@postman-cse/onboarding-insights 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -2,10 +2,32 @@
2
2
 
3
3
  [![CI](https://github.com/postman-cs/postman-insights-onboarding-action/actions/workflows/ci.yml/badge.svg)](https://github.com/postman-cs/postman-insights-onboarding-action/actions/workflows/ci.yml) [![Release](https://img.shields.io/github/v/release/postman-cs/postman-insights-onboarding-action?sort=semver)](https://github.com/postman-cs/postman-insights-onboarding-action/releases) [![npm](https://img.shields.io/npm/v/%40postman-cse%2Fonboarding-insights)](https://www.npmjs.com/package/@postman-cse/onboarding-insights) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
4
4
 
5
- Links Postman Insights discovered services to API Catalog workspaces and git repositories after deployment, so every service the Insights agent finds lands in your catalog with a collection, a repo link, and live telemetry.
5
+ Links [Postman Insights](https://learning.postman.com/docs/insights/overview/) discovered services to [API Catalog](https://learning.postman.com/docs/api-catalog/overview/) workspaces and git repositories after deployment, so every service the Insights agent finds lands in your catalog with a collection, a repo link, and live telemetry.
6
6
 
7
7
  Part of the [Postman API Onboarding suite](https://github.com/postman-cs/postman-api-onboarding-action).
8
8
 
9
+ ## Prerequisites
10
+
11
+ - The [Postman Insights DaemonSet agent](https://learning.postman.com/docs/api-catalog/connect/insights/) must already be running on your cluster in discovery mode.
12
+ - The target service must already be deployed, running, and receiving enough traffic for the agent to discover it.
13
+ - A [Postman workspace](https://learning.postman.com/docs/collaborating-in-postman/using-workspaces/overview/) and environment must already exist for the service.
14
+ - A [Postman service account](https://learning.postman.com/docs/administration/service-accounts/) API key must be available as a CI secret. Use [postman-resolve-service-token-action](https://github.com/postman-cs/postman-resolve-service-token-action) to mint the `postman-access-token` and `postman-team-id` at runtime.
15
+ - Choose the Postman data residency region up front with `postman-region` (`us` or `eu`).
16
+
17
+ This action does **not** deploy the Insights agent, create workspaces, create environments, upload OpenAPI specs, or sync repo artifacts. It only links a service that Insights has already discovered.
18
+
19
+ ## Which action should I use?
20
+
21
+ | Need | Action |
22
+ | --- | --- |
23
+ | Mint a service-account access token and team ID | [Postman Onboarding: Service Token](https://github.com/postman-cs/postman-resolve-service-token-action) |
24
+ | Run the full workspace, collection, repo sync, and optional Insights pipeline | [Postman API Onboarding](https://github.com/postman-cs/postman-api-onboarding-action) |
25
+ | Create a workspace, upload an OpenAPI spec, and generate collections | [Postman Onboarding: Workspace Bootstrap](https://github.com/postman-cs/postman-bootstrap-action) |
26
+ | Sync Postman artifacts, mocks, monitors, and CI files back to the repo | [Postman Onboarding: Repo Sync](https://github.com/postman-cs/postman-repo-sync-action) |
27
+ | Link an already discovered Insights service to an existing workspace | [Postman Onboarding: Insights Linking](https://github.com/postman-cs/postman-insights-onboarding-action) |
28
+ | Discover OpenAPI specs from AWS services | [Postman Onboarding: AWS Spec Discovery](https://github.com/postman-cs/postman-aws-spec-discovery-action) |
29
+ | Apply a curated smoke flow to an existing Smoke collection | [Postman Onboarding: Smoke Flow](https://github.com/postman-cs/postman-smoke-flow-action) |
30
+
9
31
  ## Usage
10
32
 
