Integrate Postman Collections and Environments from File System

[cshein45]

Summary

This PR sets up integration between this repository and the linked Postman workspace.

The following assets are introduced:

• postman/ — Contains exported contents of the linked Postman workspace (collections, environments, APIs, etc.)
• .config/ — Stores workspace configuration required for synchronization
• .github/workflows/postman-publish.yaml — GitHub Actions workflow to keep repository files in sync with Postman Cloud

What this enables

The postman-publish.yaml workflow ensures that changes made locally to the Postman files are automatically synchronized with the linked Postman workspace in Postman Cloud.

This establishes GitHub as the source of truth while keeping the Postman workspace continuously up to date.

Required one-time setup (before merging)

To ensure the GitHub Action works correctly, the repository owner must complete the following step before merging this PR.

Add required GitHub Secret

Add the following secret in:
GitHub → Repository Settings → Secrets and variables → Actions

• POSTMAN_API_KEY — Postman API key of the repository owner

⚠️ The postman-publish.yaml workflow will fail if POSTMAN_API_KEY is not configured.

You can generate a Postman API key from:
Postman → Settings → API Keys

Files introduced in this PR

• postman/
• .config/
• .github/workflows/postman-publish.yaml

Why you're seeing this PR

This PR is created automatically to link this GitHub repository with its corresponding Postman workspace and enable continuous synchronization.

Checklist

• Added POSTMAN_API_KEY secret
• Verified postman-publish.yaml workflow runs successfully after merge

Summary by CodeRabbit

• Chores
  • Configured automated publishing workflow to keep Postman Cloud workspace synchronized with repository changes.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR introduces Postman integration by adding a GitHub Actions workflow that automatically publishes workspace changes to Postman Cloud upon pushing to the main branch, complemented by a Postman configuration file defining the workspace structure.

Changes

Cohort / File(s)	Summary
Postman Integration Setup .github/workflows/postman-publish.yaml, .postman/config.json	Introduces automated Postman Cloud publishing via GitHub Actions workflow (checkout, install CLI, authenticate, publish) and defines workspace configuration with empty collections, environments, specs, flows, and globals.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hops through the clouds so bright,
Postman workflows take flight!
Config files rest in their place,
Automation runs at a pace,
Integration blooms with delight! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title 'Integrate Postman Collections and Environments from File System' is only partially related to the actual changes. The changes primarily add a GitHub Actions workflow to publish/sync Postman workspace to the cloud, plus a Postman configuration file. The title suggests integrating FROM the file system but doesn't reflect the main functionality: publishing TO Postman Cloud.	Consider revising the title to better reflect the primary change, such as 'Add Postman Cloud synchronization workflow' or 'Automate Postman workspace publishing to cloud' which more accurately describes what the workflow does.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/postman-integration

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/postman-publish.yaml (1)

17-39: Add timeout and improve resilience.

The job lacks a timeout specification, which could lead to runaway jobs consuming runner resources. Additionally, there's no error handling or retry logic for network-dependent steps.

♻️ Suggested improvements

 jobs:
   publish-changes:
     name: Publish Changes
+    timeout-minutes: 10
     # Private runner not required here, but using it for cost-effectiveness. Switch to GH runners if load increases.
     runs-on: build9-arm-ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

       # Using canary CLI for consistency with E2E test workflow
       - name: Install Postman CLI
         run: curl -o- "https://dl-cli.pstmn.io/install/unix.sh" | sh
+        continue-on-error: false

       - name: Verify Postman CLI version
         run: postman --version

       - name: Login to Postman
         env:
           POSTMAN_API_KEY: ${{ secrets.POSTMAN_API_KEY }}
         run: postman login --with-api-key "$POSTMAN_API_KEY"
+        continue-on-error: false

       - name: Publish changes to Cloud
         run: postman workspace push -y --report-events
+        continue-on-error: false

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/postman-publish.yaml around lines 17 - 39, The job
"publish-changes" has no timeout and no retries for network steps; add a
job-level timeout-minutes to the publish-changes job and wrap the
network-dependent steps (steps named "Install Postman CLI", "Login to Postman",
and "Publish changes to Cloud") with retry logic and per-step timeouts:
implement a small retry loop (e.g., 3 attempts with backoff) around the curl
install, postman login, and postman workspace push commands and/or use the shell
timeout utility to bound each command's execution time; ensure failures still
fail the job after retries so error semantics remain intact.

.postman/config.json (1)

1-12: Valid Postman workspace configuration.

The JSON structure is correct and appropriate for an initial Postman workspace setup. The empty entity arrays will be populated as collections, environments, and other resources are added.

Consider adding a trailing newline at the end of the file, as this is a common convention in version control systems and some tools may flag its absence.

📝 Optional: Add trailing newline

     "globals": []
   }
 }
+

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.postman/config.json around lines 1 - 12, Add a trailing newline to the end
of the JSON file so the file ends with a single newline character after the
final closing brace (the block containing "workspace" and "entities"); simply
ensure the last line (the closing "}") is followed by a newline to satisfy
POSIX/VC standards.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/postman-publish.yaml:
- Around line 10-12: The workflow's push trigger is set to branches: - main but
the PR targets the mint branch, so update the push trigger (the push -> branches
entry) in the postman-publish workflow to include or replace "main" with "mint"
(i.e., change the branches list to reference "mint" or add "mint" alongside
"main") so the workflow will run for pushes/merges to the mint branch.
- Around line 26-28: Replace the insecure curl | sh installer step named
"Install Postman CLI" with the official Postman GitHub Action
(postmanlabs/postman-cli-action) to avoid supply-chain risks; remove the
existing run step and add a uses step for postmanlabs/postman-cli-action@v1 (or
specific version) and pass the postman-api-key via secrets and set
postman-cli-version and the desired command through the action inputs so the
workflow invokes the Postman CLI securely.

