Verifiable Deployment Framework for Soroban

Every contract sealed to its source

Deterministic builds. Automated deployment. Cryptographic certification. SoroSeal links every Soroban smart contract to its exact source code, commit, and deployment record. Publicly verifiable, forever.

Start Verifying Coming Soon See How It Works
Deployment Certificate
{
  "repo": "stellar-org/token-contract",
  "commit": "a1b2c3d",
  "wasm_hash": "sha256:e3b0c44298fc...",
  "contract_id": "CDLZFC3S...2HHGCYSC",
  "network": "mainnet",
  "ledger": 48291037,
  "timestamp": "2026-03-09T12:00:00Z"
}
SHA-256 Artifact Hashing
100% Reproducible Builds
On-Chain Deployment Registry
Zero Custody of Funds
IPFS Metadata Anchoring
Core Capabilities

Built for trust-minimized deployments

Every component of SoroSeal is designed to eliminate ambiguity between source code and deployed contracts. No hidden processes, no black boxes.

WASM · SHA-256

Deterministic Builds

Compile Soroban contracts deterministically. The same source code always produces the same WASM, across any machine, any environment.

RPC · Ledger

Soroban Deployment Engine

Deploy compiled WASM directly to Soroban Testnet, Futurenet, or Mainnet. Retrieve your contract ID instantly.

CI/CD · Attestation

GitHub Certification

Every deployment leaves an immutable certificate in your repository. Commit comments, PR annotations, and structured metadata.

Automation · YAML

GitHub Actions

Official Action for seamless CI/CD. Automated build, deploy, and certify on every merge to main.

Soroban · Registry

On-Chain Registry

Soroban contract storing commit hash to contract ID mappings. Query any deployment, verify any provenance.

IPFS · CID

IPFS Anchoring

Deployment certificates stored on IPFS for decentralized, tamper-resistant metadata availability. CIDs anchored on-chain.

The Pipeline

From commit to certificate

Five steps. Fully automated. Every deployment produces a verifiable, immutable record linking your code to the chain.

01

Commit

Push code to your repository

02

Build

Deterministic WASM compilation

03

Hash

SHA-256 artifact verification

04

Deploy

Submit to Soroban network

05

Certify

Immutable on-chain record

.github/workflows/deploy.yml 
name: Deploy with SoroSeal
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build & Deploy
        uses: soroseal/action@v1
        with:
          network: testnet
          source_dir: ./contracts
        env:
          SOROBAN_SECRET_KEY: ${{ secrets.DEPLOYER_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Verification Model

Proof, not promises

Deployment Certificate

Every SoroSeal deployment produces a cryptographically signed JSON certificate. It contains the repository, commit hash, WASM hash, contract ID, network, ledger number, and timestamp. Anyone can independently verify authenticity using SoroSeal's public key.

  • Deterministic certificate generation
  • Cryptographic signature verification
  • Public accessibility via GitHub, Dashboard, or IPFS

On-Chain Registry

A Soroban smart contract stores immutable mappings between commit hashes and contract IDs. Query any contract and get its exact provenance. 

fn get_by_contract(
  contract_id: Address
) -> Result<DeploymentRecord, Error>

// Returns:
// - repo reference
// - commit hash
// - wasm hash
// - deployment timestamp

Public Explorer

Input any contract ID, repository URL, and commit hash. The explorer rebuilds the WASM, compares hashes, and confirms or denies the match.

Contract ID CDLZFC3S...2HHGCYSC
Status ✓ Verified
Hash Match ✓ Identical
Security Model

Trust-minimized by design

No Fund Custody

Users pay their own network fees directly. SoroSeal never holds, manages, or has access to deployment funds.

Deterministic Enforcement

Locked toolchain versions and Docker-based builds guarantee identical WASM output across all environments.

Hash-Based Verification

SHA-256 hashing of every artifact. No contract can be modified or swapped without detection.

No Server-Side Keys

Private keys remain in CI secrets, encrypted and environment-scoped. SoroSeal never stores signing material.

Transparent Sustainability

On-chain economics

No hidden fees. No off-chain billing. No custody. Every transaction is publicly auditable on the ledger.

Total Cost
deployment_fee + vault_fee
50% Network
50% SoroSeal Vault

Vault Contract

Collects maintenance fees, records deployment references, and funds long-term development. Every deposit is linked to a deployer address and contract ID.

Full Transparency

Vault transaction hash, deployment transaction hash, ledger number, amount paid, deployer address. All visible on the dashboard and any blockchain explorer.

Technology

Production-grade infrastructure

Core

  • Rust Soroban contracts
  • Node.js / TypeScript CLI + GitHub integration
  • Soroban RPC Network communication

CI/CD

  • GitHub Actions Workflow automation
  • Deterministic Docker Reproducible environment
  • Locked Toolchains Version pinning

Optional

  • IPFS Certificate storage
  • Registry Contract On-chain index
  • React + TypeScript Explorer frontend

Seal your deployments.
Verify everything.

Integrate SoroSeal into your Soroban workflow today. Deterministic builds, automated certification, and publicly verifiable provenance. One GitHub Action.

View on GitHub Coming Soon