11
33
  ```yaml
@@ -17,23 +39,23 @@ jobs:
17
39
 
18
40
  # ... deploy your service to Kubernetes ...
19
41
 
42
+ - id: postman_token
43
+ uses: postman-cs/postman-resolve-service-token-action@v1
44
+ with:
45
+ postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
46
+ postman-region: us
47
+
20
48
  - uses: postman-cs/postman-insights-onboarding-action@v1
21
49
  with:
22
- project-name: af-cards-activation
50
+ project-name: core-payments
23
51
  workspace-id: ${{ vars.POSTMAN_WORKSPACE_ID }}
24
52
  environment-id: ${{ vars.POSTMAN_ENVIRONMENT_ID }}
25
- postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
53
+ postman-region: us
54
+ postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
55
+ postman-access-token: ${{ steps.postman_token.outputs.token }}
56
+ postman-team-id: ${{ steps.postman_token.outputs.team-id }}
26
57
  ```
27
58
 
28
- ### Prerequisites
29
-
30
- - The Postman Insights DaemonSet agent must be running on your cluster in discovery mode.
31
- - The target service must be deployed and running (the agent discovers it from live traffic).
32
- - A Postman workspace and environment must already exist for the service.
33
- - A `postman-access-token` (session token) is required for Bifrost API access. See [Credentials and Identity](docs/credentials.md).
34
-
35
- This action does **not** deploy the Insights agent, create workspaces, or manage environments. Use [postman-bootstrap-action](https://github.com/postman-cs/postman-bootstrap-action) and [postman-repo-sync-action](https://github.com/postman-cs/postman-repo-sync-action) for those concerns.
36
-
37
59
  ## Examples
38
60
 
39
61
  ### Standalone after a Kubernetes deploy
@@ -47,14 +69,22 @@ jobs:
47
69
 
48
70
  # ... deploy your service to Kubernetes ...
49
71
 
72
+ - id: postman_token
73
+ uses: postman-cs/postman-resolve-service-token-action@v1
74
+ with:
75
+ postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
76
+ postman-region: us
77
+
50
78
  - uses: postman-cs/postman-insights-onboarding-action@v1
51
79
  with:
52
- project-name: af-cards-activation
53
- workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
54
- environment-id: ${{ steps.sync.outputs.environment-uids-json && fromJSON(steps.sync.outputs.environment-uids-json).prod }}
80
+ project-name: core-payments
81
+ workspace-id: ${{ vars.POSTMAN_WORKSPACE_ID }}
82
+ environment-id: ${{ vars.POSTMAN_ENVIRONMENT_ID }}
55
83
  cluster-name: my-cluster
56
- postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
84
+ postman-region: us
57
85
  postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
86
+ postman-access-token: ${{ steps.postman_token.outputs.token }}
87
+ postman-team-id: ${{ steps.postman_token.outputs.team-id }}
58
88
  github-token: ${{ secrets.GITHUB_TOKEN }}
59
89
  poll-timeout-seconds: 180
60
90
  ```
@@ -68,51 +98,62 @@ jobs:
68
98
  steps:
69
99
  - uses: actions/checkout@v5
70
100
 
101
+ - id: postman_token
102
+ uses: postman-cs/postman-resolve-service-token-action@v1
103
+ with:
104
+ postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
105
+ postman-region: us
106
+
71
107
  - uses: postman-cs/postman-bootstrap-action@v1
72
108
  id: bootstrap
73
109
  with:
74
- project-name: af-cards-activation
75
- spec-url: https://example.com/openapi.yaml
110
+ project-name: core-payments
111
+ spec-url: https://raw.githubusercontent.com/postman-cs/postman-insights-onboarding-action/main/examples/core-payments-openapi.yaml
112
+ postman-region: us
76
113
  postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
77
- postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
114
+ postman-access-token: ${{ steps.postman_token.outputs.token }}
78
115
 
79
116
  # ... deploy service to Kubernetes ...
80
117
 
81
118
  - uses: postman-cs/postman-repo-sync-action@v1
82
119
  id: sync
83
120
  with:
84
- project-name: af-cards-activation
121
+ project-name: core-payments
85
122
  workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
86
123
  baseline-collection-id: ${{ steps.bootstrap.outputs.baseline-collection-id }}
87
124
  smoke-collection-id: ${{ steps.bootstrap.outputs.smoke-collection-id }}
88
125
  contract-collection-id: ${{ steps.bootstrap.outputs.contract-collection-id }}
89
126
  environments-json: '["prod"]'
90
127
  env-runtime-urls-json: '{"prod":"https://api.example.com"}'
128
+ postman-region: us
91
129
  postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
92
- postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
130
+ postman-access-token: ${{ steps.postman_token.outputs.token }}
93
131
 
94
132
  - uses: postman-cs/postman-insights-onboarding-action@v1
95
133
  with:
96
- project-name: af-cards-activation
134
+ project-name: core-payments
97
135
  workspace-id: ${{ steps.bootstrap.outputs.workspace-id }}
98
136
  environment-id: ${{ fromJSON(steps.sync.outputs.environment-uids-json).prod }}
99
137
  cluster-name: my-cluster
100
- postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
138
+ postman-region: us
101
139
  postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
140
+ postman-access-token: ${{ steps.postman_token.outputs.token }}
141
+ postman-team-id: ${{ steps.postman_token.outputs.team-id }}
102
142
  github-token: ${{ secrets.GITHUB_TOKEN }}
103
143
  ```
104
144
 
