From be724f4276306cecd532dbf0f51d71ab7eeacbb5 Mon Sep 17 00:00:00 2001 From: Kien Nguyen Date: Thu, 19 Sep 2024 15:18:35 +0200 Subject: [PATCH] =?UTF-8?q?=E2=9A=99=EF=B8=8F=20(INFRAPRJ-6622):=20Attest?= =?UTF-8?q?=20and=20sign=20package?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/release.yml | 39 ++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dbc0153f2..c45db22ec 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,15 +1,16 @@ name: publish npm packages on: - push: - branches: - - main + pull_request: + # push: + # branches: + # - main env: FORCE_COLOR: "1" jobs: publish: - environment: Production + # environment: Production runs-on: ledgerhq-shared-medium permissions: id-token: write @@ -32,7 +33,8 @@ jobs: - name: Setup npm config for JFrog env: - NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public + # NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public + NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-sandbox-green NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }} run: | cat << EOF | tee .npmrc 
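Review bot: Switching the trigger to `pull_request` while commenting out `environment: Production` makes the publish job, which keeps `permissions: id-token: write`, run on pull requests without that environment's protection rules. Referencing an environment also changes the subject claim of the OIDC token GitHub issues, so a registry-side identity mapping that pins the Production environment will stop matching, and one that does not pin it would accept tokens minted from PR runs. The sandbox registry in the next hunk and the "to remove" markers in the last hunk suggest this is test scaffolding; if so, restore `push` on `main` and `environment: Production` before merge, or move the experiment to a separate workflow file so the release workflow is never loosened. The `publish` job continues past the end of this hunk.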
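Review bot: The production registry is replaced by `ldk-npm-sandbox-green` by commenting out one literal and hard-coding another, so merging this as is would send releases to the sandbox, and switching back is a manual edit that is easy to miss. Consider reading the registry from configuration, e.g. `NPM_REGISTRY: ${{ vars.NPM_REGISTRY }}` with the value set per environment, so that a test run never requires editing the release workflow. The step's `run:` body continues outside the hunk; since the heredoc is piped through `tee`, the generated `.npmrc` is also printed to the job log, which is worth checking if that file carries the token.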
@@ -43,7 +45,34 @@ jobs: - name: Publish id: changesets uses: changesets/action@v1 + # to remove + continue-on-error: true with: publish: pnpm release + # to remove + branch: feat/no-issue-jfrog-attest-sign-package env: GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }} + + - name: Download published packages to attest and sign + if: steps.changesets.outputs.published == 'true' + run: | + # Extract package name + PACKAGE_NAME=${{ steps.changesets.outputs.publishedPackages }} + + echo $PACKAGE_NAME + + mkdir dist + + # - name: Attest tarball + # if: steps.changesets.outputs.published == 'true' + # uses: LedgerHQ/actions-security/actions/attest@actions/attest-1 + # with: + # subject-path: ./dist + # push-to-registry: true + + # - name: Sign tarball + # if: steps.changesets.outputs.published == 'true' + # uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1 + # with: + # path: ./dist
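Review bot: In the new "Download published packages to attest and sign" step, `PACKAGE_NAME=${{ steps.changesets.outputs.publishedPackages }}` pastes the action output into the script text before the shell parses it, so its content is interpreted as shell syntax rather than data. changesets/action documents that output as a JSON array of name/version objects, so the unquoted assignment will also word-split and fail, and with the workflow now triggered by `pull_request` the package names come from the branch under review. Pass the value through `env:` and quote it, as in the snippet below. Separately, `continue-on-error: true` on the Publish step lets a failed release finish green, and the `branch:` override plus the two commented-out attest/sign steps mean nothing is attested or signed yet; these are marked "to remove" and should not merge as is. When the attest and sign steps are enabled, pinning those actions to a commit SHA instead of the `actions/attest-1` and `actions/sign-blob-1` refs would keep the signing path from changing underneath the workflow.

```yaml
      - name: Download published packages to attest and sign
        if: steps.changesets.outputs.published == 'true'
        env:
          # Passed as data; never expanded into the script text.
          PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
        run: |
          printf '%s\n' "$PUBLISHED_PACKAGES"
          mkdir -p dist
      # … unchanged: commented-out attest and sign steps …
```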