stellar · fnando · May 26, 2026 · May 19, 2026 · May 19, 2026 · May 19, 2026
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -34,11 +34,34 @@ jobs:
           dockerfile: Dockerfile
           config: .hadolint.yaml
 
+  shellcheck:
+    name: shellcheck
+    runs-on: ubuntu-24.04
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: shellcheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
+        with:
+          scandir: scripts
+          severity: style
+
+  matrix-smoke:
+    name: resolve-matrix smoke
+    runs-on: ubuntu-24.04
+    steps:
+      - name: checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: resolve and validate matrix
+        run: ./scripts/resolve-matrix.sh | jq -e '.include | length > 0' >/dev/null
+
   complete:
     if: always()
     needs:
       - json
       - dockerfile
+      - shellcheck
+      - matrix-smoke
     runs-on: ubuntu-24.04
     steps:
       - name: check upstream jobs

diff --git a/.shellcheckrc b/.shellcheckrc
@@ -0,0 +1,14 @@
+# Follow `source` directives so SC1091 doesn't fire on every lib/common.sh.
+external-sources=true
+
+# Resolve `# shellcheck source=...` paths relative to the script being
+# checked, so `source=lib/common.sh` works from any script under scripts/
+# regardless of the working directory shellcheck is invoked from.
+source-path=SCRIPTDIR
+
+# SC2016 fires whenever a single-quoted string contains `$something`, but
+# we use single-quoted jq expressions like '.foo[$v]' all over the place
+# where `$v` is a jq variable (passed via `--arg v ...`), not a bash one.
+# Disabling globally; if a real bash escape mistake creeps in, code review
+# is the safety net.
+disable=SC2016
diff --git a/Dockerfile b/Dockerfile
@@ -12,7 +12,6 @@ ARG RUST_VERSION
 ARG RUST_IMAGE_DIGEST
 ARG STELLAR_CLI_REV
 ARG STELLAR_CLI_VERSION
-ARG VARIANT=standard
 ARG BUILD_DATE
 ARG BUILDS_JSON_SHA
 
@@ -52,7 +51,6 @@ ARG RUST_VERSION
 ARG RUST_IMAGE_DIGEST
 ARG STELLAR_CLI_REV
 ARG STELLAR_CLI_VERSION
-ARG VARIANT
 ARG BUILD_DATE
 ARG BUILDS_JSON_SHA
 ARG TARGETARCH
@@ -100,6 +98,5 @@ LABEL org.opencontainers.image.title="stellar-cli" \
       org.stellar.stellar-cli-ref="${STELLAR_CLI_REV}" \
       org.stellar.stellar-cli-version="${STELLAR_CLI_VERSION}" \
       org.stellar.wasm-target="wasm32v1-none" \
-      org.stellar.variant="${VARIANT}" \
       org.stellar.build-arch="${TARGETARCH}" \
       org.stellar.builds-json-sha="${BUILDS_JSON_SHA}"
diff --git a/builds.json b/builds.json
@@ -24,6 +24,5 @@
       ],
       "version": "26.0.0"
     }
-  ],
-  "variants": []
+  ]
 }
diff --git a/builds.schema.json b/builds.schema.json
@@ -80,65 +80,11 @@
       },
       "minItems": 1,
       "type": "array"
-    },
-    "variants": {
-      "description": "Bespoke (stellar-cli, rust) combinations published under prefixed tags (e.g. :l0-...). Fully specified; do not participate in :<cli> or :latest aliases.",
-      "items": {
-        "additionalProperties": false,
-        "properties": {
-          "cli_ref": {
-            "$ref": "#/definitions/git_sha",
-            "description": "stellar/stellar-cli commit SHA this variant is built from."
-          },
-          "cli_version": {
-            "$ref": "#/definitions/semver",
-            "description": "stellar-cli version label for this variant. Goes into tags and labels."
-          },
-          "description": {
-            "description": "Human-readable explanation of why this variant exists.",
-            "type": "string"
-          },
-          "labels": {
-            "additionalProperties": {
-              "type": "string"
-            },
-            "description": "Extra OCI labels merged on top of the defaults for this variant.",
-            "type": "object"
-          },
-          "name": {
-            "description": "Short identifier used as the tag prefix, e.g. l0.",
-            "pattern": "^[a-z][a-z0-9-]*$",
-            "type": "string"
-          },
-          "rust_version": {
-            "$ref": "#/definitions/rust_version",
-            "description": "Pinned rust toolchain for this variant. Must be a key in rust_image_digests."
-          },
-          "tags": {
-            "description": "Optional extra tag aliases for this variant, in addition to the canonical :<name>-<cli>-rust<rust> form.",
-            "items": {
-              "type": "string"
-            },
-            "type": "array",
-            "uniqueItems": true
-          }
-        },
-        "required": [
-          "cli_ref",
-          "cli_version",
-          "description",
-          "name",
-          "rust_version"
-        ],
-        "type": "object"
-      },
-      "type": "array"
     }
   },
   "required": [
     "rust_image_digests",
-    "stellar_cli_versions",
-    "variants"
+    "stellar_cli_versions"
   ],
   "title": "stellar-cli-docker builds.json",
   "type": "object"

diff --git a/scripts/build-image.sh b/scripts/build-image.sh
@@ -5,7 +5,7 @@
 
 set -euo pipefail
 
-script_dir="$(CDPATH= builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+script_dir="$(CDPATH='' builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck source=lib/common.sh
 source "$script_dir/lib/common.sh"
 
