Skip to content

Commit

Permalink
⚙️ (jfrog): Attest and sign package
Browse files Browse the repository at this point in the history
  • Loading branch information
dedsxc committed Sep 24, 2024
1 parent 11534cd commit 4bcb412
Showing 1 changed file with 52 additions and 40 deletions.
92 changes: 52 additions & 40 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -1,12 +1,14 @@
name: publish npm packages
on:
push:
branches:
- main
pull_request:
# push:
# branches:
# - main

env:
FORCE_COLOR: "1"
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
# NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green

permissions:
id-token: write
Expand All @@ -17,7 +19,7 @@ permissions:

jobs:
publish:
environment: Production
# environment: Production
runs-on: ledgerhq-shared-medium
steps:
- uses: actions/checkout@v4
Expand All @@ -43,49 +45,59 @@ jobs:
//${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
EOF
- name: Publish
- name: Create Release Pull Request or Publish to npm
id: changesets
uses: changesets/action@v1
with:
publish: pnpm release
# publish: pnpm release
branch: fix/no-issue-jfrog-attest-sign-package
createGithubReleases: false
env:
GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}

- name: Download published packages to attest and sign
if: steps.changesets.outputs.published == 'true'
env:
PUBLISHED_PACKAGE_JSON: published-packages.json
run: |
# Extract packages name
# output will be in the form of: [{"name":"@ledgerhq/package-name","version":"X.X.X"}]
cat << EOF | tee $PUBLISHED_PACKAGE_JSON
${{ steps.changesets.outputs.publishedPackages }}
EOF

# Create dist directory
- name: Publish
if: steps.changesets.outputs.hasChangesets == 'false'
run: |
mkdir -p dist
pnpm recursive exec -- pnpm pack --pack-destination dist
ls -al dist
pnpm publish -r
# Loop over package names and download the tarball into dist directory
for row in $(cat $PUBLISHED_PACKAGE_JSON | jq -r '.[] | @text'); do
PACKAGE_NAME=$(echo $row| jq -r '.name')
PACKAGE_VERSION=$(echo $row | jq -r '.version')
PACKAGE_NAME_BASENAME=$(basename ${PACKAGE_NAME})
# - name: Download published packages to attest and sign
# if: steps.changesets.outputs.published == 'true'
# env:
# PUBLISHED_PACKAGE_JSON: published-packages.json
# run: |
# # Extract packages name
# # output will be in the form of: [{"name":"@ledgerhq/package-name","version":"X.X.X"}]
# cat << EOF | tee $PUBLISHED_PACKAGE_JSON
# ${{ steps.changesets.outputs.publishedPackages }}
# EOF

echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
-o dist/${PACKAGE_NAME_BASENAME}-${PACKAGE_VERSION}.tgz \
https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
done
# # Create dist directory
# mkdir -p dist

- name: Attest tarball
if: steps.changesets.outputs.published == 'true'
uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
with:
subject-path: ./dist
# # Loop over package names and download the tarball into dist directory
# for row in $(cat $PUBLISHED_PACKAGE_JSON | jq -r '.[] | @text'); do
# PACKAGE_NAME=$(echo $row| jq -r '.name')
# PACKAGE_VERSION=$(echo $row | jq -r '.version')
# PACKAGE_NAME_BASENAME=$(basename ${PACKAGE_NAME})

# echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
# curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
# -o dist/${PACKAGE_NAME_BASENAME}-${PACKAGE_VERSION}.tgz \
# https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
# done

# - name: Attest tarball
# if: steps.changesets.outputs.published == 'true'
# uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
# with:
# subject-path: ./dist

# The action currently doesn't support pushing the blob to the registry
- name: Sign tarball
if: steps.changesets.outputs.published == 'true'
uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
with:
path: ./dist
# # The action currently doesn't support pushing the blob to the registry
# - name: Sign tarball
# if: steps.changesets.outputs.published == 'true'
# uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
# with:
# path: ./dist

0 comments on commit 4bcb412

Please sign in to comment.