Skip to content

chore: adapt CI for attested publish on npm #81

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
xchalle wants to merge 14 commits into
base: main
Choose a base branch
from
Open

chore: adapt CI for attested publish on npm #81

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
a07b94c
chore: adapt CI for attested publish on npm
xchalle Jan 20, 2026
555ccfc
chore: adapt CI for attested publish on npm
xchalle Jan 20, 2026
4e5f793
Merge branch 'main' into xchalle/release_workflows
xchalle Jan 28, 2026
46efe3a
Merge branch 'main' into xchalle/release_workflows
xchalle Feb 16, 2026
2bdb93a
Change NPM registry to sandbox environment
xchalle Feb 16, 2026
0468c08
Update NPM registry URL in publishBranch.yaml
xchalle Feb 16, 2026
86dd048
Fix tarball naming in publishBranch workflow
xchalle Feb 16, 2026
a7c8a1b
Refactor npm config and publish steps in workflow
xchalle Feb 16, 2026
4c30055
chore: point attest action to actions-security feature branch
xchalle Feb 24, 2026
e2281bb
chore: upload attested tarball as GitHub artifact (1-day retention)
xchalle Feb 24, 2026
93b42fb
Change package manager from pnpm to npm
xchalle Feb 24, 2026
770f143
chore: add direct publish test step to compare tarball behavior
xchalle Feb 24, 2026
4908cd2
Comment out JFrog tarball publishing step
xchalle Feb 24, 2026
f823ca7
Change package manager from npm to pnpm
xchalle Feb 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 26 additions & 18 deletions .github/workflows/publishBranch.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ permissions:
attestations: write

env:
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ledgerlive-npm-prod-public
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ledgerlive-npm-sandbox-green

jobs:
publish:
Expand All @@ -39,28 +39,25 @@ jobs:
- name: Build project
run: pnpm run build

- name: Create tarball for attestation
- name: Set branch version
run: |
echo "TARBALL=$(pnpm pack --pack-destination dist)" >> $GITHUB_ENV
SANITIZED_BRANCH=$(echo "${{ github.event.inputs.branch }}" | sed 's/[\/\_]/-/g')
CURRENT_VERSION=$(node -p "require('./package.json').version")
NEW_VERSION="${CURRENT_VERSION}-${SANITIZED_BRANCH}"
npm version "$NEW_VERSION" --no-git-tag-version
echo "Publishing version: $NEW_VERSION"

- name: Get PR name
id: get-pr-name
run: echo "PR_NAME=${{ github.event.inputs.branch }}" >> $GITHUB_ENV

- name: Rename tarball with PR name
run: |
TARBALL=$(echo $TARBALL | sed "s/\.tgz/-${PR_NAME}.tgz/")
echo "TARBALL=${TARBALL}" >> $GITHUB_ENV

- name: Attest tarball
uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
- name: Attest for npmjs.com
id: attest
uses: LedgerHQ/actions-security/actions/attest-for-npmsjs-com@xchalle/attest-action-package-manager-support
with:
subject-path: ./lib/dist
subject-path: ./lib
package-manager: pnpm

- name: Sign tarball
uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
with:
path: ./lib/dist
path: ${{ steps.attest.outputs.tarball-path }}

- name: Login to JFrog Ledger
id: jfrog-login
Expand All @@ -75,5 +72,16 @@ jobs:
//${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
EOF

- name: Publish package to JFrog
run: pnpm publish $TARBALL --no-git-checks
#- name: Publish attested tarball to JFrog
# run: pnpm publish ${{ steps.attest.outputs.tarball-path }} --no-git-checks

- name: Test publish directly from lib (without tarball-path)
run: pnpm publish --no-git-checks
continue-on-error: true

- name: Upload tarball as artifact
uses: actions/upload-artifact@v4
with:
name: npm-package
path: ${{ steps.attest.outputs.tarball-path }}
retention-days: 1
17 changes: 10 additions & 7 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ permissions:
attestations: write

env:
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ledgerlive-npm-prod-public
NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ledgerlive-npm-sandbox-green

jobs:
publish:
Expand All @@ -39,25 +39,27 @@ jobs:
- name: Build project
run: pnpm run build

- name: Create tarball for attestation
- name: Create tarball
run: |
echo "TARBALL=$(pnpm pack --pack-destination dist)" >> $GITHUB_ENV
mkdir -p ../dist
echo "TARBALL=$(pnpm pack --pack-destination ../dist)" >> $GITHUB_ENV

- name: Attest tarball
uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
- name: Attest for npmjs.com
uses: LedgerHQ/actions-security/actions/attest-for-npmsjs-com@xchalle/attest-action-package-manager-support
with:
subject-path: ./lib/dist
subject-path: ./dist

- name: Sign tarball
uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
with:
path: ./lib/dist
path: ./dist

- name: Login to JFrog Ledger
id: jfrog-login
uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1

- name: Setup npm config for JFrog
working-directory: ./dist/
env:
NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
run: |
Expand All @@ -67,4 +69,5 @@ jobs:
EOF

- name: Publish package to JFrog
working-directory: ./dist/
run: pnpm publish $TARBALL --no-git-checks