add reusable_deployment_npm.yml (build + jfrog login) #174
Conversation
mbrousset-ledger
commented
Dec 22, 2025
mbrousset-ledger
commented
- reusable workflow to deploy npm package on jfrog
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| jobs: | ||
| package_and_deploy: | ||
| name: Build and deploy a npm Package | ||
| runs-on: public-ledgerhq-shared-small |
Check failure
Code scanning / octoscan
label "public-ledgerhq-shared-small" is non default and might be a self-hosted runner. Error
| description: If the npm package should be pushed on Ledger Jfrog or not. | ||
| Ignored if `publish` is `false`. |
There was a problem hiding this comment.
so how can I publish on Jfrog but not on npm ?
There was a problem hiding this comment.
Initially I thought it would be possible as reusable_pypi_deployment.yml has two separate parameters to handle package deployment : jfrog_deployment and publish. Looks like there is no underlying logic using these parameters to deploy on jfrog and avoid publishing on pypi.
I let @AEnguerrand confirm but i don't think it is possible.
There was a problem hiding this comment.
At first it would good to understand if we need this use case when we publish on JFrog and not on npmjs.
For @ledgerhq/ledger-bitcoin we do not seem to need it.
If we do finally then we may consider using 2 different registries for it: green and public ones.
Today the logic in this script checks if a package is already present and it it is then it does not push at all.
Nevertheless I do not understand why this run has pushed @ledgerhq/ledger-bitcoin to JFrogh, but not to https://www.npmjs.com/search?q=%40ledgerhq%2Fledger-bitcoin. Could you explain ?
Also, the mention of publish parameter should be removed from the description if it is not used anymore.
There was a problem hiding this comment.
I do agree with your suggestion (having green and public registries), especially since this reusable workflow has a parameter to specify on which registry the package should be pushed.
There was a problem hiding this comment.
I'm not sure why it wasn't published on npmjs.com, i'm wondering if @AEnguerrand enabled jfrog/npmjs sync ?
|
@mbrousset-ledger |
mbrousset-ledger
force-pushed
the
mbr/reusable-workflow-jfrog-npm
branch
2 times, most recently
from
a81c4bf to
0f54d62
Compare
mbrousset-ledger
force-pushed
the
mbr/reusable-workflow-jfrog-npm
branch
from
0f54d62 to
01024b8
Compare
| jobs: | ||
| package_and_deploy: | ||
| name: Build and deploy a npm Package | ||
| runs-on: public-ledgerhq-shared-small |
Check failure
Code scanning / octoscan
label "public-ledgerhq-shared-small" is non default and might be a self-hosted runner. Error
| description: If the npm package should be pushed on Ledger Jfrog or not. | ||
| Ignored if `publish` is `false`. |
There was a problem hiding this comment.
At first it would good to understand if we need this use case when we publish on JFrog and not on npmjs.
For @ledgerhq/ledger-bitcoin we do not seem to need it.
If we do finally then we may consider using 2 different registries for it: green and public ones.
Today the logic in this script checks if a package is already present and it it is then it does not push at all.
Nevertheless I do not understand why this run has pushed @ledgerhq/ledger-bitcoin to JFrogh, but not to https://www.npmjs.com/search?q=%40ledgerhq%2Fledger-bitcoin. Could you explain ?
Also, the mention of publish parameter should be removed from the description if it is not used anymore.
mbrousset-ledger
force-pushed
the
mbr/reusable-workflow-jfrog-npm
branch
from
951915d to
6ff5f46
Compare
mbrousset-ledger
force-pushed
the
mbr/reusable-workflow-jfrog-npm
branch
from
6ff5f46 to
6abc44e
Compare
…/ledger-app-workflows into mbr/reusable-workflow-jfrog-npm
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
There was a problem hiding this comment.
docs/uage.md should be updated also 😉
|
|
||
| - `reusable_npm_deployment.yml` \ | ||
| This workflow will build, check and deploy an npm package. This workflow is optional and is meant | ||
| to help developers to deploy application npm clients on `Ledger Jfrog` and `npmjs.com`. |
There was a problem hiding this comment.
Seems the workflow only deploy on Ledger Jfrog, no?
