diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 52c2f9881f0..37e50021abf 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -10,20 +10,22 @@ concurrency: cancel-in-progress: true jobs: - check: + # shared kong github action for security checking + generate-sbom-and-upload-assets: runs-on: ubuntu-latest permissions: - packages: write + packages: write contents: write # publish sbom to GH releases/tag assets steps: - name: Checkout repository uses: actions/checkout@v3 - # Perform SCA / SBOM analysis for the entiire monorepo code repository - # Produces SBOM and CVE report + # Perform SCA / SBOM analysis for the entire monorepo code repository + # Produces SCA(SBOM and CVE) report # Helps understand vulnerabilities / license compliance across third party dependencies # Automatically uploads to workflow assets - # (TODO): Prouce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574 + # (TODO): Produce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574 + # (TODO): needs check (block) further steps if SCA fails - id: sca-project uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0 with: @@ -39,8 +41,8 @@ jobs: fail-fast: false matrix: include: - # macos-13 supports both intel and apple sillicon on inso cli properly - # macos-latest is defaulting to apple sillicon and breaks inso cli retrocompatibility + # macos-13 supports both intel and apple silicon on inso cli properly + # macos-latest is defaulting to apple silicon and breaks inso cli retrocompatibility - os: macos-13 csc_link_secret: DESIGNER_MAC_CSC_LINK csc_key_password_secret: DESIGNER_MAC_CSC_KEY_PASSWORD 
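Review bot: The checkout step in the renamed generate-sbom-and-upload-assets job still references a mutable tag, `uses: actions/checkout@v3`, while the SCA action a few lines below is pinned to a full commit SHA with a version comment; in a job that holds `contents: write` on release tags, pinning checkout the same way (`uses: actions/checkout@<full-commit-sha> # v3.x`) keeps the supply-chain posture consistent. The job also keeps `packages: write`, which nothing visible in the hunk uses; if the rest of the job does not push packages, `contents: write` alone should suffice. The new `# (TODO): needs check (block) further steps if SCA fails` comment is accurate as far as this hunk shows: nothing here makes later jobs depend on this job's result, so a failing scan does not stop the release build unless a `needs:` edge exists outside the hunk. The job body continues past the end of the hunk.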
@@ -141,7 +143,7 @@ jobs: run: | DOCKER_BUILDKIT=1 docker build --tag ${{ env.INSO_PACKAGE_NAME }}:temp ./packages/${{ env.INSO_PACKAGE_NAME }} docker save ${{ env.INSO_PACKAGE_NAME }}:temp -o ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }} - + # Produce Docker SBOM for Inso Image # Automatically uploads to workflow assets - name: Scan inso docker artifacts diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index 67bd11a4f59..4b78fab7430 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest outputs: NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }} - INSO_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.inso_binary_artifact_digest_base64 }} + INSO_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.inso_binary_artifact_digest_base64 }} INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }} INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }} INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }} @@ -50,7 +50,7 @@ jobs: - name: Install packages run: npm ci - - name: Download artifact + - name: Download all artifacts from release-build.yml uses: dawidd6/action-download-artifact@v2 with: github_token: ${{secrets.GITHUB_TOKEN}} 
@@ -58,29 +58,37 @@ jobs: workflow_conclusion: success branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets - + - name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily id: metadata run: | INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj) - echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV - - inso_binary_artifact_digest_base64=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \ - \( -name "inso-*.zip" -o -name "inso-*.pkg" -o -name "inso-*.tar.xz" \) \ - -exec sha256sum {} \; | sed "s/\(.* \)\(.*\(inso\)\)/\1\\3/" | sort | base64 -w0) - echo "Inso CLI Artifact digest:" - echo "${inso_binary_artifact_digest_base64}" - echo "inso_binary_artifact_digest_base64=${inso_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT + echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV - electron_binary_artifacts=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \ - \( -name "Insomnia.Core-*" \) \ - -exec sha256sum {} \; | sed "s/\(.* \)\(.*\(Insomnia.Core\)\)/\1\\3/" | sort) + ARTIFACT_PATH="${{ env.ARTIFACTS_DOWNLOAD_PATH }}" - echo "${electron_binary_artifacts}" - electron_binary_artifact_digest_base64=$(echo "${electron_binary_artifacts}" | base64 -w0) - echo "Electron Binary Artifact digest:" - echo "${electron_binary_artifact_digest_base64}" - echo "electron_binary_artifact_digest_base64=${electron_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT + # To test set ARTIFACT_PATH to a local path, containing an inso-1.zip and Insomnia.Core-1.zip and paste the next 18 lines in a terminal + echo "CLI FILES FOUND" + cli_files=$(find "${ARTIFACT_PATH}" -type f \( -name "inso-*.zip" -o -name "inso-*.pkg" -o -name "inso-*.tar.xz" \) -exec sha256sum {} \;) + echo "${cli_files}" + echo "CLI FILES WITH PATH STRIPPED" + cli_replaced_files=$(echo "${cli_files}" | sed "s/\(.* 
\)\(.*\(inso\)\)/\1\\3/" | sort) + echo "${cli_replaced_files}" + echo "CLI FILE DIGEST" + cli_digest=$(echo "${cli_replaced_files}" | base64 -w0) + echo "${cli_digest}" + echo "APP FILES FOUND" + app_files=$(find "${ARTIFACT_PATH}" -type f \( -name "Insomnia.Core-*" \) -exec sha256sum {} \;) + echo "${app_files}" + echo "APP FILES WITH PATH STRIPPED" + app_replaced_files=$(echo "${app_files}" | sed "s/\(.* \)\(.*\(Insomnia.Core\)\)/\1\\3/" | sort) + echo "${app_replaced_files}" + echo "APP FILE DIGEST" + app_digest=$(echo "${app_replaced_files}" | base64 -w0) + echo "${app_digest}" + + echo "inso_binary_artifact_digest_base64=${cli_digest}" >> $GITHUB_OUTPUT + echo "electron_binary_artifact_digest_base64=${app_digest}" >> $GITHUB_OUTPUT - name: Temporarily move artifacts shell: bash @@ -134,7 +142,7 @@ jobs: draft: false - name: Publish beta/stable of Insomnia to Insomnia API - if: "!contains(github.event.inputs.version, 'alpha')" + if: ${{ !contains(github.event.inputs.version, 'alpha') }} run: | curl \ --fail \ @@ -151,7 +159,7 @@ jobs: RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} - name: Publish beta/stable of inso to Insomnia API - if: "!contains(github.event.inputs.version, 'alpha')" + if: ${{ !contains(github.event.inputs.version, 'alpha') }} run: | curl \ --fail \ @@ -168,7 +176,7 @@ jobs: RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} - name: Upload to snapcraft (beta and stable only) - if: "!contains(github.event.inputs.version, 'alpha')" + if: ${{ !contains(github.event.inputs.version, 'alpha') }} uses: snapcore/action-publish@7fe468c9de12396a9c8964af5d0dfd1d5b493bd7 env: SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE }} 
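Review bot: In the rewritten `Set publish metadata` script an empty `find` result is not treated as an error: if no `inso-*` or `Insomnia.Core-*` files exist under `ARTIFACT_PATH`, `cli_files`/`app_files` are empty, `base64 -w0` still emits the encoding of a single newline, and an empty subject list is written to `$GITHUB_OUTPUT` for the provenance job instead of failing the publish. A guard after each `find`, `[ -n "${cli_files}" ] || { echo "no CLI artifacts found under ${ARTIFACT_PATH}"; exit 1; }` (and the same for `app_files`), would make the step fail closed. The `# To test ... paste the next 18 lines in a terminal` comment also hard-codes a line count that will drift on the next edit; `paste the block below into a terminal` is safer wording. The enclosing publish job starts before this hunk.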
@@ -177,6 +185,7 @@ jobs: release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} - name: Upload .deb to pulp and/or cloudsmith (stable only) + if: ${{ !contains(github.event.inputs.version, 'alpha') && !contains(github.event.inputs.version, 'beta') }} uses: docker://kong/release-script:latest env: PULP_USERNAME: ${{ secrets.PULP_USERNAME }} @@ -197,7 +206,7 @@ jobs: --dist-version focal --package-type insomnia ${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }} - + - name: Load the Inso CLI Docker Archive run: | docker load -i ./artifacts/ubuntu-latest-artifacts/insomnia-inso/artifacts/inso-docker-image.tar @@ -208,7 +217,7 @@ jobs: with: username: ${{ secrets.DOCKER_REGISTRY_USER }} password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} - + - name: Docker meta for Inso CLI Docker Image id: inso_docker_meta uses: docker/metadata-action@v5 @@ -220,7 +229,7 @@ jobs: type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }} type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }} sep-tags: "," - + - name: Push Inso CLI docker image tags to Docker Hub id: publish_isno_docker_image run: | @@ -230,7 +239,7 @@ jobs: done env: IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }} - + # Setup regctl to parse platform specific image digest from image manifest - name: Install regctl uses: regclient/actions/regctl-installer@main @@ -257,7 +266,7 @@ jobs: signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }} signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} signature_registry: ${{ env.NOTARY_REPOSITORY }} - + - name: Upload sourcemaps to Sentry env: SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}' @@ -285,7 +294,7 @@ jobs: git push "${remote_repo}" env: RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }} - + artifact-provenance: needs: [publish] permissions: 
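Review bot: The new `if:` on `Upload .deb to pulp and/or cloudsmith (stable only)` encodes "stable" as "not alpha and not beta", so any other pre-release label in `github.event.inputs.version` would still reach the pulp/cloudsmith upload; the next hunk's context shows the same step passing `${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }}`, so `if: ${{ env.IS_PRERELEASE != 'true' }}` would express the intent directly, assuming `IS_PRERELEASE` is derived from the same version input (it is set outside this hunk). With the added condition the `--internal` branch of that argument looks unreachable for alpha/beta runs; if pre-releases are meant to be pushed internally rather than skipped, the `if:` contradicts that and one of the two should go. The step definition continues past the end of the hunk.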
@@ -306,7 +315,7 @@ jobs: with: base64-subjects: ${{matrix.binary_artifacts_digest_base64 }} upload-assets: true - upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }} + upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }} provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl draft-release: false @@ -327,4 +336,4 @@ jobs: registry-username: ${{ secrets.DOCKER_REGISTRY_USER }} registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }} - provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} \ No newline at end of file + provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} diff --git a/.github/workflows/release-start.yml b/.github/workflows/release-start.yml index efdea674ada..082c3a14e11 100644 --- a/.github/workflows/release-start.yml +++ b/.github/workflows/release-start.yml @@ -13,7 +13,7 @@ on: - stable version: required: false - description: force version of the release (e.g. 9.0.0) leave blank to increment automatically + description: force version of the release (e.g. 9.0.0) if previous release was successful, this should auto increment jobs: setup-release-branch: