Skip to content

Release Publish

Release Publish #193

name: Release Publish
on:
workflow_dispatch:
inputs:
version:
required: true
description: Release version (e.g. 2022.1.0 or 2022.1.0-beta.0)
env:
RELEASE_VERSION: ${{ github.event.inputs.version }}
RELEASE_CORE_TAG: core@${{ github.event.inputs.version }}
RELEASE_BRANCH: release/${{ github.event.inputs.version }}
IS_PRERELEASE: ${{ contains(github.event.inputs.version, 'alpha') || contains(github.event.inputs.version, 'beta') }}
ARTIFACTS_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts
INSO_DOCKER_IMAGE: kong/inso # By default, registry is docker.io
NOTARY_REPOSITORY: 'kong/notary' # All signatures will be pushed to public notary repository
jobs:
publish:
timeout-minutes: 15
runs-on: ubuntu-latest
outputs:
NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }}
INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.cli_binary_hashes.outputs.handle }}
INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }}
INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }}
ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.electron_binary_hashes.outputs.handle }}
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info for keyless signing of docker image
contents: write # Required to upload assets. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
packages: write
steps:
- name: Checkout branch # Check out the release branch
uses: actions/checkout@v4
with:
ref: ${{ env.RELEASE_BRANCH }}
fetch-depth: 0
persist-credentials: false
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: 'npm'
cache-dependency-path: package-lock.json
- name: Install packages
run: npm ci
- name: Download all artifacts from release-build.yml
uses: dawidd6/action-download-artifact@v2
with:
github_token: ${{secrets.GITHUB_TOKEN}}
workflow: release-build.yml
workflow_conclusion: success
branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created
path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets
- name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily
id: metadata
run: |
INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj)
echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV
echo "CLI_ARTIFACT_BASE64_FILE=${{env.CLI_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV
echo "ELECTRON_ARTIFACT_BASE64_FILE=${{env.ELECTRON_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV
./.github/scripts/generate-binary-digest.sh
env:
ARTIFACT_PATH: "${{ env.ARTIFACTS_DOWNLOAD_PATH }}"
CLI_ARTIFACT_SHAFILE: ${{runner.temp}}/cli.sha256
ELECTRON_ARTIFACT_SHAFILE: ${{runner.temp}}/electron.sha256
CLI_ARTIFACT_BASE64_FILE: ${{runner.temp}}/cli_digests_file.text
ELECTRON_ARTIFACT_BASE64_FILE: ${{runner.temp}}/electron_digests_file.text
- name: Calculate CLI Binary base64 file handle
uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.0.0
id: cli_binary_hashes
with:
path: ${{ env.CLI_ARTIFACT_BASE64_FILE }}
- name: Calculate Electron Binary base64 file handle
uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.0.0
id: electron_binary_hashes
with:
path: ${{ env.ELECTRON_ARTIFACT_BASE64_FILE }}
- name: Create Tag and Release
uses: ncipollo/release-action@v1
id: core_tag_and_release
with:
tag: ${{ env.RELEASE_CORE_TAG }}
name: "${{ env.RELEASE_VERSION }} 📦"
generateReleaseNotes: true
commit: ${{ env.RELEASE_BRANCH }}
prerelease: ${{ env.IS_PRERELEASE }}
draft: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload artifacts to release
uses: xresloader/upload-to-github-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.core_tag_and_release.outputs.id }}
tag_name: ${{ env.RELEASE_CORE_TAG }}
file: "./artifacts/*-artifacts/insomnia/dist/Insomnia.*;./artifacts/*-artifacts/insomnia/dist/squirrel-windows/*;./artifacts/*-artifacts/insomnia-inso/artifacts/inso-*;./artifacts/**/*sbom.{spdx,cyclonedx}.json"
# /github/workspace/artifacts/windows-latest-artifacts/***/dist/squirrel-windows/Insomnia.Core-9.3.0-beta.1.exe
# /github/workspace/artifacts/windows-latest-artifacts/***/dist/squirrel-windows/Insomnia.Core-9.3.0-beta.1-full.nupkg
# /github/workspace/artifacts/windows-latest-artifacts/***/dist/squirrel-windows/RELEASES
# /home/runner/work/***/***/artifacts/macos-13-artifacts/***/dist/Insomnia.Core-9.3.0-alpha.7.dmg
# /home/runner/work/***/***/artifacts/ubuntu-latest-artifacts/***/dist/Insomnia.Core-9.3.0-alpha.7.deb
# /home/runner/work/***/***/artifacts/ubuntu-latest-artifacts/***-inso/artifacts/inso-linux-9.3.0-alpha.7.tar.xz
# /home/runner/work/***/***/artifacts/macos-13-artifacts/***-inso/artifacts/inso-macos-13-9.3.0-alpha.7.pkg
# /home/runner/work/***/***/artifacts/image-inso-Linux-sbom.spdx.json/image-inso-Linux-sbom.spdx.json
# /home/runner/work/***/***/artifacts/sbom.cyclonedx.json/sbom.cyclonedx.json
prerelease: ${{ env.IS_PRERELEASE }}
draft: false
- name: Publish beta/stable of Insomnia to Insomnia API
if: ${{ !contains(github.event.inputs.version, 'alpha') }}
run: |
curl \
--fail \
--request POST \
--url $INSOMNIA_API_URL/v1/releases \
--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
--header "Content-Type: application/json" \
--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }"
env:
INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
RELEASE_APP: com.insomnia.app
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Publish beta/stable of inso to Insomnia API
if: ${{ !contains(github.event.inputs.version, 'alpha') }}
run: |
curl \
--fail \
--request POST \
--url $INSOMNIA_API_URL/v1/releases \
--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
--header "Content-Type: application/json" \
