@postman-cse/onboarding-api 0.10.1

package/README.md

@@ -0,0 +1,258 @@
+# postman-api-onboarding-action
+
+Public open-alpha composite GitHub Action that orchestrates Postman onboarding by chaining:
+
+- `postman-cs/postman-bootstrap-action@v0`
+- `postman-cs/postman-repo-sync-action@v0`
+- `postman-cs/postman-insights-onboarding-action@v0` (optional, when `enable-insights: true`)
+
+This is the primary partner-facing entrypoint for the open-alpha suite.
+
+For existing services, the composite action can target an existing workspace/spec/collection set and can suppress or redirect generated CI workflow output for repos that already have their own pipeline layout.
+
+## Contract
+
+- Default `integration-backend` is `bifrost`.
+- Inputs are backend-neutral and kebab-case.
+- Bootstrap outputs are explicitly mapped into repo-sync inputs in `action.yml`.
+- Final outputs are surfaced from the two lower-level actions without exposing internal step mode controls.
+- Collection artifacts are exported in the Postman Collection v3 multi-file YAML directory structure (produced during the repo-sync step).
+- Workspace-to-repository linking supports both GitHub and GitLab (cloud and self-hosted) URLs via Bifrost.
+
+## Usage
+
+```yaml
+jobs:
+  onboarding:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: postman-cs/postman-api-onboarding-action@v0
+        with:
+          project-name: core-payments
+          domain: core-banking
+          domain-code: AF
+          requester-email: owner@example.com
+          workspace-admin-user-ids: 101,102
+          spec-url: https://example.com/openapi.yaml
+          environments-json: '["prod","stage"]'
+          system-env-map-json: '{"prod":"uuid-prod","stage":"uuid-stage"}'
+          governance-mapping-json: '{"core-banking":"Core Banking"}'
+          env-runtime-urls-json: '{"prod":"https://api.example.com"}'
+          postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
+          postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          gh-fallback-token: ${{ secrets.GH_FALLBACK_TOKEN }}
+          # enable-insights: true  # Chain Insights onboarding after bootstrap and repo sync
+          # cluster-name: my-cluster
+
+  onboarding-existing:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      variables: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: postman-cs/postman-api-onboarding-action@v0
+        with:
+          project-name: core-payments
+          workspace-id: ws-123
+          spec-id: spec-123
+          baseline-collection-id: col-baseline
+          smoke-collection-id: col-smoke
+          contract-collection-id: col-contract
+          spec-url: https://example.com/openapi.yaml
+          generate-ci-workflow: false
+          postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
+```
+
+## Non-GitHub CI Usage
+
+On GitHub Actions, continue using the composite action as documented above. The CLI entry points are for GitLab CI, Bitbucket Pipelines, Azure DevOps, and other CI systems.
+
+Install both CLIs globally:
+
+```bash
+npm install -g postman-bootstrap-action postman-repo-sync-action
+```
+
+Run bootstrap first and save its JSON output:
+
+```bash
+postman-bootstrap \
+  --project-name "my-api" \
+  --spec-url "https://registry.example.com/specs/my-api/openapi.yaml" \
+  --postman-api-key "$POSTMAN_API_KEY" \
+  --result-json ./bootstrap-result.json
+```
+
+Extract the outputs you need from the JSON:
+
+```bash
+WORKSPACE_ID=$(jq -r '.["workspace-id"]' bootstrap-result.json)
+SMOKE_COLLECTION_ID=$(jq -r '.["smoke-collection-id"]' bootstrap-result.json)
+CONTRACT_COLLECTION_ID=$(jq -r '.["contract-collection-id"]' bootstrap-result.json)
+BASELINE_COLLECTION_ID=$(jq -r '.["baseline-collection-id"]' bootstrap-result.json)
+```
+
+Run repo-sync with those values:
+
+```bash
+postman-repo-sync \
+  --project-name "my-api" \
+  --workspace-id "$WORKSPACE_ID" \
+  --baseline-collection-id "$BASELINE_COLLECTION_ID" \
+  --smoke-collection-id "$SMOKE_COLLECTION_ID" \
+  --contract-collection-id "$CONTRACT_COLLECTION_ID" \
+  --postman-api-key "$POSTMAN_API_KEY" \
+  --result-json ./sync-result.json
+```
+
+Both CLIs support `--dotenv-path` for shell-friendly KEY=VALUE output that can be sourced with `source ./bootstrap.env`.
