Publish 11.0.1-alpha.0 channel by @notjaywu #236
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Publish | |
| run-name: Publish ${{ github.event.inputs.version }} channel by @${{ github.actor }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| required: true | |
| description: Release version (e.g. 2022.1.0 or 2022.1.0-beta.0) | |
| env: | |
| RELEASE_VERSION: ${{ github.event.inputs.version }} | |
| RELEASE_CORE_TAG: core@${{ github.event.inputs.version }} | |
| RELEASE_BRANCH: release/${{ github.event.inputs.version }} | |
| IS_PRERELEASE: ${{ contains(github.event.inputs.version, 'alpha') || contains(github.event.inputs.version, 'beta') }} | |
| ARTIFACTS_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts | |
| INSO_DOCKER_IMAGE: kong/inso # By default, registry is docker.io | |
| NOTARY_REPOSITORY: 'kong/notary' # All signatures will be pushed to public notary repository | |
| jobs: | |
| publish: | |
| timeout-minutes: 15 | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }} | |
| INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.cli_binary_hashes.outputs.handle }} | |
| INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }} | |
| INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }} | |
| INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }} | |
| ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.electron_binary_hashes.outputs.handle }} | |
| permissions: | |
| id-token: write # needed for signing the images | |
| actions: read # For getting workflow run info for keyless signing of docker image | |
| contents: write # Required to upload assets. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues | |
| packages: write | |
| steps: | |
| # - name: Checkout branch # Check out the release branch | |
| # uses: actions/checkout@v4 | |
| # with: | |
| # ref: ${{ env.RELEASE_BRANCH }} | |
| # fetch-depth: 0 | |
| # persist-credentials: false | |
| # - name: Setup Node | |
| # uses: actions/setup-node@v4 | |
| # with: | |
| # node-version-file: ".nvmrc" | |
| # cache: 'npm' | |
| # cache-dependency-path: package-lock.json | |
| # - name: Install packages | |
| # run: npm ci | |
| # - name: Download all artifacts from release-build.yml | |
| # uses: dawidd6/action-download-artifact@v2 | |
| # with: | |
| # github_token: ${{secrets.GITHUB_TOKEN}} | |
| # workflow: release-build.yml | |
| # workflow_conclusion: success | |
| # branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created | |
| # path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets | |
| # repo: ${{ secrets.BUILD_REPOSITORY }} | |
| - name: Download release artifacts from insomnia-ee | |
| uses: robinraju/release-downloader@v1 | |
| with: | |
| repository: 'kong/insomnia-ee' | |
| tag: core@${{ env.RELEASE_VERSION }} | |
| fileName: '*' | |
| token: ${{ secrets.EE_DOWNLOAD_TOKEN }} | |
| out-file-path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} | |
| # - name: Debug downloaded artifacts | |
| # run: ls -lah ${{ env.ARTIFACTS_DOWNLOAD_PATH }} | |
| - name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily | |
| id: metadata | |
| run: | | |
| INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj) | |
| echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV | |
| echo "CLI_ARTIFACT_BASE64_FILE=${{env.CLI_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV | |
| echo "ELECTRON_ARTIFACT_BASE64_FILE=${{env.ELECTRON_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV | |
| ./.github/scripts/generate-binary-digest.sh | |
| env: | |
| ARTIFACT_PATH: "${{ env.ARTIFACTS_DOWNLOAD_PATH }}" | |
| CLI_ARTIFACT_SHAFILE: ${{runner.temp}}/cli.sha256 | |
| ELECTRON_ARTIFACT_SHAFILE: ${{runner.temp}}/electron.sha256 | |
| CLI_ARTIFACT_BASE64_FILE: ${{runner.temp}}/cli_digests_file.text | |
| ELECTRON_ARTIFACT_BASE64_FILE: ${{runner.temp}}/electron_digests_file.text | |
| - name: Calculate CLI Binary base64 file handle | |
| uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.0.0 | |
| id: cli_binary_hashes | |
| with: | |
| path: ${{ env.CLI_ARTIFACT_BASE64_FILE }} | |
| - name: Calculate Electron Binary base64 file handle | |
| uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.0.0 | |
| id: electron_binary_hashes | |
| with: | |
| path: ${{ env.ELECTRON_ARTIFACT_BASE64_FILE }} | |
| - name: Create Tag and Release | |
| uses: ncipollo/release-action@v1 | |
| id: core_tag_and_release | |
| with: | |
| tag: ${{ env.RELEASE_CORE_TAG }} | |
| name: "${{ env.RELEASE_VERSION }} 📦" | |
| generateReleaseNotes: true | |
| commit: ${{ env.RELEASE_BRANCH }} | |
| prerelease: ${{ env.IS_PRERELEASE }} | |
