[Infra] Reproducible WASM build + size budget #32

Description

@Gbangbolaoluwagbemiga

Why this matters

Reviewers and auditors need to confirm that the deployed WASM matches the source. The build must be
reproducible and the artifact published with a checksum. A size budget prevents accidental bloat
(WASM size drives deploy cost on Soroban).

What needs to be done

  • Pin the build via rust-toolchain.toml (already present — verify it covers the wasm target)
  • Produce the optimized .wasm (stellar contract build / soroban contract optimize)
  • In release.yml, attach the optimized .wasm + its sha256sum to each GitHub Release
  • Add a CI gate failing if the optimized WASM exceeds a documented byte budget
  • Document the reproducible build steps in the README/CONTRIBUTING

Acceptance criteria

  • Two clean builds produce byte-identical WASM
  • Release contains .wasm + .sha256
  • Oversized WASM fails CI

Relevant files

.github/workflows/release.yml, rust-toolchain.toml, Cargo.toml
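
One way to script the three acceptance criteria as a CI step, added here as an example and not taken from the project's workflows. The function names are hypothetical, and the script assumes two clean builds of the optimized contract have already been written to separate paths; the byte budget is passed in by the caller.

```shell
#!/usr/bin/env bash
# Added example: release gate for an optimized contract WASM.
# Assumptions: all function names are hypothetical; the two inputs are the
# outputs of two separate clean builds; the budget is a plain byte count.

# Print the SHA-256 hex digest of a file; fail if it cannot be read.
digest() {
  local out
  out=$(sha256sum "$1") || return 1
  echo "${out%% *}"
}

# Succeed only if two build outputs are byte-identical.
check_reproducible() {
  local a b
  a=$(digest "$1") && b=$(digest "$2") || return 2
  if [ "$a" != "$b" ]; then
    echo "FAIL: builds differ ($a vs $b)" >&2
    return 1
  fi
  echo "OK: reproducible, sha256=$a"
}

# Succeed only if the artifact is within the byte budget.
check_budget() {
  local size
  size=$(wc -c < "$1") || return 2
  size=$((size))  # normalise padding that some wc implementations add
  if [ "$size" -gt "$2" ]; then
    echo "FAIL: $1 is $size bytes, budget is $2" >&2
    return 1
  fi
  echo "OK: $1 is $size bytes (budget $2)"
}

# Write <file>.sha256 next to the artifact, in the format `sha256sum -c` reads.
write_checksum() {
  ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Run every gate in order; the first failure fails the CI job.
release_gate() {
  check_reproducible "$1" "$2" && check_budget "$1" "$3" && write_checksum "$1"
}

# CI usage: gate.sh <build1.wasm> <build2.wasm> <budget-bytes>
if [ "$#" -eq 3 ]; then release_gate "$@"; fi
```

The checksum is written with the bare file name so that anyone who downloads the `.wasm` and `.sha256` from the release into one directory can verify them with `sha256sum -c`.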

Labels

  • audit: Required before / part of a security audit
  • infra: CI/CD, builds, tooling