Skip to content

⚙️ (jfrog) [NO-ISSUE]: Attest and sign package #181

⚙️ (jfrog) [NO-ISSUE]: Attest and sign package

⚙️ (jfrog) [NO-ISSUE]: Attest and sign package #181

Workflow file for this run

name: publish npm packages
on:
pull_request:
# push:
# branches:
# - main
env:
FORCE_COLOR: "1"
# NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green
permissions:
id-token: write
contents: write
pull-requests: write
# Need to attest artifacts
attestations: write
jobs:
publish:
# environment: Production
runs-on: ledgerhq-shared-medium
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/setup-toolchain-composite
- name: install dependencies
run: pnpm install
- name: build libraries
run: pnpm build
- name: Login to internal JFrog registry
id: jfrog-login
uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
- name: Setup npm config for JFrog and prepare dist folder
env:
NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
run: |
mkdir -p dist
cat << EOF | tee .npmrc
registry=https://${NPM_REGISTRY}/
//${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
EOF
- name: Create Release Pull Request or Publish to npm
id: changesets
uses: changesets/action@v1
with:
publish: pnpm release
branch: fix/no-issue-jfrog-attest-sign-package
createGithubReleases: false
env:
GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
- name: Attest tarball
if: steps.changesets.outputs.published == 'true'
uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
with:
subject-path: ./dist
# The action currently doesn't support pushing the blob to the registry
- name: Sign tarball
if: steps.changesets.outputs.published == 'true'
uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
with:
path: ./dist