Merge branch 'main' into p25

Author: fnando

.github/workflows/binaries.yml

@@ -104,25 +104,46 @@ jobs:
           echo "STELLAR_CLI_INSTALLER_BASENAME=${installer_basename}" >> $GITHUB_ENV
           echo "STELLAR_CLI_INSTALLER=${installer_basename}.exe" >> $GITHUB_ENV
           echo "ARTIFACT_NAME=stellar-cli-${version}-x86_64-pc-windows-msvc.tar.gz" >> $GITHUB_ENV
+          echo "SM_CLIENT_CERT_FILE=D:\\sm_client_cert.p12" >> "$GITHUB_ENV"
 
       - name: Download Artifact
         uses: actions/download-artifact@v5
         with:
           name: ${{ env.ARTIFACT_NAME }}
+
       - name: Uncompress Artifact
         run: tar xvf ${{ env.ARTIFACT_NAME }}
+
       - shell: powershell
         run: winget install --id JRSoftware.InnoSetup --scope machine --silent --accept-package-agreements --accept-source-agreements --force
+
       - shell: powershell
         run: |
           $innoPath = "C:\Program Files (x86)\Inno Setup 6"
           echo $innoPath | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+
       - name: Build Installer
         shell: powershell
         run: |
           $Env:STELLAR_CLI_VERSION = "${{ env.VERSION }}"
           ISCC.exe installer.iss
           mv Output/stellar-installer.exe ${{ env.STELLAR_CLI_INSTALLER }}
+
+      - name: Setup SM_CLIENT_CERT_FILE
+        run: |
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/sm_client_cert.p12
+        shell: bash
+
+      - name: Setup Software Trust Manager
+        if:
+          github.event_name == 'release' || startsWith(github.ref, 'refs/heads/release/') || startsWith(github.head_ref, 'release/')
+        id: stm-setup
+        uses: digicert/[email protected]
+        with:
+          simple-signing-mode: true
+          keypair-alias: key_1412258126
+          input: ${{ env.STELLAR_CLI_INSTALLER }}
+
       - name: Upload Artifact
         uses: ./.github/actions/artifact-upload
         with:

cmd/soroban-cli/src/commands/contract/info/build.rs

@@ -84,16 +84,25 @@ impl Cmd {
         print.infoln(format!("Collecting GitHub attestation from {url}"));
         let resp = http::client().get(url).send().await?;
         let resp: gh_attest_resp::Root = resp.json().await?;
-        let Some(attestation) = resp.attestations.first() else {
-            return Err(Error::AttestationNotFound);
-        };
-        let Ok(payload) = base64::engine::general_purpose::STANDARD
-            .decode(&attestation.bundle.dsse_envelope.payload)
-        else {
-            return Err(Error::AttestationInvalid);
-        };
-        let payload: gh_payload::Root = serde_json::from_slice(&payload)?;
+
+        // Find the SLSA provenance attestation (not the Release attestation)
+        // GitHub may attach multiple attestations, and we need the one with predicate_type
+        // matching "https://slsa.dev/provenance/v1"
+        let payload = resp
+            .attestations
+            .iter()
+            .find_map(|attestation| {
+                let payload = base64::engine::general_purpose::STANDARD
+                    .decode(&attestation.bundle.dsse_envelope.payload)
+                    .ok()?;
+                let payload: gh_payload::Root = serde_json::from_slice(&payload).ok()?;
+
+                (payload.predicate_type == "https://slsa.dev/provenance/v1").then_some(payload)
+            })
+            .ok_or(Error::AttestationNotFound)?;
+
         print.checkln("Attestation found linked to GitHub Actions Workflow Run:");
+
         let workflow_repo = payload
             .predicate
             .build_definition
@@ -117,7 +126,7 @@ impl Cmd {
             .build_definition
             .resolved_dependencies
             .first()
-            .unwrap()
+            .ok_or(Error::AttestationInvalid)?
             .digest
             .git_commit;
         let runner_environment = payload