hashgraph · PavelSBorisov · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
@@ -0,0 +1,105 @@
+# SPDX-License-Identifier: Apache-2.0
+name: "000: [USER] Official Release"
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry-run-enabled:
+        description: "Perform Dry Run"
+        type: boolean
+        required: false
+        default: false
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+
+
+jobs:
+  publish:
+    name: Publish Official Release of Hedera Transaction Tool
+    # MacOS runner for future compatibility (when frontend builds get added to semantic release)
+    runs-on: macos-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout Code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          token: ${{ secrets.GH_ACCESS_TOKEN }}
+
+      - name: Install GnuPG Tools
+        run: brew install gnupg
+
+      - name: Import GPG Key
+        id: gpg
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
+        with:
+          git_commit_gpgsign: true
+          git_user_signingkey: true
+          git_tag_gpgsign: false
+          git_config_global: true
+          gpg_private_key: ${{ secrets.GPG_KEY_CONTENTS }}
+          passphrase: ${{ secrets.GPG_KEY_PASSPHRASE }}
+
+      - name: Setup Node
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: 22
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        with:
+          version: latest
+
+      - name: Setup Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: "v3.12.3"
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # 3.5.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Semantic Release
+        if: ${{ github.event_name == 'workflow_dispatch' && !cancelled() && !failure() }}
+        run: |
+          npm install -g semantic-release@24.2.0 @semantic-release/git@10.0.1 @semantic-release/github@11.0.1 \
+            @semantic-release/exec@6.0.3 semantic-release-helm3@2.9.3 \
+            conventional-changelog-conventionalcommits@8.0.0 \
+            @commitlint/cli@19.5.0 @commitlint/config-conventional@19.5.0 \
+            marked-mangle@1.1.10 marked-gfm-heading-id@4.1.1 semantic-release-conventional-commits@3.0.0
+
+      # Both actual and dry-run semantic-release will output the new version
+      # in the logs but actual release should also publish a tag&release on GitHub
+      # The helm charts are published to the GitHub artifact registry
+      # as part of the release process (configured in .releaserc)
+      - name: Run Semantic Release
+        if: ${{ !cancelled() && !failure() }}
+        env:
+          GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
+          GIT_AUTHOR_NAME: ${{ steps.gpg.outputs.name}}
+          GIT_AUTHOR_EMAIL: ${{ steps.gpg.outputs.email}}
+          GIT_COMMITTER_NAME: ${{ steps.gpg.outputs.name}}
+          GIT_COMMITTER_EMAIL: ${{ steps.gpg.outputs.email}}
+        run: |
+          if [[ "${{ inputs.dry-run-enabled }}" == "true" ]]; then
+            echo "Dry Running semantic-release now..."
+            npx semantic-release --dry-run
+          else
+            echo "Running semantic-release now..."
+            npx semantic-release --debug
+          fi
@@ -0,0 +1,57 @@
+# SPDX-License-Identifier: Apache-2.0
+name: "001: [FLOW] PR Formatting"
+on:
+  pull_request_target:
+    types:
+      - assigned
+      - unassigned
+      - labeled
+      - unlabeled
+      - opened
+      - reopened
+      - edited
+      - converted_to_draft
+      - ready_for_review
+      - review_requested
+      - review_request_removed
+      - locked
+      - unlocked
+      - synchronize
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  statuses: write
+
+jobs:
+  title-check:
+    name: Title Check
+    runs-on: network-node-linux-medium
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: Check PR Title
+        uses: step-security/action-semantic-pull-request@bc0cf74f5be4ce34accdec1ae908dff38dc5def1 # v6.1.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
+
+  assignee-check:
+    name: Assignee Check
+    runs-on: network-node-linux-medium
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: Check Assignee
+        if: ${{ github.event.pull_request.assignees == null || github.event.pull_request.assignees[0] == null }}
+        run: |
+          echo "Assignee is not set. Failing the workflow."
+          exit 1
@@ -1,16 +1,16 @@
-name: Create and publish Transaction Tool Docker images
+name: "300: [FLOW] Docker Images"
 
 on:
-    push:
-        tags:
-          - 'v*'
-    workflow_dispatch:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
 
 permissions:
-    contents: read
-    packages: write
-    attestations: write
-    id-token: write
+  contents: read
+  packages: write
+  attestations: write
+  id-token: write
 
 env:
   REGISTRY: ghcr.io

@@ -1,4 +1,4 @@
-name: Test Backend
+name: "301: [FLOW] Test Backend"
 
 on:
   push:

@@ -1,4 +1,4 @@
-name: Test Frontend
+name: "302: [FLOW] Test Frontend"
 
 on:
   push:

@@ -0,0 +1,104 @@
+{
+  "plugins": [
+    [
+      "@semantic-release/commit-analyzer",
+      {
+        "preset": "conventionalcommits"
+      }
+    ],
+    [
+      "@semantic-release/release-notes-generator",
+      {
+        "preset": "conventionalcommits"
+      }
+    ],
+    [
+      "semantic-release-helm3",
+      {
+        "chartPath": "./charts/transaction-tool"
+      }
+    ],
+    "@semantic-release/git",
+    "@semantic-release/github"
+  ],
+  "verifyRelease": [
+    [
+      "@semantic-release/exec",
+      { "cmd": "echo 'Release version: ${nextRelease.version}'" }
+    ]
+  ],
+  "prepare": [
+    [
+      "semantic-release-helm3",
+      {
+        "chartPath": "./charts/transaction-tool"
+      }
+    ],
+    [
+      "@semantic-release/git",
+      {
+        "assets": [
+          "charts/transaction-tool/Chart.yaml"
+        ],
+        "message": "chore(release): ${nextRelease.version} [skip ci]\n\nSigned-off-by: Hedera Automation <hedera-eng-automation@swirldslabs.com>"
+      }
+    ]
+  ],
+  "publish": [
+    [
+      "@semantic-release/exec",
+      { "cmd": "helm dependency update charts/transaction-tool" }
+    ],
+    [
+      "@semantic-release/exec",
+      { "cmd": "helm package charts/transaction-tool" }
+    ],
+    [
+      "@semantic-release/exec",
+      { "cmd": "helm push transaction-tool-${nextRelease.version}.tgz oci://ghcr.io/hashgraph/transaction-tool" }
+    ],
+    [
+      "@semantic-release/github",
+      {
+        "assets": [
+          {
+            "path": "transaction-tool-*.tgz"
+          }
+        ]
+      }
+    ]
+  ],
+  "branches":[
+    {
+      "name": "main"
+    },
+    {
+      "name": "release/([0-9]+).([0-9]+)",
+      "channel": "${name.replace(/release\\//g, '').split('.')[0]}.${name.replace(/release\\//g, '').split('.')[1]}.x",
+      "range": "${name.replace(/release\\//g, '').split('.')[0]}.${name.replace(/release\\//g, '').split('.')[1]}.x"
+    },
+    {
+      "name": "alpha/*",
+      "prerelease": "alpha",
+      "channel": "alpha"
+    },
+    {
+      "name": "ci/*",
+      "prerelease": "alpha",
+      "channel": "alpha"
+    },
+    {
+      "name": "beta/*",
+      "prerelease": "beta",
+      "channel": "beta"
+    },
+    {
+      "name": "rc/*",
+      "prerelease": "rc",
+      "channel": "rc"
+    },
+    {
+      "name": "resd-455"
+    }
+  ]
+}