smartcontractkit · HashWrangler · Apr 23, 2026 · Apr 23, 2026
@@ -44,9 +44,7 @@ jobs:
 
       - name: Detect prerelease phase
         id: detect-prerelease-phase
-        if: ${{ steps.release-tag-check.outputs.is-pre-release == 'true' &&
-          (contains(github.ref_name, '-beta.') || contains(github.ref_name,
-          '-rc.')) }}
+        if: ${{ steps.release-tag-check.outputs.is-pre-release == 'true' && (contains(github.ref_name, '-beta.') || contains(github.ref_name, '-rc.')) }}
         shell: bash
         env:
           GIT_TAG: ${{ github.ref_name }}
@@ -91,7 +89,7 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
 
   docker-core:
-    needs: [ checks ]
+    needs: [checks]
     # No need to build the final image as we promote the last RC to use the final tag
     # so we only run the builds for pre-releases.
     if: needs.checks.outputs.is-pre-release == 'true'
@@ -113,8 +111,7 @@ jobs:
       docker-cache-behaviour: "disable"
       docker-manifest-sign: true
       docker-registry-url-override: public.ecr.aws/chainlink
-      github-runner-arm64: ${{ github.repository != 'smartcontractkit/chainlink' &&
-        'ubuntu-24.04-4cores-16GB-ARM' || 'ubuntu-24.04-arm' }}
+      github-runner-arm64: ${{ github.repository != 'smartcontractkit/chainlink' && 'ubuntu-24.04-4cores-16GB-ARM' || 'ubuntu-24.04-arm' }}
       docker-image-tag-strip-prefix: v # strip out the "v" prefix from the git tag for the image tag.
       git-sha: ${{ github.sha }}
       github-event-name: ${{ github.event_name }}
@@ -128,7 +125,7 @@ jobs:
       AWS_LAMBDA_GATI_URL: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
 
   docker-ccip:
-    needs: [ checks ]
+    needs: [checks]
     # No need to build the final image as we promote the last RC to use the final tag
     # so we only run the builds for pre-releases.
     if: needs.checks.outputs.is-pre-release == 'true'
@@ -153,8 +150,7 @@ jobs:
       docker-cache-behaviour: "disable"
       docker-manifest-sign: true
       docker-registry-url-override: public.ecr.aws/chainlink
-      github-runner-arm64: ${{ github.repository != 'smartcontractkit/chainlink' &&
-        'ubuntu-24.04-4cores-16GB-ARM' || 'ubuntu-24.04-arm' }}
+      github-runner-arm64: ${{ github.repository != 'smartcontractkit/chainlink' && 'ubuntu-24.04-4cores-16GB-ARM' || 'ubuntu-24.04-arm' }}
       docker-image-tag-override: ${{ needs.checks.outputs.ccip-image-tag }}
       git-sha: ${{ github.sha }}
       github-event-name: ${{ github.event_name }}
@@ -169,10 +165,9 @@ jobs:
 
   deploy:
     name: "Deploy"
-    needs: [ checks, docker-ccip ]
+    needs: [checks, docker-ccip]
     # We are only deploying CCIP pre-releases and skipping hotfix deployments for now.
-    if: needs.checks.outputs.is-pre-release == 'true' &&
-      needs.checks.outputs.is-hotfix == 'false'
+    if: needs.checks.outputs.is-pre-release == 'true' && needs.checks.outputs.is-hotfix == 'false'
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -212,80 +207,28 @@ jobs:
           products: |
             ccip-prereleases-prod-testnet
 
