chore(NODE-4869): sign and upload to releases

Author: durran

.github/actions/sign_and_upload_native/action.yml

@@ -0,0 +1,32 @@
+name: Sign and Upload Native
+description: 'Signs and uploads the native release artifacts'
+
+inputs: 
+    garasign_username:
+      description: 'Garasign username input for drivers-github-tools/garasign/gpg-sign'
+      required: true
+    garasign_password:
+      description: 'Garasign password input for drivers-github-tools/garasign/gpg-sign'
+      required: true
+    artifactory_username:
+      description: 'Artifactory username input for drivers-github-tools/garasign/gpg-sign'
+      required: true
+    artifactory_password:
+      description: 'Artifactory password input for drivers-github-tools/garasign/gpg-sign'
+      required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/download-artifact@v4
+
+    - name: Display structure of downloaded files
+      run: ls -R
+
+    - name: Get release version and release package file name
+      id: vars
+      shell: bash
+      run: |
+        package_version=$(jq --raw-output '.version' package.json)
+        echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+        echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT"

.github/actions/sign_and_upload_package/action.yml

@@ -0,0 +1,43 @@
+name: Sign and Upload Package
+description: 'Signs and uploads the release artifacts'
+
+inputs: 
+    garasign_username:
+      description: 'Garasign username input for drivers-github-tools/garasign/gpg-sign'
+      required: true
+    garasign_password:
+      description: 'Garasign password input for drivers-github-tools/garasign/gpg-sign'
+      required: true
+    artifactory_username:
+      description: 'Artifactory username input for drivers-github-tools/garasign/gpg-sign'
+      required: true
+    artifactory_password:
+      description: 'Artifactory password input for drivers-github-tools/garasign/gpg-sign'
+      required: true
+
+runs:
+  using: composite
+  steps:
+    - run: npm pack
+      shell: bash
+
+    - name: Get release version and release package file name
+      id: vars
+      shell: bash
+      run: |
+        package_version=$(jq --raw-output '.version' package.json)
+        echo "package_version=${package_version}" >> "$GITHUB_OUTPUT"
+        echo "package_file=bson-${package_version}.tgz" >> "$GITHUB_OUTPUT"
+
+    - name: Create detached signature
+      uses: mongodb-labs/drivers-github-tools/garasign/gpg-sign@v1
+      with:
+        filenames: ${{ steps.vars.package_file }}
+        garasign_username: ${{ inputs.garasign_username }}
+        garasign_password: ${{ inputs.garasign_password }}
+        artifactory_username: ${{ inputs.artifactory_username }}
+        artifactory_password: ${{ inputs.artifactory_password }}
+
+    - name: "Upload release artifacts"
+      run: gh release upload v${{ steps.vars.package_version }} ${{ steps.vars.package_file }}.sig
+      shell: bash

.github/workflows/build.yml

@@ -79,3 +79,21 @@ jobs:
           if-no-files-found: 'error'
           retention-days: 1
           compression-level: 0
+
+  sign_and_upload:
+    needs: [host_builds, container_builds]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: actions/setup
+        uses: ./.github/actions/setup
+      - name: actions/sign_and_upload_package
+        uses: ./.github/actions/sign_and_upload_package
+        with: 
+          garasign_username: ${{ secrets.GRS_CONFIG_USER1_USERNAME }}
+          garasign_password: ${{ secrets.GRS_CONFIG_USER1_PASSWORD }}
+          artifactory_username: ${{ secrets.ARTIFACTORY_USER }}
+          artifactory_password: ${{ secrets.ARTIFACTORY_PASSWORD }}
+      # - run: npm publish --provenance
+      #  env:
+      #    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}