foundry-rs · zerosnacks · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026 · Apr 24, 2026
@@ -5,10 +5,12 @@ module.exports = async ({ github, context }, tagName) => {
             repo: context.repo.repo,
             ref: `refs/tags/${tagName}`,
             sha: context.sha,
-            force: true,
         });
     } catch (err) {
-        console.error(`Failed to create tag: ${tagName}`);
-        console.error(err);
+        if (err.status === 422 && String(err.message).includes("Reference already exists")) {
+            console.log(`Tag already exists: ${tagName}`);
+            return;
+        }
+        throw err;
     }
 };
@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
     inputs:
       tag_name:
-        default: nightly
+        default: nightly-dev
         description: The tag we're building for
         type: string
   workflow_call:
@@ -58,31 +58,28 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
-      # Creates an additional 'latest' or 'nightly' tag
-      # If the job is triggered via cron schedule, tag nightly and nightly-{SHA}
-      # If the job is triggered via workflow dispatch and on a master branch, tag branch and latest
-      # Otherwise, just tag as the branch name
+      # Derive Docker tags from inputs.tag_name:
+      # - v{major}.{minor}.{patch}: tagged as :v1.2.3, :v1.2, :v1, and :latest
+      # - nightly-{SHA}: tagged as :nightly-{SHA} and :nightly
+      # - anything else: tagged as-is
       - name: Finalize Docker Metadata
         id: docker_tagging
         run: |
           TAG="${{ inputs.tag_name }}"
           REGISTRY="${{ env.REGISTRY }}"
           IMAGE="${{ env.IMAGE_NAME }}"
 
-          if [[ "${{ github.event_name }}" == "schedule" ]]; then
-            printf "cron trigger, assigning nightly tag\n"
-            printf "docker_tags=%s/%s:nightly,%s/%s:nightly-%s\n" "$REGISTRY" "$IMAGE" "$REGISTRY" "$IMAGE" "$GITHUB_SHA" >> "$GITHUB_OUTPUT"
-          elif [[ "${GITHUB_REF##*/}" == "main" ]] || [[ "${GITHUB_REF##*/}" == "master" ]]; then
-            printf "manual trigger from master/main branch, assigning latest tag\n"
-            printf "docker_tags=%s/%s:%s,%s/%s:latest\n" "$REGISTRY" "$IMAGE" "${GITHUB_REF##*/}" "$REGISTRY" "$IMAGE" >> "$GITHUB_OUTPUT"
-          elif [[ "$TAG" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+          if [[ "$TAG" =~ ^v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
             MAJOR="v${BASH_REMATCH[1]}"
             MINOR="v${BASH_REMATCH[1]}.${BASH_REMATCH[2]}"
-            printf "version tag release, assigning %s, %s, and %s tags\n" "$TAG" "$MINOR" "$MAJOR"
-            printf "docker_tags=%s/%s:%s,%s/%s:%s,%s/%s:%s\n" "$REGISTRY" "$IMAGE" "$TAG" "$REGISTRY" "$IMAGE" "$MINOR" "$REGISTRY" "$IMAGE" "$MAJOR" >> "$GITHUB_OUTPUT"
+            printf "version tag release, assigning %s, %s, %s, and latest tags\n" "$TAG" "$MINOR" "$MAJOR"
+            printf "docker_tags=%s/%s:%s,%s/%s:%s,%s/%s:%s,%s/%s:latest\n" "$REGISTRY" "$IMAGE" "$TAG" "$REGISTRY" "$IMAGE" "$MINOR" "$REGISTRY" "$IMAGE" "$MAJOR" "$REGISTRY" "$IMAGE" >> "$GITHUB_OUTPUT"
+          elif [[ "$TAG" =~ ^nightly- ]]; then
+            printf "nightly release, assigning %s and nightly tags\n" "$TAG"
+            printf "docker_tags=%s/%s:%s,%s/%s:nightly\n" "$REGISTRY" "$IMAGE" "$TAG" "$REGISTRY" "$IMAGE" >> "$GITHUB_OUTPUT"
           else
-            printf "Neither scheduled nor manual release from main branch. Just tagging as branch name\n"
-            printf "docker_tags=%s/%s:%s\n" "$REGISTRY" "$IMAGE" "${GITHUB_REF##*/}" >> "$GITHUB_OUTPUT"
+            printf "tagging as %s\n" "$TAG"
+            printf "docker_tags=%s/%s:%s\n" "$REGISTRY" "$IMAGE" "$TAG" >> "$GITHUB_OUTPUT"
           fi
 
