name: Release Build on: push: branches: - 'release/**' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: # shared kong github action for security checking generate-sbom-and-upload-assets: runs-on: ubuntu-latest permissions: packages: write contents: write # publish sbom to GH releases/tag assets steps: - name: Checkout repository uses: actions/checkout@v3 # Perform SCA / SBOM analysis for the entire monorepo code repository # Produces SCA(SBOM and CVE) report # Helps understand vulnerabilities / license compliance across third party dependencies # Automatically uploads to workflow assets # (TODO): Produce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574 # (TODO): needs check (block) further steps if SCA fails - id: sca-project uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0 with: dir: . upload-sbom-release-assets: false build-and-upload-release-artifacts: timeout-minutes: 30 runs-on: ${{ matrix.os }} env: INSO_PACKAGE_NAME: insomnia-inso INSO_DOCKER_TAR: inso-docker-image.tar strategy: fail-fast: false matrix: include: # macos-13 supports both intel and apple silicon on inso cli properly # macos-latest is defaulting to apple silicon and breaks inso cli retrocompatibility - os: macos-13 csc_link_secret: DESIGNER_MAC_CSC_LINK csc_key_password_secret: DESIGNER_MAC_CSC_KEY_PASSWORD - os: windows-latest csc_link_secret: DESIGNER_WINDOWS_CSC_LINK csc_key_password_secret: DESIGNER_WINDOWS_CSC_KEY_PASSWORD - os: ubuntu-latest csc_link_secret: '' csc_key_password_secret: '' steps: - name: Checkout branch uses: actions/checkout@v4 - name: Setup Node uses: actions/setup-node@v4 with: node-version-file: '.nvmrc' cache: 'npm' cache-dependency-path: package-lock.json - name: Install packages run: npm ci # If this step fails its possible apple has new license terms which need to be accepted by logging into https://developer.apple.com/account - name: Package app (MacOS only) if: matrix.os == 'macos-13' shell: bash run: npm run app-package env: NODE_OPTIONS: '--max_old_space_size=6144' APPLE_ID: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID || '' }} APPLE_APP_SPECIFIC_PASSWORD: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID_PASSWORD || '' }} CSC_LINK: ${{ matrix.csc_link_secret != '' && secrets[matrix.csc_link_secret] || '' }} CSC_KEY_PASSWORD: ${{ matrix.csc_key_password_secret != '' && secrets[matrix.csc_key_password_secret] || '' }} - name: Package app (Windows and Linux) if: matrix.os != 'macos-13' shell: bash run: npm run app-package env: NODE_OPTIONS: '--max_old_space_size=6144' - name: Setup Inso CLI version env var run: echo "INSO_VERSION=$(jq .version ./packages/${{ env.INSO_PACKAGE_NAME }}/package.json -rj)" >> $GITHUB_ENV - name: Package inso run: | echo "Replacing electron binary with node binary" node_modules/.bin/node-pre-gyp install --update-binary --directory node_modules/@getinsomnia/node-libcurl npm run inso-package env: VERSION: ${{ env.INSO_VERSION }} - name: Code-sign & create Inso CLI installer (macOS only) if: matrix.os == 'macos-13' run: ./src/scripts/macos-pkg.sh shell: bash working-directory: ./packages/${{ env.INSO_PACKAGE_NAME }} continue-on-error: false env: MACOS_CERTIFICATE: ${{ secrets.DESIGNER_MAC_CSC_LINK }} MACOS_CERTIFICATE_PWD: ${{ secrets.DESIGNER_MAC_CSC_KEY_PASSWORD }} PKG_NAME: inso-${{ matrix.os }}-${{ env.INSO_VERSION }} BUNDLE_ID: com.insomnia.inso VERSION: ${{ env.INSO_VERSION }} - name: Notarize Inso CLI installer (macOS only) if: matrix.os == 'macos-13' uses: lando/notarize-action@v2 with: product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg primary-bundle-id: com.insomnia.inso appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }} appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }} appstore-connect-team-id: FX44YY62GV verbose: true - name: Staple Inso CLI installer (macOS only) if: matrix.os == 