threshold-network · piotr-roslaniec · Oct 15, 2025 · Aug 12, 2025 · Aug 12, 2025 · Aug 12, 2025
diff --git a/.github/workflows/client.yml b/.github/workflows/client.yml
@@ -28,15 +28,15 @@ on:
         required: false
         default: "main"
 
-# TODO: Implement automatic releases creation on tags push with https://github.com/softprops/action-gh-release
+# Automatic releases are now handled by the dedicated release.yml workflow
 
 jobs:
   client-detect-changes:
     runs-on: ubuntu-latest
     outputs:
       path-filter: ${{ steps.filter.outputs.path-filter }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         if: github.event_name == 'pull_request'
 
       - uses: dorny/paths-filter@v2
@@ -52,7 +52,7 @@ jobs:
     outputs:
       path-filter: ${{ steps.filter.outputs.path-filter }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         if: github.event_name == 'pull_request'
 
       - uses: dorny/paths-filter@v2
@@ -71,7 +71,7 @@ jobs:
         || needs.client-detect-changes.outputs.path-filter == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           # Fetch the whole history for the `git describe` command to work.
           fetch-depth: 0
@@ -88,18 +88,18 @@ jobs:
           environment: ${{ github.event.inputs.environment }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Cache Docker layers
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-
 
       - name: Build Docker Build Image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           target: build-docker
           tags: go-build-env
@@ -123,7 +123,7 @@ jobs:
           docker save --output /tmp/go-build-env-image.tar go-build-env
 
       - name: Upload Docker Build Image
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: go-build-env-image
           path: /tmp/go-build-env-image.tar
@@ -133,11 +133,11 @@ jobs:
           docker run \
             --workdir /go/src/github.com/keep-network/keep-core \
             go-build-env \
-            gotestsum
+            gotestsum -- -timeout 15m
 
       - name: Build Docker Runtime Image
         if: github.event_name != 'workflow_dispatch'
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           target: runtime-docker
           labels: |
@@ -148,15 +148,15 @@ jobs:
 
       - name: Login to Google Container Registry
         if: github.event_name == 'workflow_dispatch'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.GCR_REGISTRY_URL }}
           username: _json_key
           password: ${{ secrets.KEEP_TEST_GCR_JSON_KEY }}
 
       - name: Build and publish Docker Runtime Image
         if: github.event_name == 'workflow_dispatch'
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         env:
           IMAGE_NAME: "keep-client"
         with:
@@ -177,7 +177,7 @@ jobs:
           context: .
 
       - name: Build Client Binaries
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           target: output-bins
           outputs: type=local,dest=./out/bin/
@@ -189,7 +189,7 @@ jobs:
           context: .
 
       - name: Archive Client Binaries
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: binaries
           path: |
@@ -240,10 +240,11 @@ jobs:
     env:
       GO111MODULE: on
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: securego/gosec@master
         with:
           args: |
+            -exclude=G115
             -exclude-dir=pkg/chain/ethereum/beacon/gen
             -exclude-dir=pkg/chain/ethereum/ecdsa/gen
             -exclude-dir=pkg/chain/ethereum/threshold/gen
@@ -257,8 +258,8 @@ jobs:
         || needs.client-detect-changes.outputs.path-filter == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: gofmt
@@ -275,8 +276,8 @@ jobs:
         || needs.client-detect-changes.outputs.path-filter == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - run: go vet
@@ -288,15 +289,16 @@ jobs:
         || needs.client-detect-changes.outputs.path-filter == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
       - name: Staticcheck
-        uses: dominikh/staticcheck-action@v1.3.0
+        uses: dominikh/staticcheck-action@v1.4.0
         with:
-          version: "2023.1.6"
+          version: "2025.1.1"
           install-go: false
+          checks: "-SA1019"
 
   client-integration-test:
     needs: [electrum-integration-detect-changes, client-build-test-publish]
@@ -306,10 +308,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Download Docker Build Image
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: go-build-env-image
           path: /tmp