       # Log docker metadata to explicitly know what is being pushed

@@ -5,9 +5,6 @@ permissions: {}
 on:
   push:
     tags:
-      - "stable"
-      - "rc"
-      - "rc-*"
       - "v*.*.*"
   schedule:
     - cron: "0 6 * * *"
@@ -21,8 +18,6 @@ env:
   RUST_PROFILE: dist
   RUST_FEATURES: aws-kms,gcp-kms,turnkey,cli,asm-keccak,js-tracer
 
-  LAST_STABLE_VERSION: "v1.5.1"
-
 jobs:
   prepare:
     name: Prepare release
@@ -47,9 +42,17 @@ jobs:
           if [[ ${IS_NIGHTLY} == 'true' ]]; then
             printf 'tag_name=%s\n' "nightly-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
             printf 'release_name=%s\n' "Nightly ($(date '+%Y-%m-%d'))" >> "$GITHUB_OUTPUT"
+            # Find the previous nightly tag for changelog generation,
+            # sorted by tag creation date (most recent first).
+            PREV_NIGHTLY=$(git tag -l 'nightly-*' --sort=-creatordate | head -n1)
+            printf 'from_tag=%s\n' "$PREV_NIGHTLY" >> "$GITHUB_OUTPUT"
           else
             printf 'tag_name=%s\n' "$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"
             printf 'release_name=%s\n' "$GITHUB_REF_NAME" >> "$GITHUB_OUTPUT"
+            # Find the previous stable release tag (v*.*.*) for changelog generation,
+            # skipping the current tag so we diff from the last stable release.
+            PREV_STABLE=$(git tag -l 'v*.*.*' --sort=-v:refname | grep -v "^${GITHUB_REF_NAME}$" | head -n1)
+            printf 'from_tag=%s\n' "$PREV_STABLE" >> "$GITHUB_OUTPUT"
           fi
 
       # Creates a `nightly-SHA` tag for this specific nightly
@@ -71,11 +74,44 @@ jobs:
         uses: mikepenz/release-changelog-builder-action@bcae7115752d4ed746ff92feb666574428a79415 # v6.2
         with:
           configuration: "./.github/changelog.json"
-          fromTag: ${{ env.IS_NIGHTLY == 'true' && 'nightly' || env.STABLE_VERSION }}
+          fromTag: ${{ steps.release_info.outputs.from_tag || '' }}
           toTag: ${{ steps.release_info.outputs.tag_name }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      # Create the GitHub release as a draft up-front so that all matrix jobs
+      # only upload assets to an existing draft. With immutable releases
+      # enabled, an immutable release is sealed when it is published, so all
+      # assets must be attached before that. Stable releases are then left as
+      # a draft for a maintainer to publish manually; nightlies are auto-
+      # published by the `publish-nightly` job at the end of the workflow.
+      - name: Create draft release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          TAG_NAME: ${{ steps.release_info.outputs.tag_name }}
+          RELEASE_NAME: ${{ steps.release_info.outputs.release_name }}
+          CHANGELOG: ${{ steps.build_changelog.outputs.changelog }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if release_json="$(gh release view "$TAG_NAME" --json isDraft 2>/dev/null)"; then
+            is_draft="$(printf '%s' "$release_json" | grep -o '"isDraft":[^,}]*' | cut -d: -f2 | tr -d ' ')"
+            if [[ "$is_draft" == "true" ]]; then
+              echo "Draft release $TAG_NAME already exists; reusing it."
+              exit 0
+            fi
+            echo "::error::Release $TAG_NAME is already published; cannot upload more assets to an immutable release."
+            exit 1
+          fi
+          notes_file="$(mktemp)"
+          printf '%s' "$CHANGELOG" > "$notes_file"
+          flags=(--draft --verify-tag --title "$RELEASE_NAME" --notes-file "$notes_file")
+          if [[ "$IS_NIGHTLY" == "true" ]]; then
+            flags+=(--prerelease)
+          fi
+          gh release create "$TAG_NAME" "${flags[@]}"
+
   release-docker:
     name: Release Docker
     needs: prepare
@@ -87,6 +123,10 @@ jobs:
     with:
       tag_name: ${{ needs.prepare.outputs.tag_name }}
 
