Publish 11.5.0-beta.2 channel by @pavkout #299

Workflow file for this run

.github/workflows/release-publish.yml at 40a411e

	name: Release Publish
	run-name: Publish ${{ github.event.inputs.version }} channel by @${{ github.actor }}

	on:
	workflow_dispatch:
	inputs:
	version:
	required: true
	description: Release version (e.g. 2022.1.0 or 2022.1.0-beta.0)

	env:
	RELEASE_VERSION: ${{ github.event.inputs.version }}
	RELEASE_CORE_TAG: core@${{ github.event.inputs.version }}
	RELEASE_BRANCH: release/${{ github.event.inputs.version }}
	IS_PRERELEASE: ${{ contains(github.event.inputs.version, 'alpha') \|\| contains(github.event.inputs.version, 'beta') }}
	ARTIFACTS_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts
	ARTIFACTS_VERIFY_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts_verify
	INSO_DOCKER_IMAGE: kong/inso # By default, registry is docker.io
	NOTARY_REPOSITORY: "kong/notary" # All signatures will be pushed to public notary repository

	jobs:
	publish:
	timeout-minutes: 30
	runs-on: ubuntu-22.04
	outputs:
	NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }}
	INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.cli_binary_hashes.outputs.handle }}
	INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }}
	INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
	INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }}
	ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.electron_binary_hashes.outputs.handle }}
	permissions:
	id-token: write # needed for signing the images
	actions: read # For getting workflow run info for keyless signing of docker image
	contents: write # Required to upload assets. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
	packages: write
	steps:
	- name: Checkout branch # Check out the release branch
	uses: actions/checkout@v4
	with:
	ref: ${{ env.RELEASE_BRANCH }}
	fetch-depth: 0
	persist-credentials: false

	- name: Setup Node
	uses: actions/setup-node@v4
	with:
	node-version-file: ".nvmrc"
	cache: "npm"
	cache-dependency-path: package-lock.json
	registry-url: "https://npm.pkg.github.com"
	scope: "@kong"

	- name: Install packages
	run: npm ci
	env:
	NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Download all artifacts from release-build.yml
	uses: dawidd6/action-download-artifact@268677152d06ba59fcec7a7f0b5d961b6ccd7e1e # v2
	with:
	github_token: ${{secrets.GITHUB_TOKEN}}
	workflow: release-build.yml
	workflow_conclusion: success
	branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created
	path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets

	- name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily
	id: metadata
	run: \|
	INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj)
	echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV
	echo "CLI_ARTIFACT_BASE64_FILE=${{env.CLI_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV
	echo "ELECTRON_ARTIFACT_BASE64_FILE=${{env.ELECTRON_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV
	./.github/scripts/generate-binary-digest.sh
	env:
	ARTIFACT_PATH: "${{ env.ARTIFACTS_DOWNLOAD_PATH }}"
	CLI_ARTIFACT_SHAFILE: ${{runner.temp}}/cli.sha256
	ELECTRON_ARTIFACT_SHAFILE: ${{runner.temp}}/electron.sha256
	CLI_ARTIFACT_BASE64_FILE: ${{runner.temp}}/cli_digests_file.text
	ELECTRON_ARTIFACT_BASE64_FILE: ${{runner.temp}}/electron_digests_file.text

	- name: Calculate CLI Binary base64 file handle
	uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
	id: cli_binary_hashes
	with:
	path: ${{ env.CLI_ARTIFACT_BASE64_FILE }}

	- name: Calculate Electron Binary base64 file handle
	uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
	id: electron_binary_hashes
	with:
	path: ${{ env.ELECTRON_ARTIFACT_BASE64_FILE }}

