From 15c255a634ba945b83d9f7da9a0fd1a56f397069 Mon Sep 17 00:00:00 2001
From: Lucas PASCAL
Date: Thu, 27 Feb 2025 10:12:57 +0100
Subject: [PATCH 1/2] [ci][clean] Removing useless push to 'test.pypi.org'

---
 .github/workflows/ci.yml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4ba1911..3c8dd9c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -69,14 +69,6 @@ jobs:
 fi
 echo "- Tag version: ${{ env.TAG_VERSION }}";

- - name: Publish Python package on test.pypi.org
- if: success() && github.event_name == 'push'
- run: python -m twine upload --repository testpypi dist/*
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.TEST_PYPI_PUBLIC_API_TOKEN }}
- TWINE_NON_INTERACTIVE: 1
-
 - name: Publish Python package on pypi.org
 if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
 run: python -m twine upload dist/*
From 6c8703649a102baaa15b4f3370dd6bae84540082 Mon Sep 17 00:00:00 2001
From: Lucas PASCAL
Date: Thu, 27 Feb 2025 10:21:54 +0100
Subject: [PATCH 2/2] [ci][add] Push on Artifactory Python registry

---
 .github/workflows/ci.yml | 36 ++++++++++++++++++++++++++++-
 .github/workflows/documentation.yml | 1 +
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3c8dd9c..dc0afda 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,11 @@ on:
 pull_request:
 branches:
 - master
+ - develop
+
+permissions:
+ id-token: write
+ attestations: write

 jobs:
 build_install:
@@ -35,7 +40,7 @@ jobs:

 package-deploy:
 name: Build the Python package, and deploy if needed
- runs-on: ubuntu-latest
+ runs-on: public-ledgerhq-shared-small
 needs: build_install
 steps:
 - name: Clone
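Review bot: In the `@@ -10,6 +10,11 @@` hunk of ci.yml, the new `permissions:` block sits at workflow level, so `id-token: write` and `attestations: write` are granted to every job, including `build_install`, while only the tag-gated publish, attest and sign steps (apparently in `package-deploy`) use them. Moving the block under `package-deploy:` keeps the OIDC token scope away from jobs that only build and test. Declaring `permissions` also sets every unlisted scope to `none`, so if the later 'Publish a release on the repo' step (body not visible here) relies on `GITHUB_TOKEN`, it will need `contents: write` listed explicitly.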
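Review bot: In the `@@ -35,7 +40,7 @@` hunk, `package-deploy` moves to `public-ledgerhq-shared-small` for every trigger, although only its tag-gated publish steps appear to need an organisation runner; judging by the `github.event_name == 'push'` guards on its steps, the job also runs for pull requests, where it builds code from the PR. If that runner is self-hosted or shared across repositories (not visible from this diff), splitting the publish, attest and sign steps into a separate job that runs only for `refs/tags/` pushes would let pull-request builds stay on `ubuntu-latest`. At minimum add a comment above the line saying why the runner is required, e.g. `# Ledger-managed runner, required for the Artifactory OIDC login` if that is the reason. The job's steps continue outside the hunk.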
@@ -77,6 +82,35 @@ jobs:
 TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN }}
 TWINE_NON_INTERACTIVE: 1

+ - name: Login to Ledger Artifactory
+ if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ timeout-minutes: 10
+ id: jfrog-login
+ uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
+
+ - name: Publish Python package on Ledger Artifactory
+ if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ run: python -m twine upload dist/*
+ env:
+ TWINE_REPOSITORY_URL: https://jfrog.ledgerlabs.net/artifactory/api/pypi/embedded-apps-pypi-prod-green
+ TWINE_USERNAME: ${{ steps.jfrog-login.outputs.oidc-user }}
+ TWINE_PASSWORD: ${{ steps.jfrog-login.outputs.oidc-token }}
+ TWINE_NON_INTERACTIVE: 1
+
+ - name: Generate library build attestations
+ if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ timeout-minutes: 10
+ uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+ with:
+ subject-path: dist/*
+
+ - name: Sign library artifacts
+ if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ timeout-minutes: 10
+ uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+ with:
+ path: dist
+
 - name: Publish a release on the repo
 if: |
 success() &&
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index df45088..4d83172 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -9,6 +9,7 @@ on:
 pull_request:
 branches:
 - master
+ - develop

 jobs:
 generate:
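Review bot: In the `@@ -77,6 +82,35 @@` hunk of ci.yml, the three `LedgerHQ/actions-security` actions are referenced by tag-style refs (`@actions/jfrog-login-1`, `@actions/attest-1`, `@actions/sign-blob-1`), which can be repointed after review, yet these steps obtain the OIDC credentials and sign the release artifacts. Pinning each to a full commit SHA, e.g. `uses: LedgerHQ/actions-security/actions/jfrog-login@<full-commit-sha>  # actions/jfrog-login-1`, makes the executed code immutable. Separately, attestation and signing run after both `twine upload` steps, so a failure there leaves packages published without provenance; consider running them before the uploads, provided the sign step does not write extra files into `dist/` that `dist/*` would then pick up (not visible here). The step list continues past the end of the hunk.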