fix: use different security-actions version #388
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release Build | |
on: | |
push: | |
branches: | |
- 'release/**' | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
# shared kong github action for security checking | |
generate-sbom-and-upload-assets: | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
contents: write # publish sbom to GH releases/tag assets | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
# Perform SCA / SBOM analysis for the entire monorepo code repository | |
# Produces SCA(SBOM and CVE) report | |
# Helps understand vulnerabilities / license compliance across third party dependencies | |
# Automatically uploads to workflow assets | |
# (TODO): Produce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574 | |
# (TODO): needs check (block) further steps if SCA fails | |
- id: sca-project | |
uses: Kong/public-shared-actions/security-actions/sca@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3 | |
with: | |
dir: . | |
upload-sbom-release-assets: false | |
build-and-upload-release-artifacts: | |
timeout-minutes: 30 | |
runs-on: ${{ matrix.os }} | |
env: | |
INSO_PACKAGE_NAME: insomnia-inso | |
INSO_DOCKER_TAR: inso-docker-image.tar | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
# macos-13 supports both intel and apple silicon on inso cli properly | |
# macos-latest is defaulting to apple silicon and breaks inso cli retrocompatibility | |
- os: macos-13 | |
csc_link_secret: DESIGNER_MAC_CSC_LINK | |
csc_key_password_secret: DESIGNER_MAC_CSC_KEY_PASSWORD | |
- os: windows-latest | |
csc_link_secret: '' | |
csc_key_password_secret: '' | |
- os: ubuntu-latest | |
csc_link_secret: '' | |
csc_key_password_secret: '' | |
steps: | |
- name: Checkout branch | |
uses: actions/checkout@v4 | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version-file: '.nvmrc' | |
cache: 'npm' | |
cache-dependency-path: package-lock.json | |
- name: Install packages | |
run: npm ci | |
- name: Setup Inso CLI version env var | |
run: | | |
echo "INSO_VERSION=$(jq .version ./packages/${{ env.INSO_PACKAGE_NAME }}/package.json -rj)" >> $GITHUB_ENV | |
# If this step fails its possible apple has new license terms which need to be accepted by logging into https://developer.apple.com/account | |
- name: Package app (MacOS only) | |
if: matrix.os == 'macos-13' | |
shell: bash | |
run: npm run app-package | |
env: | |
NODE_OPTIONS: '--max_old_space_size=6144' | |
APPLE_ID: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID || '' }} | |
APPLE_APP_SPECIFIC_PASSWORD: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID_PASSWORD || '' }} | |
CSC_LINK: ${{ matrix.csc_link_secret != '' && secrets[matrix.csc_link_secret] || '' }} | |
CSC_KEY_PASSWORD: ${{ matrix.csc_key_password_secret != '' && secrets[matrix.csc_key_password_secret] || '' }} | |
- name: Package app (Linux only) | |
if: matrix.os == 'ubuntu-latest' | |
shell: bash | |
run: npm run app-package | |
env: | |
NODE_OPTIONS: '--max_old_space_size=6144' | |
# creates unpacked electron-builder contents that can be signed afterwards | |
- name: Package unpacked app (Windows only) | |
if: matrix.os == 'windows-latest' | |
shell: bash | |
run: NODE_OPTIONS='--max_old_space_size=6144' npm run package:windows:unpacked -w insomnia | |
- name: Move .dll and .exe files to /tosign (PowerShell) | |
if: matrix.os == 'windows-latest' | |
shell: pwsh | |
run: | | |
New-Item -Path "packages/insomnia/dist/win-unpacked/tosign" -ItemType Directory -Force | |
New-Item -Path "packages/insomnia/dist/win-unpacked/signed" -ItemType Directory -Force | |
Get-ChildItem -Path "packages/insomnia/dist/win-unpacked" -Filter *.dll | Move-Item -Destination "packages/insomnia/dist/win-unpacked/tosign" | |
