.github/workflows/snapshot_release.yml

name: "[Release] Snapshot Release"
on:
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
    inputs:
      ref:
        description: The base branch to publish a snapshot release from
        required: false
        default: "develop"
      tag:
        description: Snapshot version name
        required: false
        default: "develop"

env:
  FORCE_COLOR: "1"
  REF: ${{ inputs.ref }}
  TAG: ${{ inputs.tag }}
  # NPM_REGISTRY: jfrog.ledgerlabs.net/artifactory/api/npm/ldk-npm-prod-public

permissions:
  id-token: write
  contents: write
  pull-requests: write
  # Need to attest artifacts
  attestations: write

jobs:
  snapshot:
    runs-on: ledgerhq-device-sdk
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ env.REF }}

      - uses: LedgerHQ/device-sdk-ts/.github/actions/setup-toolchain-composite@develop

      - name: Build libraries
        run: pnpm build:libs

      - name: Login to internal JFrog registry
        id: jfrog-login
        uses: LedgerHQ/actions-security/actions/jfrog-login@actions/jfrog-login-1

      # - name: Setup npm config for JFrog
      #   env:
      #     NPM_REGISTRY_TOKEN: ${{ steps.jfrog-login.outputs.oidc-token }}
      #   run: |
      #     cat << EOF | tee .npmrc
      #     enable-pre-post-scripts=true
      #     registry=https://${NPM_REGISTRY}/
      #     //${NPM_REGISTRY}/:_authToken=${NPM_REGISTRY_TOKEN}
      #     EOF

      - name: Create dist directory to store tarball
        run: mkdir -p dist

      - name: create .npmrc
        run: |
          cat << EOF > "$HOME/.npmrc"
            //registry.npmjs.org/:_authToken=${NPM_TOKEN}
          EOF
        env:
          NPM_TOKEN: ${{ secrets.NPMJS_TOKEN }}

      - name: Create and publish snapshot release version
        id: changesets
        run: |
          pnpm bump --snapshot ${{ env.TAG }}
          pnpm release --snapshot --no-git-tag --tag ${{ env.TAG }}
        env:
          GITHUB_TOKEN: ${{ secrets.CI_BOT_TOKEN }}

      - name: Attest tarball
        if: steps.changesets.conclusion == 'success'
        uses: LedgerHQ/actions-security/actions/attest@actions/attest-1
        with:
          subject-path: ./dist

       # The action currently doesn't support pushing the blob to the registry
      - name: Sign tarball
        if: steps.changesets.conclusion == 'success'
        uses: LedgerHQ/actions-security/actions/sign-blob@actions/sign-blob-1
        with:
          path: ./dist