Merge branch 'develop' into feat-send-progress

Kong · Jun 6, 2024 · 50e495a · 50e495a
2 parents 498ff3b + 6b22f1d
commit 50e495a
Show file tree

Hide file tree

Showing 52 changed files with 2,356 additions and 1,517 deletions.
diff --git a/.github/scripts/generate-binary-digest.sh b/.github/scripts/generate-binary-digest.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/bash
+
+# To test locally, set ARTIFACT_PATH="packages" CLI_ARTIFACT_SHAFILE=cli.sha256 ELECTRON_ARTIFACT_SHAFILE=electron.sha256  ./.github/scripts/generate-binary-digest.sh
+set -euo pipefail
+echo "CLI FILES FOUND"
+cli_files=$(find "${ARTIFACT_PATH}" -type f \( -name "inso-*.zip" -o -name "inso-*.pkg" -o -name "inso-*.tar.xz" \) -exec sha256sum {} \;)
+echo "${cli_files}"
+echo "CLI FILES WITH PATH STRIPPED"
+echo "${cli_files}" | sed "s/\(.* \)\(.*\(inso\)\)/\1\\3/" | sort > "${CLI_ARTIFACT_SHAFILE}"
+cat "${CLI_ARTIFACT_SHAFILE}"
+echo "ELECTRON APP FILES FOUND"
+app_files=$(find "${ARTIFACT_PATH}" -type f \( -name "Insomnia.Core-*" \)  -exec sha256sum {} \;)
+echo "${app_files}"
+echo "ELECTRON APP FILES WITH PATH STRIPPED"
+echo "${app_files}" | sed "s/\(.* \)\(.*\(Insomnia.Core\)\)/\1\\3/" | sort > "${ELECTRON_ARTIFACT_SHAFILE}"
+cat "${ELECTRON_ARTIFACT_SHAFILE}"
+
+if [[ -z "$(cat ${CLI_ARTIFACT_SHAFILE})" ]]; then
+    echo "CLI Artifacts SHA256 Digest file generation failed"
+    exit 1
+else
+    echo "CLI ARTIFACT BASE64 DIGEST"
+    base64 -w0 "${CLI_ARTIFACT_SHAFILE}" > "${CLI_ARTIFACT_BASE64_FILE}"
+fi
+
+if [[ -z "$(cat ${ELECTRON_ARTIFACT_SHAFILE})" ]]; then
+    echo "ELECTRON Artifacts SHA256 Digest file generation failed"
+    exit 1
+else
+    echo "ELECTRON APP FILE DIGEST"
+    base64 -w0 "${ELECTRON_ARTIFACT_SHAFILE}" > "${ELECTRON_ARTIFACT_BASE64_FILE}"
+fi
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -10,14 +10,40 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  # shared kong github action for security checking
+  generate-sbom-and-upload-assets:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: write # publish sbom to GH releases/tag assets
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Perform SCA / SBOM analysis for the entire monorepo code repository
+      # Produces SCA(SBOM and CVE) report
+      # Helps understand vulnerabilities / license compliance across third party dependencies
+      # Automatically uploads to workflow assets
+      # (TODO): Produce workspace/package specific SBOM. Current limitation: https://github.com/anchore/syft/issues/2574
+      # (TODO): needs check (block) further steps if SCA fails
+      - id: sca-project
+        uses: Kong/public-shared-actions/security-actions/sca@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+        with:
+          dir: .
+          upload-sbom-release-assets: false
   build-and-upload-release-artifacts:
     timeout-minutes: 30
     runs-on: ${{ matrix.os }}
+    env:
+      INSO_PACKAGE_NAME: insomnia-inso
+      INSO_DOCKER_TAR: inso-docker-image.tar
     strategy:
       fail-fast: false
       matrix:
         include:
-          - os: macos-latest
+          # macos-13 supports both intel and apple silicon on inso cli properly
+          # macos-latest is defaulting to apple silicon and breaks inso cli retrocompatibility
+          - os: macos-13
             csc_link_secret: DESIGNER_MAC_CSC_LINK
             csc_key_password_secret: DESIGNER_MAC_CSC_KEY_PASSWORD
           - os: windows-latest
@@ -41,26 +67,26 @@ jobs:
         run: npm ci
 
