release message (#7483)

* message * check for stable * clearer title * fix lint * improve publish script dx * [skipci] comment
Kong · Jun 5, 2024 · a5204cf · a5204cf
1 parent 3f34ef4
commit a5204cf
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 39 deletions.
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -10,20 +10,22 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  check:
+  # shared kong github action for security checking
+  generate-sbom-and-upload-assets:
     runs-on: ubuntu-latest
     permissions:
-      packages: write 
+      packages: write
       contents: write # publish sbom to GH releases/tag assets
     steps:
       - name: Checkout repository
         uses: actions/checkout@v3
 
-      # Perform SCA / SBOM analysis for the entiire monorepo code repository
-      # Produces SBOM and CVE report
+      # Perform SCA / SBOM analysis for the entire monorepo code repository
+      # Produces SCA(SBOM and CVE) report
       # Helps understand vulnerabilities / license compliance across third party dependencies
       # Automatically uploads to workflow assets
-      # (TODO): Prouce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574
+      # (TODO): Produce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574
+      # (TODO): needs check (block) further steps if SCA fails
       - id: sca-project
         uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
         with:
@@ -39,8 +41,8 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          # macos-13 supports both intel and apple sillicon on inso cli properly
-          # macos-latest is defaulting to apple sillicon and breaks inso cli retrocompatibility
+          # macos-13 supports both intel and apple silicon on inso cli properly
+          # macos-latest is defaulting to apple silicon and breaks inso cli retrocompatibility
           - os: macos-13
             csc_link_secret: DESIGNER_MAC_CSC_LINK
             csc_key_password_secret: DESIGNER_MAC_CSC_KEY_PASSWORD
@@ -141,7 +143,7 @@ jobs:
         run: |
           DOCKER_BUILDKIT=1 docker build --tag ${{ env.INSO_PACKAGE_NAME }}:temp ./packages/${{ env.INSO_PACKAGE_NAME }}
           docker save ${{ env.INSO_PACKAGE_NAME }}:temp -o ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }}
-      
+
       # Produce Docker SBOM for Inso Image
       # Automatically uploads to workflow assets
       - name: Scan inso docker artifacts

diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }}
-      INSO_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.inso_binary_artifact_digest_base64 }}  
+      INSO_BINARY_ARTIFACTS_DIGEST_BASE64: ${{ steps.metadata.outputs.inso_binary_artifact_digest_base64 }}
       INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }}
       INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
       INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }}
@@ -50,37 +50,45 @@ jobs:
       - name: Install packages
         run: npm ci
 
-      - name: Download artifact
+      - name: Download all artifacts from release-build.yml
         uses: dawidd6/action-download-artifact@v2
         with:
           github_token: ${{secrets.GITHUB_TOKEN}}
           workflow: release-build.yml
           workflow_conclusion: success
           branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created
           path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets
-      
+
       - name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily
         id: metadata
         run: |
           INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj)
-          echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV 
-
-          inso_binary_artifact_digest_base64=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \
-          \( -name "inso-*.zip" -o -name "inso-*.pkg" -o -name "inso-*.tar.xz" \) \
-          -exec sha256sum {} \; | sed "s/\(.* \)\(.*\(inso\)\)/\1\\3/" | sort | base64 -w0)
-          echo "Inso CLI Artifact digest:"
-          echo "${inso_binary_artifact_digest_base64}"
-          echo "inso_binary_artifact_digest_base64=${inso_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT
+          echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV
           
-          electron_binary_artifacts=$(find "${{env.ARTIFACTS_DOWNLOAD_PATH}}" -type f \
-          \( -name "Insomnia.Core-*" \) \
-          -exec sha256sum {} \; | sed "s/\(.* \)\(.*\(Insomnia.Core\)\)/\1\\3/" | sort)
+          ARTIFACT_PATH="${{ env.ARTIFACTS_DOWNLOAD_PATH }}"
 
