🎩 You're Invited:Meet the Socket team at Black Hat in Las Vegas, August 3-6.RSVP
Sign In

@postman-cse/onboarding-repo-sync

Package Overview
Dependencies
Maintainers
1
Versions
26
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@postman-cse/onboarding-repo-sync

Postman repo sync GitHub Action.

latest
Source
npmnpm
Version
2.1.7
Version published
Weekly downloads
261
-37.56%
Maintainers
1
Weekly downloads
 
Created
Source

Postman Onboarding: Repo Sync

CI Release npm License: MIT

Exports Postman collections and environments into your repository and wires CI, mock servers, and monitors around them.

Part of the Postman API Onboarding suite; the composite action's README has the full action-picker table.

Usage

jobs:
  repo-sync:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      actions: write
    steps:
      - uses: actions/checkout@v5

      - id: postman-auth
        uses: postman-cs/postman-resolve-service-token-action@v2
        with:
          postman-region: us
          postman-api-key: ${{ secrets.POSTMAN_API_KEY }}

      - uses: postman-cs/postman-repo-sync-action@v2
        with:
          project-name: core-payments
          postman-region: us
          postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
          postman-access-token: ${{ steps.postman-auth.outputs.token }}
          team-id: ${{ steps.postman-auth.outputs.team-id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

actions/checkout must run before this action. project-name is the only schema-required input. A useful sync also needs a Postman API key or a service-token step that can mint one, plus workspace and collection IDs from inputs or .postman/resources.yaml.

The example permissions let GITHUB_TOKEN commit generated artifacts and update the generated workflow file. contents: write is required for repo-write-mode: commit-only and commit-and-push. actions: write is required when generate-ci-workflow writes under .github/workflows/. Repository secret persistence, such as a generated POSTMAN_API_KEY or mTLS certificate secret, needs gh-fallback-token with permission to manage Actions secrets.

postman-region controls the Postman public API host and generated Postman CLI login region. Use us for https://api.getpostman.com and eu for https://api.eu.postman.com when the team uses EU data residency.

Examples

Full sync with workspace assets

- uses: postman-cs/postman-repo-sync-action@v2
  with:
    project-name: core-payments
    workspace-id: ws-123
    baseline-collection-id: col-baseline
    smoke-collection-id: col-smoke
    contract-collection-id: col-contract
    postman-region: us
    environments-json: '["prod","stage"]'
    env-runtime-urls-json: '{"prod":"https://api.example.com","stage":"https://stage-api.example.com"}'
    postman-api-key: ${{ secrets.POSTMAN_API_KEY }}
    postman-access-token: ${{ steps.postman-auth.outputs.token }}
    team-id: ${{ steps.postman-auth.outputs.team-id }}
    github-token: ${{ secrets.GITHUB_TOKEN }}

postman-access-token is required: every asset operation (environment create/get/update, collection read, mock, monitor) plus workspace-to-repository linking and system environment association runs through the access-token gateway. Use postman-resolve-service-token-action to mint it at runtime from a Postman service account PMAK. Without it the action fails fast — the PMAK is not an asset-routing fallback; it only mints/re-mints the access token, powers the generated CI workflow's postman login --with-api-key, and mints the CI POSTMAN_API_KEY secret. See docs/credentials.md.

Disable CI workflow generation

For existing repositories that already own their CI workflow, disable workflow generation:

with:
  generate-ci-workflow: false

Custom CI workflow path

Write the generated workflow somewhere other than .github/workflows/ci.yml:

with:
  ci-workflow-path: .github/workflows/postman-sync.yml

Commit-only mode for protected branches

If branch protection requires pull requests, run on a temporary branch with commit-only writes, then create the PR in a later workflow step. Use this for customer-managed PR workflows.

with:
  repo-write-mode: commit-only

repo-write-mode options:

ModeBehavior
commit-and-pushCommit generated files and push them back to the current checked out ref.
commit-onlyCommit generated files without pushing.
noneWrite files in the workspace only.

