paritytech · EgorPopelyaev · Nov 20, 2025 · Nov 18, 2025
@@ -140,11 +140,4 @@ jobs:
     uses: ./.github/workflows/release-11_rc-automation.yml
     with:
       version: polkadot-${{ needs.validate-inputs.outputs.stable_version }}
-    secrets:
-      PGP_KMS_SIGN_COMMITS_KEY:  ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
-      PGP_KMS_HASH:  ${{ secrets.PGP_KMS_HASH }}
-      AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      AWS_DEFAULT_REGION:  ${{ secrets.AWS_DEFAULT_REGION }}
-      RELEASE_AUTOMATION_APP_PRIVATE_KEY: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
-      RELEASENOTES_MATRIX_V2_ACCESS_TOKEN: ${{ secrets.RELEASENOTES_MATRIX_V2_ACCESS_TOKEN }}
+    secrets: inherit
@@ -9,21 +9,6 @@ on:
       version:
         description: Current release/rc version in format polkadot-stableYYMM
         type: string
-    secrets:
-      PGP_KMS_SIGN_COMMITS_KEY:
-        required: true
-      PGP_KMS_HASH:
-        required: true
-      AWS_ACCESS_KEY_ID:
-        required: true
-      AWS_SECRET_ACCESS_KEY:
-        required: true
-      AWS_DEFAULT_REGION:
-        required: true
-      RELEASE_AUTOMATION_APP_PRIVATE_KEY:
-        required: true
-      RELEASENOTES_MATRIX_V2_ACCESS_TOKEN:
-        required: true
 
 jobs:
   tag_rc:

@@ -0,0 +1,63 @@
+name: Release - Create polkadot-vX.YY.Z tag
+# This workflow creates a final release tag in the old format (e.g. polkadot-v1.20.0) for a published release.
+
+on:
+  release:
+    types: published
+
+jobs:
+  create-old-release-tag:
+    runs-on: parity-default
+    environment: release
+    env:
+      PGP_KMS_KEY: ${{ secrets.PGP_KMS_SIGN_COMMITS_KEY }}
+      PGP_KMS_HASH: ${{ secrets.PGP_KMS_HASH }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+
+    steps:
+      - name: Install pgpkkms
+        run: |
+          # Install pgpkms that is used to sign commits
+          pip install git+https://github.com/paritytech-release/pgpkms.git@6cb1cecce1268412189b77e4b130f4fa248c4151
+
+      - name: Generate content write token for the release automation
+        id: generate_write_token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        with:
+            app-id: ${{ vars.RELEASE_AUTOMATION_APP_ID }}
+            private-key: ${{ secrets.RELEASE_AUTOMATION_APP_PRIVATE_KEY }}
+            owner: paritytech
+
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ github.event.release.tag_name }}
+          token: ${{ steps.generate_write_token.outputs.token }}
+
+      - name: Import gpg keys
+        run: |
+          . ./.github/scripts/common/lib.sh
+
+          import_gpg_keys
+
+      - name: Config git
+        run: |
+          git config --global commit.gpgsign true
+          git config --global gpg.program /home/runner/.local/bin/pgpkms-git
+          git config --global user.name "ParityReleases"
+          git config --global user.email "[email protected]"
+          git config --global user.signingKey "D8018FBB3F534D866A45998293C5FB5F6A367B51"
+
+      - name: Create old release tag
+        env:
+          GH_TOKEN: ${{ steps.generate_write_token.outputs.token }}
+        run: |
+          . ./.github/scripts/common/lib.sh
+
+          version=$(get_polkadot_node_version_from_code)
+          echo "Extracted node version: $version"
+
+          git tag -s "polkadot-v${version}" -m "Old release tag polkadot-v${version}"
+          git push origin "polkadot-v${version}"