[Release|CI/CD] adjust release pipelines (#6366)

This PR contains adjustments to the release pipelines. 
- RC Automation and Branchoff pipelines now use the PGPKMS key generated
by the release team to sign related commits directly in the Github flow
- RC Automation does not use old tagging action. Instead, it creates a
tag and pushes it using git
- RC binary is going to be done on the larger github runners setup in
the` paritytech-release` org

Closes: paritytech/release-engineering#233

.github/scripts/common/lib.sh

@@ -306,9 +306,10 @@ function import_gpg_keys() {
   EGOR="E6FC4D4782EB0FA64A4903CCDB7D3555DD3932D3"
   MORGAN="2E92A9D8B15D7891363D1AE8AF9E6C43F7F8C4CF"
   PARITY_RELEASES="90BD75EBBB8E95CB3DA6078F94A4029AB4B35DAE"
+  PARITY_RELEASES_SIGN_COMMITS="D8018FBB3F534D866A45998293C5FB5F6A367B51"
 
   echo "Importing GPG keys from $GPG_KEYSERVER"
-  for key in $SEC $EGOR $MORGAN $PARITY_RELEASES; do
+  for key in $SEC $EGOR $MORGAN $PARITY_RELEASES $PARITY_RELEASES_SIGN_COMMITS; do
     (
       echo "Importing GPG key $key"
       gpg --no-tty --quiet --keyserver $GPG_KEYSERVER --recv-keys $key

.github/workflows/release-10_rc-automation.yml

@@ -23,12 +23,46 @@ jobs:
           - name: "RelEng: Polkadot Release Coordination"
             room: '!cqAmzdIcbOFwrdrubV:parity.io'
     environment: release
+    env:
+      PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
+      PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
 
     steps:
+      - name: Install pgpkkms
+        run: |
+          # Install pgpkms that is used to sign commits
+          pip install git+https://github.com/paritytech-release/pgpkms.git@5a8f82fbb607ea102d8c178e761659de54c7af69
+
+      - name: Generate content write token for the release automation
+        id: generate_write_token
+        uses: actions/create-github-app-token@v1
+        with:
+            app-id: ${{ vars.RELEASE_AUTOMATION_APP_ID }}
+            private-key: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
+            owner: paritytech-release
+
       - name: Checkout sources
         uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           fetch-depth: 0
+          token: ${{ steps.generate_write_token.outputs.token }}
+
+      - name: Import gpg keys
+        run: |
+          . ./.github/scripts/common/lib.sh
+
+          import_gpg_keys
+
+      - name: Config git
+        run: |
+          git config --global commit.gpgsign true
+          git config --global gpg.program /home/runner/.local/bin/pgpkms-git
+          git config --global user.name "ParityReleases"
+          git config --global user.email "release-team@parity.io"
+          git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"
 
       - name: Compute next rc tag
         # if: ${{ steps.get_rel_product.outputs.product == 'polkadot' }}
@@ -58,13 +92,12 @@ jobs:
           fi
 
       - name: Apply new tag
-        uses: tvdias/github-tagger@ed7350546e3e503b5e942dffd65bc8751a95e49d # v0.0.2
-        with:
-          # We can't use the normal GITHUB_TOKEN for the following reason:
-          # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
-          # RELEASE_BRANCH_TOKEN requires public_repo OAuth scope
-          repo-token: "${{ secrets.RELEASE_BRANCH_TOKEN }}"
-          tag: ${{ steps.compute_tag.outputs.new_tag }}
+        env:
+          GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
+          RC_TAG: ${{ steps.compute_tag.outputs.new_tag }}
+        run: |
+         git tag -s $RC_TAG -m "new rc tag $RC_TAG"
+         git push origin $RC_TAG
 
       - name: Send Matrix message to ${{ matrix.channel.name }}
         uses: s3krit/matrix-message-action@70ad3fb812ee0e45ff8999d6af11cafad11a6ecf # v0.0.3

.github/workflows/release-branchoff-stable.yml

@@ -13,13 +13,7 @@ on:
         required: true
 
 jobs:
-  check-workflow-can-run:
-    uses: paritytech-release/sync-workflows/.github/workflows/check-syncronization.yml@main
-
-
   prepare-tooling:
-    needs: [check-workflow-can-run]
-    if: needs.check-workflow-can-run.outputs.checks_passed == 'true'
     runs-on: ubuntu-latest
     outputs:
       node_version: ${{ steps.validate_inputs.outputs.node_version }}
@@ -45,7 +39,7 @@ jobs:
     runs-on: ubuntu-latest
     environment: release
     env:
-      PGP_KMS_KEY: ${{ secrets.PGP_KMS_KEY }}
+      PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
       PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -58,32 +52,42 @@ jobs:
           # Install pgpkms that is used to sign commits
           pip install git+https://github.com/paritytech-release/pgpkms.git@5a8f82fbb607ea102d8c178e761659de54c7af69
 
+      - name: Generate content write token for the release automation
+        id: generate_write_token
+        uses: actions/create-github-app-token@v1
+        with:
+            app-id: ${{ vars.RELEASE_AUTOMATION_APP_ID }}
+            private-key: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
+            owner: paritytech-release
+
       - name: Checkout sources
         uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           ref: master
+          token: ${{ steps.generate_write_token.outputs.token }}
 
       - name: Import gpg keys
         run: |
           . ./.github/scripts/common/lib.sh
 
           import_gpg_keys
 
-
       - name: Config git
         run: |
           git config --global commit.gpgsign true
           git config --global gpg.program /home/runner/.local/bin/pgpkms-git
           git config --global user.name "ParityReleases"
           git config --global user.email "release-team@parity.io"
-          git config --global user.signingKey "90BD75EBBB8E95CB3DA6078F94A4029AB4B35DAE"
+          git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"
 
       - name: Create stable branch
         run: |
           git checkout -b "$STABLE_BRANCH_NAME"
           git show-ref "$STABLE_BRANCH_NAME"
 
       - name: Bump versions, reorder prdocs and push stable branch
+        env:
+          GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
         run: |
           . ./.github/scripts/release/release_lib.sh
 
@@ -101,4 +105,6 @@ jobs:
 
           reorder_prdocs $STABLE_BRANCH_NAME
 
+          gh auth setup-git
+
           git push origin "$STABLE_BRANCH_NAME"

.github/workflows/release-build-rc.yml

@@ -55,6 +55,10 @@ jobs:
       AWS_DEFAULT_REGION:  ${{ secrets.AWS_DEFAULT_REGION }}
       AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
       AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
 
   build-polkadot-parachain-binary:
     needs: [validate-inputs]
@@ -72,3 +76,7 @@ jobs:
       AWS_DEFAULT_REGION:  ${{ secrets.AWS_DEFAULT_REGION }}
       AWS_RELEASE_ACCESS_KEY_ID: ${{ secrets.AWS_RELEASE_ACCESS_KEY_ID }}
       AWS_RELEASE_SECRET_ACCESS_KEY: ${{ secrets.AWS_RELEASE_SECRET_ACCESS_KEY }}
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read

.github/workflows/release-reusable-rc-buid.yml

@@ -58,7 +58,7 @@ jobs:
 
   build-rc:
     needs: [set-image]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-m
     environment: release
     container:
       image: ${{ needs.set-image.outputs.IMAGE }}