@@ -23,24 +23,21 @@ Options:
                                host's native architecture.
   --tag <ref>                  Override the local tag. Default:
                                stellar-cli:<cli>-rust<rust>
-  --variant <name>             Used for the org.stellar.variant label and
-                               for variants[] entries. Default: standard
   --help                       Show this message.
 
 The script builds locally only. Publishing is handled by a separate script.
 EOF
 }
 
 main() {
-  local cli="" rust="" platform="" tag="" variant="standard"
+  local cli="" rust="" platform="" tag=""
 
   while [ $# -gt 0 ]; do
     case "$1" in
       --stellar-cli-version) cli="$2"; shift 2;;
       --rust-version)        rust="$2"; shift 2;;
       --platform)            platform="$2"; shift 2;;
       --tag)                 tag="$2"; shift 2;;
-      --variant)             variant="$2"; shift 2;;
       -h|--help)             usage; exit 0;;
       *)                     err "unknown argument: $1"; usage; exit 1;;
     esac
@@ -82,7 +79,6 @@ main() {
     --build-arg "RUST_IMAGE_DIGEST=$rust_digest" \
     --build-arg "STELLAR_CLI_REV=$stellar_ref" \
     --build-arg "STELLAR_CLI_VERSION=$cli" \
-    --build-arg "VARIANT=$variant" \
     --build-arg "BUILD_DATE=$build_date" \
     --build-arg "BUILDS_JSON_SHA=$builds_json_sha" \
     --tag "$tag" \

diff --git a/scripts/lib/common.sh b/scripts/lib/common.sh
@@ -11,6 +11,7 @@ repo_root() {
 }
 
 BUILDS_JSON_PATH="$(repo_root)/builds.json"
+# shellcheck disable=SC2034  # consumed by validate-json.sh which sources this file
 BUILDS_SCHEMA_PATH="$(repo_root)/builds.schema.json"
 
 log() {

diff --git a/scripts/newest-pair.sh b/scripts/newest-pair.sh
@@ -6,7 +6,7 @@
 
 set -euo pipefail
 
-script_dir="$(CDPATH= builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+script_dir="$(CDPATH='' builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck source=lib/common.sh
 source "$script_dir/lib/common.sh"
 

diff --git a/scripts/refresh-rust-digests.sh b/scripts/refresh-rust-digests.sh
@@ -9,7 +9,7 @@
 
 set -euo pipefail
 
-script_dir="$(CDPATH= builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+script_dir="$(CDPATH='' builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck source=lib/common.sh
 source "$script_dir/lib/common.sh"
 
@@ -88,6 +88,7 @@ main() {
       --format '{{.Manifest.Digest}}')"
     test -n "$new_digest" || die "empty digest returned for rust:${v}-slim-bookworm"
     log "  -> $new_digest"
+    # shellcheck disable=SC2034  # `updates` is consumed by apply_updates via `local -n`
     updates["$v"]="$new_digest"
   done <<<"$versions"
 

diff --git a/scripts/refresh-stellar-cli-digests.sh b/scripts/refresh-stellar-cli-digests.sh
@@ -9,7 +9,7 @@
 
 set -euo pipefail
 
-script_dir="$(CDPATH= builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+script_dir="$(CDPATH='' builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck source=lib/common.sh
 source "$script_dir/lib/common.sh"
 
@@ -88,6 +88,7 @@ main() {
     sha="$(resolve_tag_commit "v${v}")"
     test -n "$sha" || die "could not resolve tag v${v} in $STELLAR_CLI_REPO"
     log "  -> $sha"
+    # shellcheck disable=SC2034  # `resolved` is consumed by apply_updates via `local -n`
     resolved["$v"]="$sha"
   done <<<"$versions"
 

