Skip to content

Commit

Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge bc188de into f03c328
Browse files Browse the repository at this point in the history
dedsxc authored Sep 20, 2024
2 parents f03c328 + bc188de commit 7f5d1a7
Showing 2 changed files with 55 additions and 10 deletions.
2 changes: 1 addition & 1 deletion .changeset/config.json
Original file line number Diff line number Diff line change
@@ -10,7 +10,7 @@
"fixed": [],
"linked": [],
"access": "public",
"baseBranch": "develop",
"baseBranch": "feat/no-issue-jfrog-attest-sign-package",
"updateInternalDependencies": "patch",
"ignore": []
}
63 changes: 54 additions & 9 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -1,20 +1,24 @@
name: publish npm packages
on:
push:
branches:
- main
pull_request:
# push:
# branches:
# - main

env:
FORCE_COLOR: "1"
# NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green

permissions:
id-token: write
contents: write
pull-requests: write

jobs:
publish:
environment: Production
# environment: Production
runs-on: ledgerhq-shared-medium
permissions:
id-token: write
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v4

@@ -32,7 +36,6 @@ jobs:

- name: Setup npm config for JFrog
env:
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
run: |
cat << EOF | tee .npmrc
@@ -43,7 +46,49 @@ jobs:
- name: Publish
id: changesets
uses: changesets/action@v1
# to remove
with:
publish: pnpm release
# to remove
title: "⚙️ (release) [NO-ISSUE]: Version packages"
commit: "⚙️ (release): Version packages"
branch: feat/no-issue-jfrog-attest-sign-package
createGithubReleases: false
env:
GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}

- name: Download published packages to attest and sign
if: steps.changesets.outputs.published == 'true'
run: |
# Extract package name
# output will be in the form of
# [{"name":"@ledgerhq/device-sdk-core","version":"0.4.0"}]
cat << EOF | tee published-packages.json
${{ steps.changesets.outputs.publishedPackages }}
EOF
PACKAGE_NAME=$(cat published-packages.json | jq -r '.[0].name')
PACKAGE_VERSION=$(cat published-packages.json | jq -r '.[0].version')
# Create dist directory
mkdir -p dist
ls -al
echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
-o dist/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz \
https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
ls -al dist
- name: Attest tarball
if: steps.changesets.outputs.published == 'true'
uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
with:
subject-path: ./dist
push-to-registry: true

# The action currently doesn't support pushing the blob to the registry
- name: Sign tarball
if: steps.changesets.outputs.published == 'true'
uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
with:
path: ./dist

0 comments on commit 7f5d1a7

Please sign in to comment.