Skip to content

Release Publish

Release Publish #159

name: Release Publish
on:
workflow_dispatch:
inputs:
version:
required: true
description: Release version (e.g. 2022.1.0 or 2022.1.0-beta.0)
env:
RELEASE_VERSION: ${{ github.event.inputs.version }}
RELEASE_CORE_TAG: core@${{ github.event.inputs.version }}
RELEASE_BRANCH: release/${{ github.event.inputs.version }}
IS_PRERELEASE: ${{ contains(github.event.inputs.version, 'alpha') || contains(github.event.inputs.version, 'beta') }}
ARTIFACTS_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts
INSO_DOCKER_IMAGE: kong/inso # By default, registry is docker.io
NOTARY_REPOSITORY: 'kong/notary' # All signatures will be pushed to public notary repository
jobs:
publish:
timeout-minutes: 15
runs-on: ubuntu-latest
outputs:
NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }}
INSO_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.inso_binary_artifact_digest_base64 }}
INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }}
INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }}
ELECTRON_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.electron_binary_artifact_digest_base64 }}
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info for keyless signing of docker image
contents: write # Required to upload assets. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
packages: write
steps:
- name: Checkout branch # Check out the release branch
uses: actions/checkout@v4
with:
ref: ${{ env.RELEASE_BRANCH }}
fetch-depth: 0
persist-credentials: false
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: 'npm'
cache-dependency-path: package-lock.json
- name: Install packages
run: npm ci
- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
github_token: ${{secrets.GITHUB_TOKEN}}
workflow: release-build.yml
workflow_conclusion: success
branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created
path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets
- name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily
id: metadata
run: |
INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj)
echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV
inso_binary_artifact_digest_base64=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \
\( -name "inso-*.zip" -o -name "inso-*.pkg" -o -name "inso-*.tar.xz" \) \
-exec sha256sum {} \; | sed "s/\(.* \)\(.*\(inso\)\)/\1\\3/" | sort | base64 -w0)
echo "Inso CLI Artifact digest:"
echo "${inso_binary_artifact_digest_base64}"
echo "inso_binary_artifact_digest_base64=${inso_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT
electron_binary_artifacts=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \
\( -name "Insomnia.Core-*" \) \
-exec sha256sum {} \; | sed "s/\(.* \)\(.*\(Insomnia.Core\)\)/\1\\3/" | sort)
echo "${electron_binary_artifacts}"
electron_binary_artifact_digest_base64=$(echo "${electron_binary_artifacts}" | base64 -w0)
echo "Electron Binary Artifact digest:"
echo "${electron_binary_artifact_digest_base64}"
echo "electron_binary_artifact_digest_base64=${electron_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT
- name: Temporarily move artifacts
shell: bash
run: |
mv ./artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows/Insomnia.Core-${{ env.RELEASE_VERSION }}.exe ./artifacts/
- name: Code-sign Windows .exe artifact
uses: sslcom/actions-codesigner@develop
with:
command: sign
username: ${{secrets.ES_USERNAME}}
password: ${{secrets.ES_PASSWORD}}
credential_id: ${{secrets.ES_CREDENTIAL_ID}}
totp_secret: ${{secrets.ES_TOTP_SECRET}}
file_path: ${GITHUB_WORKSPACE}/artifacts/Insomnia.Core-${{ env.RELEASE_VERSION }}.exe
output_path: ${GITHUB_WORKSPACE}/artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows
# - name: Code-sign Windows portable .exe artifact
# uses: sslcom/actions-codesigner@develop
# with:
# command: sign
# username: ${{secrets.ES_USERNAME}}
# password: ${{secrets.ES_PASSWORD}}
# credential_id: ${{secrets.ES_CREDENTIAL_ID}}
# totp_secret: ${{secrets.ES_TOTP_SECRET}}
# file_path: ${GITHUB_WORKSPACE}/artifacts/Insomnia.Core-${{ env.RELEASE_VERSION }}-portable.exe
# output_path: ${GITHUB_WORKSPACE}/artifacts/windows-latest-artifacts/insomnia/dist
- name: Create Tag and Release
uses: ncipollo/release-action@v1
id: core_tag_and_release
with:
tag: ${{ env.RELEASE_CORE_TAG }}
name: "${{ env.RELEASE_VERSION }} 📦"
generateReleaseNotes: true
commit: ${{ env.RELEASE_BRANCH }}
prerelease: ${{ env.IS_PRERELEASE }}
draft: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload artifacts to release
uses: xresloader/upload-to-github-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.core_tag_and_release.outputs.id }}
tag_name: ${{ env.RELEASE_CORE_TAG }}
file: "./artifacts/*-latest-artifacts/insomnia/**;./artifacts/inso-*;./artifacts/*sbom.{spdx,cyclonedx}.json"
prerelease: ${{ env.IS_PRERELEASE }}
draft: false
- name: Publish beta/stable of Insomnia to Insomnia API
if: "!contains(github.event.inputs.version, 'alpha')"
run: |
curl \
--fail \
--request POST \
--url $INSOMNIA_API_URL/v1/releases \
--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
--header "Content-Type: application/json" \
--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }"
env:
INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
RELEASE_APP: com.insomnia.app
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Publish beta/stable of inso to Insomnia API
if: "!contains(github.event.inputs.version, 'alpha')"
run: |
curl \
--fail \
--request POST \
--url $INSOMNIA_API_URL/v1/releases \