---

Nitpick comments:
In @.github/workflows/postman-publish.yaml:
- Around line 17-39: The job "publish-changes" has no timeout and no retries for
network steps; add a job-level timeout-minutes to the publish-changes job and
wrap the network-dependent steps (steps named "Install Postman CLI", "Login to
Postman", and "Publish changes to Cloud") with retry logic and per-step
timeouts: implement a small retry loop (e.g., 3 attempts with backoff) around
the curl install, postman login, and postman workspace push commands and/or use
the shell timeout utility to bound each command's execution time; ensure
failures still fail the job after retries so error semantics remain intact.

In @.postman/config.json:
- Around line 1-12: Add a trailing newline to the end of the JSON file so the
file ends with a single newline character after the final closing brace (the
block containing "workspace" and "entities"); simply ensure the last line (the
closing "}") is followed by a newline to satisfy POSIX/VC standards.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 813cdbef-bfbf-439e-9611-d9802c75b1cd

📥 Commits

Reviewing files that changed from the base of the PR and between 0773521 and 7f740bf.

📒 Files selected for processing (2)

• .github/workflows/postman-publish.yaml
• .postman/config.json

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Branch mismatch: workflow will not trigger as expected.

The workflow is configured to trigger on pushes to the main branch, but according to the PR objectives, this PR targets the mint branch. This means the workflow will not run after merging this PR.

🔧 Proposed fix

 on:
   push:  # Temporary trigger; will be removed after migration to Argo
     branches:
-      - main
+      - mint
   workflow_dispatch:  # Will be used by Argo post-sync-hook to trigger this workflow

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	push: # Temporary trigger; will be removed after migration to Argo
	branches:
	- main
	on:
	push: # Temporary trigger; will be removed after migration to Argo
	branches:
	- mint
	workflow_dispatch: # Will be used by Argo post-sync-hook to trigger this workflow

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/postman-publish.yaml around lines 10 - 12, The workflow's
push trigger is set to branches: - main but the PR targets the mint branch, so
update the push trigger (the push -> branches entry) in the postman-publish
workflow to include or replace "main" with "mint" (i.e., change the branches
list to reference "mint" or add "mint" alongside "main") so the workflow will
run for pushes/merges to the mint branch.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the official and recommended method to install Postman CLI in GitHub Actions workflows? Does Postman provide checksum verification or a GitHub Action?

💡 Result:

The official and recommended method to install and use Postman CLI in GitHub Actions workflows is to use the official Postman CLI GitHub Action provided by postmanlabs. Use it in your workflow YAML like this: name: API Tests on: [push] jobs: test: runs-on: ubuntu-latest steps: - name: Run Postman Collection uses: postmanlabs/postman-cli-action@v1 with: postman-api-key: ${{ secrets.POSTMAN_API_KEY }} command: 'collection run 12345678-collection-id' This action automatically installs the specified version of Postman CLI (default: latest) and runs the provided CLI command (e.g., collection run, monitor run, spec lint). It supports local files and cloud resources, with inputs for api-key, command, postman-cli-version, region, and working-directory. Outputs include exit-code for success/failure checking. Postman docs explicitly state this is the way to run Postman CLI commands in GitHub Actions without maintaining custom actions. Older Newman-based actions are not recommended; Postman CLI replaces previous CI integrations. No evidence of official checksum verification for Postman CLI downloads in workflows or docs. The GitHub Action handles installation (likely via npm or direct download), but no checksum steps are mentioned in official sources. NPM optional dependencies for platform binaries exist, but no explicit verification process is documented for GitHub Actions use.

Citations:

• 1: https://learning.postman.com/docs/postman-cli/postman-cli-github-actions
• 2: https://github.com/marketplace/actions/postman-cli
• 3: https://learning.postman.com/docs/postman-cli/postman-cli-installation.mdx
• 4: https://learning.postman.com/docs/postman-cli/postman-cli-github-actions/
• 5: https://learning.postman.com/latest-v-12/docs/postman-cli/postman-cli-installation

---

Replace direct curl installation with the official Postman CLI GitHub Action.

The curl | sh approach exposes the workflow to supply-chain attacks. Postman provides an official GitHub Action (postmanlabs/postman-cli-action) that is the recommended and secure way to run Postman CLI in GitHub Actions workflows. According to Postman's official documentation, this is the endorsed method rather than custom installation scripts.

Consider using the official action:

- name: Run Postman CLI
  uses: postmanlabs/postman-cli-action@v1
  with:
    postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
    postman-cli-version: <desired-version>
    command: '<your-command>'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/postman-publish.yaml around lines 26 - 28, Replace the
insecure curl | sh installer step named "Install Postman CLI" with the official
Postman GitHub Action (postmanlabs/postman-cli-action) to avoid supply-chain
risks; remove the existing run step and add a uses step for
postmanlabs/postman-cli-action@v1 (or specific version) and pass the
postman-api-key via secrets and set postman-cli-version and the desired command
through the action inputs so the workflow invokes the Postman CLI securely.