+
+The Insights onboarding CLI is not yet available for non-GitHub CI. See the `postman-insights-onboarding-action` repo for updates.
+
+Even when reusing an existing `spec-id`, the composite action still requires `spec-url` because the bootstrap step updates the existing Spec Hub asset from that source of truth.
+
+## Inputs
+
+| Input | Default | Notes |
+| --- | --- | --- |
+| `workspace-id` | | Reuse an existing Postman workspace through the bootstrap step. |
+| `spec-id` | | Update an existing Postman spec instead of creating a new one. |
+| `baseline-collection-id` | | Reuse an existing baseline collection. |
+| `smoke-collection-id` | | Reuse an existing smoke collection. |
+| `contract-collection-id` | | Reuse an existing contract collection. |
+| `collection-sync-mode` | `refresh` | Collection lifecycle policy. `refresh` regenerates from latest spec (default), `reuse` keeps existing, `version` creates release-scoped collections. |
+| `spec-sync-mode` | `update` | Spec lifecycle policy. `update` keeps canonical spec current, `version` creates release-scoped spec. |
+| `release-label` | | Optional release label for versioned specs and collections. Derived from git tag/branch when omitted. |
+| `monitor-id` | | Existing smoke monitor ID. When set, the action validates and reuses this monitor instead of creating a new one. |
+| `mock-url` | | Existing mock server URL. When set, the action validates and reuses this mock instead of creating a new one. |
+| `monitor-cron` | `""` | Cron expression for monitor scheduling (e.g. `0 */6 * * *`). When empty, the monitor is created in a disabled state. |
+| `generate-ci-workflow` | `true` | Pass through to repo sync; set `false` for repos that already manage CI. |
+| `ci-workflow-path` | `.github/workflows/ci.yml` | Pass through to repo sync to redirect generated workflow output. |
+| `project-name` | | Service name used across bootstrap and repo sync. |
+| `domain` | | Business domain used for governance assignment. |
+| `domain-code` | | Short prefix used in workspace naming. |
+| `requester-email` | | Optional workspace invite target. |
+| `workspace-admin-user-ids` | | Optional comma-separated workspace admin IDs. |
+| `workspace-team-id` | | Numeric sub-team ID for org-mode workspace creation. |
+| `spec-url` | | Required registry-backed OpenAPI document URL. |
+| `environments-json` | `["prod"]` | Environment slugs to materialize downstream. |
+| `system-env-map-json` | `{}` | Map of environment slug to system environment ID. |
+| `governance-mapping-json` | `{}` | Map of domain to governance group name. |
+| `env-runtime-urls-json` | `{}` | Map of environment slug to runtime base URL. |
+| `postman-api-key` | | Required Postman API key for the bootstrap and sync phases. The composite always runs `postman-bootstrap-action`, which still requires a PMAK. |
+| `postman-access-token` | | Enables governance assignment, Bifrost integration, and API key generation fallback. |
+| `postman-team-id` | | Explicit Postman team ID override for org-mode Bifrost calls. Passed to the downstream actions when provided. |
+| `github-token` | | Enables generated commits, workflow writes, and optional secret persistence in repo sync. |
+| `gh-fallback-token` | | Optional fallback token for workflow and commit APIs. |
+| `repo-write-mode` | `commit-and-push` | Repo mutation mode passed to repo sync. |
+| `current-ref` | | Optional explicit ref override for detached checkouts. |
+| `committer-name` | `Postman CSE` | Commit author name for generated sync commits. |
+| `committer-email` | `help@postman.com` | Commit author email for generated sync commits. |
+| `enable-insights` | `false` | When `true`, chains `postman-cs/postman-insights-onboarding-action@v0` after bootstrap and repo sync. |
+| `cluster-name` | | Optional Insights cluster name passed to the downstream Insights onboarding step. |
+| `integration-backend` | `bifrost` | Current public open-alpha backend. |
+| `org-mode` | `false` | When `true`, includes `x-entity-team-id` header in Bifrost proxy calls. Non-org teams must omit this header. |
+| `ssl-client-cert` | | Base64-encoded PEM client certificate for mTLS. Passed through to repo-sync for CI workflow SSL support. |
+| `ssl-client-key` | | Base64-encoded PEM client private key. Passed through to repo-sync. |
+| `ssl-client-passphrase` | | Passphrase for encrypted private key. Passed through to repo-sync. |
+| `ssl-extra-ca-certs` | | Base64-encoded PEM additional CA certificates. Passed through to repo-sync. |
+
+### Team ID derivation
+
+Pass `postman-team-id` only when a downstream org-mode Bifrost call needs an explicit team header. When omitted, the lower-level actions can leave `x-entity-team-id` unset and let Bifrost resolve team context from the access token.