'macos-13' uses: BoundfoxStudios/action-xcode-staple@v1 with: product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg - name: Notarize Inso CLI binary (macOS only) if: matrix.os == 'macos-13' uses: lando/notarize-action@v2 with: product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/binaries/inso primary-bundle-id: com.insomnia.inso-binary appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }} appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }} appstore-connect-team-id: FX44YY62GV - name: Create inso artifacts run: npm run inso-package:artifacts - name: Create inso Docker Image artifacts if: matrix.os == 'ubuntu-latest' run: | DOCKER_BUILDKIT=1 docker build --tag ${{ env.INSO_PACKAGE_NAME }}:temp ./packages/${{ env.INSO_PACKAGE_NAME }} docker save ${{ env.INSO_PACKAGE_NAME }}:temp -o ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }} # Produce Docker SBOM for Inso Image # Automatically uploads to workflow assets - name: Scan inso docker artifacts id: sbom_action if: matrix.os == 'ubuntu-latest' uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0 with: asset_prefix: image-inso-${{ runner.os }} image: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }} upload-sbom-release-assets: false # No release is publushed yet. Uploads as workflow assets env: SYFT_SOURCE_NAME: ${{ env.INSO_DOCKER_TAR }} - name: Upload artifacts uses: actions/upload-artifact@v4 with: if-no-files-found: ignore name: ${{ matrix.os }}-artifacts path: | packages/insomnia/dist/*.exe packages/insomnia/dist/squirrel-windows/* packages/insomnia/dist/*.zip packages/insomnia/dist/*.dmg packages/insomnia/dist/*.snap packages/insomnia/dist/*.rpm packages/insomnia/dist/*.deb packages/insomnia/dist/*.AppImage packages/insomnia/dist/*.tar.gz packages/insomnia-inso/artifacts/* - name: Upload source assets for Sentry uses: actions/upload-artifact@v4 with: name: ${{ matrix.os }}-sentry path: | packages/insomnia/build/*.js packages/insomnia/build/*.map !packages/insomnia/build/yarn-standalone.js update-pull-request: timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }} needs: build-and-upload-release-artifacts runs-on: ubuntu-latest steps: - name: Get release version id: release_version shell: bash run: | echo "version=${BRANCH/release\//}" >> $GITHUB_OUTPUT env: BRANCH: ${{ github.ref_name }} - name: update-pull-request uses: kt3k/update-pr-description@v2.0.0 with: pr_body: | **WARNING: Do not merge this PR. This is an automated release PR. It should be released using the "Publish" workflow.** Download release artifacts [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) ## Steps for Publish: You can update the changelog.md in this branch, run git log to get the latest changes: ```bash git log --no-merges --oneline --pretty=format:'* %s by @%an' --since="" --until="release/${{ steps.release_version.outputs.version }}" ``` When ready to publish, trigger [Publish](https://github.com/${{ github.repository }}/actions/workflows/release-publish.yml) workflow with these variables: - Release version (`version`): `${{ steps.release_version.outputs.version }}` Alternatively, you can trigger the workflow from [Github CLI](https://cli.github.com/): ```bash gh workflow run release-publish.yml -f version=${{ steps.release_version.outputs.version }} --repo ${{ github.repository }} ``` Release notes will be generated automatically based on the commit messages during publish. Remove any unwanted notes manually afterwards.
Conflicts? Merge branch step failed on the publish workflow? Try this... Run locally: ```bash # Make sure git remote is Kong/insomnia... git checkout develop git merge --no-ff release/ # Solve merge conflicts ... # If there's package-lock conflicts, run `npm install` and commit the package-lock changes git push ```
destination_branch: develop github_token: ${{ secrets.GITHUB_TOKEN }}