-  emit-pre-release-image-published-event:
-    name: Emit pre-release image published event
-    needs: [ docker-core ]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: Emit pre-release image published event
-        env:
-          DOCKER_MANIFEST_TAG: ${{ needs.docker-core.outputs.docker-manifest-tag }}
-          GITHUB_REF_NAME: ${{ github.ref_name }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          gh api \
-            --method POST \
-            -H "Accept: application/vnd.github+json" \
-            "/repos/${GITHUB_REPOSITORY}/dispatches" \
-            --input - <<JSON
-          {
-            "event_type": "pre-release-image-published",
-            "client_payload": {
-              "chainlink_image_tag": "${DOCKER_MANIFEST_TAG}",
-              "chainlink_version": "${GITHUB_REF_NAME}"
-            }
-          }
-          JSON
-
-  emit-release-image-tagged-event:
-    name: Emit release image tagged event
-    needs: [ checks ]
-    if: needs.checks.outputs.is-release == 'true'
-    runs-on: ubuntu-latest
+  post-build:
+    needs: [docker-core, docker-ccip]
+    name: Post-Build Actions
+    uses: ./.github/workflows/post-build.yml
+    secrets: inherit
     permissions:
-      contents: write
-    steps:
-      - name: Compute image tag
-        id: compute-image-tag
-        shell: bash
-        env:
-          GIT_TAG: ${{ github.ref_name }}
-        run: |
-          # Compute image tag by removing 'v' prefix
-          # Examples:
-          #   v2.34.0   -> 2.34.0
-          tag_without_v="${GIT_TAG#v}"
-          echo "image-tag=$tag_without_v" | tee -a "$GITHUB_OUTPUT"
-      - name: Emit release image tagged event
-        env:
-          DOCKER_IMAGE_TAG: ${{ steps.compute-image-tag.outputs.image-tag }}
-          GITHUB_REF_NAME: ${{ github.ref_name }}
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          gh api \
-            --method POST \
-            -H "Accept: application/vnd.github+json" \
-            "/repos/${GITHUB_REPOSITORY}/dispatches" \
-            --input - <<JSON
-          {
-            "event_type": "release-image-tagged",
-            "client_payload": {
-              "chainlink_image_tag": "${DOCKER_IMAGE_TAG}",
-              "chainlink_version": "${GITHUB_REF_NAME}"
-            }
-          }
-          JSON
+      actions: read
+      checks: write
+      id-token: write
+      contents: read
+    with:
+      chainlink_core_full_image: ${{ needs.docker-core.result == 'success' && format('public.ecr.aws/chainlink/chainlink:{0}|{1}', needs.docker-core.outputs.docker-manifest-tag, needs.docker-core.outputs.docker-manifest-digest) || '' }}
+      chainlink_ccip_full_image: ${{ needs.docker-ccip.result == 'success' && format('public.ecr.aws/chainlink/ccip:{0}|{1}', needs.docker-ccip.outputs.docker-manifest-tag, needs.docker-ccip.outputs.docker-manifest-digest) || '' }}
+      chainlink_version: ${{ github.ref_name }}
 
   # Notify Slack channel for new git tags associated with pre-releases.
   # Final release notifications originate from the release coordinator repo.
   slack-notify:
     permissions:
       contents: read
-    if: always() && (needs.docker-core.result == 'success' ||
-      needs.docker-ccip.result == 'success')
-    needs: [ checks, docker-core, docker-ccip ]
+    if: always() && (needs.docker-core.result == 'success' || needs.docker-ccip.result == 'success')
+    needs: [checks, docker-core, docker-ccip]
     uses: ./.github/workflows/release-notifications.yml
     secrets: inherit
     with:

@@ -206,7 +206,7 @@ jobs:
       matrix:
         type:
           - cmd: go_core_tests
-            os: runs-on=${{ github.run_id }}-unit/cpu=48/ram=96/family=c6id+c5ad/spot=false/image=ubuntu24-full-x64/extras=s3-cache
+            os: runs-on=${{ github.run_id }}-unit/cpu=48/ram=96/family=c6i/spot=false/image=ubuntu24-full-x64/extras=s3-cache+tmpfs
             should-run: ${{ needs.filter.outputs.should-run-core-tests }}
             trunk-auto-quarantine: "true"
 

@@ -86,10 +86,6 @@ jobs:
 
           # Add list of tests with certain topologies
           PER_TEST_TOPOLOGIES_JSON=${PER_TEST_TOPOLOGIES_JSON:-'{
-            "Test_CRE_V2_Suite_Bucket_B": [
-               {"topology":"workflow-gateway-capabilities","configs":"configs/workflow-gateway-capabilities-don.toml"},
-               {"topology":"workflow-gateway-capabilities-vault-jwt_auth-enabled","configs":"configs/workflow-gateway-capabilities-don-vault-jwt_auth-enabled.toml"}
-             ],
             "Test_CRE_V2_Aptos_Suite": [
                {"topology":"workflow-gateway-aptos","configs":"configs/workflow-gateway-don-aptos.toml"}
              ],

@@ -73,7 +73,6 @@ on:
 
 jobs:
   compatibility:
-    name: Upgrade Compatibility Test
     permissions:
       id-token: write
       contents: read

@@ -48,10 +48,8 @@ jobs:
         id: runner-labels
         shell: bash
         env:
-          SH_RUNNER_LABEL_ARM64: runs-on=${{ github.run_id
-            }}/cpu=8/ram=16/family=c7g/volume=80gb/spot=false/image=ubuntu24-full-arm64
-          SH_RUNNER_LABEL_AMD64: runs-on=${{ github.run_id
-            }}/cpu=8/ram=16/family=c7a/volume=80gb/spot=false/image=ubuntu24-full-x64
+          SH_RUNNER_LABEL_ARM64: runs-on=${{ github.run_id }}/cpu=8/ram=16/family=c7g/volume=80gb/spot=false/image=ubuntu24-full-arm64
+          SH_RUNNER_LABEL_AMD64: runs-on=${{ github.run_id }}/cpu=8/ram=16/family=c7a/volume=80gb/spot=false/image=ubuntu24-full-x64
           GH_RUNNER_LABEL_ARM64: ubuntu-24.04-arm
           GH_RUNNER_LABEL_AMD64: ubuntu-24.04
         run: |
@@ -83,7 +81,7 @@ jobs:
           echo "version-tag=${version_tag}" | tee -a "$GITHUB_OUTPUT"
 
