Merge pull request #145 from LedgerHQ/jfrog

Leereen · web-flow · commit c3609d5e42f3 · 2025-02-27T14:21:27.000+01:00
Package pushed on JFrog
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,6 +10,11 @@ on:
   pull_request:
     branches:
       - master
+      - develop
+
+permissions:
+  id-token: write
+  attestations: write
 
 jobs:
   build_install:
@@ -35,7 +40,7 @@ jobs:
 
   package-deploy:
     name: Build the Python package, and deploy if needed
-    runs-on: ubuntu-latest
+    runs-on: public-ledgerhq-shared-small
     needs: build_install
     steps:
     - name: Clone
@@ -69,22 +74,43 @@ jobs:
         fi
         echo "- Tag version: ${{ env.TAG_VERSION }}";
 
-    - name: Publish Python package on test.pypi.org
-      if: success() && github.event_name == 'push'
-      run: python -m twine upload --repository testpypi dist/*
+    - name: Publish Python package on pypi.org
+      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+      run: python -m twine upload dist/*
       env:
         TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_PUBLIC_API_TOKEN  }}
+        TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN  }}
         TWINE_NON_INTERACTIVE: 1
 
-    - name: Publish Python package on pypi.org
+    - name: Login to Ledger Artifactory
+      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+      timeout-minutes: 10
+      id: jfrog-login
+      uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
+
+    - name: Publish Python package on Ledger Artifactory
       if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
       run: python -m twine upload dist/*
       env:
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN  }}
+        TWINE_REPOSITORY_URL: https://jfrog.ledgerlabs.net/artifactory/api/pypi/embedded-apps-pypi-prod-green
+        TWINE_USERNAME: ${{ steps.jfrog-login.outputs.oidc-user }}
+        TWINE_PASSWORD: ${{ steps.jfrog-login.outputs.oidc-token }}
         TWINE_NON_INTERACTIVE: 1
 
+    - name: Generate library build attestations
+      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+      timeout-minutes: 10
+      uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+      with:
+        subject-path: dist/*
+
+    - name: Sign library artifacts
+      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+      timeout-minutes: 10
+      uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+      with:
+        path: dist
+
     - name: Publish a release on the repo
       if: |
         success() &&
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - master
+      - develop
 
 jobs:
   generate:
