[ci][add] Push on Artifactory Python registry

Leereen · Leereen · commit 6c8703649a10 · 2025-02-27T11:59:48.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -10,6 +10,11 @@ on:
   pull_request:
     branches:
       - master
+      - develop
+
+permissions:
+  id-token: write
+  attestations: write
 
 jobs:
   build_install:
@@ -35,7 +40,7 @@ jobs:
 
   package-deploy:
     name: Build the Python package, and deploy if needed
-    runs-on: ubuntu-latest
+    runs-on: public-ledgerhq-shared-small
     needs: build_install
     steps:
     - name: Clone
@@ -77,6 +82,35 @@ jobs:
         TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN  }}
         TWINE_NON_INTERACTIVE: 1
 
+    - name: Login to Ledger Artifactory
+      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+      timeout-minutes: 10
+      id: jfrog-login
+      uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
+
+    - name: Publish Python package on Ledger Artifactory
+      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+      run: python -m twine upload dist/*
+      env:
+        TWINE_REPOSITORY_URL: https://jfrog.ledgerlabs.net/artifactory/api/pypi/embedded-apps-pypi-prod-green
+        TWINE_USERNAME: ${{ steps.jfrog-login.outputs.oidc-user }}
+        TWINE_PASSWORD: ${{ steps.jfrog-login.outputs.oidc-token }}
+        TWINE_NON_INTERACTIVE: 1
+
+    - name: Generate library build attestations
+      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+      timeout-minutes: 10
+      uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+      with:
+        subject-path: dist/*
+
+    - name: Sign library artifacts
+      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+      timeout-minutes: 10
+      uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+      with:
+        path: dist
+
     - name: Publish a release on the repo
       if: |
         success() &&
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - master
+      - develop
 
 jobs:
   generate:
