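# Release build pipeline: runs on every push to a release/** branch, produces
# an SCA/SBOM report for the repository, builds and signs the desktop app and
# the Inso CLI per OS, scans the Inso Docker image, uploads everything as
# workflow artifacts, and opens/updates the automated release PR into develop.
name: Release Build

on:  # yamllint disable-line rule:truthy -- GitHub's loader reads `on` as a key
  push:
    branches:
      - 'release/**'

# One build per ref at a time; a newer push to the same branch cancels the running one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # shared kong github action for security checking
  generate-sbom-and-upload-assets:
    runs-on: ubuntu-latest
    # Same default timeout the update-pull-request job uses; the SBOM scan previously had none.
    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
    # Explicit least-privilege token for this job only.
    permissions:
      packages: write
      contents: write  # publish sbom to GH releases/tag assets
    steps:
      - name: Checkout repository
        # Same major as the build job below (was pinned to v3 here, v4 there).
        uses: actions/checkout@v4
      # Perform SCA / SBOM analysis for the entire monorepo code repository
      # Produces SCA (SBOM and CVE) report
      # Helps understand vulnerabilities / license compliance across third party dependencies
      # Automatically uploads to workflow assets
      # (TODO): Produce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574
      # (TODO): needs a check that blocks further steps if SCA fails
      - id: sca-project
        uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250  # v2.3.0
        with:
          dir: .
          upload-sbom-release-assets: false

  build-and-upload-release-artifacts:
    timeout-minutes: 30
    runs-on: ${{ matrix.os }}
    # NOTE(review): no explicit `permissions:` here, so the job inherits the repository default
    # token scope; confirm what scan-docker-image needs before restricting it.
    env:
      INSO_PACKAGE_NAME: insomnia-inso
      INSO_DOCKER_TAR: inso-docker-image.tar
    strategy:
      fail-fast: false
      matrix:
        include:
          # macos-13 supports both intel and apple silicon on inso cli properly
          # macos-latest is defaulting to apple silicon and breaks inso cli retrocompatibility
          # csc_*_secret hold the NAMES of the code-signing secrets; the values are
          # resolved with secrets[...] only on the OS that needs them.
          - os: macos-13
            csc_link_secret: DESIGNER_MAC_CSC_LINK
            csc_key_password_secret: DESIGNER_MAC_CSC_KEY_PASSWORD
          - os: windows-latest
            csc_link_secret: DESIGNER_WINDOWS_CSC_LINK
            csc_key_password_secret: DESIGNER_WINDOWS_CSC_KEY_PASSWORD
          - os: ubuntu-latest
            csc_link_secret: ''
            csc_key_password_secret: ''
    steps:
      - name: Checkout branch
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          cache: 'npm'
          cache-dependency-path: package-lock.json

      - name: Install packages
        run: npm ci

      # Apple ID / signing secrets are only exposed to the macOS runner.
      - name: Package app (MacOS only)
        if: matrix.os == 'macos-13'
        shell: bash
        run: npm run app-package
        env:
          NODE_OPTIONS: '--max_old_space_size=6144'
          APPLE_ID: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID || '' }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID_PASSWORD || '' }}
          CSC_LINK: ${{ matrix.csc_link_secret != '' && secrets[matrix.csc_link_secret] || '' }}
          CSC_KEY_PASSWORD: ${{ matrix.csc_key_password_secret != '' && secrets[matrix.csc_key_password_secret] || '' }}

      - name: Package app (Windows and Linux)
        if: matrix.os != 'macos-13'
        shell: bash
        run: npm run app-package
        env:
          NODE_OPTIONS: '--max_old_space_size=6144'

      # Reads the CLI version from its package.json so later steps can name artifacts by it.
      - name: Setup Inso CLI version env var
        run: |
          echo "INSO_VERSION=$(jq .version ./packages/${{ env.INSO_PACKAGE_NAME }}/package.json -rj)" >> "$GITHUB_ENV"

      - name: Package inso
        run: |
          echo "Replacing electron binary with node binary"
          node_modules/.bin/node-pre-gyp install --update-binary --directory node_modules/@getinsomnia/node-libcurl
          npm run inso-package
        env:
          VERSION: ${{ env.INSO_VERSION }}

      - name: Code-sign & create Inso CLI installer (macOS only)
        if: matrix.os == 'macos-13'
        run: ./src/scripts/macos-pkg.sh
        shell: bash
        working-directory: ./packages/${{ env.INSO_PACKAGE_NAME }}
        continue-on-error: false
        env:
          MACOS_CERTIFICATE: ${{ secrets.DESIGNER_MAC_CSC_LINK }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.DESIGNER_MAC_CSC_KEY_PASSWORD }}
          PKG_NAME: inso-${{ matrix.os }}-${{ env.INSO_VERSION }}
          BUNDLE_ID: com.insomnia.inso
          VERSION: ${{ env.INSO_VERSION }}

      # TODO(review): the notarize/staple actions below are pinned by mutable tag; pin them to a
      # commit SHA with a version comment, as the Kong actions in this file are.
      - name: Notarize Inso CLI installer (macOS only)
        if: matrix.os == 'macos-13'
        uses: lando/notarize-action@v2
        with:
          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg
          primary-bundle-id: com.insomnia.inso
          appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
          appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
          appstore-connect-team-id: FX44YY62GV

      - name: Staple Inso CLI installer (macOS only)
        if: matrix.os == 'macos-13'
        uses: BoundfoxStudios/action-xcode-staple@v1
        with:
          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg

      - name: Notarize Inso CLI binary (macOS only)
        if: matrix.os == 'macos-13'
        uses: lando/notarize-action@v2
        with:
          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/binaries/inso
          primary-bundle-id: com.insomnia.inso-binary
          appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
          appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
          appstore-connect-team-id: FX44YY62GV

      - name: Create inso artifacts
        run: npm run inso-package:artifacts

      - name: Create inso Docker Image artifacts
        if: matrix.os == 'ubuntu-latest'
        run: |
          DOCKER_BUILDKIT=1 docker build --tag ${{ env.INSO_PACKAGE_NAME }}:temp ./packages/${{ env.INSO_PACKAGE_NAME }}
          docker save ${{ env.INSO_PACKAGE_NAME }}:temp -o ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }}

      # Produce Docker SBOM for Inso Image
      # Automatically uploads to workflow assets
      - name: Scan inso docker artifacts
        id: sbom_action
        if: matrix.os == 'ubuntu-latest'
        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250  # v2.3.0
        with:
          asset_prefix: image-inso-${{ runner.os }}
          image: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }}
          upload-sbom-release-assets: false  # No release is published yet. Uploads as workflow assets
        env:
          SYFT_SOURCE_NAME: ${{ env.INSO_DOCKER_TAR }}

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          if-no-files-found: ignore
          name: ${{ matrix.os }}-artifacts
          path: |
            packages/insomnia/dist/*.exe
            packages/insomnia/dist/squirrel-windows/*
            packages/insomnia/dist/*.zip
            packages/insomnia/dist/*.dmg
            packages/insomnia/dist/*.snap
            packages/insomnia/dist/*.rpm
            packages/insomnia/dist/*.deb
            packages/insomnia/dist/*.AppImage
            packages/insomnia/dist/*.tar.gz
            packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/*

      - name: Upload source assets for Sentry
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.os }}-sentry
          path: |
            packages/insomnia/build/*.js
            packages/insomnia/build/*.map
            !packages/insomnia/build/yarn-standalone.js

  update-pull-request:
    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT) }}
    needs: build-and-upload-release-artifacts
    runs-on: ubuntu-latest
    # NOTE(review): no explicit `permissions:`; this job only needs to create/update a PR,
    # so a `pull-requests: write` scope is presumably sufficient -- confirm against the action.
    steps:
      # The branch name is passed through an env var rather than interpolated into the
      # script, so a crafted ref name cannot alter the shell command.
      - name: Get release version
        id: release_version
        shell: bash
        run: |
          echo "version=${BRANCH/release\//}" >> "$GITHUB_OUTPUT"
        env:
          BRANCH: ${{ github.ref_name }}

      # TODO(review): pin to a commit SHA with a version comment, like the Kong actions above.
      - name: update-pull-request
        uses: kt3k/[email protected]
        with:
          pr_body: |
            **WARNING: Do not merge this PR. This is an automated release PR. It should be released using the "Publish" workflow.**
            Download release artifacts [here](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
            ## Steps for Publish:
            You can update the changelog.md in this branch, run git log to get the latest changes:
            ```bash
            git log --no-merges --oneline --pretty=format:'* %s by @%an' --since="<last release tag>" --until="release/${{ steps.release_version.outputs.version }}"
            ```
            When ready to publish, trigger [Publish](https://github.com/${{ github.repository }}/actions/workflows/release-publish.yml) workflow with these variables:
            - Release version (`version`): `${{ steps.release_version.outputs.version }}`
            Alternatively, you can trigger the workflow from [Github CLI](https://cli.github.com/):
            ```bash
            gh workflow run release-publish.yml -f version=${{ steps.release_version.outputs.version }} --repo ${{ github.repository }}
            ```
            Release notes will be generated automatically based on the commit messages during publish. Remove any unwanted notes manually afterwards.
            <details>
            <summary>Conflicts? Merge branch step failed on the publish workflow? Try this...</summary>
            Run locally:
            ```bash
            # Make sure git remote is Kong/insomnia...
            git checkout develop
            git merge --no-ff release/<replaced with version>
            # Solve merge conflicts ...
            # If there's package-lock conflicts, run `npm install` and commit the package-lock changes
            git push
            ```
            </details>
          destination_branch: develop
          github_token: ${{ secrets.GITHUB_TOKEN }}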