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,116 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # Fetch the whole history for the `git describe` command to work.
+          fetch-depth: 0
+
+      - name: Resolve versions
+        run: |
+          echo "version=$(git describe --tags --match 'v[0-9]*' HEAD)" \
+            >> $GITHUB_ENV
+          echo "revision=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Build Docker Build Image
+        uses: docker/build-push-action@v5
+        with:
+          target: build-docker
+          tags: go-build-env
+          build-args: |
+            VERSION=${{ env.version }}
+            REVISION=${{ env.revision }}
+          # load image to local registry to use it in next steps
+          load: true
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          context: .
+
+      - name: Run Go tests
+        run: |
+          docker run \
+            --workdir /go/src/github.com/keep-network/keep-core \
+            go-build-env \
+            gotestsum -- -timeout 15m
+
+      - name: Build Client Binaries
+        uses: docker/build-push-action@v5
+        with:
+          target: output-bins
+          outputs: type=local,dest=./out/bin/
+          build-args: |
+            ENVIRONMENT=mainnet
+            VERSION=${{ env.version }}
+            REVISION=${{ env.revision }}
+          push: false
+          context: .
+
+      - name: Generate release notes
+        id: release_notes
+        run: |
+          # Get the previous tag for release notes
+          PREV_TAG=$(git describe --tags --abbrev=0 --match 'v[0-9]*' \
+            HEAD^ 2>/dev/null || echo "")
+
+          # Create release notes
+          echo "RELEASE_NOTES<<EOF" >> $GITHUB_OUTPUT
+          echo "## Keep Core ${{ env.version }}" >> $GITHUB_OUTPUT
+          echo "" >> $GITHUB_OUTPUT
+          echo "Built from commit: ${{ env.revision }}" >> $GITHUB_OUTPUT
+          echo "" >> $GITHUB_OUTPUT
+          echo "### Downloads" >> $GITHUB_OUTPUT
+          echo "- **Linux AMD64**: \`keep-client-mainnet-${{ env.version }}-linux-amd64.tar.gz\`" \
+            >> $GITHUB_OUTPUT
+          echo "- **macOS AMD64**: \`keep-client-mainnet-${{ env.version }}-darwin-amd64.tar.gz\`" \
+            >> $GITHUB_OUTPUT
+          echo "" >> $GITHUB_OUTPUT
+          echo "### Verification" >> $GITHUB_OUTPUT
+          echo "All binaries include MD5 and SHA256 checksums for verification." \
+            >> $GITHUB_OUTPUT
+          echo "" >> $GITHUB_OUTPUT
+          if [ -n "$PREV_TAG" ]; then
+            echo "### Changes since $PREV_TAG" >> $GITHUB_OUTPUT
+            git log --oneline --no-merges "$PREV_TAG..HEAD" | head -20 \
+              >> $GITHUB_OUTPUT
+          fi
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: Release ${{ env.version }}
+          body: ${{ steps.release_notes.outputs.RELEASE_NOTES }}
+          files: |
+            out/bin/*.tar.gz
+            out/bin/*.md5
+            out/bin/*.sha256
+          draft: false
+          prerelease: ${{ contains(env.version, '-') }}
+          generate_release_notes: false
+
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
diff --git a/.gitignore b/.gitignore
@@ -55,6 +55,8 @@ yarn-error.log
 /solidity*/**/export.json
 
 # Go bindings generator
+# Note: Some specific _address files are committed as empty placeholders
+# to satisfy //go:embed directives during CI builds that don't run go generate
 /pkg/chain/**/gen/_address/
 /pkg/chain/**/gen/_contracts/
 /pkg/chain/**/gen/abi/*.abi

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20.13-alpine3.19 AS build-sources
+FROM golang:1.24-alpine3.21 AS build-sources
 
 ENV GOPATH=/go \
 	GOBIN=/go/bin \
@@ -10,7 +10,7 @@ ENV GOPATH=/go \
 
 # TODO: Remove perl once go-ethereum is upgraded to 1.11.
 #       See pkg/chain/ethereum/tbtc/gen/Makefile and after_abi_hook for details.
-RUN apk add --update --no-cache \
+RUN apk update && apk upgrade && apk add --update --no-cache \
 	g++ \
 	linux-headers \
 	protobuf-dev \
@@ -26,7 +26,7 @@ RUN apk add --update --no-cache \
 	rm -rf /var/cache/apk/ && mkdir /var/cache/apk/ && \
 	rm -rf /usr/share/man
 
-RUN go install gotest.tools/gotestsum@latest
+RUN go install gotest.tools/gotestsum@v1.10.1
 
 RUN mkdir -p $APP_DIR $TEST_RESULTS_DIR
 
@@ -36,9 +36,6 @@ WORKDIR $APP_DIR
 COPY go.mod go.sum $APP_DIR/
 RUN go mod download
 
-# Install code generators.
-RUN go install google.golang.org/protobuf/cmd/[email protected]
-
 # Copy source code for generation.
 COPY ./pkg/beacon/dkg/result/gen $APP_DIR/pkg/beacon/dkg/result/gen
 COPY ./pkg/beacon/entry/gen $APP_DIR/pkg/beacon/entry/gen
@@ -57,6 +54,10 @@ COPY ./pkg/tecdsa/gen $APP_DIR/pkg/tecdsa/gen
 COPY ./pkg/protocol/announcer/gen $APP_DIR/pkg/protocol/announcer/gen
 COPY ./pkg/protocol/inactivity/gen $APP_DIR/pkg/protocol/inactivity/gen
 
+
+# Install code generators.
+RUN go install google.golang.org/protobuf/cmd/[email protected]
+
 # Environment is to download published and tagged NPM packages versions.
 ARG ENVIRONMENT
 
@@ -69,6 +70,9 @@ RUN make generate environment=$ENVIRONMENT
 
 COPY ./ $APP_DIR/
 
+# Update go.sum with any missing dependencies
+RUN go mod tidy && go mod download
+
 #
 # Build Docker Image
 #
@@ -84,12 +88,15 @@ RUN GOOS=linux make build \
 	version=$VERSION \
 	revision=$REVISION
 
-FROM alpine:3.19 as runtime-docker
+FROM alpine:3.21 as runtime-docker
 
 ENV APP_NAME=keep-client \
 	APP_DIR=/go/src/github.com/keep-network/keep-core \
 	BIN_PATH=/usr/local/bin
 
+# Update Alpine packages to get latest security patches
+RUN apk update && apk upgrade && rm -rf /var/cache/apk/*
+
 COPY --from=build-docker $APP_DIR/$APP_NAME $BIN_PATH
 
 # ENTRYPOINT cant handle ENV variables.
@@ -101,7 +108,7 @@ CMD []
 #
 # Build Binaries
 #
-FROM golang:1.20.13-bullseye AS build-bins
+FROM golang:1.24-bullseye AS build-bins
 
 ENV APP_DIR=/go/src/github.com/keep-network/keep-core