--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
--header "Content-Type: application/json" \
--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }"
env:
INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
RELEASE_APP: com.insomnia.inso
RELEASE_VERSION: ${{ env.INSO_VERSION }}
RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Upload to snapcraft (beta and stable only)
if: "!contains(github.event.inputs.version, 'alpha')"
uses: snapcore/action-publish@7fe468c9de12396a9c8964af5d0dfd1d5b493bd7
env:
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE }}
with:
snap: artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap
release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Upload .deb to pulp and/or cloudsmith (stable only)
uses: docker://kong/release-script:latest
env:
PULP_USERNAME: ${{ secrets.PULP_USERNAME }}
PULP_PASSWORD: ${{ secrets.PULP_PASSWORD }}
PULP_HOST: ${{ secrets.PULP_HOST }}
VERBOSE: ${{ runner.debug == '1' && '1' || '' }}
CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
CLOUDSMITH_DRY_RUN: ''
IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }}
USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }}
USE_PULP: ${{ vars.USE_PULP }}
with:
entrypoint: /entrypoint.sh
args: >
release
--file artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.deb
--dist-name ubuntu
--dist-version focal
--package-type insomnia
${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }}
- name: Load the Inso CLI Docker Archive
run: |
docker load -i ./artifacts/ubuntu-latest-artifacts/insomnia-inso/artifacts/inso-docker-image.tar
docker image ls
- name: Login to Docker Hub
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.1.0
with:
username: ${{ secrets.DOCKER_REGISTRY_USER }}
password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
- name: Docker meta for Inso CLI Docker Image
id: inso_docker_meta
uses: docker/metadata-action@v5
with:
images: ${{ env.INSO_DOCKER_IMAGE }}
tags: |
type=raw,value=${{ env.INSO_VERSION }},prirority=1000
type=raw,value=latest,enable=${{ env.IS_PRERELEASE == 'false' }}
type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }}
type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }}
sep-tags: ","
- name: Push Inso CLI docker image tags to Docker Hub
id: publish_isno_docker_image
run: |
for tag in ${IMAGE_TAGS//,/ }; do \
docker tag insomnia-inso:temp $tag
docker push $tag; \
done
env:
IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }}
# Setup regctl to parse platform specific image digest from image manifest
- name: Install regctl
uses: regclient/actions/regctl-installer@main
# The image manifest digest/sha is generated only after the image is published to registry
- name: Parse architecture specific digest from image manifest
id: image_manifest_metadata
run: |
INSO_IMAGE=${{ env.INSO_DOCKER_IMAGE }}:${{ steps.inso_docker_meta.outputs.version }}
inso_image_sha="$(regctl image digest "${INSO_IMAGE}")"
echo "inso_image_sha=${inso_image_sha}" >> $GITHUB_OUTPUT
# Signing images requires image manifest digest
- name: Sign images
id: sign_images
if: ${{ steps.image_manifest_metadata.outputs.inso_image_sha != '' }}
uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
with:
image_digest: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
tags: ${{ steps.inso_docker_meta.outputs.tags }}
registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
# Optional: Central notary repository for image signatures
signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
signature_registry: ${{ env.NOTARY_REPOSITORY }}
- name: Upload sourcemaps to Sentry
env:
SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}'
SENTRY_ORG: '${{ secrets.SENTRY_ORG }}'
SENTRY_PROJECT: '${{ secrets.SENTRY_PROJECT }}'
run: |
curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.2.0" bash
sentry-cli releases new ${{ env.RELEASE_VERSION }}
sentry-cli releases set-commits ${{ env.RELEASE_VERSION }} --commit 'Kong/insomnia@${{ env.RELEASE_BRANCH }}'
sentry-cli sourcemaps upload -r ${{ env.RELEASE_VERSION }} ./artifacts/*-latest-sentry
- name: Configure Git user
uses: Homebrew/actions/git-user-config@master
with:
username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }}
- name: Merge git branch into develop
run: |
remote_repo="https://${GITHUB_ACTOR}:${RELEASE_GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
git checkout develop
git merge --no-ff ${{ env.RELEASE_BRANCH }}
git status
git push "${remote_repo}"
env:
RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }}
artifact-provenance:
needs: [publish]
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
contents: write
strategy:
fail-fast: true
matrix:
include:
- product: insomnia
binary_artifacts_digest_base64: ${{ needs.publish.outputs.ELECTRON_BINARY_ARTIFACTS_DIGEST_BASE64 }}
- product: inso
binary_artifacts_digest_base64: ${{ needs.publish.outputs.INSO_BINARY_ARTIFACTS_DIGEST_BASE64 }}
# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
base64-subjects: ${{matrix.binary_artifacts_digest_base64 }}
upload-assets: true
upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }}
provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl
draft-release: false
inso-image-provenance:
needs: [publish]
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
image: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE }}
digest: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE_DIGEST }}
provenance-repository: "${{ needs.publish.outputs.NOTARY_REPOSITORY }}"
secrets:
registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}