LedgerHQ · lpascal-ledger · Apr 22, 2025
diff --git a/.github/workflows/build_and_tests.yml b/.github/workflows/build_and_tests.yml
@@ -100,100 +100,11 @@ jobs:
         name: codecov-ragger
 
   package_and_deploy:
-    name: Build and deploy Ragger Python Package
+    name: Build and deploy the Ragger Python package
     needs: [build_install_test]
-    runs-on: public-ledgerhq-shared-small
-    permissions:
-      id-token: write
-      attestations: write
-      contents: write
-    steps:
-
-    - name: Clone
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-
-    - name: Build Ragger Python package
-      run: |
-        # Needed to workaround this bug https://github.com/pypa/setuptools/issues/4759
-        # To be removed when it's fixed
-        pip install -U packaging
-
-        pip install --upgrade pip build twine
-        python -m build
-        pip install .
-        python -m twine check dist/*
-        echo "TAG_VERSION=$(python -c 'from ragger import __version__; print(__version__)')" >> "$GITHUB_ENV"
-
-    - name: Display current status
-      run: |
-        echo "Current status is:"
-        if [[ ${{ github.ref }} == "refs/tags/"* ]];
-        then
-            echo "- Triggered from tag, package will be a release";
-        else
-            echo "- Not triggered from tag, package will be a pre-release";
-        fi
-        echo "- Tag version: ${{ env.TAG_VERSION }}"
-
-    - name: Check version against CHANGELOG
-      if: startsWith(github.ref, 'refs/tags/')
-      run: |
-        CHANGELOG_VERSION=$(grep -Po '(?<=## \[)(\d+\.)+[^\]]' CHANGELOG.md | head -n 1)
-        if [ "${{ env.TAG_VERSION }}" == "${CHANGELOG_VERSION}" ];
-        then
-            exit 0;
-        else
-            echo "Tag '${{ env.TAG_VERSION }}' and CHANGELOG '${CHANGELOG_VERSION}' versions mismatch!";
-            exit 1;
-        fi
-
-    - name: Publish Python package on pypi.org
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      run: python -m twine upload dist/*
-      env:
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN  }}
-        TWINE_NON_INTERACTIVE: 1
-
-    - name: Login to Ledger Artifactory
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      timeout-minutes: 10
-      id: jfrog-login
-      uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
-
-    - name: Publish Python package on Ledger Artifactory
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      run: python -m twine upload dist/*
-      env:
-        TWINE_REPOSITORY_URL: https://jfrog.ledgerlabs.net/artifactory/api/pypi/embedded-apps-pypi-prod-green
-        TWINE_USERNAME: ${{ steps.jfrog-login.outputs.oidc-user }}
-        TWINE_PASSWORD: ${{ steps.jfrog-login.outputs.oidc-token }}
-        TWINE_NON_INTERACTIVE: 1
-
-    - name: Generate library build attestations
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      timeout-minutes: 10
-      uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
-      with:
-        subject-path: dist/*
-
-    - name: Sign library artifacts
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      timeout-minutes: 10
-      uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
-      with:
-        path: dist
-
-    - name: Publish a release on the repo
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      uses: "marvinpinto/action-automatic-releases@latest"
-      with:
-        automatic_release_tag: "v${{ env.TAG_VERSION }}"
-        repo_token: "${{ secrets.GITHUB_TOKEN }}"
-        prerelease: false
-        files: |
-          LICENSE
-          CHANGELOG.md
-          dist/
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_pypi_deployment.yml@v1
+    with:
+      package_name: ragger
+      publish: ${{ startsWith(github.ref, 'refs/tags/') }}
+    secrets:
+      pypi_token: ${{ secrets.PYPI_PUBLIC_API_TOKEN  }}