Currently, we don't guarantee that. It's similar to how tools like Sentry work in that we just read the data from Git when the command is run. I am interested in providing more useful guarantees around this though. Just not clear what the ideal implementation is.
Some suggestions from Telegram group:
- Put bytecode hash in release tag and push tags to github
Hey one thing that I do is make a release tag on GitHub for the specific deployment commit. You can then point to that release tag as what's been deployed, and if you want to take it further you can hash the byte code and put that in the release tag. Ppl can then verify the bytecode deployed by hashing it and comparing themselves
- Use commit hash to clone and compile source code and compare bytecode to what's on-chain for the linked contract address
maybe a tool which does "git checkout deployment commit hash" + compilation + a match of the bytecode against what is deployed on-chain could work
Currently, we don't guarantee that. It's similar to how tools like Sentry work in that we just read the data from Git when the command is run. I am interested in providing more useful guarantees around this though. Just not clear what the ideal implementation is.
Some suggestions from Telegram group: