@postman-cse/onboarding-insights 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Postman, Inc.
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,256 @@
1
+ # postman-insights-onboarding-action
2
+
3
+ GitHub Action that links Postman Insights discovered services to API Catalog workspaces and git repositories. Designed for Kubernetes discovery-mode deployments where the Insights DaemonSet agent automatically finds running services.
4
+
5
+ ## Scope
6
+
7
+ After the Postman Insights agent discovers a service on your cluster, this action:
8
+
9
+ - Polls the API Catalog discovered-services list until the service appears (with configurable timeout).
10
+ - Prepares an API Catalog collection for the discovered service in your workspace.
11
+ - Links the service to a GitHub repository through the API Catalog git onboarding flow.
12
+ - Acknowledges the service and workspace with the Insights backend (Akita).
13
+ - Creates an application binding with the observability API (required for service graph edges).
14
+ - Retrieves the team verification token for DaemonSet telemetry.
15
+
16
+ This action does **not** deploy the Insights agent, create workspaces, or manage environments. Use [postman-bootstrap-action](https://github.com/postman-cs/postman-bootstrap-action) and [postman-repo-sync-action](https://github.com/postman-cs/postman-repo-sync-action) for those concerns.
17
+
18
+ ## Prerequisites
19
+
20
+ - The Postman Insights DaemonSet agent must be running on your cluster in discovery mode.
21
+ - The target service must be deployed and running (the agent discovers it from live traffic).
22
+ - A Postman workspace and environment must already exist for the service.
23
+ - A `postman-access-token` (session token) is required for Bifrost API access.
24
+
25
+ ## Usage
26
+
27
+ ```yaml
28
+ jobs:
29
+ deploy:
30
+ runs-on: ubuntu-latest
31
+ steps:
32
+ - uses: actions/checkout@v4
33
+
34
+ # ... deploy your service to Kubernetes ...
35
+
36
+ - uses: postman-cs/postman-insights-onboarding-action@v0
37
+ with:
38
+ project-name: af-cards-activation
39
+ workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
40
+ environment-id: ${{ steps.sync.outputs.environment-uids-json && fromJSON(steps.sync.outputs.environment-uids-json).prod }}
41
+ cluster-name: my-cluster
42
+ postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
43
+ postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
44
+ github-token: ${{ secrets.GITHUB_TOKEN }}
45
+ poll-timeout-seconds: 180
46
+ ```
47
+
48
+ ### With the full onboarding pipeline
49
+
50
+ ```yaml
51
+ jobs:
52
+ provision:
53
+ runs-on: ubuntu-latest
54
+ steps:
55
+ - uses: actions/checkout@v4
56
+
57
+ - uses: postman-cs/postman-bootstrap-action@v0
58
+ id: bootstrap
59
+ with:
60
+ project-name: af-cards-activation
61
+ spec-url: https://example.com/openapi.yaml
62
+ postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
63
+ postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
64
+
65
+ # ... deploy service to Kubernetes ...
66
+
67
+ - uses: postman-cs/postman-repo-sync-action@v0
68
+ id: sync
69
+ with:
70
+ project-name: af-cards-activation
71
+ workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
72
+ baseline-collection-id: ${{ steps.bootstrap.outputs.baseline-collection-id }}
73
+ smoke-collection-id: ${{ steps.bootstrap.outputs.smoke-collection-id }}
74
+ contract-collection-id: ${{ steps.bootstrap.outputs.contract-collection-id }}
75
+ environments-json: '["prod"]'
76
+ env-runtime-urls-json: '{"prod":"https://api.example.com"}'
77
+ postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
78
+ postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
79
+
80
+ - uses: postman-cs/postman-insights-onboarding-action@v0
81
+ with:
82
+ project-name: af-cards-activation
83
+ workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
84
+ environment-id: ${{ fromJSON(steps.sync.outputs.environment-uids-json).prod }}
85
+ cluster-name: my-cluster
86
+ postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
87
+ postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
88
+ github-token: ${{ secrets.GITHUB_TOKEN }}
89
+ ```
90
+
91
+ ## CLI Usage (Non-GitHub CI)
92
+
93
+ The CLI is available for GitLab CI, Bitbucket Pipelines, Azure DevOps, and other CI systems. GitHub Actions users should continue using the `action.yml` interface.
94
+
95
+ Install globally:
96
+
97
+ ```bash
98
+ npm install -g postman-insights-onboarding-action
99
+ ```
100
+
101
+ Basic usage:
102
+
103
+ ```bash
104
+ postman-insights-onboard \
105
+ --project-name af-cards-activation \
106
+ --workspace-id ws_123 \
107
+ --environment-id env_123 \
108
+ --postman-access-token "$POSTMAN_ACCESS_TOKEN" \
109
+ --postman-api-key "$POSTMAN_API_KEY" \
110
+ --cluster-name my-cluster \
111
+ --repo-url https://gitlab.com/acme/af-cards-activation \
112
+ --poll-timeout-seconds 180 \
113
+ --result-json /tmp/insights-result.json \
114
+ --dotenv-path /tmp/insights.env
115
+ ```
116
+
117
+ The CLI auto-detects the CI provider from environment variables and uses that to resolve the repo URL and owner. For non-GitHub repositories, API Catalog git onboarding is skipped because of a backend limitation, but the remaining Insights steps continue normally.
118
+
119
+ Output is JSON to stdout. Use `--result-json` to write the same payload to a file, or `--dotenv-path` to write shell-sourceable `KEY=VALUE` pairs with the `POSTMAN_INSIGHTS_` prefix. All logs go to stderr, and stdout is reserved for JSON output.
120
+
121
+ ### GitLab CI
122
+
123
+ ```yaml
124
+ onboarding:
125
+ image: node:20
126
+ script:
127
+ - npm install -g postman-insights-onboarding-action
128
+ - postman-insights-onboard --project-name af-cards-activation --workspace-id "$WORKSPACE_ID" --environment-id "$ENVIRONMENT_ID" --postman-access-token "$POSTMAN_ACCESS_TOKEN" --postman-api-key "$POSTMAN_API_KEY" --cluster-name "$CLUSTER_NAME" --repo-url "$CI_PROJECT_URL" --poll-timeout-seconds 180 --result-json insights-result.json --dotenv-path insights.env
129
+ ```
130
+
131
+ ### Bitbucket Pipelines
132
+
133
+ ```yaml
134
+ image: node:20
135
+
136
+ pipelines:
137
+ default:
138
+ - step:
139
+ script:
140
+ - npm install -g postman-insights-onboarding-action
141
+ - postman-insights-onboard --project-name af-cards-activation --workspace-id "$WORKSPACE_ID" --environment-id "$ENVIRONMENT_ID" --postman-access-token "$POSTMAN_ACCESS_TOKEN" --postman-api-key "$POSTMAN_API_KEY" --cluster-name "$CLUSTER_NAME" --repo-url "$BITBUCKET_GIT_HTTP_ORIGIN" --poll-timeout-seconds 180 --result-json insights-result.json --dotenv-path insights.env
142
+ ```
143
+
144
+ ### Azure DevOps
145
+
146
+ ```yaml
147
+ pool:
148
+ vmImage: ubuntu-latest
149
+
150
+ steps:
151
+ - task: NodeTool@0
152
+ inputs:
153
+ versionSpec: '20.x'
154
+ - script: |
155
+ npm install -g postman-insights-onboarding-action
156
+ postman-insights-onboard --project-name af-cards-activation --workspace-id "$(WORKSPACE_ID)" --environment-id "$(ENVIRONMENT_ID)" --postman-access-token "$(POSTMAN_ACCESS_TOKEN)" --postman-api-key "$(POSTMAN_API_KEY)" --cluster-name "$(CLUSTER_NAME)" --repo-url "$(BUILD_REPOSITORY_URI)" --poll-timeout-seconds 180 --result-json insights-result.json --dotenv-path insights.env
157
+ displayName: Run Postman Insights onboarding
158
+ ```
159
+
160
+ ## Inputs
161
+
162
+ | Input | Required | Default | Notes |
163
+ | --- | --- | --- | --- |
164
+ | `project-name` | Yes | | Service name to match against discovered service names. Matches `{cluster-name}/{project-name}` in the API Catalog. |
165
+ | `workspace-id` | Yes | | Postman workspace ID to link the discovered service to. |
166
+ | `environment-id` | Yes | | Postman environment UID for the onboarding association. |
167
+ | `system-environment-id` | No | | Postman system environment UUID for service-level Insights acknowledgment. Falls back to the value from the discovered service record. |
168
+ | `cluster-name` | No | | Insights cluster name. When set, the action matches `{cluster-name}/{project-name}` exactly. When omitted, falls back to suffix matching. |
169
+ | `git-owner` | No | `$GITHUB_REPOSITORY_OWNER` | GitHub organization or user for the repository URL. |
170
+ | `git-repository-name` | No | `project-name` | GitHub repository name. Defaults to the project name. |
171
+ | `postman-access-token` | Yes | | Postman session token for Bifrost API calls. See [Obtaining postman-access-token](#obtaining-postman-access-token-open-alpha). |
172
