LedgerHQ · mbrousset-ledger · Jan 15, 2026 · Jan 14, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -34,94 +34,16 @@
         pip install -U pip
         pip install -U .
 
-  package-deploy:
-    name: Build the Python package, and deploy if needed
+  deploy:
+    name: Build and deploy ledgerblue package
     runs-on: public-ledgerhq-shared-small
     needs: build_install
-    permissions:
-      id-token: write
-      attestations: write
-      contents: write
-
-    steps:
-    - name: Clone
-      uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-
-    - name: Install dependencies
-      run: |
-        # Needed to workaround this bug https://github.com/pypa/setuptools/issues/4759
-        # To be removed when it's fixed
-        pip install -U packaging
-
-        python -m pip install pip --upgrade
-        pip install build twine
-
-    - name: Build the Python package
-      run: |
-        python -m build
-        twine check dist/*
-        echo "TAG_VERSION=$(python -c 'from ledgerblue import __version__; print(__version__)')" >> "$GITHUB_ENV"
-
-    - name: Display current status
-      run: |
-        echo "Current status is:"
-        if [[ ${{ github.ref }} == "refs/tags/"* ]];
-        then
-            echo "- Triggered from tag, will be deployed on pypi.org";
-        else
-            echo "- Not triggered from tag, will be deployed on test.pypi.org";
-        fi
-        echo "- Tag version: ${{ env.TAG_VERSION }}";
-
-    - name: Publish Python package on pypi.org
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      run: python -m twine upload dist/*
-      env:
-        TWINE_USERNAME: __token__
-        TWINE_PASSWORD: ${{ secrets.PYPI_PUBLIC_API_TOKEN  }}
-        TWINE_NON_INTERACTIVE: 1
-
-    - name: Login to Ledger Artifactory
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      timeout-minutes: 10
-      id: jfrog-login
-      uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1
-
-    - name: Publish Python package on Ledger Artifactory
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      run: python -m twine upload dist/*
-      env:
-        TWINE_REPOSITORY_URL: https://jfrog.ledgerlabs.net/artifactory/api/pypi/embedded-apps-pypi-prod-green
-        TWINE_USERNAME: ${{ steps.jfrog-login.outputs.oidc-user }}
-        TWINE_PASSWORD: ${{ steps.jfrog-login.outputs.oidc-token }}
-        TWINE_NON_INTERACTIVE: 1
-
-    - name: Generate library build attestations
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      timeout-minutes: 10
-      uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
-      with:
-        subject-path: dist/*
-
-    - name: Sign library artifacts
-      if: success() && github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
-      timeout-minutes: 10
-      uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
-      with:
-        path: dist
-
-    - name: Publish a release on the repo
-      if: |
-        success() &&
-        github.event_name == 'push' &&
-        startsWith(github.ref, 'refs/tags/')
-      uses: "marvinpinto/action-automatic-releases@latest"
-      with:
-        automatic_release_tag: "v${{ env.TAG_VERSION }}"
-        repo_token: "${{ secrets.GITHUB_TOKEN }}"
-        prerelease: false
-        files: |
-          LICENSE
-          dist/
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_pypi_deployment.yml@v1
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    with:
+      package_name: ledgerblue
+      jfrog_deployment: true
+      release: true
+      publish: true
+    secrets:
+      pypi_token: ${{ secrets.PYPI_PUBLIC_API_TOKEN }}