stellar
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/build.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/lint.yml‎
Lines changed: 10 additions & 0 deletions b/‎.github/workflows/lint.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎.github/workflows/publish.yml‎
Lines changed: 352 additions & 0 deletions b/‎.github/workflows/publish.yml‎
Lines changed: 352 additions & 0 deletions
@@ -35,6 +35,10 @@ jobs:
             --image "stellar-cli:${{ steps.pair.outputs.cli }}-rust${{ steps.pair.outputs.rust }}" \
             --stellar-cli-version "${{ steps.pair.outputs.cli }}" \
             --rust-version "${{ steps.pair.outputs.rust }}"
+      - name: wasm reproducibility
+        run: |
+          ./scripts/repro-test.sh \
+            --image "stellar-cli:${{ steps.pair.outputs.cli }}-rust${{ steps.pair.outputs.rust }}"
 
   complete:
     if: always()
 
@@ -46,6 +46,15 @@ jobs:
           scandir: scripts
           severity: style
 
+  shell:
+    name: validate shell
+    runs-on: ubuntu-24.04
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: validate shell scripts
+        run: ./scripts/validate-shell.sh
+
   matrix-smoke:
     name: resolve-matrix smoke
     runs-on: ubuntu-24.04
@@ -61,6 +70,7 @@ jobs:
       - json
       - dockerfile
       - shellcheck
+      - shell
       - matrix-smoke
     runs-on: ubuntu-24.04
     steps:
 
@@ -0,0 +1,352 @@
+---
+name: publish
+
+on:
+  release:
+    types:
+      - published
+
+permissions:
+  contents: write           # release job creates/updates the GitHub Release
+  attestations: write       # actions/attest-build-provenance + actions/attest publish to the repo's attestation store
+  id-token: write           # OIDC token used by buildx provenance and the attest actions
+  artifact-metadata: write  # actions/attest creates an artifact storage record
+
+env:
+  # Override per-repo via Settings → Variables → Actions (vars.REGISTRY).
+  # Useful for forks that want to publish to a personal registry for
+  # testing without forking the workflow itself.
+  REGISTRY: ${{ vars.REGISTRY || 'docker.io/stellar/stellar-cli' }}
+
+jobs:
+  matrix:
+    name: resolve matrix
+    runs-on: ubuntu-24.04
+    outputs:
+      matrix: ${{ steps.resolve.outputs.matrix }}
+      stellar_cli_version: ${{ steps.scope.outputs.version }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: install check-jsonschema
+        run: pipx install check-jsonschema
+      - name: validate builds.json
+        run: ./scripts/validate-json.sh
+      - name: scope to one cli version
+        id: scope
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          # Tag is "v<version>" or "v<version>-<N>" (refresh iterations).
+          # Strip leading "v" and trailing "-<N>" if present to derive
+          # the stellar-cli version.
+          no_prefix="${RELEASE_TAG#v}"
+          version="${no_prefix%%-*}"
+          test -n "$version" || { echo "::error::could not determine stellar_cli_version from release tag '$RELEASE_TAG'"; exit 1; }
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+      - name: resolve matrix
+        id: resolve
+        env:
+          STELLAR_CLI_VERSION: ${{ steps.scope.outputs.version }}
+        run: |
+          matrix="$(./scripts/resolve-matrix.sh \
+            --stellar-cli-version "$STELLAR_CLI_VERSION")"
+          echo "matrix=$matrix" >> "$GITHUB_OUTPUT"
+
+  build:
+    name: ${{ matrix.stellar_cli_version }} rust${{ matrix.rust_version }} ${{ matrix.arch }}
+    needs: matrix
+    strategy:
+      matrix: ${{ fromJson(needs.matrix.outputs.matrix) }}
+      fail-fast: false
+    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: set up buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: resolve tag
+        id: tag
+        run: |
+          tag="$(./scripts/tag-names.sh \
+            --stellar-cli-version ${{ matrix.stellar_cli_version }} \
+            --rust-version ${{ matrix.rust_version }} \
+            --platform ${{ matrix.platform }})"
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+          echo "image=$REGISTRY:$tag" >> "$GITHUB_OUTPUT"
+
+      - name: login to Docker Hub
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: check whether already published
+        id: skip
+        run: |
+          if docker buildx imagetools inspect "${{ steps.tag.outputs.image }}" >/dev/null 2>&1; then
+            echo "::warning::${{ steps.tag.outputs.image }} already exists in the registry; skipping build (per-arch tags are immutable)"
+            {
+              echo "## ⚠️ Skipped — already published"
+              echo ""
+              echo "\`${{ steps.tag.outputs.image }}\` was already in the registry."
+              echo ""
+              echo "Per-arch tags are immutable, so no build or push happened for this row. If this is a corrupt-push recovery, delete the tag in Docker Hub by hand and re-run the workflow."
+            } >> "$GITHUB_STEP_SUMMARY"
+            echo "skipped=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "skipped=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: build metadata
+        id: meta
+        if: steps.skip.outputs.skipped != 'true'
+        run: |
+          {
+            echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+            echo "builds_json_sha=$(sha256sum builds.json | awk '{print $1}')"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: build and push
+        id: build
+        if: steps.skip.outputs.skipped != 'true'
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          push: true
+          platforms: ${{ matrix.platform }}
+          tags: ${{ steps.tag.outputs.image }}
+          provenance: mode=max
+          sbom: true
+          build-args: |
+            RUST_VERSION=${{ matrix.rust_version }}
+            RUST_IMAGE_DIGEST=${{ matrix.rust_image_digest }}
+            STELLAR_CLI_REV=${{ matrix.stellar_cli_ref }}
+            STELLAR_CLI_VERSION=${{ matrix.stellar_cli_version }}
+            BUILD_DATE=${{ steps.meta.outputs.build_date }}
+            BUILDS_JSON_SHA=${{ steps.meta.outputs.builds_json_sha }}
+            SOURCE_REPO=${{ github.repository }}
+
+      - name: generate SBOM file
+        if: steps.skip.outputs.skipped != 'true'
+        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+        with:
+          image: ${{ steps.tag.outputs.image }}@${{ steps.build.outputs.digest }}
+          format: spdx-json
+          output-file: sbom-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_version }}-${{ matrix.arch }}.spdx.json
+          upload-release-assets: false
+          upload-artifact: false
+
+      - name: attest build provenance
+        id: attest-prov
+        if: steps.skip.outputs.skipped != 'true'
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-name: ${{ env.REGISTRY }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          # Also push the signed Sigstore attestation alongside the image
+          # in the registry, so consumers can verify with cosign without
+          # needing the gh CLI or access to the GitHub attestations API.
+          push-to-registry: true
+
+      - name: attest SBOM
+        id: attest-sbom
+        if: steps.skip.outputs.skipped != 'true'
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-name: ${{ env.REGISTRY }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          sbom-path: sbom-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_version }}-${{ matrix.arch }}.spdx.json
+          push-to-registry: true
+
+      - name: write per-arch metadata
+        if: steps.skip.outputs.skipped != 'true'
+        run: |
+          out="meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_version }}-${{ matrix.arch }}.json"
+          jq -n \
+            --arg arch "${{ matrix.arch }}" \
+            --arg cli "${{ matrix.stellar_cli_version }}" \
+            --arg digest "${{ steps.build.outputs.digest }}" \
+            --arg image "${{ steps.tag.outputs.image }}" \
+            --arg rust "${{ matrix.rust_version }}" \
+            --arg tag "${{ steps.tag.outputs.tag }}" \
+            '{arch: $arch, digest: $digest, image: $image, rust_version: $rust, stellar_cli_version: $cli, tag: $tag}' \
+            > "$out"
+
+      - name: rename provenance bundle
+        if: steps.skip.outputs.skipped != 'true'
+        run: |
+          cp "${{ steps.attest-prov.outputs.bundle-path }}" \
+            "prov-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_version }}-${{ matrix.arch }}.intoto.jsonl"
+
+      # Skipped pairs still need metadata so the release-body composer can
+      # show the full state of every declared pair, not just the freshly
+      # built ones. Queries the existing tag's manifest digest from the
+      # registry and writes the same meta-*.json shape we'd write on a
+      # fresh build (just without the SBOM/provenance files — those stay
+      # attached to the previously-published image's attestation store).
+      - name: write per-arch metadata (skipped pair)
+        if: steps.skip.outputs.skipped == 'true'
+        run: |
+          existing_digest="$(docker buildx imagetools inspect \
+            "${{ steps.tag.outputs.image }}" \
+            --format '{{.Manifest.Digest}}')"
+          out="meta-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_version }}-${{ matrix.arch }}.json"
+          jq -n \
+            --arg arch "${{ matrix.arch }}" \
+            --arg cli "${{ matrix.stellar_cli_version }}" \
+            --arg digest "$existing_digest" \
+            --arg image "${{ steps.tag.outputs.image }}" \
+            --arg rust "${{ matrix.rust_version }}" \
+            --arg tag "${{ steps.tag.outputs.tag }}" \
+            '{arch: $arch, digest: $digest, image: $image, rust_version: $rust, stellar_cli_version: $cli, tag: $tag}' \
+            > "$out"
+
+      - name: upload release artifacts
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: release-artifacts-${{ matrix.stellar_cli_version }}-rust${{ matrix.rust_version }}-${{ matrix.arch }}
+          path: |
+            sbom-*.spdx.json
+            prov-*.intoto.jsonl
+            meta-*.json
+          retention-days: 7
+          # warn (not error) because the skipped path only produces meta-*.json;
+          # the sbom-*/prov-* globs find nothing in that case.