+ | `postman-team-id` | No | | Explicit Postman team ID for org-mode Bifrost requests. When omitted, the action leaves `x-entity-team-id` unset so Bifrost resolves team context from the access token. |
173
+ | `github-token` | No | ambient `GITHUB_TOKEN` env when exported by the workflow | Optional GitHub token passed as `git_api_key` only when repository auth is required by the onboarding endpoint. |
174
+ | `postman-api-key` | No | | Postman API key (`PMAK-*`) for the application binding call to the observability API. Auto-created from `postman-access-token` when omitted or invalid after a clear 401/403 validation failure. |
175
+ | `poll-timeout-seconds` | No | `120` | Maximum seconds to wait for the service to appear in the discovered list. Clamped to 10--600. |
176
+ | `poll-interval-seconds` | No | `10` | Seconds between polling attempts. Clamped to 2--60. |
177
+
178
+ Supply `postman-team-id` only for org-mode tokens that require an explicit team header. For non-org tokens, leave it unset so Bifrost can infer team context from the access token.
179
+
180
+ If `postman-api-key` is omitted or the `/me` validation call returns `401` or `403`, the action creates a new API key via the Bifrost identity service using the `postman-access-token`. Network failures and unexpected validation responses fail the action instead of silently rotating credentials.
181
+
182
+ ### Obtaining `postman-access-token` (Open Alpha)
183
+
184
+ > **Open-alpha limitation:** The `postman-access-token` input requires a manually-extracted session token. There is currently no public API to exchange a Postman API key (PMAK) for an access token programmatically. This manual step will be eliminated before GA.
185
+
186
+ The `postman-access-token` is a Postman session token (`x-access-token`) required for the Bifrost API Catalog onboarding endpoints. Without it, this action cannot function.
187
+
188
+ **To obtain and configure the token:**
189
+
190
+ 1. **Log in via the Postman CLI** (requires a browser):
191
+ ```bash
192
+ postman login
193
+ ```
194
+
195
+ 2. **Extract the access token:**
196
+ ```bash
197
+ cat ~/.postman/postmanrc | jq -r '.login._profiles[].accessToken'
198
+ ```
199
+
200
+ 3. **Set it as a GitHub secret:**
201
+ ```bash
202
+ gh secret set POSTMAN_ACCESS_TOKEN --repo <owner>/<repo>
203
+ ```
204
+
205
+ > **Important:** This token is session-scoped and will expire. When it does, the action will fail. You will need to repeat the login and secret update process.
206
+
207
+ ## Outputs
208
+
209
+ | Output | Notes |
210
+ | --- | --- |
211
+ | `discovered-service-id` | Numeric ID from the API Catalog discovered-services list. |
212
+ | `discovered-service-name` | Full `cluster/service` name of the discovered service. |
213
+ | `collection-id` | Collection ID returned by the prepare-collection step. |
214
+ | `application-id` | Insights application binding ID from the observability API. |
215
+ | `verification-token` | Insights team verification token (`tvt_*`) for DaemonSet telemetry. |
216
+ | `status` | Result: `success`, `not-found`, or `error`. Failures set `status=error` before the action exits. |
217
+
218
+ ## Discovery polling
219
+
220
+ The Insights agent takes time to discover services after pods start. This action polls the API Catalog discovered-services list at the configured interval until the service appears or the timeout is reached.
221
+
222
+ - Default timeout: 120 seconds (configurable via `poll-timeout-seconds`, clamped to 10--600).
223
+ - Default interval: 10 seconds (configurable via `poll-interval-seconds`, clamped to 2--60).
224
+ - If the service is not found after the timeout, the action sets `status` to `not-found` and emits a warning (does not fail the workflow).
225
+
226
+ For services that take longer to appear (cold cluster, large pod startup time), increase `poll-timeout-seconds` to 300 or more.
227
+
228
+ ## How it works
229
+
230
+ The action calls the following API endpoints in order:
231
+
232
+ 1. **List discovered services** -- `GET /api/v1/onboarding/discovered-services?status=discovered` (Bifrost api-catalog) to find the numeric service ID by matching the service name.
