Type: Question
Resolution: Done
Priority: Minor - P4
Affects Version/s: None
Component/s: None
Tools and Replicator
We're working on collecting information about MongoDB Products' publishing to public distribution channels (DEVPROD-4940) to understand if we're compliant with the "Authorized publication on third party distribution channels" requirement of the SSDLC Policy.
Please answer the following questions about releases/publishes for your product. There are 2 sections - one for 3rd party channels (like dockerhub, pypi, crates.io) and one for MongoDB-managed channels (like repo.mongodb.com, fastdl.mongodb.org). The compliance requirement currently specifies 3rd party channels, so it's a higher priority. But we'd also like to assess releases/publishes to our own distribution channels for security reasons.
I'll try to pre-populate some answers based on what we know today. Feel free to change that information if it's incorrect.
Feel free to re-assign this ticket or move to another project if needed. You can close the ticket after you answer the questions. Thank you!
For 3rd party distribution channels:
What distribution channels do you publish to? E.g. PyPI, npmjs, dockerhub, etc.
> None
Are there any publishing tasks that happen manually and/or outside of the CI/CD platforms? E.g. someone's workstation
> N/A (since we don't publish to 3rd-party channels)
Is publishing automated via CI/CD (evergreen, github actions, etc)? If yes, what platforms?
> N/A (since we don't publish to 3rd-party channels)
If automated via CI/CD, does publishing happen in the same project/repo as mainline commits/builds/tests or in a separate project/repo?
> N/A (since we don't publish to 3rd-party channels)
If automated via CI/CD, who can trigger a release or publish to public distribution channels? Only release managers, anyone on the team, anyone with write access to the git repo, etc?
> N/A (since we don't publish to 3rd-party channels)
If automated via CI/CD, does the release project have patch builds enabled? E.g. certain tasks can be triggered from CLI or PR without commits to the main git repo?
> N/A (since we don't publish to 3rd-party channels)
For MongoDB-managed distribution channels:
What distribution channels do you publish to? E.g. repo.mongodb.com/org, downloads.mongodb.com/org, etc.
> downloads.mongodb.com/org, repo.mongodb.com/org, and github.com/mongodb/homebrew-brew
Are there any publishing tasks that happen manually and/or outside of the CI/CD platforms? E.g. someone's workstation
> Publishing to the homebrew tap occurs via pull request on the mongodb/homebrew-brew repo.
Is publishing automated via CI/CD (evergreen, github actions, etc)? If yes, what platforms?
> Yes; automated via evergreen. The archives and linux packages for every platform are built and published via evg.
If automated via CI/CD, does publishing happen in the same project/repo as mainline commits/builds/tests or in a separate project/repo?
> Same project & repo as regular builds and tests
If automated via CI/CD, who can trigger a release or publish to public distribution channels? Only release managers, anyone on the team, anyone with write access to the git repo, etc?
> Release builds are done via evergreen's tag-triggered versions. This requires that someone both has permission to push a git tag to the repo and is configured in evg to allowlist their commits for tag-triggered builds.
If automated via CI/CD, does the release project have patch builds enabled? E.g. certain tasks can be triggered from CLI or PR without commits to the main git repo?
> Patch builds are enabled, since it's the same repo as regular development. Release tasks are configured to be git tag only, but a patch could change that.