chore(release): v1.7.1 (#14640)

* fix(cheatcodes): fix solc 0.8.35 error keyword warning (#14509)

fix(cheatcodes): avoid solc error keyword warning

(cherry picked from commit f0bd9bb)

* chore: bump compiler version to 0.8.35 for tests (#14524)

* bump compiler version for tests

* fix CI: update gas snapshots and bump svm-rs to 0.5.25

Amp-Thread-ID: https://ampcode.com/threads/T-019dddbd-7f28-72cc-965b-d5a23ecb37ce
Co-authored-by: Amp <amp@ampcode.com>

* make fmt

Amp-Thread-ID: https://ampcode.com/threads/T-019dddbd-7f28-72cc-965b-d5a23ecb37ce
Co-authored-by: Amp <amp@ampcode.com>

* fix: add blockTimestamp to LegacyTransactionResult for testRpcTransactionByHash

DRPC now returns a blockTimestamp field, which shifts ABI decoding offsets
and breaks the test.

Amp-Thread-ID: https://ampcode.com/threads/T-019dddbd-7f28-72cc-965b-d5a23ecb37ce
Co-authored-by: Amp <amp@ampcode.com>

---------

Co-authored-by: Amp <amp@ampcode.com>
(cherry picked from commit 470d048)

* fix(ci): use `PATH_USD` fallback fee token in Mail templates (#14546)

(cherry picked from commit e8d0d89)

* fix(forge): ignore ETH_RPC_URL for test forking (#14555)

Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
Co-authored-by: Mablr <59505383+mablr@users.noreply.github.com>
(cherry picked from commit 6c9bbea)

* fix(cli): fix jsonwebtoken panic (#14562)

`cast` panicked with this message coming from jsonwebtoken:

```
Call CryptoProvider::install_default() before this point to select a provider manually, or make sure exactly one of the
'rust_crypto' and 'aws_lc_rs' features is enabled.
See the documentation of the CryptoProvider type for more information.
```

This seemingly was introduced with the bump of jsonwebtoken to 10. Now
it requires you to pick one backend used by default controlled by the
compile time cargo features or call `CryptoProvider::install_default()`
at the beginning.

I realized that probably it would be better to just select the feature
and I picked `aws_lc_rs` as it seems to be increasingly a default and
we already are using the C toolchain.

Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
(cherry picked from commit 6e40f56)

* ci: sign release archives, docker images, and publish SBOMs (#14563)

- release.yml: emit per-archive sha256 + SPDX SBOM (Syft), cosign
  keyless sign-blob of the archive, and use actions/attest@v4 for both
  build provenance and SBOM attestations. Upload all artifacts to the
  draft release.
- docker-publish.yml: enable BuildKit SBOM, capture the build digest,
  cosign keyless sign each pushed tag, and publish a Sigstore-signed
  SLSA provenance attestation via actions/attest with push-to-registry.
- SECURITY.md: document how external users verify archives and the
  docker image (gh attestation, cosign, plain sha256, buildx imagetools).
- README.md: link to the new verification section.

(cherry picked from commit 3e7f0ed)

* fix(ci): increase permissions for the enhanced attestation writing (#14584)

* increase permissions for artifact writing

* apply write permissions to release-docker

(cherry picked from commit 1fd6466)

* fix(forge): encode Tempo creates as AA calls (#14585)

(cherry picked from commit 8b44ae6)

* fix(cli): fix release version strings for immutable tags, bump to 1.7.1 (#14496)

* Fix release version metadata for immutable tags

Amp-Thread-ID: https://ampcode.com/threads/T-019dd617-b29f-7409-8523-9858a1504f17
Co-authored-by: Amp <amp@ampcode.com>

* Derive nightly release suffix from commit SHA

Amp-Thread-ID: https://ampcode.com/threads/T-019dd617-b29f-7409-8523-9858a1504f17
Co-authored-by: Amp <amp@ampcode.com>

* Apply suggestion from @zerosnacks

* Apply suggestion from @zerosnacks

* Apply suggestion from @zerosnacks

* bump to v1.7.1

* avoid appending whole sha hash, not necessary, handle version cmp correctly. after v1.7.1 release we need to bump to v1.7.2 for nightlies following it to compare correctly

* Make foundryVersionCmp tolerate new version format and add tests

- Strip both pre-release ('-nightly', '-dev') and build metadata ('+<sha>.<ts>.<profile>') from SEMVER_VERSION before comparison so the cheatcode keeps working for tagged releases (which have no '-' separator).
- Extract strip_semver_metadata helper and add Rust unit tests covering all SEMVER_VERSION shapes, version_cmp ordering, and parse_version rejection of pre-release/build/garbage input.
- Extend the Solidity test suite for vm.getFoundryVersion()/foundryVersionCmp/foundryVersionAtLeast: validate MAJOR.MINOR.PATCH parseability, build profile value, cmp/atLeast invariant, and error paths for invalid user-supplied versions.