       - name: Package app (MacOS only)
-        if: matrix.os == 'macos-latest'
+        if: matrix.os == 'macos-13'
         shell: bash
         run: npm run app-package
         env:
           NODE_OPTIONS: '--max_old_space_size=6144'
-          APPLE_ID: ${{ matrix.os == 'macos-latest' && secrets.DESIGNER_APPLE_ID || '' }}
-          APPLE_APP_SPECIFIC_PASSWORD: ${{ matrix.os == 'macos-latest' && secrets.DESIGNER_APPLE_ID_PASSWORD || '' }}
+          APPLE_ID: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID || '' }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ matrix.os == 'macos-13' && secrets.DESIGNER_APPLE_ID_PASSWORD || '' }}
           CSC_LINK: ${{ matrix.csc_link_secret != '' && secrets[matrix.csc_link_secret] || '' }}
           CSC_KEY_PASSWORD: ${{ matrix.csc_key_password_secret != '' && secrets[matrix.csc_key_password_secret] || ''  }}
 
       - name: Package app (Windows and Linux)
-        if: matrix.os != 'macos-latest'
+        if: matrix.os != 'macos-13'
         shell: bash
         run: npm run app-package
         env:
           NODE_OPTIONS: '--max_old_space_size=6144'
 
       - name: Setup Inso CLI version env var
         run:
-          echo "INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj)" >> $GITHUB_ENV
+          echo "INSO_VERSION=$(jq .version ./packages/${{ env.INSO_PACKAGE_NAME }}/package.json -rj)" >> $GITHUB_ENV
 
       - name: Package inso
         run: |
@@ -71,10 +97,10 @@ jobs:
           VERSION: ${{ env.INSO_VERSION }}
 
       - name: Code-sign & create Inso CLI installer (macOS only)
-        if: matrix.os == 'macos-latest'
+        if: matrix.os == 'macos-13'
         run: ./src/scripts/macos-pkg.sh
         shell: bash
-        working-directory: packages/insomnia-inso
+        working-directory: ./packages/${{ env.INSO_PACKAGE_NAME }}
         continue-on-error: false
         env:
           MACOS_CERTIFICATE: ${{ secrets.DESIGNER_MAC_CSC_LINK }}
@@ -84,26 +110,26 @@ jobs:
           VERSION: ${{ env.INSO_VERSION }}
 
       - name: Notarize Inso CLI installer (macOS only)
-        if: matrix.os == 'macos-latest'
+        if:  matrix.os == 'macos-13'
         uses: lando/notarize-action@v2
         with:
-          product-path: packages/insomnia-inso/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg
+          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg
           primary-bundle-id: com.insomnia.inso
           appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
           appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
           appstore-connect-team-id: FX44YY62GV
 
       - name: Staple Inso CLI installer (macOS only)
-        if: matrix.os == 'macos-latest'
+        if: matrix.os == 'macos-13'
         uses: BoundfoxStudios/action-xcode-staple@v1
         with:
-          product-path: packages/insomnia-inso/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg
+          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg
 
       - name: Notarize Inso CLI binary (macOS only)
-        if: matrix.os == 'macos-latest'
+        if: matrix.os == 'macos-13'
         uses: lando/notarize-action@v2
         with:
-          product-path: packages/insomnia-inso/binaries/inso
+          product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/binaries/inso
           primary-bundle-id: com.insomnia.inso-binary
           appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
           appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
@@ -112,11 +138,24 @@ jobs:
       - name: Create inso artifacts
         run: npm run inso-package:artifacts
 
-      - name: Create Docker Image artifacts
+      - name: Create inso Docker Image artifacts
         if: matrix.os == 'ubuntu-latest'
         run: |
-          DOCKER_BUILDKIT=1 docker build --tag insomnia-inso:temp ./packages/insomnia-inso/
-          docker save insomnia-inso:temp -o ./packages/insomnia-inso/artifacts/inso-docker-image.tar
+          DOCKER_BUILDKIT=1 docker build --tag ${{ env.INSO_PACKAGE_NAME }}:temp ./packages/${{ env.INSO_PACKAGE_NAME }}
+          docker save ${{ env.INSO_PACKAGE_NAME }}:temp -o ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }}
+
+      # Produce Docker SBOM for Inso Image
+      # Automatically uploads to workflow assets
+      - name: Scan inso docker artifacts
+        id: sbom_action
+        if: matrix.os == 'ubuntu-latest'
+        uses: Kong/public-shared-actions/security-actions/scan-docker-image@62643b74f79f6a697b9add1a2f9c069bf9ca1250 # v2.3.0
+        with:
+          asset_prefix: image-inso-${{ runner.os }}
+          image: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/${{ env.INSO_DOCKER_TAR }}
+          upload-sbom-release-assets: false # No release is publushed yet. Uploads as workflow assets
+        env:
+          SYFT_SOURCE_NAME: ${{ env.INSO_DOCKER_TAR }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4