	- name: Create Tag and Release
	uses: ncipollo/release-action@v1
	id: core_tag_and_release
	with:
	tag: ${{ env.RELEASE_CORE_TAG }}
	name: "${{ env.RELEASE_VERSION }} 📦"
	generateReleaseNotes: true
	commit: ${{ env.RELEASE_BRANCH }}
	prerelease: ${{ env.IS_PRERELEASE }}
	draft: false
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Upload artifacts to release
	uses: xresloader/upload-to-github-release@d29300fdff9f0fcd7c3eb960c490b2a6640fbf50 # v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	release_id: ${{ steps.core_tag_and_release.outputs.id }}
	tag_name: ${{ env.RELEASE_CORE_TAG }}
	file: "./artifacts/-artifacts/insomnia/dist/Insomnia.;./artifacts/-artifacts/insomnia/dist/{alpha,beta,latest}.yml;./artifacts/-artifacts/insomnia/dist/squirrel-windows/;./artifacts/-artifacts/insomnia-inso/artifacts/inso-;./artifacts//sbom.{spdx,cyclonedx}.json"
	prerelease: ${{ env.IS_PRERELEASE }}
	draft: false
	overwrite: true

	- name: Upload sourcemaps to Sentry
	env:
	SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}"
	SENTRY_ORG: "${{ secrets.SENTRY_ORG }}"
	SENTRY_PROJECT: "${{ secrets.SENTRY_PROJECT }}"
	run: \|
	curl -sL https://sentry.io/get-cli/ \| SENTRY_CLI_VERSION="2.2.0" bash

	sentry-cli releases new ${{ env.RELEASE_VERSION }}
	sentry-cli releases set-commits ${{ env.RELEASE_VERSION }} --commit 'Kong/insomnia@${{ env.RELEASE_BRANCH }}'
	sentry-cli sourcemaps upload -r ${{ env.RELEASE_VERSION }} ./artifacts/*-latest-sentry

	# TODO: also take care of aarch64 image
	- name: Load the Inso CLI Docker Archive
	run: \|
	docker load -i ./artifacts/Linux-X64-artifacts/insomnia-inso/artifacts/inso-docker-image.tar
	docker image ls

	- name: Login to Docker Hub
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.1.0
	with:
	username: ${{ secrets.DOCKER_REGISTRY_USER }}
	password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}

	- name: Docker meta for Inso CLI Docker Image
	id: inso_docker_meta
	uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
	with:
	images: ${{ env.INSO_DOCKER_IMAGE }}
	tags: \|
	type=raw,value=${{ env.RELEASE_VERSION }},priority=1000
	type=raw,value=latest,enable=${{ env.IS_PRERELEASE == 'false' }}
	type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }}
	type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }}
	sep-tags: ","

	- name: Push Inso CLI docker image tags to Docker Hub
	run: \|
	for tag in ${IMAGE_TAGS//,/ }; do \
	docker tag insomnia-inso:temp $tag
	docker push $tag; \
	done
	env:
	IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }}

	# Setup regctl to parse platform specific image digest from image manifest
	- name: Install regctl
	uses: regclient/actions/regctl-installer@ce5fd131e371ffcdd7508b478cb223b3511a9183 # main

	# The image manifest digest/sha is generated only after the image is published to registry
	- name: Parse architecture specific digest from image manifest
	id: image_manifest_metadata
	run: \|
	INSO_IMAGE=${{ env.INSO_DOCKER_IMAGE }}:${{ steps.inso_docker_meta.outputs.version }}
	inso_image_sha="$(regctl image digest "${INSO_IMAGE}")"
	echo "inso_image_sha=${inso_image_sha}" >> $GITHUB_OUTPUT

	# Signing images requires image manifest digest
	- name: Sign images
	id: sign_images
	if: ${{ steps.image_manifest_metadata.outputs.inso_image_sha != '' }}
	uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
	with:
	image_digest: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
	tags: ${{ steps.inso_docker_meta.outputs.tags }}
	registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
	registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
	# Optional: Central notary repository for image signatures
	signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
	signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
	signature_registry: ${{ env.NOTARY_REPOSITORY }}

	- name: Publish beta/stable of Insomnia to Insomnia API
	if: ${{ !contains(github.event.inputs.version, 'alpha') }}
	run: \|
	curl \
	--fail \
	--request POST \
	--url $INSOMNIA_API_URL/v1/releases \
	--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
	--header "Content-Type: application/json" \
	--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns \| sed 's/ /T/; s/$\....$.*$[+-]$/\1\2/g')\" }"
	env:
	INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
	INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
	RELEASE_APP: com.insomnia.app
	RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
	RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' \|\| 'stable' }}