105
145
  ### Tuning discovery polling
106
146
 
107
- The Insights agent takes time to discover services after pods start. The action polls the API Catalog discovered-services list until the service appears or the timeout is reached. For services that take longer to appear (cold cluster, large pod startup time), raise the timeout:
147
+ The Insights agent takes time to discover services after pods start. The action polls the [API Catalog](https://learning.postman.com/docs/api-catalog/connect/insights/) discovered-services list until the service appears or the timeout is reached. For services that take longer to appear (cold cluster, large pod startup time), raise the timeout:
108
148
 
109
149
  ```yaml
110
150
  - uses: postman-cs/postman-insights-onboarding-action@v1
111
151
  with:
112
- project-name: af-cards-activation
152
+ project-name: core-payments
113
153
  workspace-id: ${{ vars.POSTMAN_WORKSPACE_ID }}
114
154
  environment-id: ${{ vars.POSTMAN_ENVIRONMENT_ID }}
115
- postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
155
+ postman-region: us
156
+ postman-access-token: ${{ steps.postman_token.outputs.token }}
116
157
  poll-timeout-seconds: 300
117
158
  poll-interval-seconds: 15
118
159
  ```
@@ -121,15 +162,15 @@ The Insights agent takes time to discover services after pods start. The action
121
162
 
122
163
  ### Credential preflight modes
123
164
 
124
- Before any onboarding write, the action can verify that `postman-api-key` and `postman-access-token` resolve to the same parent organization. Set `credential-preflight` to `enforce` to fail fast on mismatched credentials, or `off` to skip the probes (the default `warn` logs and continues):
165
+ Before any onboarding write, the action can verify that `postman-api-key` and `postman-access-token` resolve to the same parent organization. The default `warn` mode logs a note and continues. Set `credential-preflight` to `enforce` to fail fast on mismatched credentials:
125
166
 
126
167
  ```yaml
127
168
  - uses: postman-cs/postman-insights-onboarding-action@v1
128
169
  with:
129
- project-name: af-cards-activation
170
+ project-name: core-payments
130
171
  workspace-id: ${{ vars.POSTMAN_WORKSPACE_ID }}
131
172
  environment-id: ${{ vars.POSTMAN_ENVIRONMENT_ID }}
132
- postman-access-token: ${{ secrets.POSTMAN_ACCESS_TOKEN }}
173
+ postman-access-token: ${{ steps.postman_token.outputs.token }}
133
174
  postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
134
175
  credential-preflight: enforce
135
176
  ```
@@ -143,10 +184,13 @@ The same logic ships as a CLI (`postman-insights-onboard`) for GitLab CI, Bitbuc
143
184
  ```bash
144
185
  npm install -g @postman-cse/onboarding-insights
145
186
  postman-insights-onboard \
146
- --project-name af-cards-activation \
187
+ --project-name core-payments \
147
188
  --workspace-id ws_123 \
148
189
  --environment-id env_123 \
149
190
  --postman-access-token "$POSTMAN_ACCESS_TOKEN" \
191
+ --postman-team-id "$POSTMAN_TEAM_ID" \
192
+ --postman-api-key "$POSTMAN_API_KEY" \
193
+ --postman-region us \
150
194
  --cluster-name my-cluster
151
195
  ```
152
196
 
