@fnando fnando commented Jan 16, 2026

What

Handle contract build info when multiple attestations are available.

$ stellar contract info build --contract-id CDV6FVU76E2UPXMXLZEBIF2PSKVXC7GGTNE6CBWNATTBYMID2FQPNO56
⚠️ This command displays information about the GitHub Actions run that attested to have built the wasm, and does not verify the source code. Please review the run, its workflow, and source code.
ℹ️ Network: Test SDF Network ; September 2015
🌎 Downloading contract spec: CDV6FVU76E2UPXMXLZEBIF2PSKVXC7GGTNE6CBWNATTBYMID2FQPNO56
ℹ️ Wasm Hash: 3c8d0b8b347752e57abe0b50380401ca8f5793bc971b685fd072571bbf5d54cc
ℹ️ Source Repo: github:stellar/sep45-reference
ℹ️ Collecting GitHub attestation from https://api.github.com/repos/stellar/sep45-reference/attestations/sha256:3c8d0b8b347752e57abe0b50380401ca8f5793bc971b685fd072571bbf5d54cc
✅ Attestation found linked to GitHub Actions Workflow Run:
    Repository: https://github.com/stellar/sep45-reference
    Ref:        refs/tags/v0.1.3
    Path:       .github/workflows/release.yml
    Git Commit: 3dcabc965f01512a631d2c0c6999786f5f6a01cd
    Runner:     github-hosted
    Run:        https://github.com/stellar/sep45-reference/actions/runs/21009985939/attempts/1
🌎 View the workflow at https://github.com/stellar/sep45-reference/blob/3dcabc965f01512a631d2c0c6999786f5f6a01cd/.github/workflows/release.yml
🌎 View the repo at https://github.com/stellar/sep45-reference/tree/3dcabc965f01512a631d2c0c6999786f5f6a01cd

Why

Close #2358

Known limitations

N/A

Copilot AI review requested due to automatic review settings January 16, 2026 20:02
@github-project-automation github-project-automation bot moved this to Backlog (Not Ready) in DevX Jan 16, 2026
@fnando fnando self-assigned this Jan 16, 2026
@fnando fnando moved this from Backlog (Not Ready) to Needs Review in DevX Jan 16, 2026

Copilot AI left a comment

Pull request overview

This pull request updates the contract build info command to handle scenarios where GitHub attaches multiple attestations to a single artifact. The fix specifically filters for the SLSA provenance attestation (with predicate type "https://slsa.dev/provenance/v1") rather than blindly using the first attestation.

Changes:

  • Modified attestation parsing logic to iterate through all attestations and filter for the SLSA provenance type
  • Replaced .unwrap() with proper error handling using .ok_or(Error::AttestationInvalid)?
  • Added comments explaining the SLSA provenance filtering requirement
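
The selection this review describes, as an added Python example that is not part of the pull request or of the stellar-cli code base (which is Rust): it decodes each attestation's in-toto statement, keeps only the SLSA provenance type, and additionally checks that the statement's subject digest matches the wasm hash. The response layout (`attestations[].bundle.dsseEnvelope.payload` holding a base64 in-toto statement) is assumed from GitHub's attestations API; the sample response, the `https://example.com/release/v1` predicate type and all function names are constructed for illustration.

```python
import base64
import json

SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"  # predicate type named in the review


class AttestationInvalid(Exception):
    """No usable SLSA provenance statement for the requested digest."""


def decode_statement(attestation):
    """Return the in-toto statement carried in the DSSE envelope payload (assumed layout)."""
    payload = attestation["bundle"]["dsseEnvelope"]["payload"]
    return json.loads(base64.b64decode(payload))


def select_provenance(response, wasm_sha256):
    """Pick the SLSA provenance statement for wasm_sha256; position in the list is irrelevant."""
    for attestation in response.get("attestations", []):
        try:
            statement = decode_statement(attestation)
            if statement["predicateType"] != SLSA_PROVENANCE_V1:
                continue  # some other attestation type attached to the same artifact
            digests = {s["digest"]["sha256"] for s in statement["subject"]}
        except (KeyError, TypeError, ValueError):
            continue  # malformed entry: skip it instead of failing on the first one
        if wasm_sha256 in digests:
            return statement
    raise AttestationInvalid(f"no {SLSA_PROVENANCE_V1} attestation for sha256:{wasm_sha256}")


def constructed_entry(predicate_type, sha256, predicate):
    """Build a constructed, unsigned attestation entry for the sample response."""
    statement = {"_type": "https://in-toto.io/Statement/v1",
                 "subject": [{"name": "contract.wasm", "digest": {"sha256": sha256}}],
                 "predicateType": predicate_type, "predicate": predicate}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"bundle": {"dsseEnvelope": {"payload": payload}}}


WASM = "3c8d0b8b347752e57abe0b50380401ca8f5793bc971b685fd072571bbf5d54cc"  # hash from the PR output
# Constructed response: a non-provenance attestation listed first, SLSA provenance second.
SAMPLE = {"attestations": [
    constructed_entry("https://example.com/release/v1", WASM, {"tag": "v0.1.3"}),
    constructed_entry(SLSA_PROVENANCE_V1, WASM, {"buildDefinition": {"buildType": "constructed"}}),
]}

if __name__ == "__main__":
    print(select_provenance(SAMPLE, WASM)["predicateType"])
```

This only selects a statement; it does not verify the bundle's signature or certificate chain.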

@fnando fnando merged commit 6df7b5d into main Jan 16, 2026
29 of 30 checks passed
@fnando fnando deleted the fix-2358 branch January 16, 2026 21:01
@github-project-automation github-project-automation bot moved this from Needs Review to Done in DevX Jan 16, 2026

Development

Successfully merging this pull request may close these issues.

stellar contract info build fails when multiple attestations exist (release + SLSA)