| draft: false | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Upload artifacts to release | |
| uses: xresloader/upload-to-github-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| release_id: ${{ steps.core_tag_and_release.outputs.id }} | |
| tag_name: ${{ env.RELEASE_CORE_TAG }} | |
| file: "./artifacts/*-artifacts/insomnia/dist/Insomnia.*;./artifacts/*-artifacts/insomnia/dist/squirrel-windows/*;./artifacts/*-artifacts/insomnia-inso/artifacts/inso-*;./artifacts/**/*sbom.{spdx,cyclonedx}.json" | |
| prerelease: ${{ env.IS_PRERELEASE }} | |
| draft: false | |
| # - name: Publish beta/stable of Insomnia to Insomnia API | |
| # if: ${{ !contains(github.event.inputs.version, 'alpha') }} | |
| # run: | | |
| # curl \ | |
| # --fail \ | |
| # --request POST \ | |
| # --url $INSOMNIA_API_URL/v1/releases \ | |
| # --header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \ | |
| # --header "Content-Type: application/json" \ | |
| # --data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }" | |
| # env: | |
| # INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }} | |
| # INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }} | |
| # RELEASE_APP: com.insomnia.app | |
| # RELEASE_VERSION: ${{ env.RELEASE_VERSION }} | |
| # RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} | |
| # - name: Publish beta/stable of inso to Insomnia API | |
| # if: ${{ !contains(github.event.inputs.version, 'alpha') }} | |
| # run: | | |
| # curl \ | |
| # --fail \ | |
| # --request POST \ | |
| # --url $INSOMNIA_API_URL/v1/releases \ | |
| # --header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \ | |
| # --header "Content-Type: application/json" \ | |
| # --data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }" | |
| # env: | |
| # INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }} | |
| # INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }} | |
| # RELEASE_APP: com.insomnia.inso | |
| # RELEASE_VERSION: ${{ env.INSO_VERSION }} | |
| # RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} | |
| # # TODO: also take care of aarch64 image | |
| # - name: Load the Inso CLI Docker Archive | |
| # run: | | |
| # docker load -i ./artifacts/Linux-X64-artifacts/insomnia-inso/artifacts/inso-docker-image.tar | |
| # docker image ls | |
| # - name: Login to Docker Hub | |
| # uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.1.0 | |
| # with: | |
| # username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
| # password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| # - name: Docker meta for Inso CLI Docker Image | |
| # id: inso_docker_meta | |
| # uses: docker/metadata-action@v5 | |
| # with: | |
| # images: ${{ env.INSO_DOCKER_IMAGE }} | |
| # tags: | | |
| # type=raw,value=${{ env.INSO_VERSION }},prirority=1000 | |
| # type=raw,value=latest,enable=${{ env.IS_PRERELEASE == 'false' }} | |
| # type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }} | |
| # type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }} | |
| # sep-tags: "," | |
| # - name: Push Inso CLI docker image tags to Docker Hub | |
| # run: | | |
| # for tag in ${IMAGE_TAGS//,/ }; do \ | |
| # docker tag insomnia-inso:temp $tag | |
| # docker push $tag; \ | |
| # done | |
| # env: | |
| # IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }} | |
| # # Setup regctl to parse platform specific image digest from image manifest | |
| # - name: Install regctl | |
| # uses: regclient/actions/regctl-installer@main | |
| # # The image manifest digest/sha is generated only after the image is published to registry | |
| # - name: Parse architecture specific digest from image manifest | |
| # id: image_manifest_metadata | |
| # run: | | |
| # INSO_IMAGE=${{ env.INSO_DOCKER_IMAGE }}:${{ steps.inso_docker_meta.outputs.version }} | |
| # inso_image_sha="$(regctl image digest "${INSO_IMAGE}")" | |
| # echo "inso_image_sha=${inso_image_sha}" >> $GITHUB_OUTPUT | |
| # # Signing images requires image manifest digest | |
| # - name: Sign images | |
| # id: sign_images | |
| # if: ${{ steps.image_manifest_metadata.outputs.inso_image_sha != '' }} | |
| # uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2 | |
| # with: | |
| # image_digest: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }} | |
| # tags: ${{ steps.inso_docker_meta.outputs.tags }} | |
| # registry_username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
| # registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| # # Optional: Central notary repository for image signatures | |
| # signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
| # signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| # signature_registry: ${{ env.NOTARY_REPOSITORY }} | |
