@postman-cse/onboarding-insights 2.1.0 → 2.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -158,7 +158,7 @@ The Insights agent takes time to discover services after pods start. The action
158
158
 
159
159
  ### Credential preflight modes
160
160
 
161
- Before any onboarding write, the action can verify that `postman-api-key` and `postman-access-token` resolve to the same parent organization. The default `warn` mode logs a note and continues. Set `credential-preflight` to `enforce` to fail fast on mismatched credentials:
161
+ Before any onboarding write, the action verifies that `postman-api-key` and `postman-access-token` resolve to the same parent organization. The default `enforce` mode fails the run fast on mismatched credentials; set `credential-preflight` to `warn` to log and continue as an explicit compatibility policy:
162
162
 
163
163
  ```yaml
164
164
  - uses: postman-cs/postman-insights-onboarding-action@v2
@@ -171,7 +171,7 @@ Before any onboarding write, the action can verify that `postman-api-key` and `p
171
171
  credential-preflight: enforce
172
172
  ```
173
173
 
174
- See [Credentials and Identity](docs/credentials.md) for the full policy, API key auto-creation behavior, and how to obtain the access token.
174
+ See [Credentials and Identity](docs/credentials.md) for the full policy, API-key opt-in creation, and how to obtain the access token.
175
175
 
176
176
  ### Non-GitHub CI via the CLI
177
177
 
@@ -206,14 +206,16 @@ See [CLI Usage](docs/cli.md) for provider auto-detection, output formats, and Gi
206
206
  | `postman-access-token` | Postman access token (x-access-token) for the Bifrost linking calls. When omitted, the action mints a service-account token from postman-api-key. The api-catalog discovery and git-link steps accept a service-account token (mint it with postman-resolve-service-token-action); the Insights (akita) acknowledgment and application-binding steps require a token carrying a Postman user identity — a service-account token answers 401 "Postman User not found" there. | No | |
207
207
  | `postman-team-id` | Explicit Postman team ID for org-mode integration request headers. When omitted, x-entity-team-id is not sent. | No | |
208
208
  | `github-token` | Optional GitHub token passed as git_api_key when repository auth is required by onboarding/git | No | |
209
- | `postman-api-key` | Service-account Postman API key (PMAK-*) for the application binding call. Auto-created from postman-access-token when omitted or invalid after a clear 401/403 validation failure. | No | |
210
- | `credential-preflight` | Credential identity preflight policy. warn (default) logs a note and continues when postman-api-key and postman-access-token resolve to different parent orgs; enforce fails the run on that condition before any onboarding write. Supported values are warn and enforce. | No | `warn` |
209
+ | `postman-api-key` | Service-account Postman API key (PMAK-*) for the application binding call. Required unless create-api-key=true. Ordinary reruns never auto-create durable keys. | No | |
210
+ | `create-api-key` | Explicit opt-in to create a durable Bifrost API key when postman-api-key is omitted or invalid. Default false never creates timestamp-named orphan keys on ordinary runs. Supported values: true, false. | No | `false` |
211
+ | `credential-preflight` | Credential identity preflight policy. enforce (default) fails before linking writes when postman-api-key and postman-access-token resolve to different parent orgs; warn is an explicit compatibility policy that logs and continues. Supported values are enforce and warn. | No | `enforce` |
212
+ | `service-not-found-policy` | Behavior when the discovered service is absent after polling. fail (default) aborts full linking; warn returns status=not-found without writes. Supported values: fail, warn. | No | `fail` |
211
213
  | `poll-timeout-seconds` | Maximum seconds to wait for the service to appear in the discovered list | No | `120` |
212
214
  | `poll-interval-seconds` | Seconds between discovery polling attempts | No | `10` |
213
215
  | `postman-region` | Postman data residency region for public API calls. One of: us or eu. | No | `us` |
214
216
  <!-- inputs-table:end -->
215
217
 
216
- Supply `postman-team-id` only for org-mode tokens that require an explicit team header. For non-org tokens, leave it unset so Postman can infer team context from the access token. Credential details, the preflight policy, and API key auto-creation are documented in [Credentials and Identity](docs/credentials.md).
218
+ Supply `postman-team-id` only for org-mode tokens that require an explicit team header. For non-org tokens, leave it unset so Postman can infer team context from the access token. Team id is never inferred from PMAK. Credential details, the preflight policy, and API-key opt-in creation are documented in [Credentials and Identity](docs/credentials.md).
217
219
 
218
220
  ## Outputs
219
221
 
package/action.yml CHANGED
@@ -33,12 +33,20 @@ inputs:
33
33
  description: 'Optional GitHub token passed as git_api_key when repository auth is required by onboarding/git'
34
34
  required: false
35
35
  postman-api-key:
36
- description: 'Service-account Postman API key (PMAK-*) for the application binding call. Auto-created from postman-access-token when omitted or invalid after a clear 401/403 validation failure.'
36
+ description: 'Service-account Postman API key (PMAK-*) for the application binding call. Required unless create-api-key=true. Ordinary reruns never auto-create durable keys.'
37
37
  required: false
38
+ create-api-key:
39
+ description: 'Explicit opt-in to create a durable Bifrost API key when postman-api-key is omitted or invalid. Default false — never creates timestamp-named orphan keys on ordinary runs. Supported values: true, false.'
40
+ required: false
41
+ default: 'false'
38
42
  credential-preflight:
39
- description: 'Credential identity preflight policy. warn (default) logs a note and continues when postman-api-key and postman-access-token resolve to different parent orgs; enforce fails the run on that condition before any onboarding write. Supported values are warn and enforce.'
43
+ description: 'Credential identity preflight policy. enforce (default) fails before linking writes when postman-api-key and postman-access-token resolve to different parent orgs; warn is an explicit compatibility policy that logs and continues. Supported values are enforce and warn.'
44
+ required: false
45
+ default: 'enforce'
46
+ service-not-found-policy:
47
+ description: 'Behavior when the discovered service is absent after polling. fail (default) aborts full linking; warn returns status=not-found without writes. Supported values: fail, warn.'
40
48
  required: false
41
- default: 'warn'
49
+ default: 'fail'
42
50
  poll-timeout-seconds:
43
51
  description: 'Maximum seconds to wait for the service to appear in the discovered list'
44
52
  required: false