+  # This job uploads assets to the draft release created in `prepare`.
+  # Stable releases stay as drafts for a maintainer to publish manually;
+  # nightlies are auto-published by the `publish-nightly` job below. Either
+  # way, GitHub's immutable-releases setting seals the release at publish.
   release:
     permissions:
       id-token: write
@@ -277,68 +317,50 @@ jobs:
           set -euo pipefail
           printf '%s\n' "$ATTESTATION_URL" > "$FOUNDRY_ATTESTATION"
 
-      # Creates the release for this specific version
-      - name: Create release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
-        with:
-          name: ${{ needs.prepare.outputs.release_name }}
-          tag_name: ${{ needs.prepare.outputs.tag_name }}
-          prerelease: ${{ env.IS_NIGHTLY == 'true' }}
-          body: ${{ needs.prepare.outputs.changelog }}
-          files: |
-            ${{ steps.artifacts.outputs.file_name }}
-            ${{ steps.artifacts.outputs.foundry_attestation }}
-            ${{ steps.man.outputs.foundry_man }}
-
-      # If this is a nightly release, it also updates the release
-      # tagged `nightly` for compatibility with `foundryup`
-      - name: Update nightly release
-        if: ${{ env.IS_NIGHTLY == 'true' }}
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
-        with:
-          name: "Nightly"
-          tag_name: "nightly"
-          prerelease: true
-          body: ${{ needs.prepare.outputs.changelog }}
-          files: |
-            ${{ steps.artifacts.outputs.file_name }}
-            ${{ steps.artifacts.outputs.foundry_attestation }}
-            ${{ steps.man.outputs.foundry_man }}
+      # Upload assets to the draft release created in `prepare`. Stable
+      # releases stay as drafts after this workflow finishes; a maintainer
+      # publishes them manually. Nightlies are auto-published below.
+      - name: Upload assets to draft release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          TAG_NAME: ${{ needs.prepare.outputs.tag_name }}
+          FILE_NAME: ${{ steps.artifacts.outputs.file_name }}
+          FOUNDRY_ATTESTATION: ${{ steps.artifacts.outputs.foundry_attestation }}
+          FOUNDRY_MAN: ${{ steps.man.outputs.foundry_man }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          files=("$FILE_NAME" "$FOUNDRY_ATTESTATION")
+          if [[ -n "${FOUNDRY_MAN:-}" ]]; then
+            files+=("$FOUNDRY_MAN")
+          fi
+          gh release upload "$TAG_NAME" "${files[@]}" --clobber
 
-  cleanup:
-    name: Release cleanup
+  # Auto-publish nightly releases once all assets have been uploaded so that
+  # foundryup and other consumers see them immediately. Stable releases are
+  # left as drafts for a maintainer to publish manually.
+  publish-nightly:
+    name: Publish nightly release
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    needs: [prepare, release-docker, release]
+    if: ${{ env.IS_NIGHTLY == 'true' }}
     permissions:
       contents: write
-    needs: release
-    if: always()
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      # Moves the `nightly` tag to `HEAD`
-      - name: Move nightly tag
-        if: ${{ env.IS_NIGHTLY == 'true' }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const moveTag = require('./.github/scripts/move-tag.js')
-            await moveTag({ github, context }, 'nightly')
-
-      - name: Delete old nightlies
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        with:
-          script: |
-            const prunePrereleases = require('./.github/scripts/prune-prereleases.js')
-            await prunePrereleases({github, context})
+      - name: Publish release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          TAG_NAME: ${{ needs.prepare.outputs.tag_name }}
+        shell: bash
+        run: gh release edit "$TAG_NAME" --draft=false
 
   # If any of the jobs fail, this will create a high-priority issue to signal so.
   issue:
     name: Open an issue
     runs-on: ubuntu-latest
-    needs: [prepare, release-docker, release, cleanup]
+    needs: [prepare, release-docker, release, publish-nightly]
     if: failure()
     permissions:
       contents: read

@@ -12,18 +12,30 @@ curl -L https://foundry.paradigm.xyz | bash
 
 ## Usage
 
-To install the **nightly** version:
+To install the **latest** version:
 
 ```sh
 foundryup
 ```
 
-To **install** a specific **version** (in this case the `nightly` version):
+Or alternatively:
+
+```sh
+foundryup -i latest
+```
+
+To install the latest **nightly** version:
 
 ```sh
 foundryup --install nightly
 ```
 
+To install a specific version (e.g. `v1.6.0`):
+
+```sh
+foundryup --install v1.6.0
+```
+
 To **list** all **versions** installed:
 
 ```sh