Reuse an existing mock server and monitor

Pass mock-url or monitor-id to validate and reuse existing mock servers or monitors instead of creating new ones:

with:
  mock-url: https://abc123.mock.pstmn.io
  monitor-id: 1e2f3a4b-monitor-id

mTLS certificates for Postman CLI runs

The generated CI workflow can run Postman CLI collection runs with client certificates. Pass the cert material as inputs; when a GitHub token and repository context are available, the action persists them as repository secrets (POSTMAN_SSL_CLIENT_CERT_B64, POSTMAN_SSL_CLIENT_KEY_B64, POSTMAN_SSL_CLIENT_PASSPHRASE, POSTMAN_SSL_EXTRA_CA_CERTS_B64) for the generated workflow:

with:
  ssl-client-cert: ${{ secrets.POSTMAN_SSL_CLIENT_CERT_B64 }}
  ssl-client-key: ${{ secrets.POSTMAN_SSL_CLIENT_KEY_B64 }}
  ssl-client-passphrase: ${{ secrets.POSTMAN_SSL_CLIENT_PASSPHRASE }}

Inputs

NameDescriptionRequiredDefault
generate-ci-workflowWhether to generate the CI workflow filenotrue
ci-workflow-pathPath to write the generated CI workflow file. Defaults to azure-pipelines.yml for Azure DevOps, .github/workflows/ci.yml otherwise.no
project-nameService project name used for environment, mock, and monitor naming.yes
workspace-idPostman workspace ID used for workspace-link and export metadata.no
baseline-collection-idBaseline collection ID used for exported artifacts and mock server creation.no
monitor-typeType of monitor to create ("cloud" or "cli"). "cli" will skip cloud monitor creation and rely on the CI workflow.nocloud
smoke-collection-idSmoke collection ID used for monitor creation.no
contract-collection-idContract collection ID used for exported artifacts.no
collection-sync-modeCollection sync lifecycle mode (refresh or version).norefresh
spec-sync-modeSpec sync lifecycle mode (update or version).noupdate
release-labelOptional release label used for versioned naming.no
monitor-idExisting smoke monitor ID. When set, the action validates and reuses this monitor instead of creating a new one.no
mock-urlExisting mock server URL. When set, the action validates and reuses this mock instead of creating a new one.no
monitor-cronCron expression for monitor scheduling (e.g. '0 */6 * * *'). When empty, the monitor is created disabled and triggered to run once per workflow invocation (and once on every subsequent run).no""
environments-jsonJSON array of environment slugs to create or update.no["prod"]
git-providerGit provider override ('github', 'gitlab', 'bitbucket', 'azure-devops'). Auto-detected from environment when omitted.no
ado-tokenAzure DevOps personal access token or system token used to push commits in Azure Pipelines. Defaults to SYSTEM_ACCESSTOKEN when available.no
repo-urlExplicit repository URL (GitHub, GitLab, or Azure DevOps). Defaults to the URL inferred from runner environment when omitted.no
workspace-link-enabledEnable workspace linking.notrue
environment-sync-enabledEnable association of Postman environments to system environments.notrue
system-env-map-jsonJSON map of environment slug to system environment id.no{}
environment-uids-jsonJSON map of environment slug to Postman environment uid.no{}
env-runtime-urls-jsonJSON map of environment slug to runtime base URL.no{}
artifact-dirRoot directory for exported Postman artifacts.nopostman
repo-write-modeRepo mutation mode for generated artifacts and workflow files.nocommit-and-push
current-refExplicit ref override for push-changes when the checkout is detached.no
committer-nameGit committer name for sync commits.noPostman
committer-emailGit committer email for sync commits.nosupport@postman.com
postman-api-keyPostman API key (PMAK). Used only to mint/re-mint the access token (via postman-resolve-service-token-action) and for the Postman CLI spec-lint login. Asset operations (environments, collections, mocks, monitors) run on the access-token gateway and do not use the PMAK. Optional when a valid postman-access-token is supplied; required only for the CLI lint path.no
postman-access-tokenPostman access token minted by postman-resolve-service-token-action. Required for all asset operations (environment create/get/update, collection read, mock, monitor) which run through the access-token gateway. Also used for workspace linking, system environment association, and generated API-key creation. When omitted, the action mints one from postman-api-key (service-account PMAK); if that mint also fails the action fails fast — PMAK is never an asset-routing fallback.no
team-idPostman team ID resolved by postman-resolve-service-token-action. Primary team scope for all downstream actions; included as x-entity-team-id in org-mode Bifrost calls. Falls back to POSTMAN_TEAM_ID when omitted. Set explicitly for org-mode teams.no""
credential-preflightCredential identity preflight policy. warn (default) logs a note and continues when postman-api-key and postman-access-token resolve to different parent orgs; enforce fails the run on that condition before any workspace is created. Both modes warn when postman-access-token is not a service-account token.nowarn
branch-strategyBranch-aware sync strategy. legacy (default) keeps branch-blind behavior; publish-gate restricts canonical writes to the canonical branch and skips repo-sync on other branches; preview additionally maintains suffixed per-branch preview asset sets.nolegacy
canonical-branchExplicit canonical branch (the sole writer of canonical assets and tracked state). Defaults to the provider-resolved default branch; required on providers without a default-branch variable (Bitbucket, Azure DevOps) when branch-strategy is not legacy.no
channelsComma-separated channel map for long-lived promotion branches, e.g. "develop=DEV, staging=STAGE, release/*=RC". Channel branches maintain prefix-named parallel asset sets and never mutate canonical assets.no
preview-ttlSliding TTL in days for preview asset sets (refreshed on every successful preview sync; the retention contract of last resort when no provider credential is available for branch-existence checks).no30
github-tokenGitHub token used for repo variable persistence and commits.no
gh-fallback-tokenFallback token for repository variable APIs and workflow-file pushes.no
org-modeWhether the Postman team uses org-mode. When true, x-entity-team-id is included in Postman integration API calls. Non-org teams must omit this header.nofalse
ci-workflow-base64Optional base64-encoded ci.yml content. Defaults to the built-in template.no
ssl-client-certBase64-encoded PEM client certificate for Postman CLI mTLS runs.no
ssl-client-keyBase64-encoded PEM client private key for Postman CLI mTLS runs.no
ssl-client-passphraseOptional passphrase for encrypted ssl-client-key.no
ssl-extra-ca-certsOptional base64-encoded PEM CA certificate bundle for custom trust.no
spec-idSpec Hub UID emitted by bootstrap's spec-id output. When set, it is persisted into .postman/resources.yaml cloudResources so later runs and the generated CI workflow can resolve the spec without re-discovery.no
spec-content-changedWhether bootstrap changed canonical spec content. Native Spec Hub tag publication is skipped on no-op syncs.notrue
spec-pathOptional repo-root-relative path to the local OpenAPI file. Recorded in .postman/resources.yaml and .postman/workflows.yaml metadata so the committed artifacts point back at the spec source in this repository; the file itself is not uploaded by this action.no
postman-regionPostman data residency region for public API and Postman CLI calls. One of: us or eu.nous

