen/start-atlas-cloud-cluster.sh

@@ -2,6 +2,7 @@
 
 RUN_ID="$(date +"%s")-$(git rev-parse --short HEAD)"
 DELETE_AFTER="$(date -u -Iseconds -d '+2 hours' 2>/dev/null || date -u -Iseconds -v '+2H')"
+DOCKER_REGISTRY="${DOCKER_REGISTRY:-docker.io}"
 
 # This script helps to automatically provision Atlas cluster for running the e2e
 # tests against. In CI this will always create a new cluster and delete it when
@@ -39,8 +40,8 @@ DELETE_AFTER="$(date -u -Iseconds -d '+2 hours' 2>/dev/null || date -u -Iseconds
 #     MCLI_ORG_ID           Org ID
 #     MCLI_PROJECT_ID       Project ID
 #
-#     COMPASS_E2E_ATLAS_CLOUD_SANDBOX_USERNAME         Cloud user you created
-#     COMPASS_E2E_ATLAS_CLOUD_SANDBOX_PASSWORD         Cloud user password
+#     COMPASS_E2E_ATLAS_CLOUD_SANDBOX_USERNAME  Cloud user you created
+#     COMPASS_E2E_ATLAS_CLOUD_SANDBOX_PASSWORD  Cloud user password
 #
 # - Source the script followed by running the tests to make sure that some
 #   variables exported from this script are available for the test env:
@@ -68,7 +69,7 @@ function atlascli() {
     -e MCLI_ORG_ID \
     -e MCLI_PROJECT_ID \
     -e MCLI_OPS_MANAGER_URL \
-    mongodb/atlas atlas $@
+    "$DOCKER_REGISTRY/mongodb/atlas" atlas $@
 }
 
 cleanup() {

.github/workflows/authors-and-third-party-notices.yaml

@@ -15,20 +15,27 @@ jobs:
     env:
       HADRON_DISTRIBUTION: compass
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
           # this is important so git log can pick up on
           # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
+          fetch-depth: "0"
+          token: ${{ steps.app-token.outputs.token }}
 
-
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install [email protected]
         run: |
@@ -40,38 +47,26 @@ jobs:
           npm run bootstrap-ci
 
       - name: Update AUTHORS
-        run: npm run update-authors
+        run: |
+          npm run update-authors
+          git add AUTHORS
 
       - name: Update THIRD-PARTY-NOTICES.md
-        run: npm run update-third-party-notices
+        run: |
+          npm run update-third-party-notices
+          git add THIRD-PARTY-NOTICES.md
 
       - name: Update Security Test Summary
         run: |
           npm run update-security-test-summary
+          git add docs/security-test-summary.md
 
       - name: Update tracking-plan.md
-        run: npm run update-tracking-plan
-
-      - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
-        with:
-          commit-message: Update report
-          branch: ci/update-3rd-party-notices-and-authors
-          title: 'chore: update AUTHORS, THIRD-PARTY-NOTICES, Security Test Summary'
-          add-paths: |
-            THIRD-PARTY-NOTICES.md
-            AUTHORS
-            docs/security-test-summary.md
-            docs/tracking-plan.md
-          body: |
-            - Update `AUTHORS`, `THIRD-PARTY-NOTICES`, docs/tracking-plan.md and `docs/security-test-summary.md`
+        run: |
+          npm run update-tracking-plan
+          git add docs/tracking-plan.md
 
-      - name: Merge PR
-        env:
-          PULL_REQUEST_NUMBER: ${{steps.cpr.outputs.pull-request-number}}
-          # NOTE: we don't use a PAT so to not trigger further automation
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Commit and push
         run: |
-          gh pr merge $PULL_REQUEST_NUMBER --squash --delete-branch
-          gh workflow run codeql.yml -r main
+          git commit --no-allow-empty -m "chore: update AUTHORS, THIRD-PARTY-NOTICES, Security Test Summary [skip actions]" || true
+          git push

.github/workflows/bump-packages.yaml

@@ -10,24 +10,22 @@ jobs:
     name: Bump packages
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
-          # this is important so git log can pick up on
-          # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
-
-      - name: Setup git
-        run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install [email protected]
         run: |
@@ -40,21 +38,20 @@ jobs:
 
       - name: Bump packages
         env:
-          LAST_BUMP_COMMIT_MESSAGE: 'chore(release): bump package versions'
-          SKIP_BUMP_PACKAGES: 'mongodb-compass'
+          LAST_BUMP_COMMIT_MESSAGE: "chore(release): bump package versions"
+          SKIP_BUMP_PACKAGES: "mongodb-compass"
         run: |
           npm run bump-packages
           git add .
           git commit --no-allow-empty -m "$LAST_BUMP_COMMIT_MESSAGE" || true
 
       - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5
         with:
-          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
-          commit-message: 'chore(release): bump package versions'
+          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }} # TODO: replace with steps.app-token.outputs.token when it gets the PR permissions
+          commit-message: "chore(release): bump package versions"
           branch: ci/bump-packages
-          title: 'chore(release): bump package versions'
+          title: "chore(release): bump package versions"
           labels: no-title-validation
           body: |
             - Bump package versions

.github/workflows/merge-bump-packages-pr.yaml

@@ -3,18 +3,23 @@ on:
   workflow_dispatch:
   schedule:
     # Each Tuesday at 5 AM UTC
-    - cron: '0 5 * * 2'
+    - cron: "0 5 * * 2"
 
 jobs:
   merge_bump_packages_pr:
     name: Merge bump packages PR
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
 
       - name: Merge PR
         env:
-          GITHUB_TOKEN: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
           set -e
           PR_NUMBER=$(gh pr list -s open --head=ci/bump-packages --limit=1 --json number | jq '.[0].number')

.github/workflows/update-electron.yaml

@@ -11,44 +11,40 @@ jobs:
     name: Update Electron
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Create Github App Token
+        uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
+        id: app-token
+        with:
+          app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }}
+          private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }}
+
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
-          # this is important so git log can pick up on
-          # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
-
-      - name: Setup git
-        run: |
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git config --local user.name "github-actions[bot]"
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
           node-version: 20.16.0
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install [email protected]
         run: |
           npm install -g [email protected]
+
       - name: Install Dependencies
-        run: |
-          npm -v
-          npm ci
+        run: npm ci
+
       - name: Bump packages
-        run: |
-          node scripts/update-electron.js
-          git add .
-          git commit --no-allow-empty -m "chore(deps): update electron" || true
+        run: node scripts/update-electron.js
+
       - name: Create Pull Request
-        id: cpr
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5
         with:
-          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }}
-          commit-message: 'chore(deps): update electron'
+          token: ${{ secrets.SVC_DEVTOOLSBOT_TOKEN }} # TODO: replace with steps.app-token.outputs.token when it gets the PR permissions
+          commit-message: "chore(deps): update electron"
           branch: ci/update-electron
-          title: 'chore(deps): update electron'
+          title: "chore(deps): update electron"
           labels: no-title-validation
           body: |
             - Update electron

CONTRIBUTING.md

@@ -97,7 +97,7 @@ In particular each change to the `main` branch is analyzed to calculate a new ve
 
 Merging that PR will trigger another CI job that will publish to NPM any package which version is not yet present on the registry.
 
-The version of packages is calculated following conventional bumps: See https://github.com/mongodb-js/devtools-shared/tree/main/packages/bump-monorepo-packages for details.
+The version of packages is calculated following conventional bumps: See https://github.com/mongodb-js/devtools-shared/tree/main/packages/monorepo-tools for details.
 
 ## Add / Update / Remove Dependencies in Packages
 
@@ -115,6 +115,14 @@ npm run create-workspace [workspace name]
 
 This will do all the initial workspace bootstrapping for you, ensuring that your package has all the standard configs set up and ready, and all the npm scripts aligned with other packages in the monorepo, which is important to get the most out of all the provided helpers in this repository (like `npm run check-changed` commands or to make sure that your tests will not immediately fail in CI because of the test timeout being too small)
 
+## Using Github Actions
+
+Github actions offers an easy way to create workflows that run various automated checks. While our main CI system is Evergreen, we have a number of auxiliary workflows configured to run using github actions. While adding new workflows or updating existing ones, it's important that we follow [the security hardening guidelines](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) by Github. Those can change over time, so be sure to periodically review them to make sure we're not using insecure workflows. Some notable highlights to pay special attention to are:
+1. Avoid using tag or branch refs for untrusted 3rd party actions. Those can easily be recreated by malicious actors and introduce supply chain attacks. As a rule of thumb, first party actions are considered actions by MongoDB, Github, Microsoft, or the primary maintainer of a particular ecosystem - e.g. Amazon for AWS. When using a 3rd party action, always use the full git commit sha as the ref to checkout.
+2. Be extra vigilant when using user-supplied data, such as branch name or PR title in scripts as that opens up the possibility of script injection attacks. Instead, prefer to use js actions to achieve the same result or sanitize the input before using it in a script.
+3. Never commit secrets in the workflow file directly - instead use github secrets to store them securely at the repo/org level.
+4. Avoid using repo-level secrets that grant access to deployment/publishing resources. Instead prefer to store these as environment secrets and ensure the correct environments protections are in place.
+
 ## Caveats
 
 ### `hdiutil: couldn't unmount "diskn" - Resource busy` or Similar `hdiutil` Errors

THIRD-PARTY-NOTICES.md

@@ -1,5 +1,5 @@
 The following third-party software is used by and included in **Mongodb Compass**.
-This document was automatically generated on Mon Nov 18 2024.
+This document was automatically generated on Sun Dec 01 2024.
 
 ## List of dependencies