	- name: Publish beta/stable of inso to Insomnia API
	if: ${{ !contains(github.event.inputs.version, 'alpha') }}
	run: \|
	curl \
	--fail \
	--request POST \
	--url $INSOMNIA_API_URL/v1/releases \
	--header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
	--header "Content-Type: application/json" \
	--data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns \| sed 's/ /T/; s/$\....$.*$[+-]$/\1\2/g')\" }"
	env:
	INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
	INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
	RELEASE_APP: com.insomnia.inso
	RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
	RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' \|\| 'stable' }}

	- name: Upload x64 Linux snap to snapcraft (beta and stable only)
	if: ${{ !contains(github.event.inputs.version, 'alpha') }}
	uses: canonical/action-publish@214b86e5ca036ead1668c79afb81e550e6c54d40 # v1
	env:
	SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE_NEW }}
	with:
	# TODO-ARM64: Replace to *-amd64.snap when we have ARM64 build from insomnia-ee
	snap: artifacts/Linux-X64-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap
	release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' \|\| 'stable' }}

	# TODO: also release for aarch64 Linux?
	- name: Upload .deb to pulp and/or cloudsmith (stable only)
	if: ${{ !contains(github.event.inputs.version, 'alpha') && !contains(github.event.inputs.version, 'beta') }}
	uses: docker://kong/release-script:latest
	env:
	PULP_USERNAME: ${{ secrets.PULP_USERNAME }}
	PULP_PASSWORD: ${{ secrets.PULP_PASSWORD }}
	PULP_HOST: ${{ secrets.PULP_HOST }}
	VERBOSE: ${{ runner.debug == '1' && '1' \|\| '' }}
	CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
	CLOUDSMITH_DRY_RUN: ""
	IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }}
	USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }}
	USE_PULP: ${{ vars.USE_PULP }}
	with:
	entrypoint: /entrypoint.sh
	# TODO-ARM64: Replace to *-amd64.deb when we have arm64 builds from insomnia-ee
	args: >
	release
	--file artifacts/Linux-X64-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.deb
	--dist-name ubuntu
	--dist-version focal
	--package-type insomnia
	${{ env.IS_PRERELEASE == 'true' && '--internal' \|\| '--publish' }}

	- name: Configure Git user
	uses: Homebrew/actions/git-user-config@266845213695c3047d210b2e8fbc42ecdaf45802 # master
	with:
	username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) \|\| 'insomnia-infra' }}

	- name: Merge git branch into develop
	run: \|
	remote_repo="https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
	git checkout develop
	git merge --no-ff ${{ env.RELEASE_BRANCH }}
	git status
	git push "${remote_repo}"
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	artifact-provenance:
	needs: [publish]
	permissions:
	id-token: write # needed for signing the images
	actions: read # For getting workflow run info to build provenance
	packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
	contents: write
	strategy:
	fail-fast: true
	matrix:
	include:
	- product: insomnia
	binary_artifacts_subject_as_file: ${{ needs.publish.outputs.ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }}
	- product: inso
	binary_artifacts_subject_as_file: ${{ needs.publish.outputs.INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }}
	# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects-as-file: "${{ matrix.binary_artifacts_subject_as_file }}"
	upload-assets: true
	upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }}
	provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl
	draft-release: false

	inso-image-provenance:
	needs: [publish]
	permissions:
	id-token: write # needed for signing the images
	actions: read # For getting workflow run info to build provenance
	packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
	# need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
	contents: write
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE }}
	digest: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE_DIGEST }}
	provenance-repository: "${{ needs.publish.outputs.NOTARY_REPOSITORY }}"
	secrets:
	registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
	registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
	provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
	provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Publish 11.5.0-beta.2 channel by @pavkout #299

Workflow file

Publish 11.5.0-beta.2 channel by @pavkout #299

Uh oh!

Jobs

Run details

Workflow file for this run