Amp-Thread-ID: https://ampcode.com/threads/T-019dd971-fcb7-7149-9680-f0134130844c
Co-authored-by: Amp <amp@ampcode.com>

* fix(test): drop view from solidity tests using assert helpers and fix fmt

- assertTrue/assertEq aren't view, so testGetFoundryVersionBuildProfile and testFoundryVersionCmpAndAtLeastAreConsistent can't be view either.
- Collapse the buildType assertion onto one line to satisfy forge fmt.

Amp-Thread-ID: https://ampcode.com/threads/T-019dd971-fcb7-7149-9680-f0134130844c
Co-authored-by: Amp <amp@ampcode.com>

* test(version): assert build profile is non-empty instead of debug|release

The dist profile (used for distributed release binaries) is also valid; just require non-empty so any future profile works.

Amp-Thread-ID: https://ampcode.com/threads/T-019dd971-fcb7-7149-9680-f0134130844c
Co-authored-by: Amp <amp@ampcode.com>

* Normalize nightly-<sha> to nightly in release_version

Ensures tarball and Docker nightly artifacts produce the same version
string. The commit identifier is already included in the SemVer build
metadata (after `+`), so collapsing `nightly-<sha>` to `nightly`
avoids duplicating the SHA in the pre-release tag.

Co-authored-by: Amp <amp@ampcode.com>
Amp-Thread-ID: https://ampcode.com/threads/T-019df79e-d4c9-707c-85eb-2efbf59160b3

---------

Co-authored-by: Centaur AI <ai@centaur.local>
Co-authored-by: Amp <amp@ampcode.com>
Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
Co-authored-by: zerosnacks <zerosnacks@protonmail.com>
(cherry picked from commit a70d4aa)

* fix(evm): query `state_snapshot.storage` in `ForkDbStateSnapshot::storage_ref` (#14007)

* fix(evm): query `state_snapshot.storage` in `ForkDbStateSnapshot::storage_ref`

* test(evm): cover `ForkDbStateSnapshot::storage_ref` snapshot lookup

(cherry picked from commit fa5429a)

* fix(cast): consistent `--json` output for `keychain` subcommands (#14590)

- `keychain rl`: wrap remaining limit in `{"remaining":"..."}` object
  instead of emitting a bare JSON string
- `keychain policy add-call`: emit
  `{"status":"already_present","target":"..."}`
  when the rule already exists, instead of plain text
- `send_keychain_tx`: wrap sponsor hash in `{"sponsor_hash":"0x..."}`
  object when --tempo.print-sponsor-hash is used with --json

Add CLI tests covering the rl and sponsor-hash JSON output shapes.

(cherry picked from commit 7916719)

* fix(cheatcodes): transfer value for payable mock calls (#14547)

* test: updated tests

* fix: execute value transfer

* test: improve

* imp: review item

* test: vm.prank test

* imp: moved mocked-call handling after prank application

---------

Co-authored-by: Mablr <59505383+mablr@users.noreply.github.com>
(cherry picked from commit f2e09d2)

* fix(forge): `--fuzz-seed` parameter is not effective in `forge coverage` (#14610)

fix --fuzz-seed not effective in forge coverage

(cherry picked from commit bd9cf55)

* fix(cheatcodes): enforce `expectRevert` reverter address for CREATE frames (#14615)

* fix(cheatcodes): enforce `expectRevert` reverter address for CREATE
frames

The reverter address argument to `vm.expectRevert` was silently ignored
when the innermost reverting frame was a CREATE (top-level or nested),
because create_end never populated `expected_revert.reverted_by`.

Mirror call_end's logic in create_end: when the outcome reverts and a
reverter address is expected, record outcome.address (revm guarantees
this is Some(would-be address) whenever the constructor executed).