Outputs

NameDescription
resolved-current-refResolved push target based on current-ref semantics.
workspace-link-statusWhether workspace linking succeeded, was skipped, or failed.
environment-sync-statusWhether environment sync succeeded, was skipped, or failed.
environment-uids-jsonJSON map of environment slug to Postman environment uid.
mock-urlCreated or reused mock server URL.
monitor-idCreated or reused smoke monitor ID.
repo-sync-summary-jsonJSON summary of repo materialization and workspace sync outputs.
commit-shaCommit SHA produced by repo-write-mode, if any.
sync-statusBranch-aware sync status: synced, skipped-branch-gate, or empty under branch-strategy legacy.
branch-decisionSerialized BranchDecision JSON for downstream actions (also exported as POSTMAN_BRANCH_DECISION).
spec-version-tagNative Spec Hub version tag created after successful canonical repo-sync finalization.
spec-version-urlRead-only URL for the tagged Spec Hub snapshot.

How it works

The action syncs a Postman workspace into the checked-out repository and can connect the workspace back to that repository:

  • Postman Collection v3 multi-file YAML exports under postman/collections/.
  • Postman environment exports under postman/environments/.
  • .postman/resources.yaml with local-to-cloud resource mappings.
  • Optional .postman/workflows.yaml spec-to-collection metadata.
  • Optional generated GitHub Actions workflow for Postman CLI smoke and contract runs.
  • Optional mock server, cloud monitor, workspace repository link, and system environment associations.

The generated files are intended to be committed when repo-write-mode is commit-only or commit-and-push. Treat postman/ and .postman/ as reviewable source artifacts for the onboarding workflow; commit and review them like any other tracked source.

