.github/workflows/release-publish.yml

name: Release Publish
run-name: Publish ${{ github.event.inputs.version }} channel by @${{ github.actor }}

on:
  workflow_dispatch:
    inputs:
      version:
        required: true
        description: Release version (e.g. 2022.1.0 or 2022.1.0-beta.0)

env:
  RELEASE_VERSION: ${{ github.event.inputs.version }}
  RELEASE_CORE_TAG: core@${{ github.event.inputs.version }}
  RELEASE_BRANCH: release/${{ github.event.inputs.version }}
  IS_PRERELEASE: ${{ contains(github.event.inputs.version, 'alpha') || contains(github.event.inputs.version, 'beta') }}
  ARTIFACTS_DOWNLOAD_PATH: ${{ github.workspace }}/artifacts
  INSO_DOCKER_IMAGE: kong/inso # By default, registry is docker.io
  NOTARY_REPOSITORY: 'kong/notary' # All signatures will be pushed to public notary repository
  ARTIFACTS_REPOSITORY: ${{  vars.ARTIFACTS_REPOSITORY }}

jobs:
  publish:
    timeout-minutes: 15
    runs-on: ubuntu-22.04
    outputs:
      NOTARY_REPOSITORY: ${{ env.NOTARY_REPOSITORY }}
      INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.cli_binary_hashes.outputs.handle }}
      INSO_DOCKER_IMAGE: ${{ env.INSO_DOCKER_IMAGE }}
      INSO_DOCKER_IMAGE_DIGEST: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
      INSOMNIA_RELEASE_TAG: ${{ env.RELEASE_CORE_TAG }}
      ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE: ${{ steps.electron_binary_hashes.outputs.handle }}
    permissions:
      id-token: write # needed for signing the images
      actions: read # For getting workflow run info for keyless signing of docker image
      contents: write # Required to upload assets. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
      packages: write
    steps:
      - name: Checkout branch # Check out the release branch
        uses: actions/checkout@v4
        with:
          ref: ${{ env.RELEASE_BRANCH }}
          fetch-depth: 0
          persist-credentials: false

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
          cache: 'npm'
          cache-dependency-path: package-lock.json

      - name: Install packages
        run: npm ci

      # - name: Download all artifacts from release-build.yml
      #   uses: dawidd6/action-download-artifact@v2
      #   with:
      #     github_token: ${{secrets.GITHUB_TOKEN}}
      #     workflow: release-build.yml
      #     workflow_conclusion: success
      #     branch: ${{ env.RELEASE_BRANCH }} # Branch workflow ran on != branch the workflow created
      #     path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} # Base path to download all release workflow assets
      #     repo: ${{ secrets.BUILD_REPOSITORY }}

      - name: Download release artifacts from insomnia-ee
        uses: robinraju/release-downloader@v1
        with:
          repository: ${{ env.ARTIFACTS_REPOSITORY }}
          tag: core@${{ env.RELEASE_VERSION }}
          fileName: '*'
          token: ${{ secrets.EE_DOWNLOAD_TOKEN }}
          out-file-path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }}

      # - name: Debug downloaded artifacts
      #   run: ls -lah ${{ env.ARTIFACTS_DOWNLOAD_PATH }}

      # - name: Set publish metadata # Checksum for provenance must be calculated before moving artifacts temporarily
      #   id: metadata
      #   run: |
      #     INSO_VERSION=$(jq .version packages/insomnia-inso/package.json -rj)
      #     echo "INSO_VERSION=${INSO_VERSION}" >> $GITHUB_ENV
      #     echo "CLI_ARTIFACT_BASE64_FILE=${{env.CLI_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV
      #     echo "ELECTRON_ARTIFACT_BASE64_FILE=${{env.ELECTRON_ARTIFACT_BASE64_FILE}}" >> $GITHUB_ENV
      #     ./.github/scripts/generate-binary-digest.sh
      #   env:
      #     ARTIFACT_PATH: "${{ env.ARTIFACTS_DOWNLOAD_PATH }}"
      #     CLI_ARTIFACT_SHAFILE: ${{runner.temp}}/cli.sha256
      #     ELECTRON_ARTIFACT_SHAFILE: ${{runner.temp}}/electron.sha256
      #     CLI_ARTIFACT_BASE64_FILE: ${{runner.temp}}/cli_digests_file.text
      #     ELECTRON_ARTIFACT_BASE64_FILE: ${{runner.temp}}/electron_digests_file.text

      # - name: Calculate CLI Binary base64 file handle
      #   uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.0.0
      #   id: cli_binary_hashes
      #   with:
      #     path: ${{ env.CLI_ARTIFACT_BASE64_FILE }}

      # - name: Calculate Electron Binary base64 file handle
      #   uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.0.0
      #   id: electron_binary_hashes
      #   with:
      #     path: ${{ env.ELECTRON_ARTIFACT_BASE64_FILE }}

