name: Release Publish on: workflow_dispatch: inputs: version: required: true description: Release version (e.g. 2022.1.0 or 2022.1.0-beta.0) env: RELEASE_VERSION: ${{ github.event.inputs.version }} RELEASE_CORE_TAG: core@${{ github.event.inputs.version }} RELEASE_BRANCH: release/${{ github.event.inputs.version }} IS_PRERELEASE: ${{ contains(github.event.inputs.version, 'alpha') || contains(github.event.inputs.version, 'beta') }} ARTIFACTS_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts INSO_DOCKER_IMAGE: kong/inso # By default, registry is docker.io NOTARY_REPOSITORY: 'kong/notary' # All signatures will be pushed to public notary repository jobs: publish: timeout-minutes: 15 runs-on: ubuntu-latest outputs: NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }} INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.cli_binary_hashes.outputs.handle }} INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }} INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }} INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }} ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.electron_binary_hashes.outputs.handle }} permissions: id-token: write # needed for signing the images actions: read # For getting workflow run info for keyless signing of docker image contents: write # Required to upload assets. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues packages: write steps: - name: Checkout branch # Check out the release branch uses: actions/checkout@v4 with: ref: ${{ env.RELEASE_BRANCH }} fetch-depth: 0 persist-credentials: false - name: Setup Node uses: actions/setup-node@v4 with: node-version-file: ".nvmrc" cache: 'npm' cache-dependency-path: package-lock.json - name: Install packages run: npm ci - name: Download all artifacts from release-build.yml uses: dawidd6/action-download-artifact@v2 with: github_token: ${{secrets.GITHUB_TOKEN}} workflow: release-build.yml workflow_conclusion: success branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets - name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily id: metadata run: | INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj) echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV echo "CLI_ARTIFACT_BASE64_FILE=${{env.CLI_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV echo "ELECTRON_ARTIFACT_BASE64_FILE=${{env.ELECTRON_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV ./.github/scripts/generate-binary-digest.sh env: ARTIFACT_PATH: "${{ env.ARTIFACTS_DOWNLOAD_PATH }}" CLI_ARTIFACT_SHAFILE: ${{runner.temp}}/cli.sha256 ELECTRON_ARTIFACT_SHAFILE: ${{runner.temp}}/electron.sha256 CLI_ARTIFACT_BASE64_FILE: ${{runner.temp}}/cli_digests_file.text ELECTRON_ARTIFACT_BASE64_FILE: ${{runner.temp}}/electron_digests_file.text - name: Calculate CLI Binary base64 file handle uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.0.0 id: cli_binary_hashes with: path: ${{ env.CLI_ARTIFACT_BASE64_FILE }} - name: Calculate Electron Binary base64 file handle uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.0.0 id: electron_binary_hashes with: path: ${{ env.ELECTRON_ARTIFACT_BASE64_FILE }} - name: Code-sign Windows .exe artifact uses: sslcom/esigner-codesign@develop with: command: sign username: ${{secrets.ES_USERNAME}} password: ${{secrets.ES_PASSWORD}} credential_id: ${{secrets.ES_CREDENTIAL_ID}} totp_secret: ${{secrets.ES_TOTP_SECRET}} file_path: ${GITHUB_WORKSPACE}/artifacts/windows-latest-artifacts/insomnia/dist/squirrel-windows/Insomnia.Core-${{ env.RELEASE_VERSION }}.exe override: true - name: Create Tag and Release uses: ncipollo/release-action@v1 id: core_tag_and_release with: tag: ${{ env.RELEASE_CORE_TAG }} name: "${{ env.RELEASE_VERSION }} 📦" generateReleaseNotes: true commit: ${{ env.RELEASE_BRANCH }} prerelease: ${{ env.IS_PRERELEASE }} draft: false env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload artifacts to release uses: xresloader/upload-to-github-release@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: release_id: ${{ steps.core_tag_and_release.outputs.id }} tag_name: ${{ env.RELEASE_CORE_TAG }} file: "./artifacts/*-artifacts/insomnia/dist/Insomnia.*;./artifacts/*-artifacts/insomnia/dist/squirrel-windows/*;./artifacts/*-artifacts/insomnia-inso/artifacts/inso-*;./artifacts/**/*sbom.{spdx,cyclonedx}.json" # /github/workspace/artifacts/windows-latest-artifacts/***/dist/squirrel-windows/Insomnia.Core-9.3.0-beta.1.exe # /github/workspace/artifacts/windows-latest-artifacts/***/dist/squirrel-windows/Insomnia.Core-9.3.0-beta.1-full.nupkg # /github/workspace/artifacts/windows-latest-artifacts/***/dist/squirrel-windows/RELEASES # /home/runner/work/***/***/artifacts/macos-13-artifacts/***/dist/Insomnia.Core-9.3.0-alpha.7.dmg # /home/runner/work/***/***/artifacts/ubuntu-latest-artifacts/***/dist/Insomnia.Core-9.3.0-alpha.7.deb # /home/runner/work/***/***/artifacts/ubuntu-latest-artifacts/***-inso/artifacts/inso-linux-9.3.0-alpha.7.tar.xz # /home/runner/work/***/***/artifacts/macos-13-artifacts/***-inso/artifacts/inso-macos-13-9.3.0-alpha.7.pkg # /home/runner/work/***/***/artifacts/image-inso-Linux-sbom.spdx.json/image-inso-Linux-sbom.spdx.json # /home/runner/work/***/***/artifacts/sbom.cyclonedx.json/sbom.cyclonedx.json prerelease: ${{ env.IS_PRERELEASE }} draft: false - name: Publish beta/stable of Insomnia to Insomnia API if: ${{ !contains(github.event.inputs.version, 'alpha') }} run: | curl \ --fail \ --request POST \ --url $INSOMNIA_API_URL/v1/releases \ --header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \ --header "Content-Type: application/json" \ --data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }" env: INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }} INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }} RELEASE_APP: com.insomnia.app RELEASE_VERSION: ${{ env.RELEASE_VERSION }} RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} - name: Publish beta/stable of inso to Insomnia API if: ${{ !contains(github.event.inputs.version, 'alpha') }} run: | curl \ --fail \ --request POST \ --url $INSOMNIA_API_URL/v1/releases \ --header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \ --header "Content-Type: application/json" \ --data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }" env: INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }} INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }} RELEASE_APP: com.insomnia.inso RELEASE_VERSION: ${{ env.INSO_VERSION }} RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} - name: Load the Inso CLI Docker Archive run: | docker load -i ./artifacts/ubuntu-latest-artifacts/insomnia-inso/artifacts/inso-docker-image.tar docker image ls - name: Login to Docker Hub uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.1.0 with: username: ${{ secrets.DOCKER_REGISTRY_USER }} password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} - name: Docker meta for Inso CLI Docker Image id: inso_docker_meta uses: docker/metadata-action@v5 with: images: ${{ env.INSO_DOCKER_IMAGE }} tags: | type=raw,value=${{ env.INSO_VERSION }},prirority=1000 type=raw,value=latest,enable=${{ env.IS_PRERELEASE == 'false' }} type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }} type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }} sep-tags: "," - name: Push Inso CLI docker image tags to Docker Hub id: publish_isno_docker_image run: | for tag in ${IMAGE_TAGS//,/ }; do \ docker tag insomnia-inso:temp $tag docker push $tag; \ done env: IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }} # Setup regctl to parse platform specific image digest from image manifest - name: Install regctl uses: regclient/actions/regctl-installer@main # The image manifest digest/sha is generated only after the image is published to registry - name: Parse architecture specific digest from image manifest id: image_manifest_metadata run: | INSO_IMAGE=${{ env.INSO_DOCKER_IMAGE }}:${{ steps.inso_docker_meta.outputs.version }} inso_image_sha="$(regctl image digest "${INSO_IMAGE}")" echo "inso_image_sha=${inso_image_sha}" >> $GITHUB_OUTPUT # Signing images requires image manifest digest - name: Sign images id: sign_images if: ${{ steps.image_manifest_metadata.outputs.inso_image_sha != '' }} uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2 with: image_digest: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }} tags: ${{ steps.inso_docker_meta.outputs.tags }} registry_username: ${{ secrets.DOCKER_REGISTRY_USER }} registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} # Optional: Central notary repository for image signatures signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }} signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} signature_registry: ${{ env.NOTARY_REPOSITORY }} - name: Upload sourcemaps to Sentry env: SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}' SENTRY_ORG: '${{ secrets.SENTRY_ORG }}' SENTRY_PROJECT: '${{ secrets.SENTRY_PROJECT }}' run: | curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.2.0" bash sentry-cli releases new ${{ env.RELEASE_VERSION }} sentry-cli releases set-commits ${{ env.RELEASE_VERSION }} --commit 'Kong/insomnia@${{ env.RELEASE_BRANCH }}' sentry-cli sourcemaps upload -r ${{ env.RELEASE_VERSION }} ./artifacts/*-latest-sentry - name: Configure Git user uses: Homebrew/actions/git-user-config@master with: username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }} - name: Merge git branch into develop run: | remote_repo="https://${GITHUB_ACTOR}:${RELEASE_GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" git checkout develop git merge --no-ff ${{ env.RELEASE_BRANCH }} git status git push "${remote_repo}" env: RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }} - name: Upload to snapcraft (beta and stable only) if: ${{ !contains(github.event.inputs.version, 'alpha') }} uses: snapcore/action-publish@v1 env: SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE_NEW }} with: snap: artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} - name: Upload .deb to pulp and/or cloudsmith (stable only) if: ${{ !contains(github.event.inputs.version, 'alpha') && !contains(github.event.inputs.version, 'beta') }} uses: docker://kong/release-script:latest env: PULP_USERNAME: ${{ secrets.PULP_USERNAME }} PULP_PASSWORD: ${{ secrets.PULP_PASSWORD }} PULP_HOST: ${{ secrets.PULP_HOST }} VERBOSE: ${{ runner.debug == '1' && '1' || '' }} CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} CLOUDSMITH_DRY_RUN: '' IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }} USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }} USE_PULP: ${{ vars.USE_PULP }} with: entrypoint: /entrypoint.sh args: > release --file artifacts/ubuntu-latest-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.deb --dist-name ubuntu --dist-version focal --package-type insomnia ${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }} artifact-provenance: needs: [publish] permissions: id-token: write # needed for signing the images actions: read # For getting workflow run info to build provenance packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues contents: write strategy: fail-fast: true matrix: include: - product: insomnia binary_artifacts_subject_as_file: ${{ needs.publish.outputs.ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }} - product: inso binary_artifacts_subject_as_file: ${{ needs.publish.outputs.INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }} # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects-as-file: "${{ matrix.binary_artifacts_subject_as_file }}" upload-assets: true upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }} provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl draft-release: false inso-image-provenance: needs: [publish] permissions: id-token: write # needed for signing the images actions: read # For getting workflow run info to build provenance packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498 contents: write uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 with: image: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE }} digest: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE_DIGEST }} provenance-repository: "${{ needs.publish.outputs.NOTARY_REPOSITORY }}" secrets: registry-username: ${{ secrets.DOCKER_REGISTRY_USER }} registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }} provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}