| # - name: Upload sourcemaps to Sentry | |
| # env: | |
| # SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}' | |
| # SENTRY_ORG: '${{ secrets.SENTRY_ORG }}' | |
| # SENTRY_PROJECT: '${{ secrets.SENTRY_PROJECT }}' | |
| # run: | | |
| # curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.2.0" bash | |
| # sentry-cli releases new ${{ env.RELEASE_VERSION }} | |
| # sentry-cli releases set-commits ${{ env.RELEASE_VERSION }} --commit 'Kong/insomnia@${{ env.RELEASE_BRANCH }}' | |
| # sentry-cli sourcemaps upload -r ${{ env.RELEASE_VERSION }} ./artifacts/*-latest-sentry | |
| # - name: Upload x64 Linux snap to snapcraft (beta and stable only) | |
| # if: ${{ !contains(github.event.inputs.version, 'alpha') }} | |
| # uses: canonical/action-publish@v1 | |
| # env: | |
| # SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE_NEW }} | |
| # with: | |
| # snap: artifacts/Linux-X64-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}-amd64.snap | |
| # release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }} | |
| # # TODO: also release for aarch64 Linux? | |
| # - name: Upload .deb to pulp and/or cloudsmith (stable only) | |
| # if: ${{ !contains(github.event.inputs.version, 'alpha') && !contains(github.event.inputs.version, 'beta') }} | |
| # uses: docker://kong/release-script:latest | |
| # env: | |
| # PULP_USERNAME: ${{ secrets.PULP_USERNAME }} | |
| # PULP_PASSWORD: ${{ secrets.PULP_PASSWORD }} | |
| # PULP_HOST: ${{ secrets.PULP_HOST }} | |
| # VERBOSE: ${{ runner.debug == '1' && '1' || '' }} | |
| # CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }} | |
| # CLOUDSMITH_DRY_RUN: '' | |
| # IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }} | |
| # USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }} | |
| # USE_PULP: ${{ vars.USE_PULP }} | |
| # with: | |
| # entrypoint: /entrypoint.sh | |
| # args: > | |
| # release | |
| # --file artifacts/Linux-X64-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}-amd64.deb | |
| # --dist-name ubuntu | |
| # --dist-version focal | |
| # --package-type insomnia | |
| # ${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }} | |
| # - name: Configure Git user | |
| # uses: Homebrew/actions/git-user-config@master | |
| # with: | |
| # username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }} | |
| # - name: Merge git branch into develop | |
| # run: | | |
| # remote_repo="https://${GITHUB_ACTOR}:${RELEASE_GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" | |
| # git checkout develop | |
| # git merge --no-ff ${{ env.RELEASE_BRANCH }} | |
| # git status | |
| # git push "${remote_repo}" | |
| # env: | |
| # RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }} | |
| artifact-provenance: | |
| needs: [publish] | |
| permissions: | |
| id-token: write # needed for signing the images | |
| actions: read # For getting workflow run info to build provenance | |
| packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues | |
| contents: write | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| include: | |
| - product: insomnia | |
| binary_artifacts_subject_as_file: ${{ needs.publish.outputs.ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }} | |
| - product: inso | |
| binary_artifacts_subject_as_file: ${{ needs.publish.outputs.INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }} | |
| # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498 | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 | |
| with: | |
| base64-subjects-as-file: "${{ matrix.binary_artifacts_subject_as_file }}" | |
| upload-assets: true | |
| upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }} | |
| provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl | |
| draft-release: false | |
| inso-image-provenance: | |
| needs: [publish] | |
| permissions: | |
| id-token: write # needed for signing the images | |
| actions: read # For getting workflow run info to build provenance | |
| packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues | |
| # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498 | |
| contents: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 | |
| with: | |
| image: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE }} | |
| digest: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE_DIGEST }} | |
| provenance-repository: "${{ needs.publish.outputs.NOTARY_REPOSITORY }}" | |
| secrets: | |
| registry-username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
| registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }} | |
| provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} |