@postman-cse/onboarding-insights 0.7.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +256 -0
- package/action.yml +60 -0
- package/dist/cli.cjs +28146 -0
- package/dist/index.cjs +28014 -0
- package/package.json +47 -0
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Postman, Inc.
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
ADDED
|
@@ -0,0 +1,256 @@
|
|
|
1
|
+
# postman-insights-onboarding-action
|
|
2
|
+
|
|
3
|
+
GitHub Action that links Postman Insights discovered services to API Catalog workspaces and git repositories. Designed for Kubernetes discovery-mode deployments where the Insights DaemonSet agent automatically finds running services.
|
|
4
|
+
|
|
5
|
+
## Scope
|
|
6
|
+
|
|
7
|
+
After the Postman Insights agent discovers a service on your cluster, this action:
|
|
8
|
+
|
|
9
|
+
- Polls the API Catalog discovered-services list until the service appears (with configurable timeout).
|
|
10
|
+
- Prepares an API Catalog collection for the discovered service in your workspace.
|
|
11
|
+
- Links the service to a GitHub repository through the API Catalog git onboarding flow.
|
|
12
|
+
- Acknowledges the service and workspace with the Insights backend (Akita).
|
|
13
|
+
- Creates an application binding with the observability API (required for service graph edges).
|
|
14
|
+
- Retrieves the team verification token for DaemonSet telemetry.
|
|
15
|
+
|
|
16
|
+
This action does **not** deploy the Insights agent, create workspaces, or manage environments. Use [postman-bootstrap-action](https://github.com/postman-cs/postman-bootstrap-action) and [postman-repo-sync-action](https://github.com/postman-cs/postman-repo-sync-action) for those concerns.
|
|
17
|
+
|
|
18
|
+
## Prerequisites
|
|
19
|
+
|
|
20
|
+
- The Postman Insights DaemonSet agent must be running on your cluster in discovery mode.
|
|
21
|
+
- The target service must be deployed and running (the agent discovers it from live traffic).
|
|
22
|
+
- A Postman workspace and environment must already exist for the service.
|
|
23
|
+
- A `postman-access-token` (session token) is required for Bifrost API access.
|
|
24
|
+
|
|
25
|
+
## Usage
|
|
26
|
+
|
|
27
|
+
```yaml
|
|
28
|
+
jobs:
|
|
29
|
+
deploy:
|
|
30
|
+
runs-on: ubuntu-latest
|
|
31
|
+
steps:
|
|
32
|
+
- uses: actions/checkout@v4
|
|
33
|
+
|
|
34
|
+
# ... deploy your service to Kubernetes ...
|
|
35
|
+
|
|
36
|
+
- uses: postman-cs/postman-insights-onboarding-action@v0
|
|
37
|
+
with:
|
|
38
|
+
project-name: af-cards-activation
|
|
39
|
+
workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
|
|
40
|
+
environment-id: ${{ steps.sync.outputs.environment-uids-json && fromJSON(steps.sync.outputs.environment-uids-json).prod }}
|
|
41
|
+
cluster-name: my-cluster
|
|
42
|
+
postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
|
|
43
|
+
postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
|
|
44
|
+
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
45
|
+
poll-timeout-seconds: 180
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
### With the full onboarding pipeline
|
|
49
|
+
|
|
50
|
+
```yaml
|
|
51
|
+
jobs:
|
|
52
|
+
provision:
|
|
53
|
+
runs-on: ubuntu-latest
|
|
54
|
+
steps:
|
|
55
|
+
- uses: actions/checkout@v4
|
|
56
|
+
|
|
57
|
+
- uses: postman-cs/postman-bootstrap-action@v0
|
|
58
|
+
id: bootstrap
|
|
59
|
+
with:
