From 2dd5b8a814dd44c761558fa3b13d13a1cb747930 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Cs=C3=B3ka?=
Date: Tue, 16 Jun 2026 14:50:46 +0200
Subject: [PATCH 1/2] feat(ci): migrate workflows to Workload Identity Provider auth
Pins hopr-workflows actions and reusable workflows to the new commits that mint short-lived OIDC tokens. Removes legacy GCP service-account keys and PATs from action inputs and secrets, wires id-token: write into every consumer job, and adds the GitHub App private key to release-version calls. Mirrors the pattern established in hoprnet/blokli#377.
Co-Authored-By: Claude Opus 4.7
---
.github/workflows/merge.yaml | 3 +--
.github/workflows/pr.yaml | 3 +--
.github/workflows/release.yaml | 11 ++++-------
3 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml
index 35f4eb54..c280720f 100644
--- a/.github/workflows/merge.yaml
+++ b/.github/workflows/merge.yaml
@@ -17,7 +17,7 @@ jobs:
 build-docker:
 name: Docker
 if: github.event.pull_request.merged == true
- uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@build-docker-v2
+ uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1
 permissions:
 contents: read
 pull-requests: write
@@ -38,7 +38,6 @@ jobs:
 docker_image_format: docker
 fail_on_scan_vulnerabilities: ${{ vars.FAIL_ON_SCAN_VULNERABILITIES }}
 secrets:
- gcp_service_account: ${{ secrets.GCP_SA_GITHUB_RUNNER }}
 cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
 notify:
 name: Notify failure
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index b5064996..d4d13c2a 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
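Review bot: The caller job's permissions visible in this hunk grant only `contents: read` and `pull-requests: write`, but once `gcp_service_account` is dropped the pinned build-docker workflow can only obtain GCP credentials through the job's OIDC token, and a called reusable workflow cannot request more than the calling job grants. The commit message says `id-token: write` was wired into every consumer job, yet it is not among the lines shown here; the `permissions:` block continues past the end of the hunk, so please confirm it contains `id-token: write` and add it if it does not. Pinning to the full commit SHA instead of the mutable `build-docker-v2` tag is the right move for a workflow that now carries a cloud identity.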
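Review bot: Removing the `secrets.GCP_SA_GITHUB_RUNNER` reference does not retire the key behind it; a long-lived service-account key stays valid until it is disabled in GCP IAM and removed from the repository or organization secrets. Until that happens anyone who obtained the key earlier can still use it, which defeats part of the purpose of moving to Workload Identity Federation. Consider tracking the revocation of `GCP_SA_GITHUB_RUNNER`, `GH_RUNNER_TOKEN` and the Docker Hub token dropped elsewhere in this patch in the PR description or a follow-up issue, and schedule it for after every consumer has migrated.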
@@ -105,7 +105,7 @@ jobs:
 run: yarn test
 build-docker:
 name: Docker
- uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@build-docker-v2
+ uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1
 permissions:
 contents: read
 pull-requests: write
@@ -126,5 +126,4 @@ jobs:
 docker_image_format: docker
 fail_on_scan_vulnerabilities: ${{ vars.FAIL_ON_SCAN_VULNERABILITIES }}
 secrets:
- gcp_service_account: ${{ secrets.GCP_SA_GITHUB_RUNNER }}
 cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e060214d..c35d1f9d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,7 +18,7 @@ concurrency:
 jobs:
 build-docker:
 name: Docker
- uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@build-docker-v2
+ uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1
 permissions:
 contents: read
 pull-requests: write
@@ -39,10 +39,7 @@ jobs:
 docker_image_format: docker
 fail_on_scan_vulnerabilities: ${{ vars.FAIL_ON_SCAN_VULNERABILITIES }}
 secrets:
- gcp_service_account: ${{ secrets.GCP_SA_GITHUB_RUNNER }}
 cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}
- docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }}
- docker_hub_token: ${{ secrets.DOCKER_HUB_TOKEN }}
 release:
 name: Close release
 needs:
@@ -50,12 +47,13 @@ jobs:
 runs-on: depot-ubuntu-24.04
 permissions:
 contents: write
+ id-token: write
 outputs:
 released_version: ${{ steps.release.outputs.current_version }}
 steps:
 - name: Release version
 id: release
- uses: hoprnet/hopr-workflows/actions/release-version@release-version-v4
+ uses: hoprnet/hopr-workflows/actions/release-version@fa71078959cf9f892185e8df16551720693a2cd1
 with:
 source_branch: ${{ github.ref_name }}
 file: package.json
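Review bot: This build-docker call in pr.yaml now depends on the job's OIDC token, but GitHub never grants `id-token: write` to runs triggered by `pull_request` from a fork, so if this workflow accepts fork PRs the GCP authentication inside the reusable workflow will fail there; the `on:` trigger is outside this hunk, so that is inferred. The Workload Identity Pool provider's attribute condition on the GCP side is also worth checking now that PR builds can present a token: a PR-triggered token carries `ref` of the form `refs/pull/N/merge`, and the condition should bind `assertion.repository` (ideally also `job_workflow_ref`) so a PR build cannot assume the same identity the release workflow uses. If fork builds are meant to run without cloud access, gating the job with `if: github.event.pull_request.head.repo.full_name == github.repository` makes that intent explicit rather than leaving a failing step.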
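Review bot: `docker_hub_username` and `docker_hub_token` are dropped from the build-docker secrets together with the GCP key, but the commit message mentions only GCP keys and PATs, so it is unclear whether the pinned workflow still publishes to Docker Hub. If it does, it must now obtain those credentials some other way and the reusable workflow's `secrets:` declaration at `fa71078` should be checked for a new required input; if it no longer pushes to Docker Hub, `DOCKER_HUB_TOKEN` should be revoked on Docker Hub rather than left as an unused repository secret. A sentence in the commit message stating which of the two applies would spare the next reader the same question.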
@@ -65,8 +63,7 @@ jobs:
 zulip_email: ${{ secrets.ZULIP_EMAIL }}
 zulip_channel: Products
 zulip_topic: Releases
- gcp_service_account: ${{ secrets.GCP_SA_GITHUB_RUNNER }}
- github_token: ${{ secrets.GH_RUNNER_TOKEN }}
+ github_app_private_key: ${{ secrets.GH_APP_HOPRNET_BOT_PRIVATE_KEY }}
 post-release:
 name: Post Release
 runs-on: depot-ubuntu-24.04
From 71c754bc63f1205f34bc7fb3e8adbf2b7f24006f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Cs=C3=B3ka?=
Date: Wed, 17 Jun 2026 09:10:21 +0200
Subject: [PATCH 2/2] docs(ci): annotate pinned SHA refs with version tag comments
Adds inline # comments to all hopr-workflows SHA references so the tag context is visible alongside the opaque hash.
Co-Authored-By: Claude Sonnet 4.6
---
.github/workflows/merge.yaml | 2 +-
.github/workflows/pr.yaml | 2 +-
.github/workflows/release.yaml | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml
index c280720f..7c874ee3 100644
--- a/.github/workflows/merge.yaml
+++ b/.github/workflows/merge.yaml
@@ -17,7 +17,7 @@ jobs:
 build-docker:
 name: Docker
 if: github.event.pull_request.merged == true
- uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1
+ uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1 # 0.9.3
 permissions:
 contents: read
 pull-requests: write
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index d4d13c2a..35fc78a6 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -105,7 +105,7 @@ jobs:
 run: yarn test
 build-docker:
 name: Docker
- uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1
+ uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1 # 0.9.3
 permissions:
 contents: read
 pull-requests: write
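Review bot: `github_app_private_key` hands the GitHub App's long-lived signing key to the release-version action as an ordinary `with:` input; it is masked in logs because it comes from `secrets`, but the action's process and anything it spawns can read it (for JavaScript or Docker actions it arrives as an `INPUT_*` environment variable), and that key can mint installation tokens for every installation of the app, not just this repository. A narrower design is to mint the token in a preceding step (`actions/create-github-app-token` or equivalent, pinned by SHA like the rest of this patch) and pass the short-lived installation token to release-version instead, so the composite action never sees the key; at minimum keep the app's permissions limited to what release-version needs and install it only on the repositories that use it. The `with:` block edited here starts above the hunk, so also confirm no remaining input still references the retired `GH_RUNNER_TOKEN`.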
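Review bot: The new `# 0.9.3` comment is unverified documentation beside the SHA: nothing checks that `fa71078…` is what a `0.9.3` tag in hopr-workflows resolves to, and the two will drift the first time the SHA is bumped without the comment, or the comment without the SHA. Renovate and Dependabot keep such comments in sync only when they recognise the format, so confirm the bare `0.9.3` (rather than `v0.9.3`) is accepted by whichever tool this repository uses, or add a pinning linter such as `pinact` or `ratchet` to CI to validate the pair; since the refs replaced in the first patch were component tags like `build-docker-v2`, naming the tag fully also removes the question of which tag `0.9.3` denotes. Style-wise yamllint's `comments` rule expects two spaces before an inline `#`: `...693a2cd1  # 0.9.3`.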
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c35d1f9d..4da29e80 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,7 +18,7 @@ concurrency:
 jobs:
 build-docker:
 name: Docker
- uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1
+ uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@fa71078959cf9f892185e8df16551720693a2cd1 # 0.9.3
 permissions:
 contents: read
 pull-requests: write
@@ -53,7 +53,7 @@ jobs:
 steps:
 - name: Release version
 id: release
- uses: hoprnet/hopr-workflows/actions/release-version@fa71078959cf9f892185e8df16551720693a2cd1
+ uses: hoprnet/hopr-workflows/actions/release-version@fa71078959cf9f892185e8df16551720693a2cd1 # 0.9.3
 with:
 source_branch: ${{ github.ref_name }}
 file: package.json