A typical export looks like:

postman/collections/core-payments/
  collection.yaml
  <folder>.yaml
  <request>.yaml
postman/collections/[Smoke] core-payments/
  collection.yaml
  <folder>.yaml
  <request>.yaml
postman/environments/
  prod.postman_environment.json
.postman/
  resources.yaml
flowchart LR
    subgraph SYNC["repo-sync: once per onboarding run"]
        W["Postman workspace"] -->|"gateway v3 export"| ART["postman/ + .postman/<br/>committed artifacts"]
        ART --> WF["generated CI workflow"]
        W --> MM["mock server +<br/>smoke monitor"]
    end
    subgraph LOOP["customer CI: every push / PR / 6h schedule"]
        WF --> RUN["postman collection run<br/>Smoke then Contract"]
        RES[".postman/resources.yaml<br/>collection UIDs + environment"] --> RUN
        RUN --> API["live API or mock<br/>environment baseUrl"]
        API --> REP["pass/fail per assertion<br/>+ --report-events to<br/>Postman run history"]
    end

This is the execution half of the suite's contract-testing story: bootstrap injects the spec-derived pm.test() assertions into the collections, and the workflow this action generates is what actually runs them against a live target on every push and on schedule. See bootstrap's Contract Enforcement Layers for the full two-layer model.

What the generated CI workflow runs

When CI workflow generation is enabled, the committed GitHub Actions workflow runs on every push and pull request to main and on a six-hour schedule. Each run:

  • Checks out the repository and installs the Postman CLI from the region-appropriate install URL.
  • Logs the Postman CLI in with the POSTMAN_API_KEY repository secret (this action mints and stores that secret when repository write access allows).
  • Resolves the [Smoke] and [Contract] collection UIDs and the environment UID from the committed .postman/resources.yaml, failing fast if any are missing.
  • Decodes optional mTLS client certificates from the POSTMAN_SSL_* secrets and passes them to the runs.
  • Runs the [Smoke] collection and then the [Contract] collection with postman collection run against the resolved environment, with --report-events so results land in the Postman cloud run history, and with CI_ENVIRONMENT (the CI_ENVIRONMENT repository variable, default Production) available to scripts.

A matching Azure DevOps Pipelines template is generated for Azure DevOps repositories. The assertions those collections execute are generated upstream: the per-check reference is in postman-bootstrap-action's Generated Assertions, and the curated Smoke journey scripts are in postman-smoke-flow-action's Generated Test Scripts.

For commit-and-push, the push target is resolved from current-ref, then GITHUB_HEAD_REF, then GITHUB_REF_NAME. Pull request merge refs are normalized to the PR head branch.

Mocks and monitors: when baseline-collection-id, workspace-id, and at least one environment are available, the action creates or reuses a mock server. When smoke-collection-id is also available, it creates or reuses a cloud smoke monitor unless monitor-type: cli is set. With an empty monitor-cron, a new cloud monitor is created disabled and triggered once per workflow invocation.

Asset reuse priority is explicit inputs (environment-uids-json, mock-url, monitor-id), then live discovery by exact workspace-scoped name, collection UID, and environment UID, then create. Creates submit once and reconcile on ambiguous gateway errors; overlapping compatible creates inside one process share a single in-flight promise. Adopted environments are updated to the requested values. Mock environment assignment has no verified patch route, so a mock is reused only when its live environment already matches; mismatches are never claimed as converged. Concurrent jobs against the same workspace can still race because Postman does not expose create idempotency keys—serialize those workflows with GitHub Actions concurrency (or an equivalent CI lock) when duplicate mocks/monitors/environments would be harmful.

Deeper reference:

  • Artifact layout and Collection v3 format, including sync modes and versioned releases.
  • Credentials: postman-api-key, postman-access-token, credential preflight, GitHub tokens.
  • CLI usage: the postman-repo-sync binary for GitLab CI, Bitbucket Pipelines, and Azure DevOps.
  • Security: supported releases, reporting, and secret-handling expectations.
  • Support: where to ask usage questions and what diagnostics to include.
  • Release policy: immutable version tags and the rolling v1 alias.

Resources

Telemetry

The action sends one anonymous usage event per run (action name/version, outcome, coarse CI metadata; never secrets, spec content, or repo names). Disable with POSTMAN_ACTIONS_TELEMETRY=off or DO_NOT_TRACK=1; route events to your own collector with POSTMAN_ACTIONS_TELEMETRY_ENDPOINT.

License

MIT

Keywords

github-action

FAQs

Package last updated on 17 Jul 2026

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts