Reconcile no-Actions local release workflow with accepted Hop implementation

Hop-State: A_06FN5GEZTNDD5V7A7PXHBR0
Hop-Proposal: R_06FN5GDDA8WVH1V6JW0FBY0
Hop-Task: T_06FN3MBF98GWD4NA5PA1RWG
Hop-Attempt: AT_06FN5FPYNDP5C49S0G52NQG
This commit is contained in:
Hop
2026-07-11 12:57:45 -07:00
parent aad987e762
commit 011f6fa102
8 changed files with 156 additions and 158 deletions
+5 -4
View File
@@ -33,11 +33,12 @@ sign `checksums.txt` with an offline-controlled release key and publish the
public key independently. Checksum signing is listed as a launch gate in the
[release checklist](Release-Checklist).
## Runner trust
## Release-machine trust
Release jobs execute on Gitea act runners. Only trusted, isolated runners should
receive release tags or release tokens. Do not run secret-bearing release jobs
from unreviewed fork pull requests.
Release builds execute on a maintainer machine, not on the Gitea server. Use a
trusted, patched machine; keep the release token out of shell history and source
files; scope it to the Hop repository; export it only for the publish command;
and unset it immediately afterward. Releases upload as drafts for review.
## Filesystem safety