💚 (release): Push snapshot release to jfrog

LedgerHQ · Oct 3, 2024 · 4ef2077 · 4ef2077
1 parent 5e224ba
commit 4ef2077
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 13 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,11 +24,8 @@ jobs:
 
       - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop
 
-      - name: install dependencies
-        run: pnpm install
-
       - name: build libraries
-        run: pnpm build
+        run: pnpm build:libs
 
       - name: Login to internal JFrog registry
         id: jfrog-login

diff --git a/.github/workflows/snapshot_release.yml b/.github/workflows/snapshot_release.yml
@@ -18,30 +18,65 @@ env:
   # if no inputs it's considered as a cron job
   REF: ${{ inputs.ref || 'develop' }}
   TAG: ${{ inputs.tag || 'develop' }}
-  NPM_TOKEN: ${{ secrets.NPMJS_TOKEN }}
+  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+  # Need to attest artifacts
+  attestations: write
 
 jobs:
   snapshot:
-    runs-on: ubuntu-latest
+    runs-on: ledgerhq-shared-medium
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ env.REF }}
 
       - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop
 
-      - name: install dependencies
-        run: pnpm install
-
       - name: build libraries
-        run: pnpm build
+        run: pnpm build:libs
+
+      - name: Login to internal JFrog registry
+        id: jfrog-login
+        uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
+
+      - name: Setup npm config for JFrog
+        env:
+          NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
+        run: |
+          cat << EOF | tee .npmrc
+          enable-pre-post-scripts=true
+          registry=https://${NPM_REGISTRY}/
+          //${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
+          EOF
 
-      - name: create .npmrc
-        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
+      - name: Create dist directory to store tarball
+        run: mkdir -p dist
+
+      # - name: create .npmrc
+      #   run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
 
       - name: create and publish snapshot release version
+        id: changesets
         run: |
           pnpm bump --snapshot ${{ env.TAG }}
           pnpm release --snapshot --no-git-tag --tag ${{ env.TAG }}
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
+
+      - name: Attest tarball
+        if: steps.changesets.conclusion == 'success'
+        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+        with:
+          subject-path: ./dist
+
+       # The action currently doesn't support pushing the blob to the registry
+      - name: Sign tarball
+        if: steps.changesets.conclusion == 'success'
+        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+        with:
+          path: ./dist