+
+### API key auto-creation
+
+`postman-repo-sync-action` and `postman-insights-onboarding-action` can create or rotate a PMAK from `postman-access-token` when they encounter a clear auth failure, but this composite still requires `postman-api-key` up front because `postman-bootstrap-action` cannot start without it.
+
+### Org-mode Bifrost headers
+
+The underlying actions include the `x-entity-team-id` header on Bifrost proxy calls only when an explicit team override is supplied. For non-org-mode tokens, omit `postman-team-id` so the header stays unset.
+
+### Obtaining `postman-api-key`
+
+The `postman-api-key` is a Postman API key (PMAK) used for all standard Postman API operations -- creating workspaces, uploading specs, generating collections, exporting artifacts, and managing environments.
+
+**To generate one:**
+
+1. Open the Postman desktop app or web UI.
+2. Go to **Settings** (gear icon) > **Account Settings** > **API Keys**.
+3. Click **Generate API Key**, give it a label, and copy the key (starts with `PMAK-`).
+4. Set it as a GitHub secret:
+   ```bash
+   gh secret set POSTMAN_API_KEY --repo <owner>/<repo>
+   ```
+
+> **Note:** The PMAK is a long-lived key tied to your Postman account. It does not require periodic renewal like the `postman-access-token`.
+
+### Obtaining `postman-access-token` (Open Alpha)
+
+> **Open-alpha limitation:** The `postman-access-token` input requires a manually-extracted session token. There is currently no public API to exchange a Postman API key (PMAK) for an access token programmatically. This manual step will be eliminated before GA.
+
+The `postman-access-token` is a Postman session token (`x-access-token`) required for internal API operations that the standard PMAK API key cannot perform -- specifically workspace-to-repo git sync (Bifrost), governance group assignment, and system environment associations. Without it, those steps are silently skipped during the onboarding pipeline.
+
+**To obtain and configure the token:**
+
+1. **Log in via the Postman CLI** (requires a browser):
+   ```bash
+   postman login
+   ```
+   This opens a browser window for Postman's PKCE OAuth flow. Complete the sign-in.
+
+2. **Extract the access token** from the CLI credential store:
+   ```bash
+   cat ~/.postman/postmanrc | jq -r '.login._profiles[].accessToken'
+   ```
+
+3. **Set it as a GitHub secret** on your repository or organization:
+   ```bash
+   # Repository-level secret
+   gh secret set POSTMAN_ACCESS_TOKEN --repo <owner>/<repo>
+
+   # Organization-level secret (recommended for multi-repo use)
+   gh secret set POSTMAN_ACCESS_TOKEN --org <org> --visibility selected --repos <repo1>,<repo2>
+   ```
+   Paste the token value when prompted.
+
+> **Important:** This token is session-scoped and will expire. When it does, operations that depend on it (workspace linking, governance, system environment associations) will silently degrade. You will need to repeat the login and secret update process. There is no automated refresh mechanism.