Adds positive regression tests for top-level and nested-CREATE reverts,
and a negative regression test asserting wrong-reverter now fails.

Co-authored-by: Amp <amp@ampcode.com>

* improve coverage

* add Derek's suggested test cases

* fix: forge fmt for ExpectRevert.t.sol

Amp-Thread-ID: https://ampcode.com/threads/T-019dfdc5-5414-70b6-9f49-cb5797a37a29
Co-authored-by: Amp <amp@ampcode.com>

---------

Co-authored-by: Amp <amp@ampcode.com>
Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
(cherry picked from commit 85cd75c)

* fix(cheatcodes): preserve reverts with `expectEmit` (#14619)

* test: added regression test

* fix: re-order revert handling

* refactor: simplify

* lint: fmt

* polish: tighten comment, extend test with revert reason and custom error

Amp-Thread-ID: https://ampcode.com/threads/T-019dfd96-7a03-7249-8c10-af20ee2729f5
Co-authored-by: Amp <amp@ampcode.com>

---------

Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
Co-authored-by: Amp <amp@ampcode.com>
(cherry picked from commit 2e8ae6c)

* fix(evm): preserve `CREATE` address on revert in isolation mode (#14637)

(cherry picked from commit 9584c6c)

* chore(clippy): fix for_kv_map and useless_borrows_in_formatting (#14554)

* chore(clippy): fix for_kv_map and useless_borrows_in_formatting

Amp-Thread-ID: https://ampcode.com/threads/T-019df0f9-62e7-74b8-bd5e-da2acce678fb
Co-authored-by: Amp <amp@ampcode.com>

* chore(clippy): drop redundant borrows in cheatcodes assert formatters

Amp-Thread-ID: https://ampcode.com/threads/T-019df0f9-62e7-74b8-bd5e-da2acce678fb
Co-authored-by: Amp <amp@ampcode.com>

---------

Co-authored-by: Amp <amp@ampcode.com>
(cherry picked from commit 84d3873)

* fix(ext): bump forge-std commit in external integration tests (#14504)

bump forge commit

(cherry picked from commit 024820c)

* chore(tests): bump forge-std version (#14510)

chore: bump forge-std version used for tests

Co-authored-by: zerosnacks <95942363+zerosnacks@users.noreply.github.com>
(cherry picked from commit 5766929)

* fix(config): suppress spurious unknown-key warning for `network` (#14534)

* fix(config): suppress spurious unknown-key warning for `network`

The `network` field in `NetworkConfigs` had `skip_serializing_if =
"Option::is_none"`, so it was missing from the serialized default
`Config`. The warnings provider builds its allowed-keys set from that
serialized default, so a valid `network = "tempo"` entry in
foundry.toml triggered:

    Warning: Found unknown `network` config for profile `default`
    defined in foundry.toml.

Replace `skip_serializing_if` with `#[serde(default)]` so `network`
appears (as null) in the default config and is recognized as a known
profile key. TOML output is unchanged (None is omitted by toml-rs);
only the JSON snapshot in `test_default_config` needed updating.

Amp-Thread-ID: https://ampcode.com/threads/T-019ddec8-2f04-7255-b8bf-70c1ce2a996d
Co-authored-by: Amp <amp@ampcode.com>

* test(config): add regression tests for network/tempo unknown-key warnings

Cover both the new `network = "tempo"` form and the legacy
`tempo = true` alias to ensure neither triggers UnknownKey warnings.

Amp-Thread-ID: https://ampcode.com/threads/T-019ddec8-2f04-7255-b8bf-70c1ce2a996d
Co-authored-by: Amp <amp@ampcode.com>

* fix(config): canonicalize network field on serialization

Previously, with `network = "tempo"` set, `forge config` would emit
both:

    network = "tempo"
    tempo = false

which is misleading — the legacy boolean alias contradicts the resolved
network. Conversely, with `tempo = true` (legacy), the output omitted
`network` entirely, hiding the actual resolved network.

Make `NetworkConfigs` use a custom `Serialize` impl that:

- Always emits the *resolved* network as the canonical `network = "..."`
  field.
- Never emits the legacy `tempo` / `optimism` boolean aliases (they are
  still accepted as deserialize-only aliases for backward compatibility).
- Continues to emit `celo` and `bypass_prevrandao` as before.

