Skip to content

⚙️ (jfrog) [NO-ISSUE]: Attest and sign package #135

⚙️ (jfrog) [NO-ISSUE]: Attest and sign package

⚙️ (jfrog) [NO-ISSUE]: Attest and sign package #135

Workflow file for this run

name: publish npm packages
on:
pull_request:
# push:
# branches:
# - main
env:
FORCE_COLOR: "1"
# NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green
permissions:
id-token: write
contents: write
pull-requests: write
jobs:
publish:
# environment: Production
runs-on: ledgerhq-shared-medium
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/setup-toolchain-composite
- name: install dependencies
run: pnpm install
- name: build libraries
run: pnpm build
- name: Login to internal JFrog registry
id: jfrog-login
uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
- name: Setup npm config for JFrog
env:
NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
run: |
cat << EOF | tee .npmrc
registry=https://${NPM_REGISTRY}/
//${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
EOF
- name: Publish
id: changesets
uses: changesets/action@v1
# to remove
with:
publish: pnpm release
# to remove
branch: feat/no-issue-jfrog-attest-sign-package
createGithubReleases: false
env:
GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
- name: Download published packages to attest and sign
if: steps.changesets.outputs.published == 'true'
run: |
# Extract package name
# output will be in the form of
# [{name:@ledgerhq/device-sdk-core,version:0.4.0}]
METADATA=${{ steps.changesets.outputs.publishedPackages }}
PACKAGE_NAME=$(echo $METADATA | jq -r '.[0].name')
PACKAGE_VERSION=$(echo $METADATA | jq -r '.[0].version')
echo "PACKAGE_NAME: $PACKAGE_NAME"
echo "PACKAGE_VERSION: $PACKAGE_VERSION"
# Create dist directory
mkdir dist
curl --output dist/${PACKAGE_NAME}-{VERSION}.tgz https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-{VERSION}.tgz
ls -al
ls -al dist
# - name: Attest tarball
# if: steps.changesets.outputs.published == 'true'
# uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
# with:
# subject-path: ./dist
# push-to-registry: true
# - name: Sign tarball
# if: steps.changesets.outputs.published == 'true'
# uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
# with:
# path: ./dist