+
+> **Note:** `postman login --with-api-key` stores a PMAK -- **not** the session token these APIs require. You must use the interactive browser login.
+
+## Output Mapping
+
+The composite action wires:
+
+- `workspace-id`, `workspace-url`, `spec-id`, and `collections-json` from `bootstrap`.
+- `environment-uids-json`, `mock-url`, `monitor-id`, `repo-sync-summary-json`, and `commit-sha` from `repo_sync`.
+- Existing-service passthrough inputs to `bootstrap`: `workspace-id`, `spec-id`, `baseline-collection-id`, `smoke-collection-id`, and `contract-collection-id`.
+- Existing-repo passthrough inputs to `repo_sync`: `generate-ci-workflow` and `ci-workflow-path`.
+- When `enable-insights: true`, the Insights onboarding step runs after repo sync using the workspace ID from bootstrap plus the first environment from `environments-json` for `environment-id` and `system-env-map-json` lookup.
+- Insights outputs (`insights-status`, `insights-verification-token`, `insights-application-id`, `insights-discovered-service-id`, `insights-discovered-service-name`, `insights-collection-id`) are surfaced when `enable-insights: true`.
+
+See [action.yml](action.yml) for exact step mappings.
+
+## Local Development
+
+```bash
+npm install
+npm test
+```
+
+## Open-Alpha Release Strategy
+
+- Open-alpha channel tags use `v0.x.y`.
+- Consumers can pin immutable tags such as `v0.2.0` for reproducibility.
+- Moving tag `v0` is used only as the rolling open-alpha channel.
+
+## REST Migration Seam
+
+This composite interface is backend-neutral and only passes stable inputs and outputs between bootstrap and repo-sync. `integration-backend` defaults to `bifrost` now, and future REST migration should occur inside the lower-level actions without changing this composite contract.
+
+Migration details are documented in [REST_MIGRATION_SEAM.md](REST_MIGRATION_SEAM.md).

package/REST_MIGRATION_SEAM.md

@@ -0,0 +1,32 @@
+# REST Migration Seam
+
+This open-alpha suite uses `integration-backend=bifrost` by default, but callers should not need to change their workflow syntax when the backend moves to REST.
+
+## Contract Invariants
+
+These must stay stable across backend migration:
+
+- Composite entrypoint: `postman-cs/postman-api-onboarding-action@v0`
+- Input names and meanings in [action.yml](/Users/jaredboynton/__devlocal/postman-api-onboarding-action/action.yml)
+- Output names and meanings in [action.yml](/Users/jaredboynton/__devlocal/postman-api-onboarding-action/action.yml)
+- Bootstrap-to-repo-sync handoff fields:
+  - `workspace-id`
+  - `baseline-collection-id`
+  - `smoke-collection-id`
+  - `contract-collection-id`
+
+## Implementation Boundaries
+
+Backend replacement must be internal to:
+
+- `postman-cs/postman-bootstrap-action@v0`
+- `postman-cs/postman-repo-sync-action@v0`
+
+The composite action should continue passing the same `with:` keys and surfacing the same outputs.
+
+## Migration Plan
+
+1. Add REST implementation behind `integration-backend=rest` in lower-level actions.
+2. Keep `bifrost` and `rest` parity tests for shared inputs and outputs.
+3. Switch composite default only after parity validation passes.
+4. Keep existing `v0.x.y` tags immutable; publish default changes in a new immutable tag.

package/action.yml

@@ -0,0 +1,269 @@
+name: postman-api-onboarding-action
+description: Public open-alpha composite action that orchestrates Postman bootstrap and repo sync.
+inputs:
+
+  workspace-id:
+    description: Existing Postman workspace ID.
+    required: false
+  spec-id:
+    description: Existing Postman spec ID.
+    required: false
+  baseline-collection-id:
+    description: Existing baseline collection ID.
+    required: false
+  smoke-collection-id:
+    description: Existing smoke collection ID.
