From 01fd9ce2314ea9b2530647d13ce9117bd27f1254 Mon Sep 17 00:00:00 2001
From: Leigh <351529+leighmcculloch@users.noreply.github.com>
Date: Mon, 8 Jun 2026 15:55:20 +0000
Subject: [PATCH 1/4] retry transient network failures in install action
---
 action.yml | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
diff --git a/action.yml b/action.yml
index 87fdf1a8d0..444312de34 100644
--- a/action.yml
+++ b/action.yml
@@ -66,7 +66,20 @@ runs:
         file="stellar-cli-$version-$os_arch.tar.gz"
         url="https://github.com/stellar/stellar-cli/releases/download/v$version/$file"
         echo "$url"
-        curl -fL "$url" | tar xvz -C $HOME/.local/bin
+        # Download to a file (rather than piping straight into tar) so that
+        # curl's retries can safely restart a transfer without corrupting the
+        # tar stream. Retry on transient network failures with backoff so a
+        # single blip doesn't fail the whole job.
+        curl -fL \
+          --retry 5 \
+          --retry-delay 5 \
+          --retry-connrefused \
+          --retry-all-errors \
+          --connect-timeout 30 \
+          --max-time 300 \
+          -o "$RUNNER_TEMP/$file" \
+          "$url"
+        tar xvz -C $HOME/.local/bin -f "$RUNNER_TEMP/$file"
     - name: Verify binary against attestation
       shell: bash
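Review bot: The new `tar xvz -C $HOME/.local/bin -f "$RUNNER_TEMP/$file"` line unpacks the downloaded archive straight into the install directory, while the attestation check only runs in the following step (`Verify binary against attestation`), so an archive that later fails verification has already been placed where subsequent steps could pick it up. A safer ordering is to extract into a staging directory under `$RUNNER_TEMP` and move the binary into `~/.local/bin` only after `gh attestation verify` succeeds; a failed verify presumably still aborts the job under the runner's default bash options, but the unverified file would no longer sit in the install path in the meantime. Also quote the destination for consistency with the archive path, `tar xvz -C "$HOME/.local/bin" -f "$RUNNER_TEMP/$file"`. The install step's `run:` block starts above this hunk.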
@@ -74,7 +87,22 @@ runs:
         GH_TOKEN: ${{ github.token }}
       run: |
         version="${{ steps.version.outputs.version }}"
-        subject="$(gh attestation verify ~/.local/bin/${{ env.stellar_binary }} --repo stellar/stellar-cli --format json -q '.[].verificationResult.signature.certificate.subjectAlternativeName')"
+        # gh attestation verify hits the network, so retry on transient
+        # failures with exponential backoff before giving up.
+        attempts=5
+        delay=5
+        for attempt in $(seq 1 "$attempts"); do
+          if subject="$(gh attestation verify ~/.local/bin/${{ env.stellar_binary }} --repo stellar/stellar-cli --format json -q '.[].verificationResult.signature.certificate.subjectAlternativeName')"; then
+            break
+          fi
+          if [[ "$attempt" -eq "$attempts" ]]; then
+            echo "Attestation verification failed after $attempts attempts" >&2
+            exit 1
+          fi
+          echo "Attestation verification attempt $attempt failed; retrying in ${delay}s" >&2
+          sleep "$delay"
+          delay=$((delay * 2))
+        done
         echo "Found subject: $subject" >&2
         expected_subject="https://github.com/stellar/stellar-cli/.github/workflows/binaries.yml@refs/tags/v$version"
         echo "Expected subject: $expected_subject" >&2
From 317725bc8be7a2a8c83c595cf642b6d69aa339e8 Mon Sep 17 00:00:00 2001
From: Leigh <351529+leighmcculloch@users.noreply.github.com>
Date: Mon, 8 Jun 2026 15:58:38 +0000
Subject: [PATCH 2/4] use fixed local download path to avoid version-derived path
---
 action.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/action.yml b/action.yml
index 444312de34..068f53679e 100644
--- a/action.yml
+++ b/action.yml
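Review bot: The new `gh attestation verify ~/.local/bin/${{ env.stellar_binary }} ...` line splices a `${{ }}` expression into the script text, and the context line just above does the same with `${{ steps.version.outputs.version }}`, a value the second patch in this series itself describes as untrusted; expression expansion happens before bash ever parses the script, so such values should reach the shell as data, not as source. Pass them through the step's `env:` block next to `GH_TOKEN`, e.g. `VERSION: ${{ steps.version.outputs.version }}`, then read `version="$VERSION"` and `"$HOME/.local/bin/$stellar_binary"` (an `env`-context variable is normally also exported to the step's shell — confirm for this action). The same applies to the hunk in the fourth patch (`@@ -84,20 +84,7 @@`), which reintroduces the single-line `subject=` assignment with the inline expression. Separately, the loop here retries after a genuine signature or identity rejection as well as after network errors, which only delays a fail-closed result by the full backoff schedule; that is moot once the fourth patch removes the loop.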
@@ -69,7 +69,9 @@ runs:
         # Download to a file (rather than piping straight into tar) so that
         # curl's retries can safely restart a transfer without corrupting the
         # tar stream. Retry on transient network failures with backoff so a
-        # single blip doesn't fail the whole job.
+        # single blip doesn't fail the whole job. Use a fixed local filename
+        # so the download path never depends on the (untrusted) version string.
+        archive="$RUNNER_TEMP/stellar-cli.tar.gz"
         curl -fL \
           --retry 5 \
           --retry-delay 5 \
@@ -77,9 +79,9 @@ runs:
           --retry-all-errors \
           --connect-timeout 30 \
           --max-time 300 \
-          -o "$RUNNER_TEMP/$file" \
+          -o "$archive" \
           "$url"
-        tar xvz -C $HOME/.local/bin -f "$RUNNER_TEMP/$file"
+        tar xvz -C $HOME/.local/bin -f "$archive"
     - name: Verify binary against attestation
       shell: bash
From fb73b14101e4e2d831521c6e7a840a6e49207c3a Mon Sep 17 00:00:00 2001
From: Leigh <351529+leighmcculloch@users.noreply.github.com>
Date: Mon, 8 Jun 2026 20:22:07 +0000
Subject: [PATCH 3/4] drop low-value comments from install action
---
 action.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/action.yml b/action.yml
index 068f53679e..690bf2f4a2 100644
--- a/action.yml
+++ b/action.yml
@@ -66,11 +66,6 @@ runs:
         file="stellar-cli-$version-$os_arch.tar.gz"
         url="https://github.com/stellar/stellar-cli/releases/download/v$version/$file"
         echo "$url"
-        # Download to a file (rather than piping straight into tar) so that
-        # curl's retries can safely restart a transfer without corrupting the
-        # tar stream. Retry on transient network failures with backoff so a
-        # single blip doesn't fail the whole job. Use a fixed local filename
-        # so the download path never depends on the (untrusted) version string.
         archive="$RUNNER_TEMP/stellar-cli.tar.gz"
         curl -fL \
           --retry 5 \
@@ -89,8 +84,6 @@ runs:
         GH_TOKEN: ${{ github.token }}
       run: |
         version="${{ steps.version.outputs.version }}"
-        # gh attestation verify hits the network, so retry on transient
-        # failures with exponential backoff before giving up.
         attempts=5
         delay=5
         for attempt in $(seq 1 "$attempts"); do
From cc47d44b4c0fb2f257f3ec744325413c5248615b Mon Sep 17 00:00:00 2001
From: Leigh <351529+leighmcculloch@users.noreply.github.com>
Date: Mon, 8 Jun 2026 20:30:45 +0000
Subject: [PATCH 4/4] drop attestation retry loop; gh retries 5xx internally
---
 action.yml | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)
diff --git a/action.yml b/action.yml
index 690bf2f4a2..058ad699de 100644
--- a/action.yml
+++ b/action.yml
@@ -84,20 +84,7 @@ runs:
         GH_TOKEN: ${{ github.token }}
       run: |
         version="${{ steps.version.outputs.version }}"
-        attempts=5
-        delay=5
-        for attempt in $(seq 1 "$attempts"); do
-          if subject="$(gh attestation verify ~/.local/bin/${{ env.stellar_binary }} --repo stellar/stellar-cli --format json -q '.[].verificationResult.signature.certificate.subjectAlternativeName')"; then
-            break
-          fi
-          if [[ "$attempt" -eq "$attempts" ]]; then
-            echo "Attestation verification failed after $attempts attempts" >&2
-            exit 1
-          fi
-          echo "Attestation verification attempt $attempt failed; retrying in ${delay}s" >&2
-          sleep "$delay"
-          delay=$((delay * 2))
-        done
+        subject="$(gh attestation verify ~/.local/bin/${{ env.stellar_binary }} --repo stellar/stellar-cli --format json -q '.[].verificationResult.signature.certificate.subjectAlternativeName')"
         echo "Found subject: $subject" >&2
         expected_subject="https://github.com/stellar/stellar-cli/.github/workflows/binaries.yml@refs/tags/v$version"
         echo "Expected subject: $expected_subject" >&2