ci(security:PLA-1612): harden release supply chain

[0x666c6f]

Summary

• Restrict release publishing to semver-like tag pushes guarded by the release environment.
• Re-enable CLI binary checksum verification before install-time chmod.
• Block benchmark runs from fork PR heads before privileged runner checkout.

Changes

• Remove morpho-main branch publish paths from release Docker/image publishing.
• Validate release tags from GITHUB_REF_NAME and keep GoReleaser/npm/Docker publishing behind release environment gates.
• Add workflow policy tests and run them in the security CI job.

Linear

• PLA-1612: https://linear.app/morpho-labs/issue/PLA-1612/harden-erpc-ci-release-publishing-and-cli-install-supply-chain

[devin-ai-integration]

Devin Review found 1 potential issue.

View 1 additional finding in Devin Review.

[Copilot]

Pull request overview

This PR hardens the release workflow by switching release publishing to be tag-triggered (semver tags) instead of relying on morpho-main commit messages, and by gating release-related Docker publishing/attestations on tag refs.

Changes:

• Change workflow trigger to run on push events for *.*.* tags rather than morpho-main branch pushes.
• Validate the release tag and remove workflow self-tagging (force-push tag creation).
• Gate Docker release images, manifests, and attestations on tag refs (replacing commit-message-based release detection).

Comments suppressed due to low confidence (3)

.github/workflows/release.yml:376

• The docker build job now runs on tag refs, but this version extraction still parses the commit message. On tag pushes, github.event.head_commit.message may not contain release X.Y.Z, leading to an empty steps.version.outputs.VERSION and incorrectly tagged images/build args. Prefer using GITHUB_REF_NAME (tag name) and validate it as semver, similar to the release job.

        if: "github.ref_type == 'tag'"
        env:
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')

.github/workflows/release.yml:564

• The arm64 docker build job is gated on tag refs, but this version extraction still parses the commit message. On tag pushes this can produce an empty steps.version.outputs.VERSION and propagate a blank VERSION into build args and tags. Use GITHUB_REF_NAME and validate it instead.

        if: "github.ref_type == 'tag'"
        env:
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')

.github/workflows/release.yml:735

• The manifest job is now tag-gated, but the version step still derives VERSION from the commit message. This will likely be empty on tag pushes and will break or mis-tag the release manifests (steps.version.outputs.VERSION). Use the pushed tag name (GITHUB_REF_NAME) and validate it.

        if: "github.ref_type == 'tag'"
        env:
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 36220406d9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".