device-sdk-ts/.github/workflows/release.yml at develop · code-z2/device-sdk-ts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
name: "[Release] Publish Packages"
on:
  push:
    branches:
      - main

env:
  FORCE_COLOR: "1"
  NPM_REGISTRY: ${{ vars.NPM_REGISTRY }}

permissions:
  id-token: write
  contents: write
  pull-requests: write
  # Need to attest artifacts
  attestations: write

jobs:
  public-runner:
    name: Build and Attest Release Packages
    # npmjs requires attestation to be generated on a public runner
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5

      - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-with-cache-composite@develop

      - name: Canonicalize package.json
        run: pnpm ldmk-tool canonicalize

      - name: Build libraries
        run: pnpm build:libs

      - name: Prepare dist directory
        run: pnpm ldmk-tool pack

      - name: Attest for npmjs.com
        uses: LedgerHQ/actions-security/actions/attest-for-npmsjs-com@attest-npm-dir-support
        with:
          subject-path: ./dist

      # The action currently doesn't support pushing the blob to the registry
      - name: Sign tarball
        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
        with:
          path: ./dist

      - name: Upload packages to GitHub Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: npm-release-packages
          path: dist/*.tgz
          retention-days: 1
          if-no-files-found: error

      # This action will publish to github and create tags on main branch
      - name: Publish to Github Release
        uses: LedgerHQ/actions-security/actions/create-github-release@create-github-release
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

  ledger-runner:
    name: Publish Release to JFrog
    environment: Production
    needs: public-runner
    # JFrog is accessible only from a ledger private runner
    runs-on: ledgerhq-device-sdk
    steps:
      - uses: actions/checkout@v5

      - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-with-cache-composite@develop

      - name: Download packages from GitHub Artifacts
        uses: actions/download-artifact@v4
        with:
          name: npm-release-packages
          path: dist

      - name: Publish release packages to JFrog
        uses: LedgerHQ/device-sdk-ts/.github/actions/publish-to-jfrog-composite@develop
        with:
          npm-registry: ${{ env.NPM_REGISTRY }}
          dist-path: dist