openbook-dex · binyebarwe · Dec 23, 2023 · Dec 23, 2023 · Dec 23, 2023 · Dec 23, 2023
diff --git a/.github/workflows/release-verifiable-build.yml b/.github/workflows/release-verifiable-build.yml
@@ -0,0 +1,59 @@
+name: Verifiable Release
+
+on:
+  push:
+    tags:
+      ['v*']
+
+env:
+  APP_NAME: 'openbook_v2'
+  SOLANA_VERSION: '1.16.1'
+  ANCHOR_VERSION: '0.28.0'
+
+jobs:
+  build:
+    name: Verifiable Release Artifacts
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+
+      - name: Cache dependencies
+        uses: Swatinem/rust-cache@v2
+
+      - name: Setup Anchor
+        run: |
+          cargo install --git https://github.com/coral-xyz/anchor --rev 4e5280be46d859ba1c57fabe4c3916bec742fd69 anchor-cli --locked --force
+
+      - name: Verifiable Build
+        run: |
+          anchor build --verifiable --docker-image backpackapp/build:v${{ env.ANCHOR_VERSION }} --solana-version ${{ env.SOLANA_VERSION }} -- --features enable-gpl
+
+      - name: Generate Checksum
+        run: |
+          echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> $GITHUB_ENV
+          mv ./target/verifiable/${{ env.APP_NAME }}.so ./target/verifiable/${{ env.APP_NAME }}-${{ github.ref_name }}.so
+
+      # Complete supply chain inventory used for release
+      - name: Generate SBOM
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'cyclonedx'
+          output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'
+
+      - name: Update Release
+        id: create_release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.ref_name }}
+          name: ${{ github.ref_name }}
+          body: |
+            OpenBook V2 release: ${{ github.ref_name }}
+            Build sha256: ${{ env.CHECKSUM }}
+            GitHub commit: ${{ github.sha }}
+          files: |
+            ./target/verifiable/${{ env.APP_NAME }}-${{ github.ref_name }}.so
+            ./${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json
diff --git a/programs/openbook-v2/Cargo.toml b/programs/openbook-v2/Cargo.toml
@@ -29,6 +29,7 @@ arbitrary = { version = "~1.0", features = ["derive"], optional = true }
 raydium-amm-v3 = { git = "https://github.com/raydium-io/raydium-clmm.git", features = ["cpi"] }
 arrayref = "0.3.6"
 bytemuck = { version = "^1.7.2", features = ["derive", "min_const_generics"] }
+default-env = "0.1.1"
 derivative = "2.2.0"
 fixed = { workspace = true, features = ["serde", "borsh", "debug-assert-in-release"] }
 itertools = "0.10.3"

diff --git a/programs/openbook-v2/src/lib.rs b/programs/openbook-v2/src/lib.rs
@@ -624,7 +624,7 @@ pub struct PlaceTakeOrderArgs {
 
 // Add security details to explorer.solana.com
 #[cfg(not(feature = "no-entrypoint"))]
-use solana_security_txt::security_txt;
+use {default_env::default_env, solana_security_txt::security_txt};
 
 #[cfg(not(feature = "no-entrypoint"))]
 security_txt! {
@@ -634,5 +634,7 @@ security_txt! {
     policy: "https://github.com/openbook-dex/openbook-v2/blob/master/SECURITY.md",
     preferred_languages: "en",
     source_code: "https://github.com/openbook-dex/openbook-v2",
-    auditors: "https://github.com/openbook-dex/openbook-v2/blob/master/audit/openbook_audit.pdf"
+    auditors: "https://github.com/openbook-dex/openbook-v2/blob/master/audit/openbook_audit.pdf",
+    source_revision: default_env!("GITHUB_SHA", "Unknown source revision"),
+    source_release: default_env!("GITHUB_REF_NAME", "Unknown source release")
 }