Release Publish #159
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release Publish | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
required: true | |
description: Release version (e.g. 2022.1.0 or 2022.1.0-beta.0) | |
env: | |
RELEASE_VERSION: ${{ github.event.inputs.version }} | |
RELEASE_CORE_TAG: core@${{ github.event.inputs.version }} | |
RELEASE_BRANCH: release/${{ github.event.inputs.version }} | |
IS_PRERELEASE: ${{ contains(github.event.inputs.version, 'alpha') || contains(github.event.inputs.version, 'beta') }} | |
ARTIFACTS_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts | |
INSO_DOCKER_IMAGE: kong/inso # By default, registry is docker.io | |
NOTARY_REPOSITORY: 'kong/notary' # All signatures will be pushed to public notary repository | |
jobs: | |
publish: | |
timeout-minutes: 15 | |
runs-on: ubuntu-latest | |
outputs: | |
NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }} | |
INSO_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.inso_binary_artifact_digest_base64 }} | |
INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }} | |
INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }} | |
INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }} | |
ELECTRON_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.electron_binary_artifact_digest_base64 }} | |
permissions: | |
id-token: write # needed for signing the images | |
actions: read # For getting workflow run info for keyless signing of docker image | |
contents: write # Required to upload assets. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues | |
packages: write | |
steps: | |
- name: Checkout branch # Check out the release branch | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ env.RELEASE_BRANCH }} | |
fetch-depth: 0 | |
persist-credentials: false | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: ".nvmrc" | |
cache: 'npm' | |
cache-dependency-path: package-lock.json | |
- name: Install packages | |
run: npm ci | |
- name: Download artifact | |
uses: dawidd6/action-download-artifact@v2 | |
with: | |
github_token: ${{secrets.GITHUB_TOKEN}} | |
workflow: release-build.yml | |
workflow_conclusion: success | |
branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created | |
path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets | |
- name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily | |
id: metadata | |
run: | | |
INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj) | |
echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV | |
inso_binary_artifact_digest_base64=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \ | |
\( -name "inso-*.zip" -o -name "inso-*.pkg" -o -name "inso-*.tar.xz" \) \ | |
-exec sha256sum {} \; | sed "s/\(.* \)\(.*\(inso\)\)/\1\\3/" | sort | base64 -w0) | |
echo "Inso CLI Artifact digest:" | |
echo "${inso_binary_artifact_digest_base64}" | |
echo "inso_binary_artifact_digest_base64=${inso_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT | |
electron_binary_artifacts=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \ | |
\( -name "Insomnia.Core-*" \) \ | |
-exec sha256sum {} \; | sed "s/\(.* \)\(.*\(Insomnia.Core\)\)/\1\\3/" | sort) | |
echo "${electron_binary_artifacts}" | |
electron_binary_artifact_digest_base64=$(echo "${electron_binary_artifacts}" | base64 -w0) | |
echo "Electron Binary Artifact digest:" | |
echo "${electron_binary_artifact_digest_base64}" | |
echo "electron_binary_artifact_digest_base64=${electron_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT | |
- name: Temporarily move artifacts | |
shell: bash | |
run: | | |
mv ./artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows/Insomnia.Core-${{ env.RELEASE_VERSION }}.exe ./artifacts/ | |
- name: Code-sign Windows .exe artifact | |
uses: sslcom/actions-codesigner@develop | |
with: | |
command: sign | |
username: ${{secrets.ES_USERNAME}} | |
password: ${{secrets.ES_PASSWORD}} | |
credential_id: ${{secrets.ES_CREDENTIAL_ID}} | |
totp_secret: ${{secrets.ES_TOTP_SECRET}} | |
file_path: ${GITHUB_WORKSPACE}/artifacts/Insomnia.Core-${{ env.RELEASE_VERSION }}.exe | |
output_path: ${GITHUB_WORKSPACE}/artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows | |
# - name: Code-sign Windows portable .exe artifact | |
# uses: sslcom/actions-codesigner@develop | |
# with: | |
# command: sign | |
# username: ${{secrets.ES_USERNAME}} | |
# password: ${{secrets.ES_PASSWORD}} | |
# credential_id: ${{secrets.ES_CREDENTIAL_ID}} | |
# totp_secret: ${{secrets.ES_TOTP_SECRET}} | |
# file_path: ${GITHUB_WORKSPACE}/artifacts/Insomnia.Core-${{ env.RELEASE_VERSION }}-portable.exe | |
# output_path: ${GITHUB_WORKSPACE}/artifacts/windows-latest-artifacts/insomnia/dist | |
- name: Create Tag and Release | |
uses: ncipollo/release-action@v1 | |
id: core_tag_and_release | |
with: | |
tag: ${{ env.RELEASE_CORE_TAG }} | |
name: "${{ env.RELEASE_VERSION }} 📦" | |
generateReleaseNotes: true | |
commit: ${{ env.RELEASE_BRANCH }} | |
prerelease: ${{ env.IS_PRERELEASE }} | |
draft: false | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Upload artifacts to release | |
uses: xresloader/upload-to-github-release@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
release_id: ${{ steps.core_tag_and_release.outputs.id }} | |
tag_name: ${{ env.RELEASE_CORE_TAG }} | |
file: "./artifacts/*-latest-artifacts/insomnia/**;./artifacts/inso-*;./artifacts/*sbom.{spdx,cyclonedx}.json" | |
prerelease: ${{ env.IS_PRERELEASE }} | |
draft: false | |
- name: Publish beta/stable of Insomnia to Insomnia API | |
if: "!contains(github.event.inputs.version, 'alpha')" | |
run: | | |
curl \ | |
--fail \ | |
--request POST \ | |
--url $INSOMNIA_API_URL/v1/releases \ | |
--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \ | |
--header "Content-Type: application/json" \ | |
--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }" | |
env: | |
INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }} | |
INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }} | |
RELEASE_APP: com.insomnia.app | |
RELEASE_VERSION: ${{ env.RELEASE_VERSION }} | |
RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} | |
- name: Publish beta/stable of inso to Insomnia API | |
if: "!contains(github.event.inputs.version, 'alpha')" | |
run: | | |
curl \ | |
--fail \ | |
--request POST \ | |
--url $INSOMNIA_API_URL/v1/releases \ | |
--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \ | |
--header "Content-Type: application/json" \ | |
--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }" | |
env: | |
INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }} | |
INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }} | |
RELEASE_APP: com.insomnia.inso | |
RELEASE_VERSION: ${{ env.INSO_VERSION }} | |
RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} | |
- name: Upload to snapcraft (beta and stable only) | |
if: "!contains(github.event.inputs.version, 'alpha')" | |
uses: snapcore/action-publish@7fe468c9de12396a9c8964af5d0dfd1d5b493bd7 | |
env: | |
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE }} | |
with: | |
snap: artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap | |
release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} | |
- name: Upload .deb to pulp and/or cloudsmith (stable only) | |
uses: docker://kong/release-script:latest | |
env: | |
PULP_USERNAME: ${{ secrets.PULP_USERNAME }} | |
PULP_PASSWORD: ${{ secrets.PULP_PASSWORD }} | |
PULP_HOST: ${{ secrets.PULP_HOST }} | |
VERBOSE: ${{ runner.debug == '1' && '1' || '' }} | |
CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} | |
CLOUDSMITH_DRY_RUN: '' | |
IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }} | |
USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }} | |
USE_PULP: ${{ vars.USE_PULP }} | |
with: | |
entrypoint: /entrypoint.sh | |
args: > | |
release | |
--file artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.deb | |
--dist-name ubuntu | |
--dist-version focal | |
--package-type insomnia | |
${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }} | |
- name: Load the Inso CLI Docker Archive | |
run: | | |
docker load -i ./artifacts/ubuntu-latest-artifacts/insomnia-inso/artifacts/inso-docker-image.tar | |
docker image ls | |
- name: Login to Docker Hub | |
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.1.0 | |
with: | |
username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
- name: Docker meta for Inso CLI Docker Image | |
id: inso_docker_meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: ${{ env.INSO_DOCKER_IMAGE }} | |
tags: | | |
type=raw,value=${{ env.INSO_VERSION }},prirority=1000 | |
type=raw,value=latest,enable=${{ env.IS_PRERELEASE == 'false' }} | |
