Kong
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 57 additions & 2 deletions b/‎.github/workflows/build.yml‎
Lines changed: 57 additions & 2 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 58 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎.github/workflows/sast.yml‎
Lines changed: 25 additions & 0 deletions b/‎.github/workflows/sast.yml‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎.nvmrc‎
Lines changed: 1 addition & 0 deletions b/‎.nvmrc‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎SECURITY.md‎
Lines changed: 32 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 32 additions & 0 deletions
@@ -1,22 +1,45 @@
-name: Build
+name: Build and Publish Httpsnippet
 
 on:
   push:
     branches:
       - master
+    tags:
+      - '*' # Restrict any specific tag formats
   pull_request:
     types:
       - opened
       - synchronize
   workflow_dispatch:
 
 jobs:
+  scan:
+    permissions:
+      packages: write
+      contents: write # publish sbom to GH releases/tag assets
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@v3
+        with:
+          path: ${{ github.repository }}
+
+      # Perform SCA analysis for the code repository
+      # Produces SBOM and CVE report
+      # Helps understand vulnerabilities / license compliance across third party dependencies
+      - id: sca-project
+        uses: Kong/public-shared-actions/security-actions/sca@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2
+        with:
+          dir: ${{ github.repository }}
+          upload-sbom-release-assets: true
+
   build:
+    needs: [scan]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        node-version: [16, 18]
+        node-version: [16, 18, 20]
     steps:
       - name: Checkout branch
         uses: actions/checkout@v3
@@ -37,3 +60,35 @@ jobs:
 
       - name: Build
         run: npm run build
+
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write # For using token to sign images
+      actions: read # For getting workflow run info to build provenance
+      packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
+    if: ${{ github.ref_type == 'tag' && github.repository_owner == 'Kong' }}
+    steps:
+      # checkout tag
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.9.0
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Publish to NPM
+        run: npm publish --no-git-checks --provenance --tag ${{ github.sha }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -0,0 +1,58 @@
+name: Release httpsnippet
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Tag version to release'
+        required: true
+
+env:
+  # Release Tag to build and publish
+  TAG: ${{ github.event.inputs.version }}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.PAT_INSOMNIA_INFRA }}
+
+      - name: Configure Git user
+        uses: Homebrew/actions/git-user-config@master
+        with:
+          username: ${{ (github.event_name == 'workflow_dispatch' && github.actor) || 'insomnia-infra' }}
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      - name: Install
+        run: npm ci
+
+      - name: Create new package version
+        run: npm version "${{ env.TAG }}"
+
+      - name: DEBUG see tags
+        run: |
+          git tag --list
+          git remote -v
+
+      - name: Merge version commit into master
+        run: |
+          git push origin v${{ env.TAG }}
+          git push origin master
+
+      - name: Create Tag and Release
+        uses: ncipollo/release-action@v1
+        id: core_tag_and_release
+        with:
+          tag: v${{ env.TAG }}
+          name: 'httpsnippet v${{ env.TAG }} 📦'
+          generateReleaseNotes: true
+          prerelease: false
+          draft: false
@@ -0,0 +1,25 @@
+name: SAST
+
+on:
+  pull_request: {}
+  push:
+    branches:
+      - master
+  workflow_dispatch: {}
+
+jobs:
+  semgrep:
+    name: Semgrep SAST
+    runs-on: ubuntu-latest
+    permissions:
+      # required for all workflows
+      security-events: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: Kong/public-shared-actions/security-actions/semgrep@bd3d75259607dd015bea3b3313123f53b80e9d7f
@@ -0,0 +1 @@
+20
@@ -2,7 +2,7 @@
 
 [![version][npm-version]][npm-url] [![License][npm-license]][license-url]
 
-> HTTP Request snippet generator for _many_ languages & tools including: `cURL`, `HTTPie`, `JavaScript`, `Node`, `C`, `Java`, `PHP`, `Objective-C`, `Swift`, `Python`, `Ruby`, `C#`, `Go`, `OCaml` and [more](https://github.com/Kong/httpsnippet/wiki/Targets)!
+> HTTP Request snippet generator for _many_ languages & tools including: `cURL`, `HTTPie`, `JavaScript`, `Node`, `C`, `Java`, `PHP`, `Objective-C`, `Swift`, `Python`, `Ruby`, `C#`, `Go`, `OCaml`, `Crystal` and [more](https://github.com/Kong/httpsnippet/wiki/Targets)!
 
 Relies on the popular [HAR](http://www.softwareishard.com/blog/har-12-spec/#request) format to import data and describe HTTP calls.
 
 
@@ -0,0 +1,32 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+At HTTPSnippet, we take security issues very seriously. If you believe you have found a security vulnerability in our project, we encourage you to disclose it responsibly. Please report any potential security vulnerabilities to us by sending an email to [[email protected]](mailto:[email protected]).
+
+## How to Report
+
+1. **Do not publicly disclose the vulnerability**: Please do not create a GitHub issue or post the vulnerability on public forums. Instead, contact us directly at [[email protected]](mailto:[email protected]).
+1. **Provide detailed information**: When reporting a vulnerability, please include as much information as possible to help us understand and reproduce the issue. This may include:
+   - Description of the vulnerability
+   - Steps to reproduce the issue
+   - Potential impact
+   - Any relevant logs or screenshots
+
+## What to Expect
+
+- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 48 hours.
+- **Investigation**: Our security team will investigate the report and will keep you informed of the progress. We aim to resolve critical vulnerabilities within 30 days of confirmation.
+- **Disclosure**: We prefer coordinated disclosure and will work with you to schedule the disclosure of the vulnerability in a way that minimizes the risk to users.
+
+## Bug Bounty Program
+
+We encourage security researchers to participate in our bug bounty program as outlined on the [Kong Vulnerability Disclosure](https://konghq.com/compliance/bug-bounty) page. This program provides rewards for discovering and reporting security vulnerabilities in accordance with our disclosure guidelines.
+
+Thank you for helping to keep HTTPSnippet secure.
+
+For more information on our security policies and guidelines, please visit the [Kong Vulnerability Disclosure](https://konghq.com/compliance/bug-bounty) page.
+
+## Contact
+
+For any questions or further assistance, please contact us at [[email protected]](mailto:[email protected]).