This ensures consistent output regardless of input form:

    network = "tempo"  (canonical)   →  network = "tempo"
    tempo = true        (legacy)       →  network = "tempo"
    optimism = true     (legacy)       →  network = "optimism"

Both legacy keys are added to `BACKWARD_COMPATIBLE_KEYS` in the
warnings provider so they don't trigger unknown-key warnings on input.
Test snapshots updated accordingly.

Amp-Thread-ID: https://ampcode.com/threads/T-019ddec8-2f04-7255-b8bf-70c1ce2a996d
Co-authored-by: Amp <amp@ampcode.com>

* style: cargo fmt

Amp-Thread-ID: https://ampcode.com/threads/T-019ddec8-2f04-7255-b8bf-70c1ce2a996d
Co-authored-by: Amp <amp@ampcode.com>

---------

Co-authored-by: Amp <amp@ampcode.com>
(cherry picked from commit 95bf101)

* feat(forge): use network = "tempo" and add rpc_endpoints in tempo template (#14528)

* feat(forge): use network = "tempo" and add rpc_endpoints in tempo template

Amp-Thread-ID: https://ampcode.com/threads/T-019dddff-1855-752f-b136-bd0465462ac8
Co-authored-by: Amp <amp@ampcode.com>

* feat(forge): add eth_rpc_url = "tempo" to tempo template

Amp-Thread-ID: https://ampcode.com/threads/T-019dddff-1855-752f-b136-bd0465462ac8
Co-authored-by: Amp <amp@ampcode.com>

* style: cargo fmt

Amp-Thread-ID: https://ampcode.com/threads/T-019dddff-1855-752f-b136-bd0465462ac8
Co-authored-by: Amp <amp@ampcode.com>

* fix: drop eth_rpc_url from tempo template (would silently fork all tests)

Amp-Thread-ID: https://ampcode.com/threads/T-019dddff-1855-752f-b136-bd0465462ac8
Co-authored-by: Amp <amp@ampcode.com>

* refactor: build tempo template foundry.toml in a single toml serialize

Amp-Thread-ID: https://ampcode.com/threads/T-019dddff-1855-752f-b136-bd0465462ac8
Co-authored-by: Amp <amp@ampcode.com>

---------

Co-authored-by: Amp <amp@ampcode.com>
(cherry picked from commit 323bceb)

* ci(tempo): align ci-tempo workflow with master, drop fork-schedule test step

Backport of CI Tempo workflow updates (#14501, #14537, #14556) so the
v1.7.1 release branch matches master:

- Devnet checks run on PR and push (re-enabled)
- Devnet wallet tests run on PR and push
- Testnet/mainnet checks moved to nightly schedule only
- Nightly failure issue creation

The 'Check Tempo fork schedule compatibility' step is intentionally
omitted: the underlying tempo::tests::test_fork_schedule_parses_configured_rpcs
test was added in #14485 (Tempo deps bump) which is not part of v1.7.1.

Amp-Thread-ID: https://ampcode.com/threads/T-019e01cd-cea5-72e8-8338-5f0594e06335
Co-authored-by: Amp <amp@ampcode.com>

---------

Co-authored-by: figtracer <me@figtracer.com>
Co-authored-by: Amp <amp@ampcode.com>
Co-authored-by: Mablr <59505383+mablr@users.noreply.github.com>
Co-authored-by: Sergei Shulepov <s.pepyakin@gmail.com>
Co-authored-by: grandizzy <38490174+grandizzy@users.noreply.github.com>
Co-authored-by: Derek Cofausper <256792747+decofe@users.noreply.github.com>
Co-authored-by: Centaur AI <ai@centaur.local>
Co-authored-by: zerosnacks <zerosnacks@protonmail.com>
Co-authored-by: Nikki <gutonosa@protonmail.com>
Co-authored-by: srdtrk <59252793+srdtrk@users.noreply.github.com>
Co-authored-by: lazymio <mio@lazym.io>
Co-authored-by: stevencartavia <112043913+stevencartavia@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: 13 people

.github/TEMPO_NIGHTLY_FAILURE_TEMPLATE.md

@@ -0,0 +1,10 @@
+---
+title: "bug: tempo nightly workflow failed"
+labels: P-high, T-bug
+---
+
+The nightly Tempo workflow (mainnet and testnet checks) has failed. This indicates a regression in Foundry's Tempo support or an issue with the Tempo mainnet/testnet endpoints.
+
+Check the [tempo nightly workflow page]({{ env.WORKFLOW_URL }}) for details.
+
+This issue was raised by the workflow at `.github/workflows/ci-tempo.yml`.

.github/workflows/ci-tempo.yml

@@ -6,6 +6,8 @@ on:
   push:
     branches: [master]
   pull_request:
+  schedule:
+    - cron: "0 2 * * *" # Run daily at 2 AM UTC (offset from other nightlies)
   workflow_dispatch:
     inputs:
       network:
@@ -59,36 +61,28 @@ jobs:
           cargo build --profile dev --locked -p forge -p cast -p anvil -p chisel
           echo "${{ github.workspace }}/target/debug" >> "$GITHUB_PATH"
 
-      # TODO: re-enable once devnet is up and stable
-      # - name: Run Tempo check on devnet
-      #   if: |
-      #     github.event_name == 'pull_request' ||
-      #     github.event.inputs.network == 'devnet' ||
-      #     github.event.inputs.network == 'all'
-      #   env:
-      #     ETH_RPC_URL: ${{ secrets.TEMPO_DEVNET_RPC_URL }}
-      #     SCRIPTS: ${{ github.event.inputs.scripts || 'both' }}
-      #   run: |
-      #     if [ "$SCRIPTS" = "check" ] || [ "$SCRIPTS" = "both" ]; then
-      #       ./.github/scripts/tempo-check.sh
-      #     fi
-      #     if [ "$SCRIPTS" = "deploy" ] || [ "$SCRIPTS" = "both" ]; then
-      #       ./.github/scripts/tempo-deploy.sh
-      #     fi
-
-      # TODO: re-enable once devnet is up and stable
-      # - name: Run Tempo wallet tests on devnet
-      #   if: |
-      #     github.event_name == 'pull_request' ||
-      #     github.event.inputs.network == 'devnet' ||
-      #     github.event.inputs.network == 'all'
-      #   env:
-      #     ETH_RPC_URL: ${{ secrets.TEMPO_DEVNET_RPC_URL }}
-      #   run: ./.github/scripts/tempo-wallet.sh
+      - name: Run Tempo check on mainnet
+        if: |
+          github.event_name == 'schedule' ||
+          github.event.inputs.network == 'mainnet' ||
+          github.event.inputs.network == 'all'
+        env:
+          ETH_RPC_URL: ${{ secrets.TEMPO_MAINNET_RPC_URL }}
+          TEMPO_FEE_TOKEN: "0x20c0000000000000000000000000000000000000"
+          VERIFIER_URL: ${{ secrets.VERIFIER_URL }}
+          PRIVATE_KEY: ${{ secrets.THROW_AWAY_MAINNET_PKEY }}
+          SCRIPTS: ${{ github.event.inputs.scripts || 'both' }}
+        run: |
+          if [ "$SCRIPTS" = "check" ] || [ "$SCRIPTS" = "both" ]; then
+            ./.github/scripts/tempo-check.sh
+          fi
+          if [ "$SCRIPTS" = "deploy" ] || [ "$SCRIPTS" = "both" ]; then
+            ./.github/scripts/tempo-deploy.sh
+          fi
 
       - name: Run Tempo check on testnet
         if: |
-          github.event_name == 'pull_request' ||
+          github.event_name == 'schedule' ||
           github.event.inputs.network == 'testnet' ||
           github.event.inputs.network == 'all'
         env:
@@ -103,15 +97,14 @@ jobs:
             ./.github/scripts/tempo-deploy.sh
           fi
 
-      - name: Run Tempo check on mainnet
+      - name: Run Tempo check on devnet
         if: |
-          github.event.inputs.network == 'mainnet' ||
+          github.event_name == 'push' ||
+          github.event_name == 'pull_request' ||
+          github.event.inputs.network == 'devnet' ||
           github.event.inputs.network == 'all'
         env:
-          ETH_RPC_URL: ${{ secrets.TEMPO_MAINNET_RPC_URL }}
-          TEMPO_FEE_TOKEN: "0x20c0000000000000000000000000000000000000"
-          VERIFIER_URL: ${{ secrets.VERIFIER_URL }}
-          PRIVATE_KEY: ${{ secrets.THROW_AWAY_MAINNET_PKEY }}
+          ETH_RPC_URL: ${{ secrets.TEMPO_DEVNET_RPC_URL }}
           SCRIPTS: ${{ github.event.inputs.scripts || 'both' }}
         run: |
           if [ "$SCRIPTS" = "check" ] || [ "$SCRIPTS" = "both" ]; then
@@ -120,3 +113,35 @@ jobs:
           if [ "$SCRIPTS" = "deploy" ] || [ "$SCRIPTS" = "both" ]; then
             ./.github/scripts/tempo-deploy.sh
           fi
+
+      - name: Run Tempo wallet tests on devnet
+        if: |
+          github.event_name == 'push' ||
+          github.event_name == 'pull_request' ||
+          github.event.inputs.network == 'devnet' ||
+          github.event.inputs.network == 'all'
+        env:
+          ETH_RPC_URL: ${{ secrets.TEMPO_DEVNET_RPC_URL }}
+        run: ./.github/scripts/tempo-wallet.sh
+
+  # If the nightly run fails, this will create an issue to signal so.
+  issue:
+    name: Open an issue
+    runs-on: ubuntu-latest
+    needs: [tempo-check]
+    if: failure() && github.event_name == 'schedule'
+    permissions:
+      contents: read
+      issues: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WORKFLOW_URL: |
+            ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        with:
+          update_existing: true
+          filename: .github/TEMPO_NIGHTLY_FAILURE_TEMPLATE.md

.github/workflows/docker-publish.yml

@@ -32,6 +32,8 @@ jobs:
     name: build and push
     runs-on: depot-ubuntu-latest
     permissions:
+      attestations: write
+      artifact-metadata: write
       contents: read
       id-token: write
       packages: write
@@ -92,6 +94,7 @@ jobs:
         uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1.7.1
 
       - name: Build and push Foundry image
+        id: build
         uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
         with:
           build-args: |
@@ -106,3 +109,30 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           no-cache: true
+          sbom: true
+          provenance: mode=max
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+
+      - name: Sign image with cosign (keyless)
+        env:
+          DOCKER_TAGS: ${{ steps.docker_tagging.outputs.docker_tags }}
+          DIGEST: ${{ steps.build.outputs.digest }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          IFS=',' read -r -a tags <<< "$DOCKER_TAGS"
+          for tag in "${tags[@]}"; do
+            # Strip any tag suffix and pin to immutable digest, then sign.
+            ref="${tag%%:*}@${DIGEST}"
+            printf 'Signing %s\n' "$ref"
+            cosign sign --yes "$ref"
+          done
+
+      - name: Image build provenance attestation
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true

.github/workflows/release.yml

@@ -71,7 +71,7 @@ jobs:
 