233
+ 2. **Prepare collection** -- `POST /api/v1/onboarding/prepare-collection` (Bifrost api-catalog) to create the API Catalog collection entry.
234
+ 3. **Onboard git** -- `POST /api/v1/onboarding/git` (Bifrost api-catalog) with `via_integrations: false` to link the service to the GitHub repository.
235
+ 4. **Resolve provider service ID** -- `GET /v2/api-catalog/services?status=discovered&...` (Bifrost akita) to find the `svc_*` Akita service ID.
236
+ 5. **Service-level acknowledge** -- `POST /v2/api-catalog/services/onboard` (Bifrost akita) to mark the service as managed.
237
+ 6. **Application binding** -- `POST /v2/agent/api-catalog/workspaces/{id}/applications` (direct to `api.observability.postman.com`, NOT Bifrost) to bind the workspace to the Insights application. Required for service graph edge generation.
238
+ 7. **Workspace acknowledge** -- `POST /v2/workspaces/{id}/onboarding/acknowledge` (Bifrost akita) to activate the Insights project.
239
+ 8. **Team verification token** -- `GET /v2/workspaces/{id}/team-verification-token` (Bifrost akita) to retrieve the DaemonSet telemetry token.
240
+
241
+ ## Local development
242
+
243
+ ```bash
244
+ npm install
245
+ npm test
246
+ npm run typecheck
247
+ npm run build
248
+ ```
249
+
250
+ `npm run build` produces `dist/index.cjs`, the bundled action entrypoint referenced by `action.yml`.
251
+
252
+ ## Open-Alpha Release Strategy
253
+
254
+ - Open-alpha channel tags use `v0.x.y`.
255
+ - Consumers can pin immutable tags such as `v0.1.0` for reproducibility.
256
+ - Moving tag `v0` is used as the rolling open-alpha channel.
package/action.yml ADDED
@@ -0,0 +1,60 @@
1
+ name: 'postman-insights-onboarding-action'
2
+ description: 'Link Postman Insights discovered services to API Catalog workspaces and git repos'
3
+ inputs:
4
+ project-name:
5
+ description: 'Service name or spec ID to match against discovered service names'
6
+ required: true
7
+ workspace-id:
8
+ description: 'Postman workspace ID to link the discovered service to'
9
+ required: true
10
+ environment-id:
11
+ description: 'Postman environment UID for the onboarding association'
12
+ required: true
13
+ system-environment-id:
14
+ description: 'Postman system environment UUID for service-level Insights acknowledgment'
15
+ required: false
16
+ cluster-name:
17
+ description: 'Insights cluster name. Matches {cluster}/{project-name} in discovered services'
18
+ required: false
19
+ git-owner:
20
+ description: 'GitHub organization or user that owns the repository'
21
+ required: false
22
+ git-repository-name:
23
+ description: 'GitHub repository name. Defaults to project-name'
24
+ required: false
25
+ postman-access-token:
26
+ description: 'Postman access token for Bifrost API calls'
27
+ required: true
28
+ postman-team-id:
29
+ description: 'Explicit Postman team ID for org-mode Bifrost request headers. When omitted, x-entity-team-id is not sent.'
30
+ required: false
31
+ github-token:
32
+ description: 'Optional GitHub token passed as git_api_key when repository auth is required by onboarding/git'
33
+ required: false
34
+ postman-api-key:
35
+ description: 'Postman API key (PMAK-*) for the application binding call. Auto-created from postman-access-token when omitted or invalid after a clear 401/403 validation failure.'
36
+ required: false
37
+ poll-timeout-seconds:
38
+ description: 'Maximum seconds to wait for the service to appear in the discovered list'
39
+ required: false
40
+ default: '120'
41
+ poll-interval-seconds:
42
+ description: 'Seconds between discovery polling attempts'
43
+ required: false
44
+ default: '10'
45
+ outputs:
46
+ discovered-service-id:
47
+ description: 'Numeric ID from the API Catalog discovered-services list'
48
+ discovered-service-name:
49
+ description: 'Full cluster/service name of the discovered service'
50
+ collection-id:
51
+ description: 'Collection ID returned by the prepare-collection step'
52
+ application-id:
53
+ description: 'Insights application binding ID from the observability API'
54
+ verification-token:
55
+ description: 'Insights team verification token (tvt_*) for DaemonSet telemetry'
56
+ status:
57
+ description: 'Onboarding result: success, not-found, or error'
58
+ runs:
59
+ using: 'node20'
60
+ main: 'dist/index.cjs'