Skip to main content
ClaudeWave
Slash Command65 repo starsupdated yesterday

setup-ci-cd

Setup CI/CD pipeline with automated security checks for Solana programs

View sourceRepository: solana-ai-kit
Install in Claude Code
Copy
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/solanabr/solana-ai-kit/HEAD/.claude/commands/setup-ci-cd.md -o ~/.claude/commands/setup-ci-cd.md
Then start a new Claude Code session; the slash command loads automatically.
Definition

setup-ci-cd.md

You are setting up a CI/CD pipeline for Solana program development. Modern Solana development requires automated security checks on every commit.

## Related Skills

- [deployment.md](../skills/deployment.md) - CI/CD patterns and workflows
- [testing.md](../skills/testing.md) - Test automation
- [security.md](../skills/security.md) - Security automation

## Overview

This command creates a GitHub Actions workflow that automatically:
- Builds programs with verifiable builds
- Runs comprehensive tests (unit, integration, fuzz)
- Performs security audits (cargo audit, clippy)
- Validates code formatting
- Generates security reports

## Step 1: Create GitHub Actions Workflow

```bash
# Create .github/workflows directory
mkdir -p .github/workflows

# Create workflow file
cat > .github/workflows/solana-security.yml << 'EOF'
name: Solana Security Pipeline

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

env:
  SOLANA_VERSION: '2.1.0'
  ANCHOR_VERSION: '0.31.1'
  RUST_VERSION: '1.82.0'

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          components: clippy, rustfmt

      - name: Cache Cargo dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}

      - name: Install Solana
        run: |
          sh -c "$(curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install)"
          echo "$HOME/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH

      - name: Install Anchor
        run: |
          cargo install --git https://github.com/coral-xyz/anchor --tag v${{ env.ANCHOR_VERSION }} anchor-cli --locked

      - name: Format Check
        run: cargo fmt --all -- --check

      - name: Clippy Security Lints
        run: |
          cargo clippy --all-targets --all-features -- \
            -W clippy::all \
            -W clippy::pedantic \
            -W clippy::unwrap_used \
            -W clippy::expect_used \
            -W clippy::arithmetic_side_effects \
            -D warnings

      - name: Cargo Audit
        run: |
          cargo install cargo-audit
          cargo audit

      - name: Build Programs
        run: anchor build

      - name: Run Tests
        run: |
          # Unit tests
          cargo test
          # Integration tests
          anchor test --skip-deploy

      - name: Security Report
        if: always()
        run: |
          echo "## Security Audit Report" >> $GITHUB_STEP_SUMMARY
          echo "- ✅ Format check passed" >> $GITHUB_STEP_SUMMARY
          echo "- ✅ Clippy security lints passed" >> $GITHUB_STEP_SUMMARY
          echo "- ✅ Cargo audit passed" >> $GITHUB_STEP_SUMMARY
          echo "- ✅ All tests passed" >> $GITHUB_STEP_SUMMARY

  verifiable-build:
    name: Verifiable Build
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}

      - name: Install Anchor
        run: |
          cargo install --git https://github.com/coral-xyz/anchor --tag v${{ env.ANCHOR_VERSION }} anchor-cli --locked

      - name: Verifiable Build
        run: anchor build --verifiable

      - name: Upload Build Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: verifiable-build
          path: |
            target/deploy/*.so
            target/idl/*.json

  fuzz-testing:
    name: Fuzz Testing
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}

      - name: Install Trident
        run: cargo install trident-cli

      - name: Run Fuzz Tests
        run: |
          cd trident-tests
          trident fuzz run --timeout 300
        timeout-minutes: 10
        continue-on-error: true

      - name: Upload Fuzz Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: fuzz-results
          path: trident-tests/hfuzz_workspace/
EOF

echo "✅ GitHub Actions workflow created: .github/workflows/solana-security.yml"
```

## Step 2: Create Pre-commit Hooks

```bash
# Create pre-commit hook
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/bash
set -e

echo "🔍 Running pre-commit security checks..."

# Format check
echo "📝 Checking code formatting..."
cargo fmt --all -- --check || {
    echo "❌ Format check failed. Run 'cargo fmt' to fix."
    exit 1
}

# Clippy check
echo "🔎 Running Clippy security lints..."
cargo clippy --all-targets -- \
    -W clippy::unwrap_used \
    -W clippy::expect_used \
    -W clippy::arithmetic_side_effects \
    -D warnings || {
    echo "❌ Clippy found issues. Please fix before committing."
    exit 1
}

# Quick test
if [ -f "Anchor.toml" ]; then
    echo "🧪 Running quick tests..."
    cargo test --lib || {
        echo "❌ Tests failed. Please fix before committing."
        exit 1
    }
fi

echo "✅ All pre-commit checks passed!"
EOF

# Make executable
chmod +x .git/hooks/pre-commit

echo "✅ Pre-commit hook installed"
```

## Step 3: Create Security Checklist Template

```bash
# Create pull request template
mkdir -p .github

cat > .github/PULL_REQUEST_TEMPLATE.md << 'EOF'
## Description
<!-- Describe your changes -->

## Security Checklist

### Code Quality
- [ ] Code is formatted (`cargo fmt`)
- [ ] Clippy passes with security lints
- [ ] No `unwra
More from this repository
anchor-engineerSubagent

Anchor framework specialist for rapid Solana program development. Use for building programs with Anchor macros, IDL generation, account validation, and standardized patterns. Prioritizes developer experience while maintaining security.\\n\\nUse when: Building new programs quickly, team projects needing standardization, projects requiring IDL for client generation, or when developer experience is prioritized over maximum CU optimization.

defi-engineerSubagent

DeFi integration specialist for composing with Solana protocols including Jupiter, Drift, Kamino, Raydium, Orca, Meteora, Marginfi, and Sanctum. Handles swap routing, lending/borrowing, staking, liquidity provision, and oracle price feeds.\n\nUse when: Integrating DeFi protocols, building swap interfaces, implementing lending/borrowing, setting up yield strategies, working with Pyth/Switchboard oracles, or composing multi-protocol transactions.

devops-engineerSubagent

CI/CD, infrastructure, and deployment specialist for Solana projects. Handles GitHub Actions, Docker, monitoring, RPC management, and Cloudflare Workers edge deployment.\n\nUse when: Setting up CI/CD pipelines, containerizing Solana validators or programs, configuring monitoring and alerting, managing RPC infrastructure, deploying edge workers, or automating build and deploy workflows.

game-architectSubagent

Senior Solana game architect for game system design, Unity/C# architecture, on-chain game state, player progression, NFT integration, and PlaySolana ecosystem. Use for high-level game design decisions, architecture reviews, and planning complex game systems.\n\nUse when: Designing new Solana games from scratch, planning game state on-chain, Unity project architecture, integrating with PlaySolana/PSG1, or deciding between implementation approaches.

mobile-engineerSubagent

React Native and Expo specialist for building Solana mobile dApps. Handles mobile wallet adapter integration, transaction signing UX, deep linking, and mobile-specific performance optimization.\n\nUse when: Building React Native or Expo mobile apps with Solana integration, implementing mobile wallet adapter flows, setting up deep links for transaction signing, or optimizing mobile dApp performance.

pinocchio-engineerSubagent

CU optimization specialist using Pinocchio framework. Use for performance-critical programs requiring 80-95% CU reduction vs Anchor. Specializes in zero-copy access, manual validation, and minimal binary size.\\n\\nUse when: CU limits are being hit, transaction costs are significant at scale, binary size must be minimized, or maximum throughput is required.

rust-backend-engineerSubagent

Rust backend specialist for building async services that interact with Solana blockchain. Builds APIs, indexing services, and off-chain processing using Axum, Tokio, and modern async patterns.\n\nUse when: Building REST/WebSocket APIs for Solana dApps, implementing transaction indexers, creating webhook services, or any Rust backend that interacts with Solana.

solana-architectSubagent

Senior Solana program architect for system design, account structures, PDA schemes, token economics, and cross-program composability. Use for high-level design decisions, architecture reviews, and planning complex multi-program systems.\n\nUse when: Designing new programs from scratch, planning account structures, optimizing PDA schemes, reviewing architecture for security, or deciding between implementation approaches.