Get-ChildItem -Path "packages/insomnia/dist/win-unpacked" -Filter *.exe | Move-Item -Destination "packages/insomnia/dist/win-unpacked/tosign" | |
# signs unpacked electron-builder contents, in this case only the .exe | |
- name: Code-sign unpacked .exe (Windows only) | |
if: matrix.os == 'windows-latest' | |
uses: sslcom/esigner-codesign@develop | |
with: | |
command: batch_sign | |
username: ${{secrets.ES_USERNAME}} | |
password: ${{secrets.ES_PASSWORD}} | |
credential_id: ${{secrets.ES_CREDENTIAL_ID}} | |
totp_secret: ${{secrets.ES_TOTP_SECRET}} | |
dir_path: packages/insomnia/dist/win-unpacked/tosign | |
output_path: packages/insomnia/dist/win-unpacked/signed | |
override: true | |
- name: Move .dll and .exe files back to win-unpacked and delete /tosign | |
if: matrix.os == 'windows-latest' | |
shell: pwsh | |
run: | | |
Get-ChildItem -Path "packages/insomnia/dist/win-unpacked/signed" -Filter *.dll | Move-Item -Destination "packages/insomnia/dist/win-unpacked" | |
Get-ChildItem -Path "packages/insomnia/dist/win-unpacked/signed" -Filter *.exe | Move-Item -Destination "packages/insomnia/dist/win-unpacked" | |
Remove-Item -Path "packages/insomnia/dist/win-unpacked/tosign" -Recurse -Force | |
Remove-Item -Path "packages/insomnia/dist/win-unpacked/signed" -Recurse -Force | |
# re-packages the now code-signed electron-builder contents into a squirrel installer | |
- name: Package dist app (Windows only) | |
if: matrix.os == 'windows-latest' | |
shell: bash | |
run: | | |
docker pull ghcr.io/sslcom/codesigner-win:latest | |
NODE_OPTIONS='--max_old_space_size=6144' npm run package:windows:dist -w insomnia | |
env: | |
USERNAME: ${{secrets.ES_USERNAME}} | |
PASSWORD: ${{secrets.ES_PASSWORD}} | |
CREDENTIAL_ID: ${{secrets.ES_CREDENTIAL_ID}} | |
TOTP_SECRET: ${{secrets.ES_TOTP_SECRET}} | |
- name: Package inso | |
run: | | |
echo "Replacing electron binary with node binary" | |
node_modules/.bin/node-pre-gyp install --update-binary --directory node_modules/@getinsomnia/node-libcurl | |
npm run build:production -w insomnia-inso | |
npm run package -w insomnia-inso | |
env: | |
VERSION: ${{ env.INSO_VERSION }} | |
- name: Code-sign & create Inso CLI installer (macOS only) | |
if: matrix.os == 'macos-13' | |
run: ./src/scripts/macos-pkg.sh | |
shell: bash | |
working-directory: ./packages/${{ env.INSO_PACKAGE_NAME }} | |
continue-on-error: false | |
env: | |
MACOS_CERTIFICATE: ${{ secrets.DESIGNER_MAC_CSC_LINK }} | |
MACOS_CERTIFICATE_PWD: ${{ secrets.DESIGNER_MAC_CSC_KEY_PASSWORD }} | |
PKG_NAME: inso-${{ matrix.os }}-${{ env.INSO_VERSION }} | |
BUNDLE_ID: com.insomnia.inso | |
VERSION: ${{ env.INSO_VERSION }} | |
- name: Notarize Inso CLI installer (macOS only) | |
if: matrix.os == 'macos-13' | |
uses: lando/notarize-action@v2 | |
with: | |
product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg | |
primary-bundle-id: com.insomnia.inso | |
appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }} | |
appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }} | |
appstore-connect-team-id: FX44YY62GV | |
verbose: true | |
- name: Staple Inso CLI installer (macOS only) | |
if: matrix.os == 'macos-13' | |
uses: BoundfoxStudios/action-xcode-staple@v1 | |
with: | |
product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg | |
- name: Notarize Inso CLI binary (macOS only) | |
if: matrix.os == 'macos-13' | |
uses: lando/notarize-action@v2 | |
with: | |
product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/binaries/inso | |
primary-bundle-id: com.insomnia.inso-binary | |
appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }} | |
appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }} | |
appstore-connect-team-id: FX44YY62GV | |
