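---
# Release Build
#
# Runs on pushes to release/** branches. Builds the Insomnia desktop app and the
# Inso CLI per OS (macOS 13, Windows, Ubuntu), code-signs/notarizes where the
# platform requires it, produces SBOM / SCA reports, uploads everything as
# workflow artifacts, and finally rewrites the release PR description with the
# instructions for the separate "Publish" workflow.
name: Release Build

on:
  push:
    branches:
      - 'release/**'

# One in-flight run per workflow+ref: a newer push to the same release branch
# cancels the run that is still building.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # shared kong github action for security checking
  generate-sbom-and-upload-assets:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write # publish sbom to GH releases/tag assets
      # NOTE(review): `upload-sbom-release-assets` is set to false below, so
      # `contents: write` looks wider than this job currently exercises — confirm
      # against the sca action before narrowing it to `contents: read`.
    steps:
      - name: Checkout repository
        # aligned with the build job below, which already uses v4
        uses: actions/checkout@v4
      # Perform SCA / SBOM analysis for the entire monorepo code repository
      # Produces SCA(SBOM and CVE) report
      # Helps understand vulnerabilities / license compliance across third party dependencies
      # Automatically uploads to workflow assets
      # (TODO): Produce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574
      # (TODO): needs check (block) further steps if SCA fails
      # Pinned to a full commit SHA with the tag recorded in the trailing comment;
      # this is the pinning pattern the other third-party actions below should follow.
      - id: sca-project
        uses: Kong/public-shared-actions/security-actions/sca@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
        with:
          dir: .
          upload-sbom-release-assets: false

  build-and-upload-release-artifacts:
    timeout-minutes: 30
    runs-on: ${{ matrix.os }}
    # NOTE(review): no `permissions:` block here, so GITHUB_TOKEN gets the repository
    # default scope. Nothing visible in this job calls the GitHub API; `contents: read`
    # is likely sufficient — verify against the third-party actions before adding it.
    env:
      INSO_PACKAGE_NAME: insomnia-inso
      INSO_DOCKER_TAR: inso-docker-image.tar
    strategy:
      fail-fast: false
      matrix:
        include:
          # macos-13 supports both intel and apple silicon on inso cli properly
          # macos-latest is defaulting to apple silicon and breaks inso cli retrocompatibility
          - os: macos-13
            csc_link_secret: DESIGNER_MAC_CSC_LINK
            csc_key_password_secret: DESIGNER_MAC_CSC_KEY_PASSWORD
          - os: windows-latest
            csc_link_secret: ''
            csc_key_password_secret: ''
          - os: ubuntu-latest
            csc_link_secret: ''
            csc_key_password_secret: ''
    steps:
      - name: Checkout branch
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          cache: 'npm'
          cache-dependency-path: package-lock.json

      - name: Install packages
        run: npm ci

      # Reads the Inso CLI version from its package.json into INSO_VERSION for later steps.
      - name: Setup Inso CLI version env var
        run: |
          echo "INSO_VERSION=$(jq .version ./packages/${{ env.INSO_PACKAGE_NAME }}/package.json -rj)" >> $GITHUB_ENV

      # If this step fails it's possible apple has new license terms which need to be accepted by logging into https://developer.apple.com/account
      # Secrets are only resolved on the macOS matrix entry; the other entries get
      # empty strings because their csc_* matrix fields are ''.
      - name: Package app (MacOS only)
        if: matrix.os == 'macos-13'
        shell: bash
        run: npm run app-package
        env:
          NODE_OPTIONS: '--max_old_space_size=6144'
          APPLE_ID: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID || '' }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID_PASSWORD || '' }}
          CSC_LINK: ${{ matrix.csc_link_secret != '' && secrets[matrix.csc_link_secret] || '' }}
          CSC_KEY_PASSWORD: ${{ matrix.csc_key_password_secret != '' && secrets[matrix.csc_key_password_secret] || '' }}

      - name: Package app (Linux only)
        if: matrix.os == 'ubuntu-latest'
        shell: bash
        run: npm run app-package
        env:
          NODE_OPTIONS: '--max_old_space_size=6144'

      # creates unpacked electron-builder contents that can be signed afterwards
      - name: Package unpacked app (Windows only)
        if: matrix.os == 'windows-latest'
        shell: bash
        run: NODE_OPTIONS='--max_old_space_size=6144' npm run package:windows:unpacked -w insomnia

      - name: Move .dll and .exe files to /tosign (PowerShell)
        if: matrix.os == 'windows-latest'
        shell: pwsh
        run: |
          New-Item -Path "packages/insomnia/dist/win-unpacked/tosign" -ItemType Directory -Force
          New-Item -Path "packages/insomnia/dist/win-unpacked/signed" -ItemType Directory -Force
          Get-ChildItem -Path "packages/insomnia/dist/win-unpacked" -Filter *.dll | Move-Item -Destination "packages/insomnia/dist/win-unpacked/tosign"
          Get-ChildItem -Path "packages/insomnia/dist/win-unpacked" -Filter *.exe | Move-Item -Destination "packages/insomnia/dist/win-unpacked/tosign"

      # signs unpacked electron-builder contents, in this case only the .exe
      # NOTE(review): `@develop` is a mutable branch ref on a third-party action that
      # receives the code-signing credentials below, so what runs here can change
      # without a commit to this repository. Pin to a full commit SHA like the
      # Kong/public-shared-actions steps (`@<commit-sha> # <tag>`).
      - name: Code-sign unpacked .exe (Windows only)
        if: matrix.os == 'windows-latest'
        uses: sslcom/esigner-codesign@develop
        with:
          command: batch_sign
          username: ${{ secrets.ES_USERNAME }}
          password: ${{ secrets.ES_PASSWORD }}
          credential_id: ${{ secrets.ES_CREDENTIAL_ID }}
          totp_secret: ${{ secrets.ES_TOTP_SECRET }}
          dir_path: packages/insomnia/dist/win-unpacked/tosign
          output_path: packages/insomnia/dist/win-unpacked/signed
          override: true

      - name: Move .dll and .exe files back to win-unpacked and delete /tosign
        if: matrix.os == 'windows-latest'
        shell: pwsh
        run: |
          Get-ChildItem -Path "packages/insomnia/dist/win-unpacked/signed" -Filter *.dll | Move-Item -Destination "packages/insomnia/dist/win-unpacked"
          Get-ChildItem -Path "packages/insomnia/dist/win-unpacked/signed" -Filter *.exe | Move-Item -Destination "packages/insomnia/dist/win-unpacked"
          Remove-Item -Path "packages/insomnia/dist/win-unpacked/tosign" -Recurse -Force
          Remove-Item -Path "packages/insomnia/dist/win-unpacked/signed" -Recurse -Force

      # re-packages the now code-signed electron-builder contents into a squirrel installer
      # The signing credentials are exposed as env to the whole npm run; presumably
      # they are consumed by the sign hook inside the codesigner-win container — confirm,
      # and keep this step's shell output free of echoing env.
      - name: Package dist app (Windows only)
        if: matrix.os == 'windows-latest'
        shell: bash
        run: |
          docker pull ghcr.io/sslcom/codesigner-win:latest
          NODE_OPTIONS='--max_old_space_size=6144' npm run package:windows:dist -w insomnia
        env:
          USERNAME: ${{ secrets.ES_USERNAME }}
          PASSWORD: ${{ secrets.ES_PASSWORD }}
          CREDENTIAL_ID: ${{ secrets.ES_CREDENTIAL_ID }}
          TOTP_SECRET: ${{ secrets.ES_TOTP_SECRET }}

      - name: Package inso
        run: |
          echo "Replacing electron binary with node binary"
          node_modules/.bin/node-pre-gyp install --update-binary --directory node_modules/@getinsomnia/node-libcurl
          npm run build:production -w insomnia-inso
          npm run package -w insomnia-inso
        env:
          VERSION: ${{ env.INSO_VERSION }}

      - name: Code-sign & create Inso CLI installer (macOS only)
        if: matrix.os == 'macos-13'
        run: ./src/scripts/macos-pkg.sh
        shell: bash
        working-directory: ./packages/${{ env.INSO_PACKAGE_NAME }}
        continue-on-error: false
        env:
          MACOS_CERTIFICATE: ${{ secrets.DESIGNER_MAC_CSC_LINK }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.DESIGNER_MAC_CSC_KEY_PASSWORD }}
          PKG_NAME: inso-${{ matrix.os }}-${{ env.INSO_VERSION }}
          BUNDLE_ID: com.insomnia.inso
          VERSION: ${{ env.INSO_VERSION }}

      - name: Notarize Inso CLI installer (macOS only)
        if: matrix.os == 'macos-13'
        uses: lando/notarize-action@v2
        with:
          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg
          primary-bundle-id: com.insomnia.inso
          appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
          appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
          appstore-connect-team-id: FX44YY62GV
          verbose: true

      - name: Staple Inso CLI installer (macOS only)
        if: matrix.os == 'macos-13'
        uses: BoundfoxStudios/action-xcode-staple@v1
        with:
          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg

      - name: Notarize Inso CLI binary (macOS only)
        if: matrix.os == 'macos-13'
        uses: lando/notarize-action@v2
        with:
          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/binaries/inso
          primary-bundle-id: com.insomnia.inso-binary
          appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
          appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
          appstore-connect-team-id: FX44YY62GV

      - name: Create Inso zip/tar/gz artifacts
        run: npm run artifacts -w insomnia-inso

      # Builds the image and saves it as a tarball so the scan step below can read it
      # from disk without a registry.
      - name: Create inso Docker Image artifacts
        if: matrix.os == 'ubuntu-latest'
        run: |
          DOCKER_BUILDKIT=1 docker build --tag ${{ env.INSO_PACKAGE_NAME }}:temp ./packages/${{ env.INSO_PACKAGE_NAME }}
          docker save ${{ env.INSO_PACKAGE_NAME }}:temp -o ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }}

      # Produce Docker SBOM for Inso Image
      # Automatically uploads to workflow assets
      - name: Scan inso docker artifacts
        id: sbom_action
        if: matrix.os == 'ubuntu-latest'
        uses: Kong/public-shared-actions/security-actions/scan-docker-image@28d20a1f492927f35b00b317acd78f669c45f88b # v2.7.3
        with:
          asset_prefix: image-inso-${{ runner.os }}
          image: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }}
          upload-sbom-release-assets: false # No release is published yet. Uploads as workflow assets
          skip_cis_scan: true # CIS benchmark check is skipped here; only SBOM/CVE output is produced
        env:
          SYFT_SOURCE_NAME: ${{ env.INSO_DOCKER_TAR }}

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          if-no-files-found: ignore
          name: ${{ matrix.os }}-artifacts
          path: |
            packages/insomnia/dist/*.exe
            packages/insomnia/dist/squirrel-windows/*
            packages/insomnia/dist/*.zip
            packages/insomnia/dist/*.dmg
            packages/insomnia/dist/*.snap
            packages/insomnia/dist/*.rpm
            packages/insomnia/dist/*.deb
            packages/insomnia/dist/*.AppImage
            packages/insomnia/dist/*.tar.gz
            packages/insomnia-inso/artifacts/*

      - name: Upload source assets for Sentry
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}-sentry
          path: |
            packages/insomnia/build/*.js
            packages/insomnia/build/*.map
            !packages/insomnia/build/yarn-standalone.js

  update-pull-request:
    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
    needs: build-and-upload-release-artifacts
    runs-on: ubuntu-latest
    steps:
      # Strips the "release/" prefix from the branch name to get the version string.
      - name: Get release version
        id: release_version
        shell: bash
        run: |
          echo "version=${BRANCH/release\//}" >> $GITHUB_OUTPUT
        env:
          BRANCH: ${{ github.ref_name }}

      # NOTE(review): the action reference on the `uses:` line reads as
      # "[email protected]" in this copy, which looks like extraction damage rather
      # than a real owner/repo@ref. Restore the original reference (pinned to a
      # commit SHA) before relying on this file.
      - name: update-pull-request
        uses: kt3k/[email protected]
        with:
          pr_body: |
            # WARNING: <ins>Do not merge</ins> this PR. Use the "Publish" workflow.
            ## Publish workflow:
            When ready to publish, trigger [Publish](https://github.com/${{ github.repository }}/actions/workflows/release-publish.yml) workflow with these variables:
            - Release version (`version`): `${{ steps.release_version.outputs.version }}`
            Alternatively, you can trigger the workflow from [GitHub CLI](https://cli.github.com/):
            ```bash
            gh workflow run release-publish.yml -f version=${{ steps.release_version.outputs.version }} --repo ${{ github.repository }}
            ```
            > Release notes will be generated automatically based on the commit messages during publish. Remove any unwanted notes manually afterwards.
            ## Release artifacts:
            Download release artifacts [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
            <details>
            <summary>Edit Changelog file...</summary>
            You can update the changelog.md in this branch, run git log to get the latest changes:
            ```bash
            git log --no-merges --oneline --pretty=format:'* %s by @%an' --since="<last release tag>" --until="release/${{ steps.release_version.outputs.version }}"
            ```
            </details>
            <details>
            <summary>Conflicts? Merge branch step failed on the publish workflow? Try this...</summary>
            Run locally:
            ```bash
            # Make sure git remote is Kong/insomnia...
            git checkout develop
            git merge --no-ff release/<replaced with version>
            # Solve merge conflicts ...
            # If there's package-lock conflicts, run `npm install` and commit the package-lock changes
            git push
            ```
            </details>
          destination_branch: develop
          github_token: ${{ secrets.GITHUB_TOKEN }}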