@@ -163,16 +207,17 @@ See [CLI Usage](docs/cli.md) for provider auto-detection, output formats, and Gi
163
207
  | `system-environment-id` | Postman system environment UUID for service-level Insights acknowledgment | No | |
164
208
  | `cluster-name` | Insights cluster name. Matches {cluster}/{project-name} in discovered services | No | |
165
209
  | `repo-url` | Repository URL for Git onboarding. Auto-detected from CI context when omitted. | No | |
166
- | `postman-access-token` | Postman access token for Bifrost API calls | Yes | |
167
- | `postman-team-id` | Explicit Postman team ID for org-mode Bifrost request headers. When omitted, x-entity-team-id is not sent. | No | |
210
+ | `postman-access-token` | Service-account Postman access token for integration API calls. Prefer minting it with postman-resolve-service-token-action. | Yes | |
211
+ | `postman-team-id` | Explicit Postman team ID for org-mode integration request headers. When omitted, x-entity-team-id is not sent. | No | |
168
212
  | `github-token` | Optional GitHub token passed as git_api_key when repository auth is required by onboarding/git | No | |
169
- | `postman-api-key` | Postman API key (PMAK-*) for the application binding call. Auto-created from postman-access-token when omitted or invalid after a clear 401/403 validation failure. | No | |
170
- | `credential-preflight` | Credential identity preflight policy. warn (default) logs a note and continues when postman-api-key and postman-access-token resolve to different parent orgs; enforce fails the run on that condition before any onboarding write; off skips the identity probes entirely (the reactive error guidance still applies). A rejected or auto-created postman-api-key is never failed on. | No | `warn` |
213
+ | `postman-api-key` | Service-account Postman API key (PMAK-*) for the application binding call. Auto-created from postman-access-token when omitted or invalid after a clear 401/403 validation failure. | No | |
214
+ | `credential-preflight` | Credential identity preflight policy. warn (default) logs a note and continues when postman-api-key and postman-access-token resolve to different parent orgs; enforce fails the run on that condition before any onboarding write. Supported values are warn and enforce. | No | `warn` |
171
215
  | `poll-timeout-seconds` | Maximum seconds to wait for the service to appear in the discovered list | No | `120` |
172
216
  | `poll-interval-seconds` | Seconds between discovery polling attempts | No | `10` |
217
+ | `postman-region` | Postman data residency region for public API calls. One of: us or eu. | No | `us` |
173
218
  <!-- inputs-table:end -->
174
219
 
175
- Supply `postman-team-id` only for org-mode tokens that require an explicit team header. For non-org tokens, leave it unset so Bifrost can infer team context from the access token. Credential details, the preflight policy, and API key auto-creation are documented in [Credentials and Identity](docs/credentials.md).
220
+ Supply `postman-team-id` only for org-mode tokens that require an explicit team header. For non-org tokens, leave it unset so Postman can infer team context from the access token. Credential details, the preflight policy, and API key auto-creation are documented in [Credentials and Identity](docs/credentials.md).
176
221
 
177
222
  ## Outputs
178
223
 
@@ -191,15 +236,15 @@ Failures set `status=error` before the action exits.
191
236
 
192
237
  ## How it works
193
238
 
194
- **Discovery poll.** The action polls the API Catalog discovered-services list (`GET /api/v1/onboarding/discovered-services?status=discovered` on Bifrost api-catalog) at the configured interval until a service matching `{cluster-name}/{project-name}` appears (suffix matching when `cluster-name` is omitted) or the timeout is reached.
239
+ **Discovery poll.** The action polls the API Catalog discovered-services list at the configured interval until a service matching `{cluster-name}/{project-name}` appears (suffix matching when `cluster-name` is omitted) or the timeout is reached.
195
240
 