-          echo "${electron_binary_artifacts}"
-          electron_binary_artifact_digest_base64=$(echo "${electron_binary_artifacts}" | base64 -w0)
-          echo "Electron Binary Artifact digest:"
-          echo "${electron_binary_artifact_digest_base64}"
-          echo "electron_binary_artifact_digest_base64=${electron_binary_artifact_digest_base64}" >> $GITHUB_OUTPUT
+          # To test set ARTIFACT_PATH to a local path, containing an inso-1.zip and Insomnia.Core-1.zip and paste the next 18 lines in a terminal
+          echo "CLI FILES FOUND"
+          cli_files=$(find "${ARTIFACT_PATH}" -type f \( -name "inso-*.zip" -o -name "inso-*.pkg" -o -name "inso-*.tar.xz" \) -exec sha256sum {} \;)
+          echo "${cli_files}"
+          echo "CLI FILES WITH PATH STRIPPED"
+          cli_replaced_files=$(echo "${cli_files}" | sed "s/\(.* \)\(.*\(inso\)\)/\1\\3/" | sort)
+          echo "${cli_replaced_files}"
+          echo "CLI FILE DIGEST"
+          cli_digest=$(echo "${cli_replaced_files}" | base64 -w0)
+          echo "${cli_digest}"
+          echo "APP FILES FOUND"
+          app_files=$(find "${ARTIFACT_PATH}" -type f \( -name "Insomnia.Core-*" \)  -exec sha256sum {} \;)
+          echo "${app_files}"
+          echo "APP FILES WITH PATH STRIPPED"
+          app_replaced_files=$(echo "${app_files}" | sed "s/\(.* \)\(.*\(Insomnia.Core\)\)/\1\\3/" | sort)
+          echo "${app_replaced_files}"
+          echo "APP FILE DIGEST"
+          app_digest=$(echo "${app_replaced_files}" | base64 -w0)
+          echo "${app_digest}"
+          
+          echo "inso_binary_artifact_digest_base64=${cli_digest}" >> $GITHUB_OUTPUT
+          echo "electron_binary_artifact_digest_base64=${app_digest}" >> $GITHUB_OUTPUT
           
       - name: Temporarily move artifacts
         shell: bash
@@ -134,7 +142,7 @@ jobs:
           draft: false
 
       - name: Publish beta/stable of Insomnia to Insomnia API
-        if: "!contains(github.event.inputs.version, 'alpha')"
+        if: ${{ !contains(github.event.inputs.version, 'alpha') }}
         run: |
           curl \
             --fail \
@@ -151,7 +159,7 @@ jobs:
           RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
 
       - name: Publish beta/stable of inso to Insomnia API
-        if: "!contains(github.event.inputs.version, 'alpha')"
+        if: ${{ !contains(github.event.inputs.version, 'alpha') }}
         run: |
           curl \
             --fail \
@@ -168,7 +176,7 @@ jobs:
           RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
 
       - name: Upload to snapcraft (beta and stable only)
-        if: "!contains(github.event.inputs.version, 'alpha')"
+        if: ${{ !contains(github.event.inputs.version, 'alpha') }}
         uses: snapcore/action-publish@7fe468c9de12396a9c8964af5d0dfd1d5b493bd7
         env:
           SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE }}
@@ -177,6 +185,7 @@ jobs:
           release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
 
       - name: Upload .deb to pulp and/or cloudsmith (stable only)
+        if: ${{ !contains(github.event.inputs.version, 'alpha') && !contains(github.event.inputs.version, 'beta') }}
         uses: docker://kong/release-script:latest
         env:
           PULP_USERNAME: ${{ secrets.PULP_USERNAME }}
@@ -197,7 +206,7 @@ jobs:
             --dist-version focal
             --package-type insomnia
             ${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }}
-    
+
       - name: Load the Inso CLI Docker Archive
         run: |
           docker load -i ./artifacts/ubuntu-latest-artifacts/insomnia-inso/artifacts/inso-docker-image.tar
@@ -208,7 +217,7 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_REGISTRY_USER }}
           password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
-        
+
       - name: Docker meta for Inso CLI Docker Image
         id: inso_docker_meta
         uses: docker/metadata-action@v5
@@ -220,7 +229,7 @@ jobs:
             type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }}
             type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }}
           sep-tags: ","
-      
+
       - name: Push Inso CLI docker image tags to Docker Hub
         id: publish_isno_docker_image
         run: |
@@ -230,7 +239,7 @@ jobs:
           done
         env:
           IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }}
-      
+
       # Setup regctl to parse platform specific image digest from image manifest
       - name: Install regctl
         uses: regclient/actions/regctl-installer@main
@@ -257,7 +266,7 @@ jobs:
           signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
           signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
           signature_registry: ${{ env.NOTARY_REPOSITORY }}
-    
+
       - name: Upload sourcemaps to Sentry
         env:
           SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}'
@@ -285,7 +294,7 @@ jobs:
           git push "${remote_repo}"
         env:
           RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }}
-  
+
   artifact-provenance:
     needs: [publish]
     permissions:
@@ -306,7 +315,7 @@ jobs:
     with:
       base64-subjects: ${{matrix.binary_artifacts_digest_base64 }}
       upload-assets: true
-      upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }} 
+      upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }}
       provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl
       draft-release: false
 
@@ -327,4 +336,4 @@ jobs:
       registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
       registry-password:  ${{ secrets.DOCKER_REGISTRY_TOKEN }}
       provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
-      provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
+      provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
diff --git a/.github/workflows/release-start.yml b/.github/workflows/release-start.yml
@@ -13,7 +13,7 @@ on:
         - stable
       version:
         required: false
-        description: force version of the release (e.g. 9.0.0) leave blank to increment automatically
+        description: force version of the release (e.g. 9.0.0) if previous release was successful, this should auto increment
 
 jobs:
   setup-release-branch: