From faa20c042681854e99618ce1542ca2680d9793ac Mon Sep 17 00:00:00 2001
From: Mathias BROUSSET
Date: Wed, 14 Jan 2026 17:38:57 +0100
Subject: [PATCH] replace deploy job with reusable workflow
---
 .github/workflows/ci.yml | 100 +++++---------------------------------
 1 file changed, 11 insertions(+), 89 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3764ade..02c3b68 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,94 +34,16 @@ jobs:
 pip install -U pip
 pip install -U .

- package-deploy:
- name: Build the Python package, and deploy if needed
+ deploy:
+ name: Build and deploy ledgerblue package
 runs-on: public-ledgerhq-shared-small
 needs: build_install
- permissions:
- id-token: write
- attestations: write
- contents: write
-
- steps:
- - name: Clone
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
-
- - name: Install dependencies
- run: |
- # Needed to workaround this bug https://github.com/pypa/setuptools/issues/4759
- # To be removed when it's fixed
- pip install -U packaging
-
- python -m pip install pip --upgrade
- pip install build twine
-
- - name: Build the Python package
- run: |
- python -m build
- twine check dist/*
- echo "TAG_VERSION=$(python -c 'from ledgerblue import __version__; print(__version__)')" >> "$GITHUB_ENV"
-
- - name: Display current status
- run: |
- echo "Current status is:"
- if [[ ${{ github.ref }} == "refs/tags/"* ]];
- then
- echo "- Triggered from tag, will be deployed on pypi.org";
- else
- echo "- Not triggered from tag, will be deployed on test.pypi.org";
- fi
- echo "- Tag version: ${{ env.TAG_VERSION }}";
-
- - name: Publish Python package on pypi.org
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- run: python -m twine upload dist/*
- env:
- TWINE_USERNAME: __token__
- TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN }}
- TWINE_NON_INTERACTIVE: 1
-
- - name: Login to Ledger Artifactory
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- timeout-minutes: 10
- id: jfrog-login
- uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
-
- - name: Publish Python package on Ledger Artifactory
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- run: python -m twine upload dist/*
- env:
- TWINE_REPOSITORY_URL: https://jfrog.ledgerlabs.net/artifactory/api/pypi/embedded-apps-pypi-prod-green
- TWINE_USERNAME: ${{ steps.jfrog-login.outputs.oidc-user }}
- TWINE_PASSWORD: ${{ steps.jfrog-login.outputs.oidc-token }}
- TWINE_NON_INTERACTIVE: 1
-
- - name: Generate library build attestations
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- timeout-minutes: 10
- uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
- with:
- subject-path: dist/*
-
- - name: Sign library artifacts
- if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
- timeout-minutes: 10
- uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
- with:
- path: dist
-
- - name: Publish a release on the repo
- if: |
- success() &&
- github.event_name == 'push' &&
- startsWith(github.ref, 'refs/tags/')
- uses: "marvinpinto/action-automatic-releases@latest"
- with:
- automatic_release_tag: "v${{ env.TAG_VERSION }}"
- repo_token: "${{ secrets.GITHUB_TOKEN }}"
- prerelease: false
- files: |
- LICENSE
- dist/
+ uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_pypi_deployment.yml@v1
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ with:
+ package_name: ledgerblue
+ jfrog_deployment: true
+ release: true
+ publish: true
+ secrets:
+ pypi_token: ${{ secrets.PYPI_PUBLIC_API_TOKEN }}
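Review bot: The new `deploy` job drops the job-level `permissions:` block, and a called reusable workflow can only narrow the caller's `GITHUB_TOKEN` permissions, never widen them. With `jfrog_deployment: true` and `release: true` the callee presumably still needs OIDC and release rights, so unless a workflow-level `permissions:` exists above line 34 (outside this hunk) the job will either fail at startup or depend on the repository's default token scope; I would keep `id-token: write`, `attestations: write` and `contents: write` declared explicitly on this job. Separately, `@v1` is a mutable tag and this call hands over `secrets.PYPI_PUBLIC_API_TOKEN`, so pinning to `reusable_pypi_deployment.yml@<full-commit-sha>  # v1` keeps the code that receives the token from changing without review. Note also that the job-level `if:` means the build and `twine check` no longer run on non-tag events, so packaging errors would surface only at release time.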