|
|
60
|
+
project-name: af-cards-activation
|
|
61
|
+
spec-url: https://example.com/openapi.yaml
|
|
62
|
+
postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
|
|
63
|
+
postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
|
|
64
|
+
|
|
65
|
+
# ... deploy service to Kubernetes ...
|
|
66
|
+
|
|
67
|
+
- uses: postman-cs/postman-repo-sync-action@v0
|
|
68
|
+
id: sync
|
|
69
|
+
with:
|
|
70
|
+
project-name: af-cards-activation
|
|
71
|
+
workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
|
|
72
|
+
baseline-collection-id: ${{ steps.bootstrap.outputs.baseline-collection-id }}
|
|
73
|
+
smoke-collection-id: ${{ steps.bootstrap.outputs.smoke-collection-id }}
|
|
74
|
+
contract-collection-id: ${{ steps.bootstrap.outputs.contract-collection-id }}
|
|
75
|
+
environments-json: '["prod"]'
|
|
76
|
+
env-runtime-urls-json: '{"prod":"https://api.example.com"}'
|
|
77
|
+
postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
|
|
78
|
+
postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
|
|
79
|
+
|
|
80
|
+
- uses: postman-cs/postman-insights-onboarding-action@v0
|
|
81
|
+
with:
|
|
82
|
+
project-name: af-cards-activation
|
|
83
|
+
workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
|
|
84
|
+
environment-id: ${{ fromJSON(steps.sync.outputs.environment-uids-json).prod }}
|
|
85
|
+
cluster-name: my-cluster
|
|
86
|
+
postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
|
|
87
|
+
postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
|
|
88
|
+
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
## CLI Usage (Non-GitHub CI)
|
|
92
|
+
|
|
93
|
+
The CLI is available for GitLab CI, Bitbucket Pipelines, Azure DevOps, and other CI systems. GitHub Actions users should continue using the `action.yml` interface.
|
|
94
|
+
|
|
95
|
+
Install globally:
|
|
96
|
+
|
|
97
|
+
```bash
|
|
98
|
+
npm install -g postman-insights-onboarding-action
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
Basic usage:
|
|
102
|
+
|
|
103
|
+
```bash
|
|
104
|
+
postman-insights-onboard \
|
|
105
|
+
--project-name af-cards-activation \
|
|
106
|
+
--workspace-id ws_123 \
|
|
107
|
+
--environment-id env_123 \
|
|
108
|
+
--postman-access-token "$POSTMAN_ACCESS_TOKEN" \
|
|
109
|
+
--postman-api-key "$POSTMAN_API_KEY" \
|
|
110
|
+
--cluster-name my-cluster \
|
|
111
|
+
--repo-url https://gitlab.com/acme/af-cards-activation \
|
|
112
|
+
--poll-timeout-seconds 180 \
|
|
113
|
+
--result-json /tmp/insights-result.json \
|
|
114
|
+
--dotenv-path /tmp/insights.env
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
The CLI auto-detects the CI provider from environment variables and uses that to resolve the repo URL and owner. For non-GitHub repositories, API Catalog git onboarding is skipped because of a backend limitation, but the remaining Insights steps continue normally.
|
|
118
|
+
|
|
119
|
+
Output is JSON to stdout. Use `--result-json` to write the same payload to a file, or `--dotenv-path` to write shell-sourceable `KEY=VALUE` pairs with the `POSTMAN_INSIGHTS_` prefix. All logs go to stderr, and stdout is reserved for JSON output.
|
|
120
|
+
|
|
121
|
+
### GitLab CI
|
|
122
|
+
|
|
123
|
+
```yaml
|
|
124
|
+
onboarding:
|
|
125
|
+
image: node:20
|
|
126
|
+
script:
|
|
127
|
+
- npm install -g postman-insights-onboarding-action
|
|
128
|
+
- postman-insights-onboard --project-name af-cards-activation --workspace-id "$WORKSPACE_ID" --environment-id "$ENVIRONMENT_ID" --postman-access-token "$POSTMAN_ACCESS_TOKEN" --postman-api-key "$POSTMAN_API_KEY" --cluster-name "$CLUSTER_NAME" --repo-url "$CI_PROJECT_URL" --poll-timeout-seconds 180 --result-json insights-result.json --dotenv-path insights.env
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
### Bitbucket Pipelines
|
|
132
|
+
|
|
133
|
+
```yaml
|
|
134
|
+
image: node:20
|
|
135
|
+
|
|
136
|
+
pipelines:
|
|
137
|
+
default:
|
|
138
|
+
- step:
|
|
139
|
+
script:
|
|
140
|
+
- npm install -g postman-insights-onboarding-action
|
|
141
|
+
- postman-insights-onboard --project-name af-cards-activation --workspace-id "$WORKSPACE_ID" --environment-id "$ENVIRONMENT_ID" --postman-access-token "$POSTMAN_ACCESS_TOKEN" --postman-api-key "$POSTMAN_API_KEY" --cluster-name "$CLUSTER_NAME" --repo-url "$BITBUCKET_GIT_HTTP_ORIGIN" --poll-timeout-seconds 180 --result-json insights-result.json --dotenv-path insights.env
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
### Azure DevOps
|
|
145
|
+
|
|
146
|
+
```yaml
|
|
147
|
+
pool:
|
|
148
|
+
vmImage: ubuntu-latest
|
|
149
|
+
|
|
150
|
+
steps:
|
|
151
|
+
- task: NodeTool@0
|
|
152
|
+
inputs:
|
|
153
|
+
versionSpec: '20.x'
|
|
154
|
+
- script: |
|
|
155
|
+
npm install -g postman-insights-onboarding-action
|
|
156
|
+
postman-insights-onboard --project-name af-cards-activation --workspace-id "$(WORKSPACE_ID)" --environment-id "$(ENVIRONMENT_ID)" --postman-access-token "$(POSTMAN_ACCESS_TOKEN)" --postman-api-key "$(POSTMAN_API_KEY)" --cluster-name "$(CLUSTER_NAME)" --repo-url "$(BUILD_REPOSITORY_URI)" --poll-timeout-seconds 180 --result-json insights-result.json --dotenv-path insights.env
|
|
157
|
+
displayName: Run Postman Insights onboarding
|
|
158
|
+
```
|
|
159
|
+
|
|
160
|
+
## Inputs
|
|
161
|
+
|
|
162
|
+
| Input | Required | Default | Notes |
|
|
163
|
+
| --- | --- | --- | --- |
|
|
164
|
+
| `project-name` | Yes | | Service name to match against discovered service names. Matches `{cluster-name}/{project-name}` in the API Catalog. |
|
|
165
|
+
| `workspace-id` | Yes | | Postman workspace ID to link the discovered service to. |
|
|
166
|
+
| `environment-id` | Yes | | Postman environment UID for the onboarding association. |
|
|
167
|
+
| `system-environment-id` | No | | Postman system environment UUID for service-level Insights acknowledgment. Falls back to the value from the discovered service record. |
|
|
168
|
+
| `cluster-name` | No | | Insights cluster name. When set, the action matches `{cluster-name}/{project-name}` exactly. When omitted, falls back to suffix matching. |
|
|
169
|
+
| `git-owner` | No | `$GITHUB_REPOSITORY_OWNER` | GitHub organization or user for the repository URL. |
|
|
170
|
+
| `git-repository-name` | No | `project-name` | GitHub repository name. Defaults to the project name. |
|
|
171
|
+
| `postman-access-token` | Yes | | Postman session token for Bifrost API calls. See [Obtaining postman-access-token](#obtaining-postman-access-token-open-alpha). |
|
|
172
|
+
| `postman-team-id` | No | | Explicit Postman team ID for org-mode Bifrost requests. When omitted, the action leaves `x-entity-team-id` unset so Bifrost resolves team context from the access token. |
|
|
173
|
+
| `github-token` | No | ambient `GITHUB_TOKEN` env when exported by the workflow | Optional GitHub token passed as `git_api_key` only when repository auth is required by the onboarding endpoint. |
|
|
174
|
+
| `postman-api-key` | No | | Postman API key (`PMAK-*`) for the application binding call to the observability API. Auto-created from `postman-access-token` when omitted or invalid after a clear 401/403 validation failure. |
|
|
175
|
+
| `poll-timeout-seconds` | No | `120` | Maximum seconds to wait for the service to appear in the discovered list. Clamped to 10--600. |
|
|
176
|
+
| `poll-interval-seconds` | No | `10` | Seconds between polling attempts. Clamped to 2--60. |
|
|
177
|
+
|
|
178
|
+
Supply `postman-team-id` only for org-mode tokens that require an explicit team header. For non-org tokens, leave it unset so Bifrost can infer team context from the access token.
|
|
179
|
+
|
|
180
|
+
If `postman-api-key` is omitted or the `/me` validation call returns `401` or `403`, the action creates a new API key via the Bifrost identity service using the `postman-access-token`. Network failures and unexpected validation responses fail the action instead of silently rotating credentials.
|
|
181
|
+
|
|
182
|
+
### Obtaining `postman-access-token` (Open Alpha)
|
|
183
|
+
|
|
184
|
+
> **Open-alpha limitation:** The `postman-access-token` input requires a manually-extracted session token. There is currently no public API to exchange a Postman API key (PMAK) for an access token programmatically. This manual step will be eliminated before GA.