      - name: Create Tag and Release
        uses: ncipollo/release-action@v1
        id: core_tag_and_release
        with:
          tag: ${{ env.RELEASE_CORE_TAG }}
          name: "${{ env.RELEASE_VERSION }} 📦"
          generateReleaseNotes: true
          commit: ${{ env.RELEASE_BRANCH }}
          prerelease: ${{ env.IS_PRERELEASE }}
          draft: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload artifacts to release
        uses: xresloader/upload-to-github-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          release_id: ${{ steps.core_tag_and_release.outputs.id }}
          tag_name: ${{ env.RELEASE_CORE_TAG }}
          file: "./artifacts/*"
          prerelease: ${{ env.IS_PRERELEASE }}
          draft: false

      # - name: Publish beta/stable of Insomnia to Insomnia API
      #   if: ${{ !contains(github.event.inputs.version, 'alpha') }}
      #   run: |
      #     curl \
      #       --fail \
      #       --request POST \
      #       --url $INSOMNIA_API_URL/v1/releases \
      #       --header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
      #       --header "Content-Type: application/json" \
      #       --data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }"
      #   env:
      #     INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
      #     INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
      #     RELEASE_APP: com.insomnia.app
      #     RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
      #     RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}

      # - name: Publish beta/stable of inso to Insomnia API
      #   if: ${{ !contains(github.event.inputs.version, 'alpha') }}
      #   run: |
      #     curl \
      #       --fail \
      #       --request POST \
      #       --url $INSOMNIA_API_URL/v1/releases \
      #       --header "Authorization: Bearer ${INSOMNIA_API_TOKEN}" \
      #       --header "Content-Type: application/json" \
      #       --data "{ \"app\": \"${RELEASE_APP}\", \"version\": \"${RELEASE_VERSION}\", \"channel\": \"${RELEASE_CHANNEL}\", \"release_date\": \"$(date --rfc-3339=ns | sed 's/ /T/; s/\(\....\).*\([+-]\)/\1\2/g')\" }"
      #   env:
      #     INSOMNIA_API_URL: ${{ secrets.INSOMNIA_API_URL }}
      #     INSOMNIA_API_TOKEN: ${{ secrets.INSOMNIA_API_TOKEN }}
      #     RELEASE_APP: com.insomnia.inso
      #     RELEASE_VERSION: ${{ env.INSO_VERSION }}
      #     RELEASE_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}

      # # TODO: also take care of aarch64 image
      # - name: Load the Inso CLI Docker Archive
      #   run: |
      #     docker load -i ./artifacts/inso-docker-image.tar
      #     docker image ls

      # - name: Login to Docker Hub
      #   uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.1.0
      #   with:
      #     username: ${{ secrets.DOCKER_REGISTRY_USER }}
      #     password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}

      # - name: Docker meta for Inso CLI Docker Image
      #   id: inso_docker_meta
      #   uses: docker/metadata-action@v5
      #   with:
      #     images: ${{ env.INSO_DOCKER_IMAGE }}
      #     tags: |
      #       type=raw,value=${{ env.INSO_VERSION }},prirority=1000
      #       type=raw,value=latest,enable=${{ env.IS_PRERELEASE == 'false' }}
      #       type=raw,value=alpha,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'alpha') }}
      #       type=raw,value=beta,enable=${{ env.IS_PRERELEASE == 'true' && contains(github.event.inputs.version, 'beta') }}
      #     sep-tags: ","

      # - name: Push Inso CLI docker image tags to Docker Hub
      #   run: |
      #     for tag in ${IMAGE_TAGS//,/ }; do \
      #       docker tag insomnia-inso:temp $tag
      #       docker push $tag; \
      #     done
      #   env:
      #     IMAGE_TAGS: ${{ steps.inso_docker_meta.outputs.tags }}

      # # Setup regctl to parse platform specific image digest from image manifest
      # - name: Install regctl
      #   uses: regclient/actions/regctl-installer@main

      # # The image manifest digest/sha is generated only after the image is published to registry
      # - name: Parse architecture specific digest from image manifest
      #   id: image_manifest_metadata
      #   run: |
      #     INSO_IMAGE=${{ env.INSO_DOCKER_IMAGE }}:${{ steps.inso_docker_meta.outputs.version }}
      #     inso_image_sha="$(regctl image digest "${INSO_IMAGE}")"
      #     echo "inso_image_sha=${inso_image_sha}" >> $GITHUB_OUTPUT

      # # Signing images requires image manifest digest
      # - name: Sign images
      #   id: sign_images
      #   if: ${{ steps.image_manifest_metadata.outputs.inso_image_sha != '' }}
      #   uses: Kong/public-shared-actions/security-actions/sign-docker-image@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
      #   with:
      #     image_digest: ${{ steps.image_manifest_metadata.outputs.inso_image_sha }}
      #     tags: ${{ steps.inso_docker_meta.outputs.tags }}
      #     registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
      #     registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
      #     # Optional: Central notary repository for image signatures
      #     signature_registry_username: ${{ secrets.DOCKER_REGISTRY_USER }}
      #     signature_registry_password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
      #     signature_registry: ${{ env.NOTARY_REPOSITORY }}

