⚙️ (jfrog) [NO-ISSUE]: Attest and sign package

.github/workflows/release.yml

@@ -1,12 +1,14 @@
 name: publish npm packages
 on:
-  push:
-    branches:
-      - main
+  pull_request:
+  # push:
+  #   branches:
+  #     - main
 
 env:
   FORCE_COLOR: "1"
-  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+  # NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green
 
 permissions:
   id-token: write
@@ -17,7 +19,7 @@ permissions:
 
 jobs:
   publish:
-    environment: Production
+    # environment: Production
     runs-on: ledgerhq-shared-medium
     steps:
       - uses: actions/checkout@v4
@@ -43,49 +45,59 @@ jobs:
           //${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
           EOF
 
-      - name: Publish
+      - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
         with:
-          publish: pnpm release
+          # publish: pnpm release
+          branch: fix/no-issue-jfrog-attest-sign-package
+          createGithubReleases: false
         env:
           GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
-
-      - name: Download published packages to attest and sign
-        if: steps.changesets.outputs.published == 'true'
-        env:
-          PUBLISHED_PACKAGE_JSON: published-packages.json
-        run: |
-          # Extract packages name
-          # output will be in the form of: [{"name":"@ledgerhq/package-name","version":"X.X.X"}]
-          cat << EOF | tee $PUBLISHED_PACKAGE_JSON
-          ${{ steps.changesets.outputs.publishedPackages }}
-          EOF
 
-          # Create dist directory
+      - name: Publish
+        if: steps.changesets.outputs.hasChangesets == 'false'
+        run: |
           mkdir -p dist
+          pnpm recursive exec -- pnpm pack --pack-destination dist
+          ls -al dist
+          pnpm publish -r
 
-          # Loop over package names and download the tarball into dist directory
-          for row in $(cat $PUBLISHED_PACKAGE_JSON | jq -r '.[] | @text'); do
-            PACKAGE_NAME=$(echo $row| jq -r '.name')
-            PACKAGE_VERSION=$(echo $row | jq -r '.version')
-            PACKAGE_NAME_BASENAME=$(basename ${PACKAGE_NAME})
+      # - name: Download published packages to attest and sign
+      #   if: steps.changesets.outputs.published == 'true'
+      #   env:
+      #     PUBLISHED_PACKAGE_JSON: published-packages.json
+      #   run: |
+      #     # Extract packages name
+      #     # output will be in the form of: [{"name":"@ledgerhq/package-name","version":"X.X.X"}]
+      #     cat << EOF | tee $PUBLISHED_PACKAGE_JSON
+      #     ${{ steps.changesets.outputs.publishedPackages }}
+      #     EOF
 
-            echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
-            curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
-              -o dist/${PACKAGE_NAME_BASENAME}-${PACKAGE_VERSION}.tgz \
-              https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
-          done
+      #     # Create dist directory
+      #     mkdir -p dist
 
-      - name: Attest tarball
-        if: steps.changesets.outputs.published == 'true'
-        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
-        with:
-          subject-path: ./dist
+      #     # Loop over package names and download the tarball into dist directory
+      #     for row in $(cat $PUBLISHED_PACKAGE_JSON | jq -r '.[] | @text'); do
+      #       PACKAGE_NAME=$(echo $row| jq -r '.name')
+      #       PACKAGE_VERSION=$(echo $row | jq -r '.version')
+      #       PACKAGE_NAME_BASENAME=$(basename ${PACKAGE_NAME})
+
+      #       echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
+      #       curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
+      #         -o dist/${PACKAGE_NAME_BASENAME}-${PACKAGE_VERSION}.tgz \
+      #         https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
+      #     done
+
+      # - name: Attest tarball
+      #   if: steps.changesets.outputs.published == 'true'
+      #   uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+      #   with:
+      #     subject-path: ./dist
 
-      # The action currently doesn't support pushing the blob to the registry
-      - name: Sign tarball
-        if: steps.changesets.outputs.published == 'true'
-        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
-        with:
-          path: ./dist
+      # # The action currently doesn't support pushing the blob to the registry
+      # - name: Sign tarball
+      #   if: steps.changesets.outputs.published == 'true'
+      #   uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+      #   with:
+      #     path: ./dist