|
|
185
|
+
|
|
186
|
+
The `postman-access-token` is a Postman session token (`x-access-token`) required for the Bifrost API Catalog onboarding endpoints. Without it, this action cannot function.
|
|
187
|
+
|
|
188
|
+
**To obtain and configure the token:**
|
|
189
|
+
|
|
190
|
+
1. **Log in via the Postman CLI** (requires a browser):
|
|
191
|
+
```bash
|
|
192
|
+
postman login
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
2. **Extract the access token:**
|
|
196
|
+
```bash
|
|
197
|
+
cat ~/.postman/postmanrc | jq -r '.login._profiles[].accessToken'
|
|
198
|
+
```
|
|
199
|
+
|
|
200
|
+
3. **Set it as a GitHub secret:**
|
|
201
|
+
```bash
|
|
202
|
+
gh secret set POSTMAN_ACCESS_TOKEN --repo <owner>/<repo>
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
> **Important:** This token is session-scoped and will expire. When it does, the action will fail. You will need to repeat the login and secret update process.
|
|
206
|
+
|
|
207
|
+
## Outputs
|
|
208
|
+
|
|
209
|
+
| Output | Notes |
|
|
210
|
+
| --- | --- |
|
|
211
|
+
| `discovered-service-id` | Numeric ID from the API Catalog discovered-services list. |
|
|
212
|
+
| `discovered-service-name` | Full `cluster/service` name of the discovered service. |
|
|
213
|
+
| `collection-id` | Collection ID returned by the prepare-collection step. |
|
|
214
|
+
| `application-id` | Insights application binding ID from the observability API. |
|
|
215
|
+
| `verification-token` | Insights team verification token (`tvt_*`) for DaemonSet telemetry. |
|
|
216
|
+
| `status` | Result: `success`, `not-found`, or `error`. Failures set `status=error` before the action exits. |
|
|
217
|
+
|
|
218
|
+
## Discovery polling
|
|
219
|
+
|
|
220
|
+
The Insights agent takes time to discover services after pods start. This action polls the API Catalog discovered-services list at the configured interval until the service appears or the timeout is reached.
|
|
221
|
+
|
|
222
|
+
- Default timeout: 120 seconds (configurable via `poll-timeout-seconds`, clamped to 10--600).
|
|
223
|
+
- Default interval: 10 seconds (configurable via `poll-interval-seconds`, clamped to 2--60).
|
|
224
|
+
- If the service is not found after the timeout, the action sets `status` to `not-found` and emits a warning (does not fail the workflow).
|
|
225
|
+
|
|
226
|
+
For services that take longer to appear (cold cluster, large pod startup time), increase `poll-timeout-seconds` to 300 or more.
|
|
227
|
+
|
|
228
|
+
## How it works
|
|
229
|
+
|
|
230
|
+
The action calls the following API endpoints in order:
|
|
231
|
+
|
|
232
|
+
1. **List discovered services** -- `GET /api/v1/onboarding/discovered-services?status=discovered` (Bifrost api-catalog) to find the numeric service ID by matching the service name.
|
|
233
|
+
2. **Prepare collection** -- `POST /api/v1/onboarding/prepare-collection` (Bifrost api-catalog) to create the API Catalog collection entry.
|
|
234
|
+
3. **Onboard git** -- `POST /api/v1/onboarding/git` (Bifrost api-catalog) with `via_integrations: false` to link the service to the GitHub repository.
|
|
235
|
+
4. **Resolve provider service ID** -- `GET /v2/api-catalog/services?status=discovered&...` (Bifrost akita) to find the `svc_*` Akita service ID.
|
|
236
|
+
5. **Service-level acknowledge** -- `POST /v2/api-catalog/services/onboard` (Bifrost akita) to mark the service as managed.
|
|
237
|
+
6. **Application binding** -- `POST /v2/agent/api-catalog/workspaces/{id}/applications` (direct to `api.observability.postman.com`, NOT Bifrost) to bind the workspace to the Insights application. Required for service graph edge generation.
|
|
238
|
+
7. **Workspace acknowledge** -- `POST /v2/workspaces/{id}/onboarding/acknowledge` (Bifrost akita) to activate the Insights project.
|
|
239
|
+
8. **Team verification token** -- `GET /v2/workspaces/{id}/team-verification-token` (Bifrost akita) to retrieve the DaemonSet telemetry token.
|
|
240
|
+
|
|
241
|
+
## Local development
|
|
242
|
+
|
|
243
|
+
```bash
|
|
244
|
+
npm install
|
|
245
|
+
npm test
|
|
246
|
+
npm run typecheck
|
|
247
|
+
npm run build
|
|
248
|
+
```
|
|
249
|
+
|
|
250
|
+
`npm run build` produces `dist/index.cjs`, the bundled action entrypoint referenced by `action.yml`.
|
|
251
|
+
|
|
252
|
+
## Open-Alpha Release Strategy
|
|
253
|
+
|
|
254
|
+
- Open-alpha channel tags use `v0.x.y`.
|
|
255
|
+
- Consumers can pin immutable tags such as `v0.1.0` for reproducibility.
|
|
256
|
+
- Moving tag `v0` is used as the rolling open-alpha channel.
|
package/action.yml
ADDED
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
name: 'postman-insights-onboarding-action'
|
|
2
|
+
description: 'Link Postman Insights discovered services to API Catalog workspaces and git repos'
|
|
3
|
+
inputs:
|
|
4
|
+
project-name:
|
|
5
|
+
description: 'Service name or spec ID to match against discovered service names'
|
|
6
|
+
required: true
|
|
7
|
+
workspace-id:
|
|
8
|
+
description: 'Postman workspace ID to link the discovered service to'
|
|
9
|
+
required: true
|
|
10
|
+
environment-id:
|
|
11
|
+
description: 'Postman environment UID for the onboarding association'
|
|
12
|
+
required: true
|
|
13
|
+
system-environment-id:
|
|
14
|
+
description: 'Postman system environment UUID for service-level Insights acknowledgment'
|
|
15
|
+
required: false
|
|
16
|
+
cluster-name:
|
|
17
|
+
description: 'Insights cluster name. Matches {cluster}/{project-name} in discovered services'
|
|
18
|
+
required: false
|
|
19
|
+
git-owner:
|
|
20
|
+
description: 'GitHub organization or user that owns the repository'
|
|
21
|
+
required: false
|
|
22
|
+
git-repository-name:
|
|
23
|
+
description: 'GitHub repository name. Defaults to project-name'
|
|
24
|
+
required: false
|
|
25
|
+
postman-access-token:
|
|
26
|
+
description: 'Postman access token for Bifrost API calls'
|
|
27
|
+
required: true
|
|
28
|
+
postman-team-id:
|
|
29
|
+
description: 'Explicit Postman team ID for org-mode Bifrost request headers. When omitted, x-entity-team-id is not sent.'
|
|
30
|
+
required: false
|
|
31
|
+
github-token:
|
|
32
|
+
description: 'Optional GitHub token passed as git_api_key when repository auth is required by onboarding/git'
|
|
33
|
+
required: false
|
|
34
|
+
postman-api-key:
|
|
35
|
+
description: 'Postman API key (PMAK-*) for the application binding call. Auto-created from postman-access-token when omitted or invalid after a clear 401/403 validation failure.'
|
|
36
|
+
required: false
|
|
37
|
+
poll-timeout-seconds:
|
|
38
|
+
description: 'Maximum seconds to wait for the service to appear in the discovered list'
|
|
39
|
+
required: false
|
|
40
|
+
default: '120'
|
|
41
|
+
poll-interval-seconds:
|
|
42
|
+
description: 'Seconds between discovery polling attempts'
|
|
43
|
+
required: false
|
|
44
|
+
default: '10'
|
|
45
|
+
outputs:
|
|
46
|
+
discovered-service-id:
|
|
47
|
+
description: 'Numeric ID from the API Catalog discovered-services list'
|
|
48
|
+
discovered-service-name:
|
|
49
|
+
description: 'Full cluster/service name of the discovered service'
|
|
50
|
+
collection-id:
|
|
51
|
+
description: 'Collection ID returned by the prepare-collection step'
|
|
52
|
+
application-id:
|
|
53
|
+
description: 'Insights application binding ID from the observability API'
|
|
54
|
+
verification-token:
|
|
55
|
+
description: 'Insights team verification token (tvt_*) for DaemonSet telemetry'
|
|
56
|
+
status:
|
|
57
|
+
description: 'Onboarding result: success, not-found, or error'
|
|
58
|
+
runs:
|
|
59
|
+
using: 'node20'
|
|
60
|
+
main: 'dist/index.cjs'
|