196
241
  **Catalog prep.** It then calls `POST /api/v1/onboarding/prepare-collection` to create the API Catalog collection entry for the discovered service in your workspace.
197
242
 
198
- **Git link.** `POST /api/v1/onboarding/git` with `via_integrations: false` links the service to the GitHub repository (`repo-url` input, auto-detected from CI context when omitted; `github-token` is passed as `git_api_key` only when the endpoint requires repository auth).
243
+ **Git link.** `POST /api/v1/onboarding/git` with `via_integrations: false` links the service to the GitHub repository (`repo-url` input, auto-detected from CI context when omitted; `github-token` is passed as `git_api_key` only when the endpoint requires repository auth). Postman's [connect code](https://learning.postman.com/docs/api-catalog/connect/code/) docs cover the product workflow this binding supports.
199
244
 
200
245
  **Acknowledgment.** The action resolves the `svc_*` Akita service ID, marks the service as managed (`POST /v2/api-catalog/services/onboard`), and acknowledges the workspace (`POST /v2/workspaces/{id}/onboarding/acknowledge`) to activate the Insights project.
201
246
 
202
- **Binding.** Finally it creates an application binding with the observability API (`POST /v2/agent/api-catalog/workspaces/{id}/applications`, sent directly to `api.observability.postman.com` rather than through Bifrost), which is required for service graph edge generation, and retrieves the team verification token (`tvt_*`) for DaemonSet telemetry.
247
+ **Binding.** Finally it creates an application binding with the observability API, which is required for service graph edge generation, and retrieves the team verification token (`tvt_*`) for DaemonSet telemetry.
203
248
 
204
249
  For local builds, contract smoke monitoring, and release channels, see [Development and Operations](docs/development.md).
205
250
 
@@ -224,7 +269,52 @@ For local builds, contract smoke monitoring, and release channels, see [Developm
224
269
  - [postman-repo-sync-action](https://github.com/postman-cs/postman-repo-sync-action): artifact sync, environments, mocks, monitors, and CI templates.
225
270
  - [postman-aws-spec-discovery-action](https://github.com/postman-cs/postman-aws-spec-discovery-action): discovers API specs from AWS.
226
271
  - npm package: [@postman-cse/onboarding-insights](https://www.npmjs.com/package/@postman-cse/onboarding-insights)
227
- - [Postman Insights documentation](https://learning.postman.com/docs/insights/insights-overview/)
272
+ - Postman Learning Center: [Insights overview](https://learning.postman.com/docs/insights/overview/), [connect Insights](https://learning.postman.com/docs/api-catalog/connect/insights/), [Insights API Catalog agent reference](https://learning.postman.com/docs/insights/reference/agent/api-catalog/), [API Catalog overview](https://learning.postman.com/docs/api-catalog/overview/), [connect code](https://learning.postman.com/docs/api-catalog/connect/code/)
273
+ - [Credentials and Identity](docs/credentials.md)
274
+ - [Development and Operations](docs/development.md)
275
+ - [Support](SUPPORT.md)
276
+ - [Security Policy](SECURITY.md)
277
+ - [Release Policy](RELEASE_POLICY.md)
278
+
279
+
280
+ ## Telemetry
281
+
282
+ This action sends a single non-identifying usage event when a run completes, so the
283
+ Postman team can measure adoption across CI systems. The event contains the
284
+ action name and version, your Postman team ID, the detected CI provider and
285
+ runner kind, the run outcome, the CI run identifier, an event timestamp, and a one-way SHA-256 hash of the repository
286
+ identifier. Each event also carries a schema version and a constant event marker (always `completion`). The Postman team ID is sent in the clear on a legitimate-interest
287
+ basis to measure product adoption.
288
+
289
+ The `events.pm-cse.dev` endpoint is operated by the Postman Customer Success
290
+ Engineering team. Postman, Inc. processes these events only to measure
291
+ onboarding adoption in aggregate, retains them only as aggregated counts for
292
+ product-adoption trend analysis, and includes no payload field that identifies
293
+ an individual person.
294
+
295
+ It never sends API keys, access tokens, spec content, workspace or repository
296
+ names, or any personal data. It is fire-and-forget with a hard
297
+ timeout and can never block or fail your pipeline. Corporate HTTP and HTTPS
298
+ proxies are honored through the standard `HTTPS_PROXY`, `HTTP_PROXY`, and
299
+ `NO_PROXY` environment variables.
300
+
301
+ Disable it by setting either environment variable in your CI:
302
+
303
+ ```sh
304
+ POSTMAN_ACTIONS_TELEMETRY=off
305
+ # or the cross-tool standard
306
+ DO_NOT_TRACK=1
307
+ ```
308
+
309
+ Telemetry is also skipped automatically when no Postman team ID can be resolved.
310
+
311
+ A run that ends in the `not-found` state (no matching Insights project) is
312
+ recorded with a `failure` outcome.
313
+
314
+ Events are sent over HTTPS to `https://events.pm-cse.dev/v1/events`. To
315
+ allowlist this destination on a restricted network, or to route events to a
316
+ collector you operate, set the `POSTMAN_ACTIONS_TELEMETRY_ENDPOINT` environment
317
+ variable to your own URL.
228
318
 