type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }} | |
type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }} | |
sep-tags: "," | |
- name: Push Inso CLI docker image tags to Docker Hub | |
id: publish_isno_docker_image | |
run: | | |
for tag in ${IMAGE_TAGS//,/ }; do \ | |
docker tag insomnia-inso:temp $tag | |
docker push $tag; \ | |
done | |
env: | |
IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }} | |
# Setup regctl to parse platform specific image digest from image manifest | |
- name: Install regctl | |
uses: regclient/actions/regctl-installer@main | |
# The image manifest digest/sha is generated only after the image is published to registry | |
- name: Parse architecture specific digest from image manifest | |
id: image_manifest_metadata | |
run: | | |
INSO_IMAGE=${{ env.INSO_DOCKER_IMAGE }}:${{ steps.inso_docker_meta.outputs.version }} | |
inso_image_sha="$(regctl image digest "${INSO_IMAGE}")" | |
echo "inso_image_sha=${inso_image_sha}" >> $GITHUB_OUTPUT | |
# Signing images requires image manifest digest | |
- name: Sign images | |
id: sign_images | |
if: ${{ steps.image_manifest_metadata.outputs.inso_image_sha != '' }} | |
uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2 | |
with: | |
image_digest: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }} | |
tags: ${{ steps.inso_docker_meta.outputs.tags }} | |
registry_username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
# Optional: Central notary repository for image signatures | |
signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
signature_registry: ${{ env.NOTARY_REPOSITORY }} | |
- name: Upload sourcemaps to Sentry | |
env: | |
SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}' | |
SENTRY_ORG: '${{ secrets.SENTRY_ORG }}' | |
SENTRY_PROJECT: '${{ secrets.SENTRY_PROJECT }}' | |
run: | | |
curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.2.0" bash | |
sentry-cli releases new ${{ env.RELEASE_VERSION }} | |
sentry-cli releases set-commits ${{ env.RELEASE_VERSION }} --commit 'Kong/insomnia@${{ env.RELEASE_BRANCH }}' | |
sentry-cli sourcemaps upload -r ${{ env.RELEASE_VERSION }} ./artifacts/*-latest-sentry | |
- name: Configure Git user | |
uses: Homebrew/actions/git-user-config@master | |
with: | |
username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }} | |
- name: Merge git branch into develop | |
run: | | |
remote_repo="https://${GITHUB_ACTOR}:${RELEASE_GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" | |
git checkout develop | |
git merge --no-ff ${{ env.RELEASE_BRANCH }} | |
git status | |
git push "${remote_repo}" | |
env: | |
RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }} | |
artifact-provenance: | |
needs: [publish] | |
permissions: | |
id-token: write # needed for signing the images | |
actions: read # For getting workflow run info to build provenance | |
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues | |
contents: write | |
strategy: | |
fail-fast: true | |
matrix: | |
include: | |
- product: insomnia | |
binary_artifacts_digest_base64: ${{ needs.publish.outputs.ELECTRON_BINARY_ARTIFACTS_DIGEST_BASE64 }} | |
- product: inso | |
binary_artifacts_digest_base64: ${{ needs.publish.outputs.INSO_BINARY_ARTIFACTS_DIGEST_BASE64 }} | |
# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498 | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 | |
with: | |
base64-subjects: ${{matrix.binary_artifacts_digest_base64 }} | |
upload-assets: true | |
upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }} | |
provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl | |
draft-release: false | |
inso-image-provenance: | |
needs: [publish] | |
permissions: | |
id-token: write # needed for signing the images | |
actions: read # For getting workflow run info to build provenance | |
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues | |
# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498 | |
contents: write | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 | |
with: | |
image: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE }} | |
digest: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE_DIGEST }} | |
provenance-repository: "${{ needs.publish.outputs.NOTARY_REPOSITORY }}" | |
secrets: | |
registry-username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} |