⚙️ (jfrog): Disable github release

LedgerHQ · Sep 20, 2024 · 6081015 · 6081015
1 parent e339e77
commit 6081015
Showing 1 changed file with 55 additions and 33 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,11 +7,15 @@ on:
 
 env:
   FORCE_COLOR: "1"
+  # NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green
 
 permissions:
   id-token: write
   contents: write
   pull-requests: write
+  # Need to attest artifacts
+  attestations: write
 
 jobs:
   publish:
@@ -20,59 +24,77 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: ./.github/actions/setup-toolchain-composite
+      # - uses: ./.github/actions/setup-toolchain-composite
 
-      - name: install dependencies
-        run: pnpm install
+      # - name: install dependencies
+      #   run: pnpm install
 
-      - name: build libraries
-        run: pnpm build
+      # - name: build libraries
+      #   run: pnpm build
 
       - name: Login to internal JFrog registry
         id: jfrog-login
         uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
 
       - name: Setup npm config for JFrog
         env:
-          # NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
-          NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green
           NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
         run: |
           cat << EOF | tee .npmrc
           registry=https://${NPM_REGISTRY}/
           //${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
           EOF
 
-      - name: Publish
-        id: changesets
-        uses: changesets/action@v1
-        # to remove
-        with:
-          publish: pnpm release
-          # to remove
-          branch: feat/no-issue-jfrog-attest-sign-package
-        env:
-          GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
+      # - name: Publish
+      #   id: changesets
+      #   uses: changesecahts/action@v1
+      #   with:
+      #     publish: pnpm release
+      #     # to remove
+      #     title: "⚙️ (release) [NO-ISSUE]: Version packages"
+      #     commit: "⚙️ (release): Version packages"
+      #     branch: feat/no-issue-jfrog-attest-sign-package
+      #     createGithubReleases: false
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
 
       - name: Download published packages to attest and sign
         # if: steps.changesets.outputs.published == 'true'
+        env:
+          PUBLISHED_PACKAGE_JSON: published-packages.json
         run: |
-          # Extract package name
-          PACKAGE_NAME=${{ steps.changesets.outputs.publishedPackages }}
-          
-          echo $PACKAGE_NAME
+          # Extract packages name
+          # output will be in the form of: [{"name":"@ledgerhq/package-name","version":"X.X.X"}]
+          cat << EOF | tee $PUBLISHED_PACKAGE_JSON
+          # ${{ steps.changesets.outputs.publishedPackages }}
+          [{"name":"@ledgerhq/device-sdk-ts","version":"0.4.0"}]
+          EOF
 
-          mkdir dist
+          # Create dist directory
+          mkdir -p dist
 
-      # - name: Attest tarball
-      #   if: steps.changesets.outputs.published == 'true'
-      #   uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
-      #   with:
-      #     subject-path: ./dist
-      #     push-to-registry: true
+          # Loop over package names and download the tarball into dist directory
+          for row in $(cat $PUBLISHED_PACKAGE_JSON | jq -r '.[] | @text'); do
+            PACKAGE_NAME=$(echo $row| jq -r '.name')
+            PACKAGE_VERSION=$(echo $row | jq -r '.version')
+            PACKAGE_NAME_BASENAME=$(basename ${PACKAGE_NAME})
 
-      # - name: Sign tarball
-      #   if: steps.changesets.outputs.published == 'true'
-      #   uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
-      #   with:
-      #     path: ./dist
+            echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
+            curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
+              -o dist/${PACKAGE_NAME_BASENAME}-${PACKAGE_VERSION}.tgz \
+              https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
+          done
+
+      - name: Attest tarball
+        # if: steps.changesets.outputs.published == 'true'
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: ./dist
+          push-to-registry: false
+
+      # The action currently doesn't support pushing the blob to the registry
+      - name: Sign tarball
+        if: steps.changesets.outputs.published == 'true'
+        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+        with:
+          path: ./dist