[refactor] - modernized the go-sdk hmy release workflow: added validated tag-based/manual releases, ARM64 builds, direct GPG signing, GitHub CLI release publishing, pinned actions, reduced checkout scope, and removed deprecated release actions. #311
Merged
mur-me merged 4 commits on Jun 30, 2026
…ith darwin, it is not supported by github ci now, add ubuntu arm runner, fix zizmor autofixable issues
…parse checkout to get exactly one file
GheisMohammadi
approved these changes
Jun 30, 2026
Summary
Modernized the hmy release workflow and aligned it with the newer Harmony release flow.

This PR simplifies the release process, removes deprecated release actions, adds Linux ARM64 support, removes the old macOS Intel release path, and hardens the workflow with pinned actions, explicit tag handling, direct GPG signing, GitHub CLI release publishing, and cleaner dependency checkout behavior.
TL;DR:

    flowchart LR
        BEFORE["Before<br/>latest tag lookup<br/>deprecated release actions<br/>third-party GPG import<br/>macOS Intel artifact<br/>amd64-focused flow"]
        AFTER["Now<br/>resolved tag flow<br/>gh release create<br/>native gpg signing<br/>Linux amd64 + arm64<br/>pinned actions<br/>minimal permissions"]
        BEFORE --> AFTER

Testing runs
What was done
v* tags.
workflow_dispatch with a required tag input.
amd64
arm64
ubuntu-24.04-arm.
hmy-darwin-x86_64 artifact download/signing path.
scripts/setup_bls_build_flags.sh
actions/create-release@v1
actions/upload-release-asset@v1
gh release create
crazy-max/ghaction-import-gpg.
gpg.
hmy asset name from the Linux amd64 binary.

Zizmor / workflow security
The workflow was reviewed with zizmor-style GitHub Actions hardening in mind.

The main security improvements are:
permissions: {} where appropriate

This makes the release workflow easier to audit and reduces the attack surface around signing keys and release publishing.
Why this is better
amd64 and arm64 binaries are built in the same release flow.
zizmor expectations in mind.

Expected release assets
The previous hmy-darwin-x86_64 release asset is no longer produced by this workflow.
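
An added example, not code from this PR or from the project's workflow: a release step in the shape the description outlines (resolved and validated tag, native gpg signing, publishing with gh release create). The INPUT_TAG variable, the accepted tag format and the asset paths are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow. Assumed names: INPUT_TAG (set in the
# step's env from the workflow_dispatch `tag` input, not pasted into the script
# text) and the asset paths passed as arguments.
# GITHUB_REF_TYPE and GITHUB_REF_NAME are standard GitHub Actions variables.

# Tag pushes use the pushed ref name; manual runs use the required input.
resolve_tag() {
  if [ "$1" = "tag" ]; then printf '%s\n' "$2"; else printf '%s\n' "$3"; fi
}

# Allowlist first: rejects empty values and anything containing spaces, quotes,
# `$`, `;` or newlines. grep alone matches per line, so a value such as
# "v1.0.0<newline>junk" would otherwise pass.
# The vMAJOR.MINOR.PATCH[-suffix] shape is an assumed convention.
validate_tag() {
  case "$1" in
    '' | *[!0-9A-Za-z.-]*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'
}

# Detached ASCII-armored signature made with the gpg binary on the runner; the
# signing key is expected to be in the keyring already.
sign_asset() {
  gpg --batch --yes --armor --output "$1.asc" --detach-sign "$1"
}

release() {
  tag="$(resolve_tag "${GITHUB_REF_TYPE:-}" "${GITHUB_REF_NAME:-}" "${INPUT_TAG:-}")"
  if ! validate_tag "$tag"; then
    echo "refusing to release: invalid tag" >&2
    return 1
  fi
  for asset in "$@"; do
    sign_asset "$asset" || return 1
    set -- "$@" "$asset.asc"   # publish each signature next to its binary
  done
  # --verify-tag aborts if the tag does not already exist in the remote repository.
  gh release create "$tag" --verify-tag --title "$tag" --generate-notes "$@"
}

# Run only when asset paths are given, e.g. ./release.sh ./hmy
if [ "$#" -gt 0 ]; then
  release "$@"
fi
```
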