Conversation

@jackstar12
Member

@jackstar12 jackstar12 commented Dec 15, 2025

Summary by CodeRabbit

  • Chores
    • Updated release signature verification guidance to use a new public key location and reflect the new GPG signing key in the verification output.


@coderabbitai
Contributor

coderabbitai bot commented Dec 15, 2025

Walkthrough

Updated the release workflow's GPG verification: changed the GPG public-key import URL from a raw GitHub path to a boltz.exchange static URL and updated the displayed verification output to reflect a new signing key (fingerprint, signer, timestamp).

Changes

Cohort / File(s): Release Workflow GPG Configuration (.github/workflows/release.yml)
Change Summary: Replaced GPG key import URL with boltz.exchange static URL; updated the GPG verification output block to show a new signature timestamp, RSA fingerprint, signer name/email, and added a "Primary key fingerprint" line.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the boltz.exchange URL is correct and serves the expected public key.
  • Confirm the updated GPG fingerprint, signer identity, and timestamp match the intended signing key.
  • Check for related references to the old key elsewhere (docs, other workflows).

Possibly related PRs

Suggested reviewers

  • michael1011

Poem

🐰 I hopped to the release, nose twitching bright,
A new key in my pouch, shining at night,
I fetched from boltz.exchange, checked every line,
Signature stamped — the release looks fine! ✨🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: updating the release workflow in CI configuration, which matches the modifications to .github/workflows/release.yml.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b863c4e and cd7c547.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: CI (ubuntu-latest, 1.24.x)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

63-63: Security improvement: Moving from raw GitHub to official domain for GPG key import.

Using the official domain boltz.exchange for GPG key distribution follows Boltz's established pattern, similar to canary.boltz.exchange/pgp.asc, which is more trustworthy than raw GitHub URLs and reduces exposure to potential repository compromise.

Note: Ensure the URL https://boltz.exchange/static/boltz.asc is accessible and serves a valid GPG public key in the release environment, as this endpoint is not currently documented in public-facing sources.



@jackstar12 jackstar12 force-pushed the ci/update-release-workflow branch from 8149233 to b863c4e Compare December 15, 2025 15:31
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2604dea and b863c4e.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: CI (ubuntu-latest, 1.24.x)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

63-63: No action required—GPG key source and fingerprint are verified and legitimate.

The GPG key at https://boltz.exchange/static/boltz.asc has been verified and matches the fingerprint documented in line 78. The domain boltz.exchange is the official Boltz project domain used throughout the repository for documentation, API, and support resources. The key rotation and verification process are properly communicated in the release documentation itself, providing users with exactly what to expect when verifying releases.
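
Both review comments above turn on the same question: does the key served from the import URL match the fingerprint the workflow documents? That is a check the verification step can enforce rather than only print. The script below is an added example, not code from the Boltz release workflow or from CodeRabbit: a POSIX sh function that reads the machine-readable output of gpg --status-fd and accepts a signature only when the VALIDSIG line's last field (the primary key fingerprint, the same value gpg prints as "Primary key fingerprint") equals a pinned value. The pinned fingerprint, signer names and status lines are constructed placeholders, not Boltz's real key material; the import URL in the comment is the one quoted in the review.

```shell
#!/bin/sh
# Added example (not the Boltz workflow's code): gate a release on a pinned
# primary-key fingerprint taken from `gpg --status-fd 1 --verify SIG FILE`,
# so the outcome does not depend on which URL served the public key.
# All fingerprints, identities and status lines below are constructed.
set -eu

# Assumption: placeholder value, NOT the real Boltz signing key.
PINNED_PRIMARY_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_gpg_status STATUS_TEXT EXPECTED_PRIMARY_FPR
# Exit 0 only if STATUS_TEXT carries a VALIDSIG line whose last field (the
# primary key fingerprint) equals EXPECTED_PRIMARY_FPR and no line reports a
# bad, errored, expired, revoked or unknown-key signature.
check_gpg_status() {
    status="$1"
    expected="$2"
    found_fpr=""
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk-algo>
                #          <hash-algo> <class> <primary-key-fpr>: keep the last field
                found_fpr="${line##* }"
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                bad=1
                ;;
        esac
    done <<EOF
$status
EOF
    if [ "$bad" -eq 0 ] && [ -n "$found_fpr" ] && [ "$found_fpr" = "$expected" ]; then
        return 0
    fi
    return 1
}

# verify_release SIG FILE: the same check on real gpg output. The key must be
# imported first, e.g. curl -fsSL https://boltz.exchange/static/boltz.asc | gpg --import
verify_release() {
    check_gpg_status "$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null)" "$PINNED_PRIMARY_FPR"
}

# Constructed: signature by a signing subkey of the pinned primary key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2025-12-15 1765814400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: cryptographically valid signature, but from a different primary
# key, which is what a swapped .asc file at the download URL would yield.
WRONG_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3333222211110000 Impostor <impostor@example.invalid>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2025-12-15 1765814400 0 4 0 1 10 00 AAAA111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: tampered artifact, signature does not verify.
BAD_SIG_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>'

# report LABEL STATUS_TEXT: print the decision for one sample.
report() {
    if check_gpg_status "$2" "$PINNED_PRIMARY_FPR"; then
        echo "$1: accepted"
    else
        echo "$1: rejected"
    fi
}

report "signature by pinned key" "$GOOD_STATUS"
report "valid signature, wrong key" "$WRONG_KEY_STATUS"
report "bad signature" "$BAD_SIG_STATUS"
```

The point of matching on the primary key fingerprint rather than on GOODSIG alone is that GOODSIG only says some imported key verified the signature; it is satisfied by any key that happened to be at the URL at import time. The pinned value belongs in the workflow file (or a repository variable) so a change to it shows up in review, exactly as the fingerprint change in this PR did.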

@jackstar12 jackstar12 force-pushed the ci/update-release-workflow branch from b863c4e to cd7c547 Compare December 17, 2025 22:45