From 57472eb57977c048f66b4db6ce6a5ff5a340a05c Mon Sep 17 00:00:00 2001
From: Vivek Thuravupala <2700229+godfrzero@users.noreply.github.com>
Date: Thu, 28 May 2026 12:49:55 -0700
Subject: [PATCH 1/3] chore: bump easily bumpable actions off of Node 20
runtime
---
.github/workflows/homebrew.yml | 10 +++++-----
.github/workflows/release-build.yml | 6 +++---
.github/workflows/release-publish.yml | 6 +++---
.github/workflows/release-start.yml | 2 +-
.github/workflows/update-changelog.yml | 2 +-
5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml
index 8b009a369e76..94592a268f21 100644
--- a/.github/workflows/homebrew.yml
+++ b/.github/workflows/homebrew.yml
@@ -19,7 +19,7 @@ jobs:
steps:
- name: Set up Homebrew
id: set-up-homebrew
- uses: Homebrew/actions/setup-homebrew@266845213695c3047d210b2e8fbc42ecdaf45802 # master
+ uses: Homebrew/actions/setup-homebrew@6eaeff80e7e5c43087c0e5eb5aa82120399e9c91 # master
with:
test-bot: false
@@ -39,7 +39,7 @@ jobs:
run: brew tap homebrew/homebrew-cask --force
- name: Configure Git user
- uses: Homebrew/actions/git-user-config@266845213695c3047d210b2e8fbc42ecdaf45802 # master
+ uses: Homebrew/actions/git-user-config@6eaeff80e7e5c43087c0e5eb5aa82120399e9c91 # master
with:
username: 'insomnia-infra'
@@ -49,17 +49,17 @@ jobs:
# Update Homebrew's Inso(mnia) formulae
# https://github.com/Homebrew/actions/tree/master/bump-formulae
- name: Bump Inso (Beta) Formula
- uses: Homebrew/actions/bump-packages@266845213695c3047d210b2e8fbc42ecdaf45802 # master
+ uses: Homebrew/actions/bump-packages@6eaeff80e7e5c43087c0e5eb5aa82120399e9c91 # master
with:
token: ${{ secrets.HOMEBREW_PR_GH_TOKEN }}
casks: inso@beta
- name: Bump Inso Formula
- uses: Homebrew/actions/bump-packages@266845213695c3047d210b2e8fbc42ecdaf45802 # master
+ uses: Homebrew/actions/bump-packages@6eaeff80e7e5c43087c0e5eb5aa82120399e9c91 # master
with:
token: ${{ secrets.HOMEBREW_PR_GH_TOKEN }}
casks: inso
- name: Bump Insomnia Formula
- uses: Homebrew/actions/bump-packages@266845213695c3047d210b2e8fbc42ecdaf45802 # master
+ uses: Homebrew/actions/bump-packages@6eaeff80e7e5c43087c0e5eb5aa82120399e9c91 # master
with:
token: ${{ secrets.HOMEBREW_PR_GH_TOKEN }}
# Bump only these formulae if outdated
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 517333012e8f..9aa329f3a8fb 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -128,7 +128,7 @@ jobs:
# smctl will be used in the next step for signing
- name: Setup Software Trust Manager
if: runner.os == 'Windows'
- uses: digicert/code-signing-software-trust-action@9b30180369343eb1ce0dcbebb933cfa3e17b6cc8 # v1.0.0
+ uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # v1.2.1
with:
simple-signing-mode: true
env:
@@ -168,7 +168,7 @@ jobs:
# this installs smctl as well
- name: Code-sign unpacked .exe (Windows only)
if: runner.os == 'Windows'
- uses: digicert/code-signing-software-trust-action@9b30180369343eb1ce0dcbebb933cfa3e17b6cc8 # v1.0.0
+ uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # v1.2.1
with:
simple-signing-mode: true
# If the below 2 parameters are supplied, then smctl executable is invoked to attempt the signing.
@@ -246,7 +246,7 @@ jobs:
- name: Code-sign inso exe (Windows only)
if: runner.os == 'Windows'
- uses: digicert/code-signing-software-trust-action@9b30180369343eb1ce0dcbebb933cfa3e17b6cc8 # v1.0.0
+ uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # v1.2.1
with:
simple-signing-mode: true
# If the below 2 parameters are supplied, then smctl executable is invoked to attempt the signing.
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 36885fa20c34..bd5fbdbdb002 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -115,7 +115,7 @@ jobs:
path: ${{ env.ELECTRON_ARTIFACT_BASE64_FILE }}
- name: Create Tag and Release
- uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
+ uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
id: core_tag_and_release
with:
tag: ${{ env.RELEASE_CORE_TAG }}
@@ -128,7 +128,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload artifacts to release
- uses: xresloader/upload-to-github-release@d29300fdff9f0fcd7c3eb960c490b2a6640fbf50 # v1
+ uses: xresloader/upload-to-github-release@7c5757a90c0bcf0c0e1741da8f2abd7b85e675d0 # v1.6.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -165,7 +165,7 @@ jobs:
- name: Docker meta for Inso CLI Docker Image
id: inso_docker_meta
- uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
with:
images: ${{ env.INSO_DOCKER_IMAGE }}
tags: |
diff --git a/.github/workflows/release-start.yml b/.github/workflows/release-start.yml
index 7e4889c7be27..86e272dde31b 100644
--- a/.github/workflows/release-start.yml
+++ b/.github/workflows/release-start.yml
@@ -95,7 +95,7 @@ jobs:
- name: Configure Git user
id: configure_git_user
- uses: Homebrew/actions/git-user-config@266845213695c3047d210b2e8fbc42ecdaf45802 # master
+ uses: Homebrew/actions/git-user-config@6eaeff80e7e5c43087c0e5eb5aa82120399e9c91 # master
with:
username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }}
diff --git a/.github/workflows/update-changelog.yml b/.github/workflows/update-changelog.yml
index 7087c9795e5a..1994847da4dc 100644
--- a/.github/workflows/update-changelog.yml
+++ b/.github/workflows/update-changelog.yml
@@ -30,7 +30,7 @@ jobs:
release-notes: ${{ github.event.release.body }}
- name: Commit updated CHANGELOG
- uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5
+ uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
with:
branch: ${{ github.event.release.target_commitish }}
commit_message: Update CHANGELOG
From 44ace8d866998a7b10b810af113c417e5c77259a Mon Sep 17 00:00:00 2001
From: Vivek Thuravupala <2700229+godfrzero@users.noreply.github.com>
Date: Thu, 28 May 2026 13:24:35 -0700
Subject: [PATCH 2/3] chore: bump remaining actions or replace with inline
logic where Node 24 versions are unavailable
---
.github/workflows/release-build.yml | 60 +++++++++++++++++----------
.github/workflows/release-publish.yml | 11 ++---
.github/workflows/release-start.yml | 2 +-
3 files changed, 44 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index 9aa329f3a8fb..f6c773ddedad 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -277,30 +277,39 @@ jobs:
- name: Notarize Inso CLI installer (macOS only)
if: runner.os == 'macOS'
- uses: lando/notarize-action@b5c3ef16cf2fbcf2af26dc58c90255ec242abeed # v2.0.2
- with:
- product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg
- primary-bundle-id: com.insomnia.inso
- appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
- appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
- appstore-connect-team-id: FX44YY62GV
- verbose: true
+ env:
+ APPLE_ID: ${{ secrets.DESIGNER_APPLE_ID }}
+ APPLE_ID_PASSWORD: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
+ run: |
+ xcrun notarytool submit \
+ "./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg" \
+ --apple-id "$APPLE_ID" \
+ --password "$APPLE_ID_PASSWORD" \
+ --team-id FX44YY62GV \
+ --verbose \
+ --wait
- name: Staple Inso CLI installer (macOS only)
if: runner.os == 'macOS'
- uses: BoundfoxStudios/action-xcode-staple@1e2200b448c6ed4dd44b963ff17d3e340fc6b064 # v1
- with:
- product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg
+ run: |
+ xcrun stapler staple \
+ "./packages/${{ env.INSO_PACKAGE_NAME }}/artifacts/inso-${{ matrix.os }}-${{ env.INSO_VERSION }}.pkg"
- name: Notarize Inso CLI binary (macOS only)
if: runner.os == 'macOS'
- uses: lando/notarize-action@b5c3ef16cf2fbcf2af26dc58c90255ec242abeed # v2.0.2
- with:
- product-path: ./packages/${{ env.INSO_PACKAGE_NAME }}/binaries/inso
- primary-bundle-id: com.insomnia.inso-binary
- appstore-connect-username: ${{ secrets.DESIGNER_APPLE_ID }}
- appstore-connect-password: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
- appstore-connect-team-id: FX44YY62GV
+ env:
+ APPLE_ID: ${{ secrets.DESIGNER_APPLE_ID }}
+ APPLE_ID_PASSWORD: ${{ secrets.DESIGNER_APPLE_ID_PASSWORD }}
+ # notarytool requires the binary to be packaged in a zip, dmg, or pkg.
+ run: |
+ BIN_PATH="./packages/${{ env.INSO_PACKAGE_NAME }}/binaries/inso"
+ ZIP_PATH="$(mktemp -d)/inso.zip"
+ ditto -c -k --keepParent "$BIN_PATH" "$ZIP_PATH"
+ xcrun notarytool submit "$ZIP_PATH" \
+ --apple-id "$APPLE_ID" \
+ --password "$APPLE_ID_PASSWORD" \
+ --team-id FX44YY62GV \
+ --wait
- name: Create Inso zip/tar/gz artifacts
run: npm run artifacts -w insomnia-inso
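Review bot: The "Notarize Inso CLI binary" step has nothing after it that proves the submission was accepted. The pkg is stapled in the following step, which should fail for a rejected submission, but the zipped binary is only submitted with `--wait`. As far as I know, `notarytool submit --wait` can exit 0 when the final status is `Invalid`, so confirm the exit-code behaviour on the runner's Xcode version. If it does exit 0, read the result with `--output-format json` and fail the step unless the status is `Accepted`, as sketched below (this assumes `jq` is present on the runner image).

```yaml
        run: |
          # … unchanged: BIN_PATH / ZIP_PATH setup and ditto …
          RESULT="$(xcrun notarytool submit "$ZIP_PATH" \
            --apple-id "$APPLE_ID" \
            --password "$APPLE_ID_PASSWORD" \
            --team-id FX44YY62GV \
            --output-format json \
            --wait)"
          STATUS="$(printf '%s' "$RESULT" | jq -r '.status')"
          if [ "$STATUS" != "Accepted" ]; then
            echo "Notarization finished with status: $STATUS"
            exit 1
          fi
```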
@@ -375,9 +384,9 @@ jobs:
BRANCH: ${{ github.ref_name }}
- name: update-pull-request
- uses: kt3k/update-pr-description@fef8b17c6648e0daa550d2ed6b5cf140d282574e # v2.0.0
- with:
- pr_body: |
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PR_BODY: |
# WARNING: Do not merge this PR. Use the "Publish" workflow.
## Publish workflow:
@@ -423,5 +432,10 @@ jobs:
git push
```
- destination_branch: develop
- github_token: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ PR_NUMBER=$(gh pr list --repo "${{ github.repository }}" --base develop --head "${GITHUB_REF_NAME}" --state open --json number -q '.[0].number')
+ if [ -z "$PR_NUMBER" ]; then
+ echo "No open PR found from ${GITHUB_REF_NAME} into develop; skipping body update."
+ exit 0
+ fi
+ gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --body "$PR_BODY"
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index bd5fbdbdb002..5e768606a55a 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -247,13 +247,14 @@ jobs:
- name: Upload x64 Linux snap to snapcraft (beta and stable only)
if: ${{ !contains(github.event.inputs.version, 'alpha') }}
- uses: canonical/action-publish@214b86e5ca036ead1668c79afb81e550e6c54d40 # v1
env:
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE_NEW }}
- with:
- # TODO-ARM64: Replace to *-amd64.snap when we have ARM64 build from insomnia-ee
- snap: artifacts/Linux-X64-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap
- release: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
+ # TODO-ARM64: Replace to *-amd64.snap when we have ARM64 build from insomnia-ee
+ run: |
+ sudo snap install snapcraft --classic
+ snapcraft upload \
+ --release="${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}" \
+ "artifacts/Linux-X64-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap"
# TODO: also release for aarch64 Linux?
- name: Upload .deb to pulp and/or cloudsmith (stable only)
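Review bot: `sudo snap install snapcraft --classic` installs whatever revision the snap's default channel serves at run time, in a step that holds `SNAPCRAFT_STORE_CREDENTIALS`. The SHA pin on the removed `canonical/action-publish` line therefore has no equivalent in the inline version. Consider pinning a track, e.g. `sudo snap install snapcraft --classic --channel=<TRACK>/stable` (placeholder; use the track the release process was tested with), so a new snapcraft major cannot change upload behaviour between releases. The removed action may have installed snapcraft the same way, so this is a chance to tighten the step rather than a regression.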
diff --git a/.github/workflows/release-start.yml b/.github/workflows/release-start.yml
index 86e272dde31b..6642069df567 100644
--- a/.github/workflows/release-start.yml
+++ b/.github/workflows/release-start.yml
@@ -81,7 +81,7 @@ jobs:
echo "RELEASE_BRANCH=release/$MAJOR_MINOR" >> $GITHUB_ENV
- name: Create Branch # Create a branch if it doesn't exist
- uses: peterjgrainger/action-create-branch@c2800a3a9edbba2218da6861fa46496cf8f3195a # v2.2.0
+ uses: peterjgrainger/action-create-branch@4b81ce657e255acd677cc6c55c9c763654be3aef # v4.0.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
From 48c204b6ed5630ac2ce0151b462b4b2e16491964 Mon Sep 17 00:00:00 2001
From: Vivek Thuravupala <2700229+godfrzero@users.noreply.github.com>
Date: Thu, 28 May 2026 18:12:53 -0700
Subject: [PATCH 3/3] refactor: remove variable interpolation in run blocks as
flagged by Semgrep
---
.github/workflows/release-build.yml | 7 ++++---
.github/workflows/release-publish.yml | 3 ++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
index f6c773ddedad..a657869cc513 100644
--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -386,6 +386,7 @@ jobs:
- name: update-pull-request
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ REPO: ${{ github.repository }}
PR_BODY: |
# WARNING: Do not merge this PR. Use the "Publish" workflow.
@@ -433,9 +434,9 @@ jobs:
```
run: |
- PR_NUMBER=$(gh pr list --repo "${{ github.repository }}" --base develop --head "${GITHUB_REF_NAME}" --state open --json number -q '.[0].number')
+ PR_NUMBER=$(gh pr list --repo "$REPO" --base develop --head "$GITHUB_REF_NAME" --state open --json number -q '.[0].number')
if [ -z "$PR_NUMBER" ]; then
- echo "No open PR found from ${GITHUB_REF_NAME} into develop; skipping body update."
+ echo "No open PR found from $GITHUB_REF_NAME into develop; skipping body update."
exit 0
fi
- gh pr edit "$PR_NUMBER" --repo "${{ github.repository }}" --body "$PR_BODY"
+ gh pr edit "$PR_NUMBER" --repo "$REPO" --body "$PR_BODY"
diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 5e768606a55a..b2f6d8ce5545 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -249,11 +249,12 @@ jobs:
if: ${{ !contains(github.event.inputs.version, 'alpha') }}
env:
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN_FILE_NEW }}
+ SNAP_CHANNEL: ${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}
# TODO-ARM64: Replace to *-amd64.snap when we have ARM64 build from insomnia-ee
run: |
sudo snap install snapcraft --classic
snapcraft upload \
- --release="${{ contains(github.event.inputs.version, 'beta') && 'beta' || 'stable' }}" \
+ --release="$SNAP_CHANNEL" \
"artifacts/Linux-X64-artifacts/insomnia/dist/Insomnia.Core-${{ env.RELEASE_VERSION }}.snap"
# TODO: also release for aarch64 Linux?
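Review bot: The snap path on the last line of this `run` block still expands `${{ env.RELEASE_VERSION }}` inside the script, which is the pattern this commit removes for `--release`. Where `RELEASE_VERSION` is set is outside the hunk; if it derives from the `version` dispatch input used in the `if:` above, its text is pasted into the script before bash parses it. Values in the `env` context are exported to the step, so the line can read `"artifacts/Linux-X64-artifacts/insomnia/dist/Insomnia.Core-${RELEASE_VERSION}.snap"`. The inline notarize and staple steps added to release-build.yml in patch 2/3 keep the same pattern with `${{ env.INSO_PACKAGE_NAME }}`, `${{ matrix.os }}` and `${{ env.INSO_VERSION }}`; `matrix.os` would need its own `env:` entry, while the other two can be read as shell variables.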