Conversation
There was a problem hiding this comment.
Pull request overview
Adds a CI-time check to ensure WASM builds produced by the freshly built stellar-cli Docker image are reproducible (byte-identical outputs across repeated clean builds), using representative upstream Soroban example contracts.
Changes:
- Introduces
scripts/repro-test.shto clonestellar/soroban-examplesand run a double-build + hash comparison per contract. - Extends the
buildworkflow to run the reproducibility check after the existing smoke test.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/repro-test.sh | New repro test driver: clones examples repo, builds each contract twice in the image, compares produced WASM hashes. |
| .github/workflows/build.yml | Adds a “wasm reproducibility” step to run the new script against the just-built local image. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a WASM-reproducibility check to the smoke-build workflow. For each of three representative contracts pulled from
stellar/soroban-examples(tracked onmain), the test builds twice inside the just-built image withtarget/wiped between builds and asserts the resulting.wasmartifacts are byte-identical.scripts/repro-test.sh— clones a contracts repo into a temp dir, then runs the double-build against each named contract. Defaults tostellar/soroban-examples@mainand the three contractstoken,liquidity_pool,atomic_swap.--repo,--rev,--contract,--keep-workdiroverrides. Cleanup trap uses docker to wipe thetarget/directories the container wrote as root, so the script leaves no mess on Linux CI either..github/workflows/build.yml— new step after the existing smoke test callsrepro-test.shagainst the freshly-built local image. Adds roughly 3–5 minutes per CI run.Why
WASM reproducibility is the property SEP-58 verifiers rest on — without it the whole
bldimgmechanism is meaningless. The earlier PRs in this series (publish, attestation, release) all assume this property holds. This PR proves it on every PR run, against real-world contracts that consumers actually build.Notable choices
stellar/soroban-examples, not in this repo. The test driver clones at CI time. This mirrors how a real consumer uses the image (clone their contracts,docker runthe build) and avoids the drift / hand-sync burden of vendoring third-party sources.main, don't pin. A pinned release tag would hide upstream regressions until the next manual bump. Trackingmainmeans an upstream change that breaks reproducibility — whether in the contracts themselves or revealing a bug in our image — surfaces in our CI immediately. Occasional upstream flakes are a worthwhile price for catching real breakage early.token(largest, full token spec +soroban-token-sdkdep),liquidity_pool(arithmetic-heavy with anum-integerexternal dep),atomic_swap(multi-party auth). Different SDK surfaces and codegen paths — broader catch than a single hello-world.docker run --entrypoint sh -v "$dir:/source" "$image" -c 'rm -rf target && stellar contract build --locked && sha256sum target/.../*.wasm'. Single container per hash; cleanup happens inside the container so file ownership stays sane on Linux CI.Depends on
#4 (
attest) — this branch is based on it. Base auto-updates tomainonce #4 merges.Verification
Ran locally against
stellar-cli:26.0.0-rust1.94.0. All three contracts produce stable hashes across two clean-target builds;tokenwas verified twice — once againstv23.0.0and once against currentmain— and reproduced cleanly in both states (different content hashes, but stable across the double-build, which is the property we care about).shellcheckclean on the new script. End-to-end behavior verifiable by opening this PR — thebuildworkflow's newwasm reproducibilitystep should be green.