- name: Create Inso zip/tar/gz artifacts | |
run: npm run artifacts -w insomnia-inso | |
- name: Create inso Docker Image artifacts | |
if: matrix.os == 'ubuntu-latest' | |
run: | | |
DOCKER_BUILDKIT=1 docker build --tag ${{ env.INSO_PACKAGE_NAME }}:temp ./packages/${{ env.INSO_PACKAGE_NAME }} | |
docker save ${{ env.INSO_PACKAGE_NAME }}:temp -o ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }} | |
# Produce Docker SBOM for Inso Image | |
# Automatically uploads to workflow assets | |
- name: Scan inso docker artifacts | |
id: sbom_action | |
if: matrix.os == 'ubuntu-latest' | |
uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3 | |
with: | |
asset_prefix: image-inso-${{ runner.os }} | |
image: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }} | |
upload-sbom-release-assets: false # No release is publushed yet. Uploads as workflow assets | |
env: | |
SYFT_SOURCE_NAME: ${{ env.INSO_DOCKER_TAR }} | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
if-no-files-found: ignore | |
name: ${{ matrix.os }}-artifacts | |
path: | | |
packages/insomnia/dist/*.exe | |
packages/insomnia/dist/squirrel-windows/* | |
packages/insomnia/dist/*.zip | |
packages/insomnia/dist/*.dmg | |
packages/insomnia/dist/*.snap | |
packages/insomnia/dist/*.rpm | |
packages/insomnia/dist/*.deb | |
packages/insomnia/dist/*.AppImage | |
packages/insomnia/dist/*.tar.gz | |
packages/insomnia-inso/artifacts/* | |
- name: Upload source assets for Sentry | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ matrix.os }}-sentry | |
path: | | |
packages/insomnia/build/*.js | |
packages/insomnia/build/*.map | |
!packages/insomnia/build/yarn-standalone.js | |
update-pull-request: | |
timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }} | |
needs: build-and-upload-release-artifacts | |
runs-on: ubuntu-latest | |
steps: | |
- name: Get release version | |
id: release_version | |
shell: bash | |
run: | | |
echo "version=${BRANCH/release\//}" >> $GITHUB_OUTPUT | |
env: | |
BRANCH: ${{ github.ref_name }} | |
- name: update-pull-request | |
uses: kt3k/[email protected] | |
with: | |
pr_body: | | |
**WARNING: Do not merge this PR. This is an automated release PR. It should be released using the "Publish" workflow.** | |
Download release artifacts [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) | |
## Steps for Publish: | |
You can update the changelog.md in this branch, run git log to get the latest changes: | |
```bash | |
git log --no-merges --oneline --pretty=format:'* %s by @%an' --since="<last release tag>" --until="release/${{ steps.release_version.outputs.version }}" | |
``` | |
When ready to publish, trigger [Publish](https://github.com/${{ github.repository }}/actions/workflows/release-publish.yml) workflow with these variables: | |
- Release version (`version`): `${{ steps.release_version.outputs.version }}` | |
Alternatively, you can trigger the workflow from [Github CLI](https://cli.github.com/): | |
```bash | |
gh workflow run release-publish.yml -f version=${{ steps.release_version.outputs.version }} --repo ${{ github.repository }} | |
``` | |
Release notes will be generated automatically based on the commit messages during publish. Remove any unwanted notes manually afterwards. | |
<details> | |
<summary>Conflicts? Merge branch step failed on the publish workflow? Try this...</summary> | |
Run locally: | |
```bash | |
# Make sure git remote is Kong/insomnia... | |
git checkout develop | |
git merge --no-ff release/<replaced with version> | |
# Solve merge conflicts ... | |
# If there's package-lock conflicts, run `npm install` and commit the package-lock changes | |
git push | |
``` | |
</details> | |
destination_branch: develop | |
github_token: ${{ secrets.GITHUB_TOKEN }} |