229
319
  ## License
230
320
 
package/action.yml CHANGED
@@ -24,19 +24,19 @@ inputs:
24
24
  description: 'Repository URL for Git onboarding. Auto-detected from CI context when omitted.'
25
25
  required: false
26
26
  postman-access-token:
27
- description: 'Postman access token for Bifrost API calls'
27
+ description: 'Service-account Postman access token for integration API calls. Prefer minting it with postman-resolve-service-token-action.'
28
28
  required: true
29
29
  postman-team-id:
30
- description: 'Explicit Postman team ID for org-mode Bifrost request headers. When omitted, x-entity-team-id is not sent.'
30
+ description: 'Explicit Postman team ID for org-mode integration request headers. When omitted, x-entity-team-id is not sent.'
31
31
  required: false
32
32
  github-token:
33
33
  description: 'Optional GitHub token passed as git_api_key when repository auth is required by onboarding/git'
34
34
  required: false
35
35
  postman-api-key:
36
- description: 'Postman API key (PMAK-*) for the application binding call. Auto-created from postman-access-token when omitted or invalid after a clear 401/403 validation failure.'
36
+ description: 'Service-account Postman API key (PMAK-*) for the application binding call. Auto-created from postman-access-token when omitted or invalid after a clear 401/403 validation failure.'
37
37
  required: false
38
38
  credential-preflight:
39
- description: 'Credential identity preflight policy. warn (default) logs a note and continues when postman-api-key and postman-access-token resolve to different parent orgs; enforce fails the run on that condition before any onboarding write; off skips the identity probes entirely (the reactive error guidance still applies). A rejected or auto-created postman-api-key is never failed on.'
39
+ description: 'Credential identity preflight policy. warn (default) logs a note and continues when postman-api-key and postman-access-token resolve to different parent orgs; enforce fails the run on that condition before any onboarding write. Supported values are warn and enforce.'
40
40
  required: false
41
41
  default: 'warn'
42
42
  poll-timeout-seconds:
@@ -47,8 +47,12 @@ inputs:
47
47
  description: 'Seconds between discovery polling attempts'
48
48
  required: false
49
49
  default: '10'
50
+ postman-region:
51
+ description: 'Postman data residency region for public API calls. One of: us or eu.'
52
+ required: false
53
+ default: 'us'
50
54
  postman-stack:
51
- description: 'Postman stack profile.'
55
+ description: 'Postman stack profile. Defaults to the public production stack. Marketplace workflows should leave this as prod.'
52
56
  required: false
53
57
  default: 'prod'
54
58
  outputs: