Open
Labels: bug (Something isn't working)
Description
What version are you using?
23.4.1
What did you do?
stellar contract info build --contract-id CDV6FVU76E2UPXMXLZEBIF2PSKVXC7GGTNE6CBWNATTBYMID2FQPNO56
What did you expect to see?
The command should return build provenance info from the SLSA attestation (the GitHub Actions run details) without error.
What did you see instead?
stellar contract info build --contract-id CDV6FVU76E2UPXMXLZEBIF2PSKVXC7GGTNE6CBWNATTBYMID2FQPNO56
⚠️ This command displays information about the GitHub Actions run that attested to have built the wasm, and does not verify the source code. Please review the run, its workflow, and source code.
ℹ️ Network: Test SDF Network ; September 2015
🌎 Downloading contract spec: CDV6FVU76E2UPXMXLZEBIF2PSKVXC7GGTNE6CBWNATTBYMID2FQPNO56
ℹ️ Wasm Hash: 3c8d0b8b347752e57abe0b50380401ca8f5793bc971b685fd072571bbf5d54cc
ℹ️ Source Repo: github:stellar/sep45-reference
ℹ️ Collecting GitHub attestation from https://api.github.com/repos/stellar/sep45-reference/attestations/sha256:3c8d0b8b347752e57abe0b50380401ca8f5793bc971b685fd072571bbf5d54cc
❌ error: missing field `buildDefinition` at line 1 column 568
Additional context
There are multiple attestations for this Wasm because GitHub attached a Release attestation to the release, and the command expects the provenance attestation first. I suspect this was added because the release is immutable.
curl -s "https://api.github.com/repos/stellar/sep45-reference/attestations/sha256:3c8d0b8b347752e57abe0b50380401ca8f5793bc971b685fd072571bbf5d54cc" |
jq '{count: (.attestations | length), predicate_types: [.attestations[].bundle.dsseEnvelope.payload | @base64d | fromjson | .predicateType]}'
{
"count": 2,
"predicate_types": [
"https://in-toto.io/attestation/release/v0.2",
"https://slsa.dev/provenance/v1"
]
}
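One way to pick the provenance attestation by `predicateType` instead of list position, as an added example that is not part of the original issue and not the stellar-cli code. The sample response is constructed (placeholder build type, builder id and release predicate); only the Wasm hash and the two predicate types come from the issue.

```python
import base64
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
WASM_SHA256 = "3c8d0b8b347752e57abe0b50380401ca8f5793bc971b685fd072571bbf5d54cc"  # from the issue


def _bundle(predicate_type, predicate, digest=WASM_SHA256):
    """Build a constructed attestation entry shaped like the API response."""
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "contract.wasm", "digest": {"sha256": digest}}],
            "predicateType": predicate_type, "predicate": predicate}
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return {"bundle": {"dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json", "payload": payload}}}


# Constructed sample: release attestation first, provenance second (as in the issue).
SAMPLE = {"attestations": [
    _bundle("https://in-toto.io/attestation/release/v0.2", {"tag": "v0.0.0-example"}),
    _bundle(SLSA_V1, {"buildDefinition": {"buildType": "https://example.invalid/build"},
                      "runDetails": {"builder": {"id": "https://example.invalid/builder"}}}),
]}


def select_provenance(response, wasm_sha256):
    """Return the SLSA v1 predicate whose subject digest matches wasm_sha256.

    Selection is by predicateType, never by index. The DSSE signature is not
    verified here; that is a separate step.
    """
    for att in response.get("attestations", []):
        env = att.get("bundle", {}).get("dsseEnvelope", {})
        try:
            stmt = json.loads(base64.b64decode(env.get("payload") or "", validate=True))
        except ValueError:
            continue  # undecodable payload: skip it rather than abort the lookup
        if not isinstance(stmt, dict) or stmt.get("predicateType") != SLSA_V1:
            continue  # e.g. the release attestation GitHub attaches to a release
        digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
        predicate = stmt.get("predicate", {})
        if wasm_sha256 in digests and "buildDefinition" in predicate:
            return predicate
    raise LookupError("no SLSA v1 provenance attestation for this wasm hash")
```
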
Status: Backlog (Not Ready)