action.yml

name: 'Install stellar-cli'
description: 'Install the stellar-cli'
inputs:
  version:
    description: |
      Recommended for use only in testing new versions of the action prior to
      release. For regular use, use the version of the action corresponding to
      the version of the stellar-cli that should be installed.
    required: false
runs:
  using: "composite"
  steps:
  - name: Setup install path
    shell: bash
    run: |
      mkdir -p $HOME/.local/bin
      echo "$HOME/.local/bin" >> $GITHUB_PATH
  - name: Determine version to install
    id: version
    shell: bash
    run: |
      echo "version=${{ inputs.version || github.action_ref }}" >> "$GITHUB_OUTPUT"
  - name: Copy binary to install location
    shell: bash
    run: |
      version="${{ steps.version.outputs.version }}"
      case "${{ runner.os }}-${{ runner.arch }}" in
      'Linux-X64')
        os_arch=x86_64-unknown-linux-gnu
        ;;
      'Linux-ARM64')
        os_arch=aarch64-unknown-linux-gnu
        ;;
      'macOS-X64')
        os_arch=x86_64-apple-darwin
        ;;
      'macOS-ARM64')
        os_arch=aarch64-apple-darwin
        ;;
      'Windows-X64')
        os_arch=x86_64-pc-windows-msvc
        ;;
      *)
        echo "Unsupported OS / Arch pair: ${{ runner.os }} ${{ runner.arch }}" >&2
        exit 1
      esac
      file="stellar-cli-$version-$os_arch.tar.gz"
      url="https://github.com/stellar/stellar-cli/releases/download/v$version/$file"
      echo "$url"
      curl -fL "$url" | tar xvz -C $HOME/.local/bin
  - name: Verify binary against attestation
    shell: bash
    env:
      GH_TOKEN: ${{ github.token }}
    run: |
      version="${{ steps.version.outputs.version }}"
      subject="$(gh attestation verify ~/.local/bin/stellar --repo stellar/stellar-cli --format json -q '.[].verificationResult.signature.certificate.subjectAlternativeName')"
      echo "Found subject: $subject" >&2
      expected_subject="https://github.com/stellar/stellar-cli/.github/workflows/binaries.yml@refs/tags/v$version"
      echo "Expected subject: $expected_subject" >&2
      if [[ "$subject" != "$expected_subject" ]]; then
        echo "Attestation verification found unexpected subject" >&2
        exit 1
      fi