diff --git a/.github/workflows/release-verifiable-build.yml b/.github/workflows/release-verifiable-build.yml
new file mode 100644
index 000000000..87c02870e
--- /dev/null
+++ b/.github/workflows/release-verifiable-build.yml
@@ -0,0 +1,59 @@
+name: Verifiable Release
+
+on:
+ push:
+ tags:
+ ['v*']
+
+env:
+ APP_NAME: 'openbook_v2'
+ SOLANA_VERSION: '1.16.1'
+ ANCHOR_VERSION: '0.28.0'
+
+jobs:
+ build:
+ name: Verifiable Release Artifacts
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ submodules: 'recursive'
+
+ - name: Cache dependencies
+ uses: Swatinem/rust-cache@v2
+
+ - name: Setup Anchor
+ run: |
+ cargo install --git https://github.com/coral-xyz/anchor --rev 4e5280be46d859ba1c57fabe4c3916bec742fd69 anchor-cli --locked --force
+
+ - name: Verifiable Build
+ run: |
+ anchor build --verifiable --docker-image backpackapp/build:v${{ env.ANCHOR_VERSION }} --solana-version ${{ env.SOLANA_VERSION }} -- --features enable-gpl
+
+ - name: Generate Checksum
+ run: |
+ echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> $GITHUB_ENV
+ mv ./target/verifiable/${{ env.APP_NAME }}.so ./target/verifiable/${{ env.APP_NAME }}-${{ github.ref_name }}.so
+
+ # Complete supply chain inventory used for release
+ - name: Generate SBOM
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'cyclonedx'
+ output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'
+
+ - name: Update Release
+ id: create_release
+ uses: softprops/action-gh-release@v1
+ with:
+ tag_name: ${{ github.ref_name }}
+ name: ${{ github.ref_name }}
+ body: |
+ OpenBook V2 release: ${{ github.ref_name }}
+ Build sha256: ${{ env.CHECKSUM }}
+ GitHub commit: ${{ github.sha }}
+ files: |
+ ./target/verifiable/${{ env.APP_NAME }}-${{ github.ref_name }}.so
+ ./${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json
\ No newline at end of file
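Review bot: The `Generate SBOM` step uses `aquasecurity/trivy-action@master`, a mutable branch ref, inside the job that produces and publishes the release artifacts, so whatever that branch resolves to on release day runs with this job's token and filesystem; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<pinned-sha-or-tag>` (placeholder, resolve against the action's current release), and consider the same SHA pinning for `actions/checkout@v3`, `Swatinem/rust-cache@v2` and `softprops/action-gh-release@v1`, as is already done for the `anchor-cli` install via `--rev`. The workflow declares no `permissions:` block, so the `Update Release` step depends on the repository's default `GITHUB_TOKEN` scope; declaring `permissions:` with `contents: write` on the `build` job makes the required scope explicit and keeps everything else read-only. `ANCHOR_VERSION: '0.28.0'` selects the `backpackapp/build` image while `anchor-cli` comes from a pinned git rev, and nothing on the page shows that the two correspond, so a comment on the `Setup Anchor` step such as `# rev must match the anchor release used for the verifiable build image (ANCHOR_VERSION)` would document the coupling. Note that `anchor build --verifiable` compiles inside the docker image, so the `GITHUB_SHA`/`GITHUB_REF_NAME` values baked into security.txt by the lib.rs change in this commit only reach the build if they are forwarded into the container.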
diff --git a/programs/openbook-v2/Cargo.toml b/programs/openbook-v2/Cargo.toml
index 10d204381..23f4eb18d 100644
--- a/programs/openbook-v2/Cargo.toml
+++ b/programs/openbook-v2/Cargo.toml
@@ -29,6 +29,7 @@ arbitrary = { version = "~1.0", features = ["derive"], optional = true }
 raydium-amm-v3 = { git = "https://github.com/raydium-io/raydium-clmm.git", features = ["cpi"] }
 arrayref = "0.3.6"
 bytemuck = { version = "^1.7.2", features = ["derive", "min_const_generics"] }
+default-env = "0.1.1"
 derivative = "2.2.0"
 fixed = { workspace = true, features = ["serde", "borsh", "debug-assert-in-release"] }
 itertools = "0.10.3"
diff --git a/programs/openbook-v2/src/lib.rs b/programs/openbook-v2/src/lib.rs
index 821230dec..39d4f9f2d 100644
--- a/programs/openbook-v2/src/lib.rs
+++ b/programs/openbook-v2/src/lib.rs
@@ -624,7 +624,7 @@ pub struct PlaceTakeOrderArgs {
 
 // Add security details to explorer.solana.com
 #[cfg(not(feature = "no-entrypoint"))]
-use solana_security_txt::security_txt;
+use {default_env::default_env, solana_security_txt::security_txt};
 
 #[cfg(not(feature = "no-entrypoint"))]
 security_txt! {
@@ -634,5 +634,7 @@ security_txt! {
 policy: "https://github.com/openbook-dex/openbook-v2/blob/master/SECURITY.md",
 preferred_languages: "en",
 source_code: "https://github.com/openbook-dex/openbook-v2",
-auditors: "https://github.com/openbook-dex/openbook-v2/blob/master/audit/openbook_audit.pdf"
+auditors: "https://github.com/openbook-dex/openbook-v2/blob/master/audit/openbook_audit.pdf",
+source_revision: default_env!("GITHUB_SHA", "Unknown source revision"),
+source_release: default_env!("GITHUB_REF_NAME", "Unknown source release")
 }
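Review bot: `source_revision` and `source_release` are resolved at compile time by `default_env!`, so the value embedded in the on-chain security.txt is whatever `GITHUB_SHA` / `GITHUB_REF_NAME` the cargo process that builds the `.so` sees, and the fallback strings `Unknown source revision` / `Unknown source release` are silently baked in otherwise. The release workflow added in this commit builds with `anchor build --verifiable`, which runs the compiler inside a docker container, so unless those two variables are explicitly forwarded into the container the verifiable artifact will carry the fallback text, which defeats the purpose of the change; anchor-cli has an `-e`/`--env` build option for passing variables into the container (verify it exists at the pinned rev), e.g. `anchor build --verifiable -e GITHUB_SHA=${{ github.sha }} -e GITHUB_REF_NAME=${{ github.ref_name }} ...`. A post-build check that the `.so` does not contain the literal `Unknown source revision` would catch a regression in that plumbing. A brief comment on the `source_revision` line, such as `// Populated from CI env at compile time; builds outside CI (or docker builds without the env forwarded) get the fallback string`, would make the behavior clear to whoever reads the explorer output. The `security_txt!` invocation starts in the preceding hunk, outside this one.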