-
Notifications
You must be signed in to change notification settings - Fork 2k
330 lines (297 loc) · 15.5 KB
/
release-publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
name: Release Publish
on:
workflow_dispatch:
inputs:
version:
required: true
description: Release version (e.g. 2022.1.0 or 2022.1.0-beta.0)
env:
RELEASE_VERSION: ${{ github.event.inputs.version }}
RELEASE_CORE_TAG: core@${{ github.event.inputs.version }}
RELEASE_BRANCH: release/${{ github.event.inputs.version }}
IS_PRERELEASE: ${{ contains(github.event.inputs.version, 'alpha') || contains(github.event.inputs.version, 'beta') }}
ARTIFACTS_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts
INSO_DOCKER_IMAGE: kong/inso # By default, registry is docker.io
NOTARY_REPOSITORY: 'kong/notary' # All signatures will be pushed to public notary repository
jobs:
publish:
timeout-minutes: 15
runs-on: ubuntu-latest
outputs:
NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }}
INSO_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.inso_binary_artifact_digest_base64 }}
INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }}
INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }}
ELECTRON_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.electron_binary_artifact_digest_base64 }}
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info for keyless signing of docker image
contents: write # Required to upload assets. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
packages: write
steps:
- name: Checkout branch # Check out the release branch
uses: actions/checkout@v4
with:
ref: ${{ env.RELEASE_BRANCH }}
fetch-depth: 0
persist-credentials: false
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: ".nvmrc"
cache: 'npm'
cache-dependency-path: package-lock.json
- name: Install packages
run: npm ci
- name: Download artifact
uses: dawidd6/action-download-artifact@v2
with:
github_token: ${{secrets.GITHUB_TOKEN}}
workflow: release-build.yml
workflow_conclusion: success
branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created
path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets
- name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily
id: metadata
run: |
INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj)
echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV
inso_binary_artifact_digest_base64=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \
\( -name "inso-*.zip" -o -name "inso-*.pkg" -o -name "inso-*.tar.xz" \) \
-exec sha256sum {} \; | sed "s/\(.* \)\(.*\(inso\)\)/\1\\3/" | sort | base64 -w0)
echo "Inso CLI Artifact digest:"
echo "${inso_binary_artifact_digest_base64}"
echo "inso_binary_artifact_digest_base64=${inso_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT
electron_binary_artifacts=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \
\( -name "Insomnia.Core-*" \) \
-exec sha256sum {} \; | sed "s/\(.* \)\(.*\(Insomnia.Core\)\)/\1\\3/" | sort)
echo "${electron_binary_artifacts}"
electron_binary_artifact_digest_base64=$(echo "${electron_binary_artifacts}" | base64 -w0)
echo "Electron Binary Artifact digest:"
echo "${electron_binary_artifact_digest_base64}"
echo "electron_binary_artifact_digest_base64=${electron_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT
- name: Temporarily move artifacts
shell: bash
run: |
mv ./artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows/Insomnia.Core-${{ env.RELEASE_VERSION }}.exe ./artifacts/
- name: Code-sign Windows .exe artifact
uses: sslcom/actions-codesigner@develop
with:
command: sign
username: ${{secrets.ES_USERNAME}}
password: ${{secrets.ES_PASSWORD}}
credential_id: ${{secrets.ES_CREDENTIAL_ID}}
totp_secret: ${{secrets.ES_TOTP_SECRET}}
file_path: ${GITHUB_WORKSPACE}/artifacts/Insomnia.Core-${{ env.RELEASE_VERSION }}.exe
output_path: ${GITHUB_WORKSPACE}/artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows
# - name: Code-sign Windows portable .exe artifact
# uses: sslcom/actions-codesigner@develop
# with:
# command: sign
# username: ${{secrets.ES_USERNAME}}
# password: ${{secrets.ES_PASSWORD}}
# credential_id: ${{secrets.ES_CREDENTIAL_ID}}
# totp_secret: ${{secrets.ES_TOTP_SECRET}}
# file_path: ${GITHUB_WORKSPACE}/artifacts/Insomnia.Core-${{ env.RELEASE_VERSION }}-portable.exe
# output_path: ${GITHUB_WORKSPACE}/artifacts/windows-latest-artifacts/insomnia/dist
- name: Create Tag and Release
uses: ncipollo/release-action@v1
id: core_tag_and_release
with:
tag: ${{ env.RELEASE_CORE_TAG }}
name: "${{ env.RELEASE_VERSION }} 📦"
generateReleaseNotes: true
commit: ${{ env.RELEASE_BRANCH }}
prerelease: ${{ env.IS_PRERELEASE }}
draft: false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload artifacts to release
uses: xresloader/upload-to-github-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
release_id: ${{ steps.core_tag_and_release.outputs.id }}
tag_name: ${{ env.RELEASE_CORE_TAG }}
file: "./artifacts/*-latest-artifacts/insomnia/**;./artifacts/inso-*;./artifacts/*sbom.{spdx,cyclonedx}.json"
prerelease: ${{ env.IS_PRERELEASE }}
draft: false
- name: Publish beta/stable of Insomnia to Insomnia API
if: "!contains(github.event.inputs.version, 'alpha')"
run: |
curl \
--fail \
--request POST \
--url $INSOMNIA_API_URL/v1/releases \
--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
--header "Content-Type: application/json" \
--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }"
env:
INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
RELEASE_APP: com.insomnia.app
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Publish beta/stable of inso to Insomnia API
if: "!contains(github.event.inputs.version, 'alpha')"
run: |
curl \
--fail \
--request POST \
--url $INSOMNIA_API_URL/v1/releases \