+          if-no-files-found: warn
+
+  manifest:
+    name: assemble manifest lists
+    needs: [matrix, build]
+    runs-on: ubuntu-24.04
+    env:
+      STELLAR_CLI_VERSION: ${{ needs.matrix.outputs.stellar_cli_version }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: set up buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - name: login to Docker Hub
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: create manifest list per (cli, rust) pair
+        run: |
+          while IFS= read -r rust; do
+            list_tag="$(./scripts/tag-names.sh \
+              --stellar-cli-version "$STELLAR_CLI_VERSION" --rust-version "$rust")"
+            amd64_tag="$(./scripts/tag-names.sh \
+              --stellar-cli-version "$STELLAR_CLI_VERSION" --rust-version "$rust" \
+              --platform linux/amd64)"
+            arm64_tag="$(./scripts/tag-names.sh \
+              --stellar-cli-version "$STELLAR_CLI_VERSION" --rust-version "$rust" \
+              --platform linux/arm64)"
+            if docker buildx imagetools inspect "$REGISTRY:$list_tag" >/dev/null 2>&1; then
+              echo "::warning::manifest list $REGISTRY:$list_tag already exists; skipping (lists are immutable)"
+              {
+                echo "## ⚠️ Manifest list skipped — already published"
+                echo ""
+                echo "\`$REGISTRY:$list_tag\` was already in the registry."
+              } >> "$GITHUB_STEP_SUMMARY"
+              continue
+            fi
+            echo "::group::manifest $REGISTRY:$list_tag"
+            docker buildx imagetools create \
+              --tag "$REGISTRY:$list_tag" \
+              "$REGISTRY:$amd64_tag" \
+              "$REGISTRY:$arm64_tag"
+            echo "::endgroup::"
+          done < <(jq -r --arg v "$STELLAR_CLI_VERSION" '
+            .stellar_cli_versions[]
+            | select(.version == $v)
+            | .rust_versions[]
+          ' builds.json)
+
+  aliases:
+    name: publish moving aliases
+    needs: [matrix, manifest]
+    runs-on: ubuntu-24.04
+    env:
+      STELLAR_CLI_VERSION: ${{ needs.matrix.outputs.stellar_cli_version }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: set up buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - name: login to Docker Hub
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: publish :<cli> and :latest aliases
+        run: |
+          default_rust="$(jq -r --arg v "$STELLAR_CLI_VERSION" \
+            '.stellar_cli_versions[] | select(.version == $v) | .default_rust' \
+            builds.json | head -n1)"
+          target_tag="$(./scripts/tag-names.sh \
+            --stellar-cli-version "$STELLAR_CLI_VERSION" \
+            --rust-version "$default_rust")"
+          target="$REGISTRY:$target_tag"
+
+          echo "::group::alias $REGISTRY:$STELLAR_CLI_VERSION -> $target"
+          docker buildx imagetools create --tag "$REGISTRY:$STELLAR_CLI_VERSION" "$target"
+          echo "::endgroup::"
+
+          newest_cli="$(./scripts/newest-pair.sh --stellar-cli-version)"
+          if [ "$STELLAR_CLI_VERSION" = "$newest_cli" ]; then
+            echo "::group::alias $REGISTRY:latest -> $target"
+            docker buildx imagetools create --tag "$REGISTRY:latest" "$target"
+            echo "::endgroup::"
+          else
+            echo "cli $STELLAR_CLI_VERSION is not the newest ($newest_cli); skipping :latest"
+          fi
+
+  release:
+    name: enrich github release with sbom and provenance
+    needs: [matrix, aliases]
+    runs-on: ubuntu-24.04
+    env:
+      STELLAR_CLI_VERSION: ${{ needs.matrix.outputs.stellar_cli_version }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: download per-arch release artifacts
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          path: release-artifacts
+          pattern: release-artifacts-*
+          merge-multiple: true
+      - name: compose structural body section
+        run: |
+          ./scripts/release-body.sh \
+            --stellar-cli-version "$STELLAR_CLI_VERSION" \
+            --metadata-dir release-artifacts \
+            --registry "$REGISTRY" \
+            --repo "${{ github.repository }}" \
+            > release-body.md
+      - name: update the github release
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
+        with:
+          tag_name: ${{ github.event.release.tag_name }}
+          body_path: release-body.md
+          append_body: true
+          files: |
+            release-artifacts/sbom-*.spdx.json
+            release-artifacts/prov-*.intoto.jsonl
+
+  complete:
+    if: always()
+    needs:
+      - matrix
+      - build
+      - manifest
+      - aliases
+      - release
+    runs-on: ubuntu-24.04
+    steps:
+      - name: check upstream jobs
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+        run: exit 1