+    required: false
+  contract-collection-id:
+    description: Existing contract collection ID.
+    required: false
+  collection-sync-mode:
+    description: Collection lifecycle policy (reuse, refresh, or version). Default refresh ensures collections stay in sync with the spec.
+    required: false
+    default: refresh
+  spec-sync-mode:
+    description: Spec lifecycle policy (update or version).
+    required: false
+    default: update
+  release-label:
+    description: Optional release label for versioned specs and collections. When omitted during versioned sync, derived from GitHub tag or branch metadata.
+    required: false
+  monitor-id:
+    description: Existing smoke monitor ID. When set, the action validates and reuses this monitor instead of creating a new one.
+    required: false
+  mock-url:
+    description: Existing mock server URL. When set, the action validates and reuses this mock instead of creating a new one.
+    required: false
+  monitor-cron:
+    description: Cron expression for monitor scheduling (e.g. '0 */6 * * *'). When empty, the monitor is created in a disabled state.
+    required: false
+    default: ""
+  generate-ci-workflow:
+    description: Whether to generate the CI workflow file.
+    required: false
+    default: "true"
+  ci-workflow-path:
+    description: Path to write the generated CI workflow file.
+    required: false
+    default: .github/workflows/ci.yml
+  project-name:
+    description: Service project name used across bootstrap and repo sync phases.
+    required: true
+  domain:
+    description: Business domain used for governance assignment.
+    required: false
+  domain-code:
+    description: Short domain code used in workspace naming.
+    required: false
+  requester-email:
+    description: Requester email used for workspace membership.
+    required: false
+  workspace-admin-user-ids:
+    description: Comma-separated workspace admin user ids.
+    required: false
+  spec-url:
+    description: URL to the OpenAPI document to bootstrap.
+    required: true
+  environments-json:
+    description: JSON array of environment slugs to materialize.
+    required: false
+    default: '["prod"]'
+  system-env-map-json:
+    description: JSON map of environment slug to system environment id.
+    required: false
+    default: '{}'
+  governance-mapping-json:
+    description: JSON map of business domain to governance group name.
+    required: false
+    default: '{}'
+  env-runtime-urls-json:
+    description: JSON map of environment slug to runtime base URL.
+    required: false
+    default: '{}'
+  postman-api-key:
+    description: Postman API key used for bootstrap and sync operations.
+    required: true
+  postman-access-token:
+    description: Postman access token used for Bifrost and governance integration.
+    required: false
+  postman-team-id:
+    description: Explicit Postman team ID override for org-mode Bifrost calls.
+    required: false
+  github-token:
+    description: GitHub token used for repo variables and generated commits.
+    required: false
+  gh-fallback-token:
+    description: Fallback GitHub token for variable and workflow-file APIs.
+    required: false
+  repo-write-mode:
+    description: Repo mutation mode for generated assets and workflow files.
+    required: false
+    default: commit-and-push
+  current-ref:
+    description: Explicit ref override for detached checkout push semantics.
+    required: false
+  committer-name:
+    description: Commit author name for generated sync commits.
+    required: false
+    default: Postman CSE
+  committer-email:
+    description: Commit author email for generated sync commits.
+    required: false
+    default: help@postman.com
+  enable-insights:
+    description: Whether to enable Postman Insights.
+    required: false
+    default: 'false'
+  cluster-name:
+    description: Insights cluster name passed to the downstream Insights onboarding step.
+    required: false
+  integration-backend:
+    description: Integration backend used to coordinate onboarding phases.
+    required: false
+    default: bifrost
+  org-mode:
+    description: Whether the Postman team uses org-mode. When true, x-entity-team-id header is included in Bifrost proxy calls. Non-org teams must omit this header.
+    required: false
+    default: 'false'
+  ssl-client-cert:
+    description: Base64-encoded PEM client certificate for mTLS. Passed through to repo-sync for CI workflow generation.
+    required: false
+  ssl-client-key:
+    description: Base64-encoded PEM client private key. Passed through to repo-sync.
