💚 (release) [DSDK-500]: Push snapshot release to jfrog (#350)

.changeset/gorgeous-tables-cheer.md

@@ -1,5 +1,5 @@
 ---
-"@ledgerhq/device-signer-kit-btc": patch
+"@ledgerhq/device-signer-kit-bitcoin": patch
 ---
 
 Set bitcoin-js as peer dep

.changeset/tall-hairs-cheer.md

@@ -2,4 +2,4 @@
 "@ledgerhq/device-signer-kit-bitcoin": minor
 ---
 
-Create device-signer-kit-btc package
+Create device-signer-kit-bitcoin package

.github/workflows/snapshot_release.yml

@@ -6,23 +6,29 @@ on:
     inputs:
       ref:
         description: The base branch to publish a snapshot release from
-        required: true
+        required: false
         default: "develop"
       tag:
         description: Snapshot version name
         required: false
-        default: ""
+        default: "develop"
 
 env:
   FORCE_COLOR: "1"
-  # if no inputs it's considered as a cron job
-  REF: ${{ inputs.ref || 'develop' }}
-  TAG: ${{ inputs.tag || 'develop' }}
-  NPM_TOKEN: ${{ secrets.NPMJS_TOKEN }}
+  REF: ${{ inputs.ref }}
+  TAG: ${{ inputs.tag }}
+  NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+  # Need to attest artifacts
+  attestations: write
 
 jobs:
   snapshot:
-    runs-on: ubuntu-latest
+    runs-on: ledgerhq-device-sdk
     steps:
       - uses: actions/checkout@v4
         with:
@@ -31,14 +37,45 @@ jobs:
       - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop
 
       - name: build libraries
-        run: pnpm build
+        run: pnpm build:libs
+
+      - name: Login to internal JFrog registry
+        id: jfrog-login
+        uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
+
+      - name: Setup npm config for JFrog
+        env:
+          NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
+        run: |
+          cat << EOF | tee .npmrc
+          enable-pre-post-scripts=true
+          registry=https://${NPM_REGISTRY}/
+          //${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
+          EOF
+
+      - name: Create dist directory to store tarball
+        run: mkdir -p dist
 
-      - name: create .npmrc
-        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
+      # - name: create .npmrc
+      #   run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
 
       - name: create and publish snapshot release version
+        id: changesets
         run: |
           pnpm bump --snapshot ${{ env.TAG }}
           pnpm release --snapshot --no-git-tag --tag ${{ env.TAG }}
         env:
-          GITHUB_TOKEN: ${{ github.token }}
+          GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
+
+      - name: Attest tarball
+        if: steps.changesets.conclusion == 'success'
+        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
+        with:
+          subject-path: ./dist
+
+       # The action currently doesn't support pushing the blob to the registry
+      - name: Sign tarball
+        if: steps.changesets.conclusion == 'success'
+        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
+        with:
+          path: ./dist