--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
--header "Content-Type: application/json" \
--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }"
env:
INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
RELEASE_APP: com.insomnia.inso
RELEASE_VERSION: ${{ env.INSO_VERSION }}
RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Upload to snapcraft (beta and stable only)
if: "!contains(github.event.inputs.version, 'alpha')"
uses: snapcore/action-publish@7fe468c9de12396a9c8964af5d0dfd1d5b493bd7
env:
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE }}
with:
snap: artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap
release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
- name: Upload .deb to pulp and/or cloudsmith (stable only)
uses: docker://kong/release-script:latest
env:
PULP_USERNAME: ${{ secrets.PULP_USERNAME }}
PULP_PASSWORD: ${{ secrets.PULP_PASSWORD }}
PULP_HOST: ${{ secrets.PULP_HOST }}
VERBOSE: ${{ runner.debug == '1' && '1' || '' }}
CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
CLOUDSMITH_DRY_RUN: ''
IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }}
USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }}
USE_PULP: ${{ vars.USE_PULP }}
with:
entrypoint: /entrypoint.sh
args: >
release
--file artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.deb
--dist-name ubuntu
--dist-version focal
--package-type insomnia
${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }}
- name: Load the Inso CLI Docker Archive
run: |
docker load -i ./artifacts/ubuntu-latest-artifacts/insomnia-inso/artifacts/inso-docker-image.tar
docker image ls
- name: Login to Docker Hub
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.1.0
with:
username: ${{ secrets.DOCKER_REGISTRY_USER }}
password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
- name: Docker meta for Inso CLI Docker Image
id: inso_docker_meta
uses: docker/metadata-action@v5
with:
images: ${{ env.INSO_DOCKER_IMAGE }}
tags: |
type=raw,value=${{ env.INSO_VERSION }},prirority=1000
type=raw,value=latest,enable=${{ env.IS_PRERELEASE == 'false' }}
type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }}
type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }}
sep-tags: ","
- name: Push Inso CLI docker image tags to Docker Hub
id: publish_isno_docker_image
run: |
for tag in ${IMAGE_TAGS//,/ }; do \
docker tag insomnia-inso:temp $tag
docker push $tag; \
done
env:
IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }}
# Setup regctl to parse platform specific image digest from image manifest
- name: Install regctl
uses: regclient/actions/regctl-installer@main
# The image manifest digest/sha is generated only after the image is published to registry
- name: Parse architecture specific digest from image manifest
id: image_manifest_metadata
run: |
INSO_IMAGE=${{ env.INSO_DOCKER_IMAGE }}:${{ steps.inso_docker_meta.outputs.version }}
inso_image_sha="$(regctl image digest "${INSO_IMAGE}")"
echo "inso_image_sha=${inso_image_sha}" >> $GITHUB_OUTPUT
# Signing images requires image manifest digest
- name: Sign images
id: sign_images
if: ${{ steps.image_manifest_metadata.outputs.inso_image_sha != '' }}
uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
with:
image_digest: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
tags: ${{ steps.inso_docker_meta.outputs.tags }}
registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
# Optional: Central notary repository for image signatures
signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
signature_registry: ${{ env.NOTARY_REPOSITORY }}
- name: Upload sourcemaps to Sentry
env:
SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}'
SENTRY_ORG: '${{ secrets.SENTRY_ORG }}'
SENTRY_PROJECT: '${{ secrets.SENTRY_PROJECT }}'
run: |
curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.2.0" bash
sentry-cli releases new ${{ env.RELEASE_VERSION }}
sentry-cli releases set-commits ${{ env.RELEASE_VERSION }} --commit 'Kong/insomnia@${{ env.RELEASE_BRANCH }}'
sentry-cli sourcemaps upload -r ${{ env.RELEASE_VERSION }} ./artifacts/*-latest-sentry
- name: Configure Git user
uses: Homebrew/actions/git-user-config@master
with:
username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }}
- name: Merge git branch into develop
run: |
remote_repo="https://${GITHUB_ACTOR}:${RELEASE_GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
git checkout develop
git merge --no-ff ${{ env.RELEASE_BRANCH }}
git status
git push "${remote_repo}"
env:
RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }}
artifact-provenance:
needs: [publish]
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
contents: write
strategy:
fail-fast: true
matrix:
include:
- product: insomnia
binary_artifacts_digest_base64: ${{ needs.publish.outputs.ELECTRON_BINARY_ARTIFACTS_DIGEST_BASE64 }}
- product: inso
binary_artifacts_digest_base64: ${{ needs.publish.outputs.INSO_BINARY_ARTIFACTS_DIGEST_BASE64 }}
# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
base64-subjects: ${{matrix.binary_artifacts_digest_base64 }}
upload-assets: true
upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }}
provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl
draft-release: false
inso-image-provenance:
needs: [publish]
permissions:
id-token: write # needed for signing the images
actions: read # For getting workflow run info to build provenance
packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
image: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE }}
digest: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE_DIGEST }}
provenance-repository: "${{ needs.publish.outputs.NOTARY_REPOSITORY }}"
secrets:
registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}