       - name: Build changelog
         id: build_changelog
-        uses: mikepenz/release-changelog-builder-action@bcae7115752d4ed746ff92feb666574428a79415 # v6.2
+        uses: mikepenz/release-changelog-builder-action@bcae7115752d4ed746ff92feb666574428a79415 # v6.2.1
         with:
           configuration: "./.github/changelog.json"
           fromTag: ${{ steps.release_info.outputs.from_tag || '' }}
@@ -117,6 +117,8 @@ jobs:
     needs: prepare
     uses: ./.github/workflows/docker-publish.yml
     permissions:
+      attestations: write
+      artifact-metadata: write
       contents: read
       id-token: write
       packages: write
@@ -129,9 +131,10 @@ jobs:
   # way, GitHub's immutable-releases setting seals the release at publish.
   release:
     permissions:
-      id-token: write
-      contents: write
       attestations: write
+      artifact-metadata: write
+      contents: write
+      id-token: write
     name: release ${{ matrix.target }} (${{ matrix.runner }})
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 240
@@ -264,6 +267,38 @@ jobs:
             printf "file_name=%s\n" "foundry_${VERSION_NAME}_${PLATFORM_NAME}_${ARCH}.zip" >> "$GITHUB_OUTPUT"
           fi
           printf "foundry_attestation=%s\n" "foundry_${VERSION_NAME}_${PLATFORM_NAME}_${ARCH}.attestation.txt" >> "$GITHUB_OUTPUT"
+          printf "foundry_sbom=%s\n" "foundry_${VERSION_NAME}_${PLATFORM_NAME}_${ARCH}.spdx.json" >> "$GITHUB_OUTPUT"
+          printf "foundry_checksum=%s\n" "foundry_${VERSION_NAME}_${PLATFORM_NAME}_${ARCH}.sha256" >> "$GITHUB_OUTPUT"
+          printf "foundry_signature=%s\n" "foundry_${VERSION_NAME}_${PLATFORM_NAME}_${ARCH}.sigstore.json" >> "$GITHUB_OUTPUT"
+
+      - name: Generate archive checksum
+        env:
+          FILE_NAME: ${{ steps.artifacts.outputs.file_name }}
+          FOUNDRY_CHECKSUM: ${{ steps.artifacts.outputs.foundry_checksum }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          if command -v sha256sum >/dev/null 2>&1; then
+            sha256sum "$FILE_NAME" > "$FOUNDRY_CHECKSUM"
+          else
+            shasum -a 256 "$FILE_NAME" > "$FOUNDRY_CHECKSUM"
+          fi
+          cat "$FOUNDRY_CHECKSUM"
+
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
+
+      - name: Generate SBOM (SPDX)
+        env:
+          FOUNDRY_SBOM: ${{ steps.artifacts.outputs.foundry_sbom }}
+          VERSION_NAME: ${{ (env.IS_NIGHTLY == 'true' && 'nightly') || needs.prepare.outputs.tag_name }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          syft scan dir:. \
+            --source-name foundry \
+            --source-version "$VERSION_NAME" \
+            -o spdx-json="$FOUNDRY_SBOM"
 
       - name: Upload build artifacts
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -292,15 +327,37 @@ jobs:
           tar -czvf "foundry_man_${VERSION_NAME}.tar.gz" forge.1.gz cast.1.gz anvil.1.gz chisel.1.gz
           printf 'foundry_man=%s\n' "foundry_man_${VERSION_NAME}.tar.gz" >> "$GITHUB_OUTPUT"
 
-      - name: Binaries attestation
+      - name: Binaries and archive provenance attestation
         id: attestation
-        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
           subject-path: |
             ${{ env.anvil_bin_path }}
             ${{ env.cast_bin_path }}
             ${{ env.chisel_bin_path }}
             ${{ env.forge_bin_path }}
+            ${{ steps.artifacts.outputs.file_name }}
+
+      - name: Archive SBOM attestation
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-path: ${{ steps.artifacts.outputs.file_name }}
+          sbom-path: ${{ steps.artifacts.outputs.foundry_sbom }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+
+      - name: Sign archive with cosign (keyless)
+        env:
+          FILE_NAME: ${{ steps.artifacts.outputs.file_name }}
+          FOUNDRY_SIGNATURE: ${{ steps.artifacts.outputs.foundry_signature }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          cosign sign-blob \
+            --yes \
+            --bundle "$FOUNDRY_SIGNATURE" \
+            "$FILE_NAME"
 
       - name: Record attestation URL
         env:
@@ -321,11 +378,20 @@ jobs:
           TAG_NAME: ${{ needs.prepare.outputs.tag_name }}
           FILE_NAME: ${{ steps.artifacts.outputs.file_name }}
           FOUNDRY_ATTESTATION: ${{ steps.artifacts.outputs.foundry_attestation }}
+          FOUNDRY_SBOM: ${{ steps.artifacts.outputs.foundry_sbom }}
+          FOUNDRY_CHECKSUM: ${{ steps.artifacts.outputs.foundry_checksum }}
+          FOUNDRY_SIGNATURE: ${{ steps.artifacts.outputs.foundry_signature }}
           FOUNDRY_MAN: ${{ steps.man.outputs.foundry_man }}
         shell: bash
         run: |
           set -euo pipefail
-          files=("$FILE_NAME" "$FOUNDRY_ATTESTATION")
+          files=(
+            "$FILE_NAME"
+            "$FOUNDRY_ATTESTATION"
+            "$FOUNDRY_SBOM"
+            "$FOUNDRY_CHECKSUM"
+            "$FOUNDRY_SIGNATURE"
+          )
           if [[ -n "${FOUNDRY_MAN:-}" ]]; then
             files+=("$FOUNDRY_MAN")
           fi