[refactor] - modernized the go-sdk hmy release workflow: added validated tag-based/manual releases, ARM64 builds, direct GPG signing, GitHub CLI release publishing, pinned actions, reduced checkout scope, and removed deprecated release actions.#311

Merged: mur-me merged 4 commits into harmony-one:master from mur-me:refactor/make-release-job-great-again on Jun 30, 2026

Conversation

mur-me (Collaborator) commented Jun 29, 2026

Summary

Modernized the hmy release workflow and aligned it with the newer Harmony release flow.

This PR simplifies the release process, removes deprecated release actions, adds Linux ARM64 support, removes the old macOS Intel release path, and hardens the workflow with pinned actions, explicit tag handling, direct GPG signing, GitHub CLI release publishing, and cleaner dependency checkout behavior.

TL;DR:

```mermaid
flowchart LR
    BEFORE["Before<br/>latest tag lookup<br/>deprecated release actions<br/>third-party GPG import<br/>macOS Intel artifact<br/>amd64-focused flow"]
    AFTER["Now<br/>resolved tag flow<br/>gh release create<br/>native gpg signing<br/>Linux amd64 + arm64<br/>pinned actions<br/>minimal permissions"]

    BEFORE --> AFTER
```

Testing runs

What was done

  • Added support for release runs from pushed v* tags.
  • Added manual release execution through workflow_dispatch with a required tag input.
  • Added a shared release tag resolution step.
  • Added strict release tag validation.
  • Added annotated tag validation before build/release publishing.
  • Replaced “latest tag” lookup with the resolved release tag.
  • Added Linux build matrix for:
    • amd64
    • arm64
  • Added GitHub-hosted ARM64 runner support with ubuntu-24.04-arm.
  • Disabled Go cache for release builds.
  • Removed the old macOS Intel release runner/job.
  • Removed the old hmy-darwin-x86_64 artifact download/signing path.
  • Reduced Harmony dependency checkout to only the required helper file:
    • scripts/setup_bls_build_flags.sh
  • Used sparse checkout for the Harmony helper file.
  • Used shallow checkouts for dependency repositories.
  • Replaced deprecated release actions:
    • removed actions/create-release@v1
    • removed actions/upload-release-asset@v1
  • Replaced GitHub release creation and asset upload with GitHub CLI:
    • gh release create
  • Removed crazy-max/ghaction-import-gpg.
  • Imported the GPG private key directly with native gpg.
  • Exported the public release signing key as a release asset.
  • Added detached GPG signatures for release binaries.
  • Added SHA256 checksum generation for release binaries.
  • Created release pages as draft releases.
  • Preserved legacy hmy asset name from the Linux amd64 binary.
  • Pinned GitHub Actions by full commit SHA.
  • Applied minimal workflow/job permissions.

Zizmor / workflow security

The workflow was reviewed with zizmor-style GitHub Actions hardening in mind.

The main security improvements are:

  • top-level permissions: {} where appropriate
  • minimal job-level permissions
  • full SHA pinning for GitHub Actions
  • removal of deprecated release actions
  • removal of third-party GPG import action
  • reduced checkout scope through sparse checkout
  • release signing isolated to the release publishing job
  • no Go cache in release builds

This makes the release workflow easier to audit and reduces the attack surface around signing keys and release publishing.

Why this is better

  • The release flow is now more deterministic.
  • Release jobs use the resolved release tag instead of guessing the latest tag.
  • The workflow supports both automatic tag releases and manual release testing.
  • Linux amd64 and arm64 binaries are built in the same release flow.
  • Deprecated GitHub release actions are removed.
  • GPG signing no longer depends on a third-party import action.
  • The old macOS Intel release path is removed from this workflow.
  • The release job produces clear assets, checksums, signatures, and a public signing key.
  • The workflow is easier to test, review, and operate.
  • Reviewed workflow hardening with zizmor expectations in mind.

Expected release assets

The previous hmy-darwin-x86_64 release asset is no longer produced by this workflow.
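The tag-resolution and validation steps the description lists (push of a `v*` tag or a `workflow_dispatch` tag input, strict tag format, annotated-tag check before publishing) as an added, stand-alone shell example; this is not the PR's workflow code, and the function names, the semver-style pattern and the use of `GITHUB_EVENT_NAME`/`GITHUB_REF` as inputs are assumptions.

```shell
#!/bin/sh
# Added example, not the go-sdk release workflow itself. Illustrates the
# "resolved tag" approach: one shared step decides the release tag from the
# triggering event, then strict checks gate the build and publish jobs.

# Resolve the release tag from the trigger.
#   $1 = GITHUB_EVENT_NAME  (push | workflow_dispatch)
#   $2 = GITHUB_REF         (refs/tags/<tag> on a tag push)
#   $3 = workflow_dispatch "tag" input (empty on push)
resolve_release_tag() {
  case "$1" in
    push)              printf '%s\n' "${2#refs/tags/}" ;;
    workflow_dispatch) [ -n "$3" ] && printf '%s\n' "$3" ;;
    *)                 return 1 ;;
  esac
}

# Strict release tag validation (assumed pattern): v<major>.<minor>.<patch>
# with an optional -prerelease suffix. Anything else, including shell
# metacharacters or a bare "latest", is rejected before it reaches a build.
validate_release_tag() {
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'
}

# Require an annotated tag: lightweight tags resolve straight to a commit,
# annotated tags are "tag" objects carrying tagger, date and message.
# Needs a checked-out repository with the tag fetched.
require_annotated_tag() {
  [ "$(git cat-file -t "refs/tags/$1" 2>/dev/null)" = "tag" ]
}

# Gate used by the build/release jobs: fail fast on any check.
check_release_tag() {
  tag=$(resolve_release_tag "$1" "$2" "$3") || return 1
  validate_release_tag "$tag" || return 1
  require_annotated_tag "$tag" || return 1
  printf '%s\n' "$tag"
}
```

`check_release_tag "$GITHUB_EVENT_NAME" "$GITHUB_REF" "${INPUT_TAG:-}"` is the intended call from a workflow step; the annotated-tag check needs git and the fetched tag, so it is left out of the offline assertions.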

@mur-me mur-me changed the title Refactor/make release job great again [refactor] - modernized the go-sdk hmy release workflow: added validated tag-based/manual releases, ARM64 builds, direct GPG signing, GitHub CLI release publishing, pinned actions, reduced checkout scope, and removed deprecated release actions. Jun 29, 2026
@mur-me mur-me marked this pull request as ready for review June 29, 2026 16:21
@mur-me mur-me requested review from Frozen and GheisMohammadi June 29, 2026 16:21
@mur-me mur-me merged commit 18f3451 into harmony-one:master Jun 30, 2026
1 check passed
@mur-me mur-me deleted the refactor/make-release-job-great-again branch June 30, 2026 14:59