+    required: false
+  ssl-client-passphrase:
+    description: Passphrase for encrypted private key. Passed through to repo-sync.
+    required: false
+  ssl-extra-ca-certs:
+    description: Base64-encoded PEM additional CA certificates. Passed through to repo-sync.
+    required: false
+outputs:
+  integration-backend:
+    description: Resolved integration backend for the onboarding run.
+    value: ${{ inputs.integration-backend }}
+  workspace-id:
+    description: Postman workspace ID.
+    value: ${{ steps.bootstrap.outputs.workspace-id }}
+  workspace-url:
+    description: Postman workspace URL.
+    value: ${{ steps.bootstrap.outputs.workspace-url }}
+  spec-id:
+    description: Uploaded Postman spec ID.
+    value: ${{ steps.bootstrap.outputs.spec-id }}
+  collections-json:
+    description: JSON summary of generated collections.
+    value: ${{ steps.bootstrap.outputs.collections-json }}
+  environment-uids-json:
+    description: JSON map of environment slug to Postman environment uid.
+    value: ${{ steps.repo_sync.outputs.environment-uids-json }}
+  mock-url:
+    description: Mock server URL.
+    value: ${{ steps.repo_sync.outputs.mock-url }}
+  monitor-id:
+    description: Smoke monitor ID.
+    value: ${{ steps.repo_sync.outputs.monitor-id }}
+  repo-sync-summary-json:
+    description: JSON summary of repo materialization and workspace sync planning.
+    value: ${{ steps.repo_sync.outputs.repo-sync-summary-json }}
+  commit-sha:
+    description: Commit SHA produced by repo-write-mode.
+    value: ${{ steps.repo_sync.outputs.commit-sha }}
+  insights-status:
+    description: Insights onboarding status (success, not-found, error, or empty if insights disabled).
+    value: ${{ steps.insights_onboarding.outputs.status }}
+  insights-verification-token:
+    description: Team verification token for Insights DaemonSet configuration.
+    value: ${{ steps.insights_onboarding.outputs.verification-token }}
+  insights-application-id:
+    description: Insights application binding ID.
+    value: ${{ steps.insights_onboarding.outputs.application-id }}
+  insights-discovered-service-id:
+    description: Discovered service ID from Insights agent.
+    value: ${{ steps.insights_onboarding.outputs.discovered-service-id }}
+  insights-discovered-service-name:
+    description: Discovered service name from Insights agent.
+    value: ${{ steps.insights_onboarding.outputs.discovered-service-name }}
+  insights-collection-id:
+    description: Insights API Catalog collection ID.
+    value: ${{ steps.insights_onboarding.outputs.collection-id }}
+runs:
+  using: composite
+  steps:
+    - id: bootstrap
+      name: Bootstrap Postman Assets
+      uses: postman-cs/postman-bootstrap-action@v0
+      env:
+        POSTMAN_TEAM_ID: ${{ inputs.postman-team-id }}
+      with:
+        project-name: ${{ inputs.project-name }}
+        workspace-id: ${{ inputs.workspace-id }}
+        spec-id: ${{ inputs.spec-id }}
+        baseline-collection-id: ${{ inputs.baseline-collection-id }}
+        smoke-collection-id: ${{ inputs.smoke-collection-id }}
+        contract-collection-id: ${{ inputs.contract-collection-id }}
+        collection-sync-mode: ${{ inputs.collection-sync-mode }}
+        spec-sync-mode: ${{ inputs.spec-sync-mode }}
+        release-label: ${{ inputs.release-label }}
+        domain: ${{ inputs.domain }}
+        domain-code: ${{ inputs.domain-code }}
+        requester-email: ${{ inputs.requester-email }}
+        workspace-admin-user-ids: ${{ inputs.workspace-admin-user-ids }}
+        spec-url: ${{ inputs.spec-url }}
+        governance-mapping-json: ${{ inputs.governance-mapping-json }}