   docker-core:
-    needs: [ init ]
+    needs: [init]
     if: ${{ needs.init.outputs.should-run == 'true' }}
     permissions:
       contents: read
@@ -115,7 +113,7 @@ jobs:
       AWS_LAMBDA_GATI_URL: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
 
   docker-core-plugins:
-    needs: [ init ]
+    needs: [init]
     if: ${{ needs.init.outputs.should-run == 'true' }}
     permissions:
       contents: read
@@ -149,7 +147,7 @@ jobs:
       AWS_LAMBDA_GATI_URL: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
 
   docker-core-plugins-testing:
-    needs: [ init ]
+    needs: [init]
     if: ${{ needs.init.outputs.should-run == 'true' }}
     permissions:
       contents: read
@@ -184,7 +182,7 @@ jobs:
       AWS_LAMBDA_GATI_URL: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
 
   docker-ccip:
-    needs: [ init ]
+    needs: [init]
     if: ${{ needs.init.outputs.should-run == 'true' }}
     permissions:
       contents: read
@@ -219,7 +217,7 @@ jobs:
       AWS_LAMBDA_GATI_URL: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
 
   docker-ccip-plugins:
-    needs: [ init ]
+    needs: [init]
     if: ${{ needs.init.outputs.should-run == 'true' }}
     permissions:
       contents: read
@@ -254,9 +252,8 @@ jobs:
       AWS_LAMBDA_GATI_URL: ${{ secrets.AWS_INFRA_RELENG_TOKEN_ISSUER_LAMBDA_URL }}
 
   call-post-docker-build:
-    if: ${{ github.event_name == 'schedule' || github.event_name ==
-      'workflow_dispatch' }}
-    needs: [ init, docker-core ]
+    if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
+    needs: [init, docker-core]
     uses: ./.github/workflows/post-docker-build.yml
     permissions:
       actions: read
@@ -271,7 +268,7 @@ jobs:
     if: false
     # temporarily disabled
     # if: ${{ github.event_name == 'schedule' }}
-    needs: [ docker-core ]
+    needs: [docker-core]
     permissions:
       contents: read
       id-token: write
@@ -286,15 +283,14 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           repo-destination: ${{ secrets.REPO_K8S_DEPLOY }}
           oci-image-tag: ${{ needs.docker-core.outputs.docker-manifest-tag }}
-          oci-repository-url: ${{ format('{0}.dkr.ecr.{1}.amazonaws.com/chainlink',
-            secrets.AWS_ACCOUNT_ID_SDLC, secrets.AWS_REGION) }}
+          oci-repository-url: ${{ format('{0}.dkr.ecr.{1}.amazonaws.com/chainlink', secrets.AWS_ACCOUNT_ID_SDLC, secrets.AWS_REGION) }}
           pr-close-enabled: false
           products: |
             cre
 
   deploy-nightly-ccip:
     if: ${{ github.event_name == 'schedule' }}
-    needs: [ docker-ccip ]
+    needs: [docker-ccip]
     permissions:
       contents: read
       id-token: write
@@ -309,8 +305,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           repo-destination: ${{ secrets.REPO_K8S_DEPLOY }}
           oci-image-tag: ${{ needs.docker-ccip.outputs.docker-manifest-tag }}
-          oci-repository-url: ${{ format('{0}.dkr.ecr.{1}.amazonaws.com/ccip',
-            secrets.AWS_ACCOUNT_ID_SDLC, secrets.AWS_REGION) }}
+          oci-repository-url: ${{ format('{0}.dkr.ecr.{1}.amazonaws.com/ccip', secrets.AWS_ACCOUNT_ID_SDLC, secrets.AWS_REGION) }}
           pr-close-enabled: false
           products: |
             ccip-nightlies
@@ -1,26 +1,14 @@
 name: Lint GH Workflows
-
 on:
-  pull_request:
-    paths:
-      - '.github/workflows/*.y*ml'
-      - '.github/actions/**/action.y*ml'
-
-permissions: {}
-
+  push:
 jobs:
   lint_workflows:
     name: Validate Github Action Workflows
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: write
     steps:
       - name: Check out Code
         uses: actions/checkout@v6
         with:
           persist-credentials: false
-
       - name: Run actionlint
-        uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1.72.0
+        uses: reviewdog/action-actionlint@c6ee1eb0a5d47b2af53a203652b5dac0b6c4016e # v1.43.0