⚙️ (jfrog) [NO-ISSUE]: Attest and sign package (#287)

LedgerHQ · Sep 23, 2024 · cc1b6e9 · cc1b6e9
1 parent 6f7db98
commit cc1b6e9
Showing 1 changed file with 47 additions and 5 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,15 +6,19 @@ on:
 
 env:
   FORCE_COLOR: "1"
+  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+  # Need to attest artifacts
+  attestations: write
 
 jobs:
   publish:
     environment: Production
     runs-on: ledgerhq-shared-medium
-    permissions:
-      id-token: write
-      contents: write
-      pull-requests: write
     steps:
       - uses: actions/checkout@v4
 
@@ -32,7 +36,6 @@ jobs:
 
       - name: Setup npm config for JFrog
         env:
-          NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
           NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
         run: |
           cat << EOF | tee .npmrc
@@ -47,3 +50,42 @@ jobs:
           publish: pnpm release
         env:
           GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
+
+      - name: Download published packages to attest and sign
+        if: steps.changesets.outputs.published == 'true'
+        env:
+          PUBLISHED_PACKAGE_JSON: published-packages.json
+        run: |
+          # Extract packages name
+          # output will be in the form of: [{"name":"@ledgerhq/package-name","version":"X.X.X"}]
+          cat << EOF | tee $PUBLISHED_PACKAGE_JSON
+          ${{ steps.changesets.outputs.publishedPackages }}
+          EOF
+
+          # Create dist directory
+          mkdir -p dist
+
+          # Loop over package names and download the tarball into dist directory
+          for row in $(cat $PUBLISHED_PACKAGE_JSON | jq -r '.[] | @text'); do
+            PACKAGE_NAME=$(echo $row| jq -r '.name')
+            PACKAGE_VERSION=$(echo $row | jq -r '.version')
+            PACKAGE_NAME_BASENAME=$(basename ${PACKAGE_NAME})
+
+            echo -e "\033[0;32mDownload artifact from\033[0m https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz"
+            curl -H "Authorization: Bearer ${{ steps.jfrog-login.outputs.oidc-token }}" \
+              -o dist/${PACKAGE_NAME_BASENAME}-${PACKAGE_VERSION}.tgz \
+              https://${NPM_REGISTRY}/${PACKAGE_NAME}/-/${PACKAGE_NAME}-${PACKAGE_VERSION}.tgz
+          done
+
+      - name: Attest tarball
+        if: steps.changesets.outputs.published == 'true'
+        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+        with:
+          subject-path: ./dist
+
+      # The action currently doesn't support pushing the blob to the registry
+      - name: Sign tarball
+        if: steps.changesets.outputs.published == 'true'
+        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+        with:
+          path: ./dist