+        postman-api-key: ${{ inputs.postman-api-key }}
+        postman-access-token: ${{ inputs.postman-access-token }}
+        integration-backend: ${{ inputs.integration-backend }}
+    - id: repo_sync
+      name: Sync Repository and Workspace
+      uses: postman-cs/postman-repo-sync-action@v0
+      env:
+        POSTMAN_TEAM_ID: ${{ inputs.postman-team-id }}
+      with:
+        project-name: ${{ inputs.project-name }}
+        workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
+        baseline-collection-id: ${{ steps.bootstrap.outputs.baseline-collection-id }}
+        smoke-collection-id: ${{ steps.bootstrap.outputs.smoke-collection-id }}
+        contract-collection-id: ${{ steps.bootstrap.outputs.contract-collection-id }}
+        collection-sync-mode: ${{ inputs.collection-sync-mode }}
+        spec-sync-mode: ${{ inputs.spec-sync-mode }}
+        release-label: ${{ inputs.release-label }}
+        generate-ci-workflow: ${{ inputs.generate-ci-workflow }}
+        ci-workflow-path: ${{ inputs.ci-workflow-path }}
+        environments-json: ${{ inputs.environments-json }}
+        system-env-map-json: ${{ inputs.system-env-map-json }}
+        environment-uids-json: '{}'
+        env-runtime-urls-json: ${{ inputs.env-runtime-urls-json }}
+        repo-write-mode: ${{ inputs.repo-write-mode }}
+        current-ref: ${{ inputs.current-ref }}
+        committer-name: ${{ inputs.committer-name }}
+        committer-email: ${{ inputs.committer-email }}
+        postman-api-key: ${{ inputs.postman-api-key }}
+        postman-access-token: ${{ inputs.postman-access-token }}
+        github-token: ${{ inputs.github-token }}
+        gh-fallback-token: ${{ inputs.gh-fallback-token }}
+        org-mode: ${{ inputs.org-mode }}
+        integration-backend: ${{ inputs.integration-backend }}
+        monitor-id: ${{ inputs.monitor-id }}
+        mock-url: ${{ inputs.mock-url }}
+        monitor-cron: ${{ inputs.monitor-cron }}
+        ssl-client-cert: ${{ inputs.ssl-client-cert }}
+        ssl-client-key: ${{ inputs.ssl-client-key }}
+        ssl-client-passphrase: ${{ inputs.ssl-client-passphrase }}
+        ssl-extra-ca-certs: ${{ inputs.ssl-extra-ca-certs }}
+        spec-id: ${{ steps.bootstrap.outputs.spec-id }}
+    - id: insights_onboarding
+      if: inputs.enable-insights == 'true'
+      name: Onboard Postman Insights
+      uses: postman-cs/postman-insights-onboarding-action@v0
+      env:
+        POSTMAN_TEAM_ID: ${{ inputs.postman-team-id }}
+      with:
+        project-name: ${{ inputs.project-name }}
+        workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
+        environment-id: ${{ fromJSON(steps.repo_sync.outputs.environment-uids-json)[fromJSON(inputs.environments-json)[0]] }}
+        system-environment-id: ${{ fromJSON(inputs.system-env-map-json)[fromJSON(inputs.environments-json)[0]] }}
+        cluster-name: ${{ inputs.cluster-name }}
+        postman-api-key: ${{ inputs.postman-api-key }}
+        postman-access-token: ${{ inputs.postman-access-token }}
+        postman-team-id: ${{ inputs.postman-team-id }}
+        github-token: ${{ inputs.github-token }}

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "@postman-cse/onboarding-api",
+  "version": "0.10.1",
+  "description": "Public open-alpha composite Postman API onboarding GitHub Action.",
+  "files": [
+    "action.yml",
+    "README.md",
+    "REST_MIGRATION_SEAM.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit -p tsconfig.json"
+  },
+  "keywords": [
+    "github-action",
+    "postman"
+  ],
+  "license": "MIT",
+  "devDependencies": {
+    "@types/node": "^25.3.5",
+    "typescript": "^5.9.3",
+    "yaml": "^2.8.2",
+    "vitest": "^4.0.18"
+  }
+}