RUBY-3501 SSDLC for bson-ruby (#330)

* SSDLC shenanigans...

* publish job depends on the build job

* need Ruby configured to build the native code

* fix regex anchoring (alerted via codeql)

* ignore vendor folder

* apparently we have to specify environment for each job

* see if it picks up jruby this way?

* download all artifacts to the current directory

don't create separate directories for each downloaded artifact.

* authorized-pub task doesn't like globs with spaces in them

* use boolean type for dry-run flag

* don't need to specify "false" explicitly anymore

* simplify the build phase (don't need secure checkout)

Author: jamis

.github/workflows/cleanup.yml

@@ -0,0 +1,44 @@
+name: "Dry-Run Cleanup"
+run-name: "Dry Run Cleanup for ${{ github.ref }}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      confirm:
+        description: Indicate whether you want this workflow to run (must be "true")
+        required: true
+        type: string
+      tag:
+        description: The name of the tag (and release) to clean up
+        required: true
+        type: string
+
+jobs:
+  release:
+    name: "Dry-Run Cleanup"
+    environment: release
+    runs-on: 'ubuntu-latest'
+    if: ${{ inputs.confirm == 'true' }}
+
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: write
+
+      # required by the mongodb-labs/drivers-github-tools/setup@v2 step
+      # also required by `rubygems/release-gem`
+      id-token: write
+
+    steps:
+      - name: "Run the cleanup action"
+        uses: mongodb-labs/drivers-github-tools/ruby/cleanup@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
+          tag: ${{ inputs.tag }}

.github/workflows/codeql.yml

@@ -0,0 +1,69 @@
+name: "CodeQL"
+
+on: [ push, pull_request ]
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 360
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: ruby
+            build-mode: none
+          - language: c
+            build-mode: manual
+          - language: java
+            build-mode: none
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        config: |
+          paths-ignore:
+            - .evergreen
+            - spec
+            - perf
+            - vendor
+
+    - name: Setup Ruby
+      if: matrix.build-mode == 'manual'
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: '3.2'
+        bundler-cache: true
+
+    - name: Manually build the native code
+      if: matrix.build-mode == 'manual'
+      run: |
+        bundle exec rake compile
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
+

.github/workflows/release.yml

@@ -0,0 +1,170 @@
+name: "BSON Release"
+run-name: "BSON Release for ${{ github.ref }}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: Whether this is a dry run or not
+        required: true
+        default: true
+        type: boolean
+
+env:
+  SILK_ASSET_GROUP: bson-ruby
+  RELEASE_MESSAGE_TEMPLATE: |
+    Version {0} of [BSON for Ruby](https://rubygems.org/gems/bson) is now available.
+
+    **Release Highlights**
+
+    TODO: one or more paragraphs describing important changes in this release
+
+    **Documentation**
+
+    Documentation is available at [MongoDB.com](https://www.mongodb.com/docs/ruby-driver/current/tutorials/bson/).
+
+    **Installation**
+
+    You may install this version via RubyGems, with:
+
+    gem install --version {0} bson
+
+permissions:
+  # required for all workflows
+  security-events: write
+
+  # required to fetch internal or private CodeQL packs
+  packages: read
+
+  # only required for workflows in private repositories
+  actions: read
+  contents: write
+
+  # required by the mongodb-labs/drivers-github-tools/setup@v2 step
+  # also required by `rubygems/release-gem`
+  id-token: write
+
+jobs:
+  build:
+    name: "Build Gems"
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [ '3.2', jruby ]
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Set output gem file name
+        shell: bash
+        run: |
+          echo "GEM_FILE_NAME=$(bundle exec rake gem_file_name)" >> "$GITHUB_ENV"
+
+      - name: Build the gem
+        shell: bash
+        run: bundle exec rake build
+
+      - name: Save the generated gem file for later
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.GEM_FILE_NAME }}
+          path: ${{ env.GEM_FILE_NAME }}
+          retention-days: 1
+          overwrite: true
+
+  publish:
+    name: Publish Gems
+    needs: build
+    environment: release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: mongodb-labs/drivers-github-tools/secure-checkout@v2
+        with:
+          app_id: ${{ vars.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+          bundler-cache: true
+
+      - name: Get the release version
+        shell: bash
+        run: echo "RELEASE_VERSION=$(bundle exec rake version)" >> "$GITHUB_ENV"
+
+      - name: Setup GitHub tooling for DBX Drivers
+        uses: mongodb-labs/drivers-github-tools/setup@v2
+        with:
+          aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
+          aws_region_name: ${{ vars.AWS_REGION_NAME }}
+          aws_secret_id: ${{ secrets.AWS_SECRET_ID }}
+
+      - name: Fetch the gem artifacts
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
+
+      - name: Sign the gems
+        uses: mongodb-labs/drivers-github-tools/gpg-sign@v2
+        with:
+          filenames: '*.gem'
+
+      - name: Generate SSDLC Reports
+        uses: mongodb-labs/drivers-github-tools/full-report@v2
+        with:
+          product_name: BSON for Ruby
+          release_version: ${{ env.RELEASE_VERSION }}
+          dist_filenames: '*.gem'
+          silk_asset_group: bson-ruby
+
+      - name: Create the tag
+        uses: mongodb-labs/drivers-github-tools/tag-version@v2
+        with:
+          version: ${{ env.RELEASE_VERSION }}
+          tag_template: "v${VERSION}"
+          tag_message_template: "Release tag for v${VERSION}"
+
+      - name: Create a new release
+        shell: bash
+        run: gh release create v${{ env.RELEASE_VERSION }} --title ${{ env.RELEASE_VERSION }} --generate-notes --draft
+
+      - name: Capture the changelog
+        shell: bash
+        run: gh release view v${{ env.RELEASE_VERSION }} --json body --template '{{ .body }}' >> changelog
+
+      - name: Prepare release message
+        shell: bash
+        run: |
+          echo "${{ format(env.RELEASE_MESSAGE_TEMPLATE, env.RELEASE_VERSION) }}" > release-message
+          cat changelog >> release-message
+
+      - name: Update release information
+        shell: bash
+        run: |
+          echo "RELEASE_URL=$(gh release edit v${{ env.RELEASE_VERSION }} --notes-file release-message)" >> "$GITHUB_ENV"
+
+      - name: Upload release artifacts
+        shell: bash
+        run: gh release upload v${{ env.RELEASE_VERSION }} *.gem ${{ env.RELEASE_ASSETS }}/*.sig
+
+      - name: Upload S3 assets
+        uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v2
+        with:
+          version: ${{ env.RELEASE_VERSION }}
+          product_name: 'bson-ruby'
+          dry_run: ${{ inputs.dry_run }}
+
+      - name: Publish the gems
+        uses: rubygems/release-gem@v1
+        if: inputs.dry_run == 'false'
+        with:
+          await-release: false