diff --git a/scripts/resolve-matrix.sh b/scripts/resolve-matrix.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# Read builds.json and emit a JSON matrix suitable for `fromJson()` in a
+# GitHub Actions workflow. The output drives per-image build jobs.
+#
+# For each stellar_cli_versions[] entry, for each rust in that entry's
+# rust_versions, emits one row per architecture (amd64, arm64). Rows carry
+# the inputs build-image.sh needs plus the precomputed arch suffix for
+# callers that don't want to translate the platform string themselves.
+
+set -euo pipefail
+
+script_dir="$(CDPATH='' builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck source=lib/common.sh
+source "$script_dir/lib/common.sh"
+
+usage() {
+  cat <<'EOF'
+Usage: scripts/resolve-matrix.sh [--compact|--pretty] [--help]
+
+Prints {"include": [...]} on stdout. Each include entry has:
+  arch                  amd64 | arm64
+  platform              linux/amd64 | linux/arm64
+  rust_version          e.g. 1.94.0
+  stellar_cli_version   e.g. 26.0.0
+
+Options:
+  --compact   One-line JSON (default; matches what fromJson() consumes).
+  --pretty    Pretty-printed JSON, for human inspection.
+  --help      Show this message.
+EOF
+}
+
+main() {
+  local mode="compact"
+
+  while [ $# -gt 0 ]; do
+    case "$1" in
+      --compact) mode="compact"; shift;;
+      --pretty)  mode="pretty"; shift;;
+      -h|--help) usage; exit 0;;
+      *)         err "unknown argument: $1"; usage; exit 1;;
+    esac
+  done
+
+  preflight_checks jq
+
+  local jq_flags=(-c)
+  if [ "$mode" = "pretty" ]; then
+    jq_flags=()
+  fi
+
+  builds_json "${jq_flags[@]}" '
+    def archs: ["amd64", "arm64"];
+    def row(cli; rust; arch):
+      {
+        arch: arch,
+        platform: ("linux/" + arch),
+        rust_version: rust,
+        stellar_cli_version: cli
+      };
+
+    {
+      include:
+        [ .stellar_cli_versions[]
+          | . as $e
+          | $e.rust_versions[] as $rust
+          | archs[] as $arch
+          | row($e.version; $rust; $arch)
+        ]
+    }
+  '
+}
+
+main "$@"
diff --git a/scripts/smoke-test-image.sh b/scripts/smoke-test-image.sh
@@ -8,7 +8,7 @@
 
 set -euo pipefail
 
-script_dir="$(CDPATH= builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+script_dir="$(CDPATH='' builtin cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck source=lib/common.sh
 source "$script_dir/lib/common.sh"
 
@@ -18,7 +18,6 @@ Usage: scripts/smoke-test-image.sh \
          --image <ref> \
          --stellar-cli-version <v> \
          --rust-version <v> \
-         [--variant <name>] \
          [--help]
 
 Required:
@@ -30,26 +29,24 @@ Required:
   --rust-version <v>           The rust version the image should label with.
 
 Options:
-  --variant <name>             Expected org.stellar.variant value. Default: standard
   --help                       Show this message.
 
 Checks:
   1. `stellar version --only-version` equals --stellar-cli-version.
   2. `stellar contract build --help` exits 0 (no network).
   3. Labels org.stellar.stellar-cli-version, org.stellar.rust-version,
-     org.stellar.wasm-target, org.stellar.variant all match expectations.
+     and org.stellar.wasm-target match expectations.
 EOF
 }
 
 main() {
-  local image="" cli="" rust="" variant="standard"
+  local image="" cli="" rust=""
 
   while [ $# -gt 0 ]; do
     case "$1" in
       --image)               image="$2"; shift 2;;
       --stellar-cli-version) cli="$2"; shift 2;;
       --rust-version)        rust="$2"; shift 2;;
-      --variant)             variant="$2"; shift 2;;
       -h|--help)             usage; exit 0;;
       *)                     err "unknown argument: $1"; usage; exit 1;;
     esac
@@ -64,7 +61,7 @@ main() {
   local rc=0
   check_version_output "$image" "$cli" || rc=1
   check_contract_build_help "$image"   || rc=1
-  check_labels "$image" "$cli" "$rust" "$variant" || rc=1
+  check_labels "$image" "$cli" "$rust" || rc=1
 
   if [ "$rc" -eq 0 ]; then
     log "smoke-test: image $image passed all checks"
@@ -99,7 +96,7 @@ check_contract_build_help() {
 }
 
 check_labels() {
-  local image="$1" cli="$2" rust="$3" variant="$4"
+  local image="$1" cli="$2" rust="$3"
   log "checking org.stellar.* labels ..."
 
   local labels
@@ -109,7 +106,6 @@ check_labels() {
   assert_label "$labels" "org.stellar.stellar-cli-version" "$cli" || rc=1
   assert_label "$labels" "org.stellar.rust-version" "$rust" || rc=1
   assert_label "$labels" "org.stellar.wasm-target" "wasm32v1-none" || rc=1
-  assert_label "$labels" "org.stellar.variant" "$variant" || rc=1
   if [ "$rc" -eq 0 ]; then
     log "  ok"
   fi
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,6 +24,5 @@ @@
           ],
           "version": "26.0.0"
         }
-      ],
-      "variants": []
+      ]
     }