release.yml

name: Publish npm packages
on:
  push:
    branches:
      - main

env:
  FORCE_COLOR: "1"
  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public

permissions:
  id-token: write
  contents: write
  pull-requests: write
  # Need to attest artifacts
  attestations: write

jobs:
  publish:
    environment: Production
    runs-on: ledgerhq-device-sdk
    steps:
      - uses: actions/checkout@v4

      - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop

      - name: build libraries
        run: pnpm build:libs

      - name: Login to internal JFrog registry
        id: jfrog-login
        uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1

      - name: Setup npm config for JFrog
        env:
          NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
        run: |
          cat << EOF | tee .npmrc
          enable-pre-post-scripts=true
          registry=https://${NPM_REGISTRY}/
          //${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
          EOF

      - name: Create dist directory to store tarball
        run: mkdir -p dist

      - name: Publish
        id: changesets
        uses: changesets/action@v1
        with:
          version: echo "not running version"
          publish: pnpm release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Attest tarball
        if: steps.changesets.outputs.published == 'true'
        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
        with:
          subject-path: ./dist

      # The action currently doesn't support pushing the blob to the registry
      - name: Sign tarball
        if: steps.changesets.outputs.published == 'true'
        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
        with:
          path: ./dist