--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }"
env:
INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
RELEASE_APP: com.insomnia.inso
RELEASE_VERSION: ${{ env.INSO_VERSION }}
RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Load the Inso CLI Docker Archive
run: |
docker load -i ./artifacts/ubuntu-latest-artifacts/insomnia-inso/artifacts/inso-docker-image.tar
docker image ls
- name: Login to Docker Hub
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.1.0
with:
username: ${{ secrets.DOCKER_REGISTRY_USER }}
password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
- name: Docker meta for Inso CLI Docker Image
id: inso_docker_meta
uses: docker/metadata-action@v5
with:
images: ${{ env.INSO_DOCKER_IMAGE }}
tags: |
type=raw,value=${{ env.INSO_VERSION }},prirority=1000
type=raw,value=latest,enable=${{ env.IS_PRERELEASE == 'false' }}
type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }}
type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }}
sep-tags: ","
- name: Push Inso CLI docker image tags to Docker Hub
id: publish_isno_docker_image
run: |
for tag in ${IMAGE_TAGS//,/ }; do \
docker tag insomnia-inso:temp $tag
docker push $tag; \
done
env:
IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }}
# Setup regctl to parse platform specific image digest from image manifest
- name: Install regctl
uses: regclient/actions/regctl-installer@main
# The image manifest digest/sha is generated only after the image is published to registry
- name: Parse architecture specific digest from image manifest
id: image_manifest_metadata
run: |
INSO_IMAGE=${{ env.INSO_DOCKER_IMAGE }}:${{ steps.inso_docker_meta.outputs.version }}
inso_image_sha="$(regctl image digest "${INSO_IMAGE}")"
echo "inso_image_sha=${inso_image_sha}" >> $GITHUB_OUTPUT
# Signing images requires image manifest digest
- name: Sign images
id: sign_images
if: ${{ steps.image_manifest_metadata.outputs.inso_image_sha != '' }}
uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
with:
image_digest: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
tags: ${{ steps.inso_docker_meta.outputs.tags }}
registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
# Optional: Central notary repository for image signatures
signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
signature_registry: ${{ env.NOTARY_REPOSITORY }}
- name: Upload sourcemaps to Sentry
env:
SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}'
SENTRY_ORG: '${{ secrets.SENTRY_ORG }}'
SENTRY_PROJECT: '${{ secrets.SENTRY_PROJECT }}'
run: |
curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.2.0" bash
sentry-cli releases new ${{ env.RELEASE_VERSION }}
sentry-cli releases set-commits ${{ env.RELEASE_VERSION }} --commit 'Kong/insomnia@${{ env.RELEASE_BRANCH }}'
sentry-cli sourcemaps upload -r ${{ env.RELEASE_VERSION }} ./artifacts/*-latest-sentry
- name: Configure Git user
uses: Homebrew/actions/git-user-config@master
with:
username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }}
- name: Merge git branch into develop
run: |
remote_repo="https://${GITHUB_ACTOR}:${RELEASE_GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
git checkout develop
git merge --no-ff ${{ env.RELEASE_BRANCH }}
git status
git push "${remote_repo}"
env:
RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }}
- name: Upload to snapcraft (beta and stable only)
if: ${{ !contains(github.event.inputs.version, 'alpha') }}
uses: snapcore/action-publish@v1
env:
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE_NEW }}
with:
snap: artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap
release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Upload .deb to pulp and/or cloudsmith (stable only)
if: ${{ !contains(github.event.inputs.version, 'alpha') && !contains(github.event.inputs.version, 'beta') }}
uses: docker://kong/release-script:latest
env:
PULP_USERNAME: ${{ secrets.PULP_USERNAME }}
PULP_PASSWORD: ${{ secrets.PULP_PASSWORD }}
PULP_HOST: ${{ secrets.PULP_HOST }}
VERBOSE: ${{ runner.debug == '1' && '1' || '' }}
CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
CLOUDSMITH_DRY_RUN: ''
IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }}
USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }}
USE_PULP: ${{ vars.USE_PULP }}
with:
entrypoint: /entrypoint.sh
args: >
release
--file artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.deb
--dist-name ubuntu
--dist-version focal
--package-type insomnia
${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }}
artifact-provenance:
needs: [publish]
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
contents: write
strategy:
fail-fast: true
matrix:
include:
- product: insomnia
binary_artifacts_subject_as_file: ${{ needs.publish.outputs.ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }}
- product: inso
binary_artifacts_subject_as_file: ${{ needs.publish.outputs.INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }}
# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
base64-subjects-as-file: "${{ matrix.binary_artifacts_subject_as_file }}"
upload-assets: true
upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }}
provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl
draft-release: false
inso-image-provenance:
needs: [publish]
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
image: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE }}
digest: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE_DIGEST }}
provenance-repository: "${{ needs.publish.outputs.NOTARY_REPOSITORY }}"
secrets:
registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}