      # - name: Upload sourcemaps to Sentry
      #   env:
      #     SENTRY_AUTH_TOKEN: '${{ secrets.SENTRY_AUTH_TOKEN }}'
      #     SENTRY_ORG: '${{ secrets.SENTRY_ORG }}'
      #     SENTRY_PROJECT: '${{ secrets.SENTRY_PROJECT }}'
      #   run: |
      #     curl -sL https://sentry.io/get-cli/ | SENTRY_CLI_VERSION="2.2.0" bash

      #     sentry-cli releases new ${{ env.RELEASE_VERSION }}
      #     sentry-cli releases set-commits ${{ env.RELEASE_VERSION }} --commit 'Kong/insomnia@${{ env.RELEASE_BRANCH }}'

      #     sentry-cli sourcemaps upload -r ${{ env.RELEASE_VERSION }} ./artifacts/*-latest-sentry

      # - name: Upload x64 Linux snap to snapcraft (beta and stable only)
      #   if: ${{ !contains(github.event.inputs.version, 'alpha') }}
      #   uses: canonical/action-publish@v1
      #   env:
      #     SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE_NEW }}
      #   with:
      #     snap: artifacts/Insomnia.Core-${{ env.RELEASE_VERSION }}-amd64.snap
      #     release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}

      # # TODO: also release for aarch64 Linux?
      # - name: Upload .deb to pulp and/or cloudsmith (stable only)
      #   if: ${{ !contains(github.event.inputs.version, 'alpha') && !contains(github.event.inputs.version, 'beta') }}
      #   uses: docker://kong/release-script:latest
      #   env:
      #     PULP_USERNAME: ${{ secrets.PULP_USERNAME }}
      #     PULP_PASSWORD: ${{ secrets.PULP_PASSWORD }}
      #     PULP_HOST: ${{ secrets.PULP_HOST }}
      #     VERBOSE: ${{ runner.debug == '1' && '1' || '' }}
      #     CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
      #     CLOUDSMITH_DRY_RUN: ''
      #     IGNORE_CLOUDSMITH_FAILURES: ${{ vars.IGNORE_CLOUDSMITH_FAILURES }}
      #     USE_CLOUDSMITH: ${{ vars.USE_CLOUDSMITH }}
      #     USE_PULP: ${{ vars.USE_PULP }}
      #   with:
      #     entrypoint: /entrypoint.sh
      #     args: >
      #       release
      #       --file artifacts/Insomnia.Core-${{ env.RELEASE_VERSION }}-amd64.deb
      #       --dist-name ubuntu
      #       --dist-version focal
      #       --package-type insomnia
      #       ${{ env.IS_PRERELEASE == 'true' && '--internal' || '--publish' }}

      # - name: Configure Git user
      #   uses: Homebrew/actions/git-user-config@master
      #   with:
      #     username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }}

      # - name: Merge git branch into develop
      #   run: |
      #     remote_repo="https://${GITHUB_ACTOR}:${RELEASE_GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
      #     git checkout develop
      #     git merge --no-ff ${{ env.RELEASE_BRANCH }}
      #     git status
      #     git push "${remote_repo}"
      #   env:
      #     RELEASE_GH_TOKEN: ${{ secrets.RELEASE_GH_TOKEN }}

  # artifact-provenance:
  #   needs: [publish]
  #   permissions:
  #     id-token: write # needed for signing the images
  #     actions: read # For getting workflow run info to build provenance
  #     packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
  #     contents: write
  #   strategy:
  #     fail-fast: true
  #     matrix:
  #       include:
  #         - product: insomnia
  #           binary_artifacts_subject_as_file: ${{ needs.publish.outputs.ELECTRON_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }}
  #         - product: inso
  #           binary_artifacts_subject_as_file: ${{ needs.publish.outputs.INSO_BINARY_ARTIFACTS_SUBJECTS_AS_FILE }}
  #   # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
  #   uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
  #   with:
  #     base64-subjects-as-file: "${{ matrix.binary_artifacts_subject_as_file }}"
  #     upload-assets: true
  #     upload-tag-name: ${{ needs.publish.outputs.INSOMNIA_RELEASE_TAG }}
  #     provenance-name: ${{ matrix.product }}-provenance.intoto.jsonl
  #     draft-release: false

  # inso-image-provenance:
  #   needs: [publish]
  #   permissions:
  #     id-token: write # needed for signing the images
  #     actions: read # For getting workflow run info to build provenance
  #     packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
  #   # need to use non hash version because of: https://github.com/slsa-framework/slsa-github-generator/issues/3498
  #     contents: write
  #   uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
  #   with:
  #     image: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE }}
  #     digest: ${{ needs.publish.outputs.INSO_DOCKER_IMAGE_DIGEST }}
  #     provenance-repository: "${{ needs.publish.outputs.NOTARY_REPOSITORY }}"
  #   secrets:
  #     registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
  #     registry-password:  ${{ secrets.DOCKER_REGISTRY_TOKEN }}
  #     provenance-registry-username: ${{ secrets.DOCKER_REGISTRY_USER }}
  #     provenance-registry-password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}