diff --git a/.github/workflows/build_and_tests.yml b/.github/workflows/build_and_tests.yml
index 44065867..b0f5fc89 100644
--- a/.github/workflows/build_and_tests.yml
+++ b/.github/workflows/build_and_tests.yml
@@ -100,100 +100,11 @@ jobs:
 name: codecov-ragger
 package_and_deploy:
- name: Build and deploy Ragger Python Package
+ name: Build and deploy the Ragger Python package
 needs: [build_install_test]
- runs-on: public-ledgerhq-shared-small
- permissions:
- id-token: write
- attestations: write
- contents: write
- steps:
-
- - name: Clone
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
-
- - name: Build Ragger Python package
- run: |
- # Needed to workaround this bug https://github.com/pypa/setuptools/issues/4759
- # To be removed when it's fixed
- pip install -U packaging
-
- pip install --upgrade pip build twine
- python -m build
- pip install .
- python -m twine check dist/*
- echo "TAG_VERSION=$(python -c 'from ragger import __version__; print(__version__)')" >> "$GITHUB_ENV"
-
- - name: Display current status
- run: |
- echo "Current status is:"
- if [[ ${{ github.ref }} == "refs/tags/"* ]];
- then
- echo "- Triggered from tag, package will be a release";
- else
- echo "- Not triggered from tag, package will be a pre-release";
- fi
- echo "- Tag version: ${{ env.TAG_VERSION }}"
-
- - name: Check version against CHANGELOG
- if: startsWith(github.ref, 'refs/tags/')
- run: |
- CHANGELOG_VERSION=$(grep -Po '(?<=## \[)(\d+\.)+[^\]]' CHANGELOG.md | head -n 1)
- if [ "${{ env.TAG_VERSION }}" == "${CHANGELOG_VERSION}" ];
- then
- exit 0;
- else
- echo "Tag '${{ env.TAG_VERSION }}' and CHANGELOG '${CHANGELOG_VERSION}' versions mismatch!";
- exit 1;
- fi
-
- - name: Publish Python package on pypi.org
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- run: python -m twine upload dist/*
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN }}
- TWINE_NON_INTERACTIVE: 1
-
- - name: Login to Ledger Artifactory
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- timeout-minutes: 10
- id: jfrog-login
- uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
-
- - name: Publish Python package on Ledger Artifactory
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- run: python -m twine upload dist/*
- env:
- TWINE_REPOSITORY_URL: https://jfrog.ledgerlabs.net/artifactory/api/pypi/embedded-apps-pypi-prod-green
- TWINE_USERNAME: ${{ steps.jfrog-login.outputs.oidc-user }}
- TWINE_PASSWORD: ${{ steps.jfrog-login.outputs.oidc-token }}
- TWINE_NON_INTERACTIVE: 1
-
- - name: Generate library build attestations
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- timeout-minutes: 10
- uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
- with:
- subject-path: dist/*
-
- - name: Sign library artifacts
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- timeout-minutes: 10
- uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
- with:
- path: dist
-
- - name: Publish a release on the repo
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- uses: "marvinpinto/action-automatic-releases@latest"
- with:
- automatic_release_tag: "v${{ env.TAG_VERSION }}"
- repo_token: "${{ secrets.GITHUB_TOKEN }}"
- prerelease: false
- files: |
- LICENSE
- CHANGELOG.md
- dist/
+ uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_pypi_deployment.yml@v1
+ with:
+ package_name: ragger
+ publish: ${{ startsWith(github.ref, 'refs/tags/') }}
+ secrets:
+ pypi_token: ${{ secrets.PYPI_PUBLIC_API_TOKEN }}
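Review bot: The rewritten `package_and_deploy` job no longer declares the `permissions:` block the removed job carried (`id-token: write`, `attestations: write`, `contents: write`), and a called reusable workflow can only receive the token permissions its caller grants. Unless a workflow-level block or the repository default already grants them (neither is visible in this hunk), the OIDC login, attestation and release steps that presumably now live in `reusable_pypi_deployment.yml` will either fail or rely on a broad default token; restoring those three keys on this job keeps the grant explicit and scoped to it. The `publish` input also drops the old `github.event_name == 'push'` guard, so a run started by another event on a tag ref would publish unless the reusable workflow re-checks it; `publish: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}` keeps the previous condition. Finally, `@v1` is a mutable ref on a workflow that is handed `PYPI_PUBLIC_API_TOKEN`; pinning it to a full commit SHA with a trailing `# v1` comment would fix which code handles the token.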