From 307674da7ed26dabfbf8d365d2cc14fe1dc75afd Mon Sep 17 00:00:00 2001
From: Kien Nguyen
Date: Mon, 23 Sep 2024 13:56:27 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9A=99=EF=B8=8F=20(jfrog):=20Attest=20and=20?=
 =?UTF-8?q?sign=20package?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/release.yml | 92 ++++++++++++++++++++---------
 1 file changed, 52 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5ec5247a0..35fd2fc06 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,12 +1,14 @@
 name: publish npm packages
 on:
-  push:
-    branches:
-      - main
+  pull_request:
+  # push:
+  #   branches:
+  #     - main
 
 env:
   FORCE_COLOR: "1"
-  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+  # NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green
 
 permissions:
   id-token: write
@@ -17,7 +19,7 @@ permissions:
 
 jobs:
   publish:
-    environment: Production
+    # environment: Production
     runs-on: ledgerhq-shared-medium
     steps:
       - uses: actions/checkout@v4
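Review bot: The new unfiltered `pull_request:` trigger runs the publish job — which still carries `permissions: id-token: write` and, per the last hunk, now executes `pnpm publish -r` — on every opened/synchronized PR in the repository, so any branch pushed to a PR publishes to the sandbox registry. If this is a temporary test setup, narrow it (e.g. `pull_request: branches: [fix/no-issue-jfrog-attest-sign-package]` or a `workflow_dispatch:` trigger) and mark the swapped `NPM_REGISTRY` and commented `push`/`main` lines with `# TODO: restore before merge` so the prod configuration is not lost at review time. Note that the `permissions:` block continues past this hunk, so further scopes granted to the PR run are not visible here.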
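Review bot: Commenting out `environment: Production` detaches the publish job from the deployment environment, so any protection rules, required reviewers or environment-scoped secrets that gated publishing no longer apply to a job that (per the last hunk) still publishes packages. If the goal is only to avoid the production environment while testing against the sandbox registry, point the job at a separate environment with equivalent gating rather than removing the binding, or at least annotate the line `# environment: Production  # TODO: restore before merge`. The job's `steps:` list continues beyond this hunk.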
@@ -43,49 +45,59 @@ jobs:
           //${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
           EOF
 
-      - name: Publish
+      - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
         with:
-          publish: pnpm release
+          # publish: pnpm release
+          branch: fix/no-issue-jfrog-attest-sign-package
+          createGithubReleases: false
         env:
           GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
-
-      - name: Download published packages to attest and sign
-        if: steps.changesets.outputs.published == 'true'
-        env:
-          PUBLISHED_PACKAGE_JSON: published-packages.json
-        run: |
-          # Extract packages name
-          # output will be in the form of: [{"name":"@ledgerhq/package-name","version":"X.X.X"}]
-          cat << EOF | tee $PUBLISHED_PACKAGE_JSON
-          ${{ steps.changesets.outputs.publishedPackages }}
-          EOF
 
-          # Create dist directory
+      - name: Publish
+        if: steps.changesets.outputs.hasChangesets == 'false'
+        run: |
           mkdir -p dist
+          pnpm recursive exec -- pnpm pack --pack-destination dist
+          ls -al dist
+          pnpm publish -r
 
-          # Loop over package names and download the tarball into dist directory
-          for row in $(cat $PUBLISHED_PACKAGE_JSON | jq -r '.[] | @text'); do
-            PACKAGE_NAME=$(echo $row| jq -r '.name')
-            PACKAGE_VERSION=$(echo $row | jq -r '.version')
-            PACKAGE_NAME_BASENAME=$(basename ${PACKAGE_NAME})
+      # - name: Download published packages to attest and sign
+      #   if: steps.changesets.outputs.published == 'true'
+      #   env:
+      #     PUBLISHED_PACKAGE_JSON: published-packages.json
+      #   run: |
+      #     # Extract packages name
+      #     # output will be in the form of: [{"name":"@ledgerhq/package-name","version":"X.X.X"}]
+      #     cat << EOF | tee $PUBLISHED_PACKAGE_JSON
+      #     ${{ steps.changesets.outputs.publishedPackages }}
+      #     EOF
 
-            echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
-            curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
-              -o dist/${PACKAGE_NAME_BASENAME}-${PACKAGE_VERSION}.tgz \
-              https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
-          done
+      #     # Create dist directory
+      #     mkdir -p dist
 
-      - name: Attest tarball
-        if: steps.changesets.outputs.published == 'true'
-        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
-        with:
-          subject-path: ./dist
+      #     # Loop over package names and download the tarball into dist directory
+      #     for row in $(cat $PUBLISHED_PACKAGE_JSON | jq -r '.[] | @text'); do
+      #       PACKAGE_NAME=$(echo $row| jq -r '.name')
+      #       PACKAGE_VERSION=$(echo $row | jq -r '.version')
+      #       PACKAGE_NAME_BASENAME=$(basename ${PACKAGE_NAME})
+
+      #       echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
+      #       curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
+      #         -o dist/${PACKAGE_NAME_BASENAME}-${PACKAGE_VERSION}.tgz \
+      #         https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
+      #     done
+
+      # - name: Attest tarball
+      #   if: steps.changesets.outputs.published == 'true'
+      #   uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+      #   with:
+      #     subject-path: ./dist
 
-        # The action currently doesn't support pushing the blob to the registry
-      - name: Sign tarball
-        if: steps.changesets.outputs.published == 'true'
-        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
-        with:
-          path: ./dist
+      #   # The action currently doesn't support pushing the blob to the registry
+      # - name: Sign tarball
+      #   if: steps.changesets.outputs.published == 'true'
+      #   uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+      #   with:
+      #     path: ./dist
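Review bot: On the new side both the `Attest tarball` and `Sign tarball` steps are commented out, so the new `Publish` step uploads packages with `pnpm publish -r` that carry no attestation or signature at all — the opposite of what the commit subject says — and the tarballs it produces with `pnpm pack --pack-destination dist` are consumed by nothing. Attesting the locally packed tarballs is a stronger provenance story than the removed curl re-download loop, so the natural fix is to give the publish step an `id` and re-enable the two steps against `./dist`, gated on that step's outcome; whether `pnpm pack` output is byte-identical to what `pnpm publish` uploads should be confirmed before relying on it. Also, `hasChangesets == 'false'` now publishes on every `pull_request` run with no pending changesets, and `pnpm publish` applies git checks that may reject a non-main branch unless `publish-branch` or `--no-git-checks` is configured — presumably why the run needs testing. The step that writes the `.npmrc` heredoc begins before this hunk.
```yaml
      - name: Publish
        id: publish
        if: steps.changesets.outputs.hasChangesets == 'false'
        run: |
          mkdir -p dist
          pnpm recursive exec -- pnpm pack --pack-destination dist
          ls -al dist
          pnpm publish -r

      - name: Attest tarball
        if: steps.publish.outcome == 'success'
        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
        with:
          subject-path: ./dist

      # The action currently doesn't support pushing the blob to the registry
      - name: Sign tarball
        if: steps.publish.outcome == 'success'
        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
        with:
          path: ./dist
```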