# setup-ci-cd
Setup CI/CD pipeline with automated security checks for Solana programs

```bash
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/solanabr/solana-ai-kit/HEAD/.claude/commands/setup-ci-cd.md -o ~/.claude/commands/setup-ci-cd.md
```
You are setting up a CI/CD pipeline for Solana program development. Modern Solana development requires automated security checks on every commit.
## Related Skills
- [deployment.md](../skills/deployment.md) - CI/CD patterns and workflows
- [testing.md](../skills/testing.md) - Test automation
- [security.md](../skills/security.md) - Security automation
## Overview
This command creates a GitHub Actions workflow that automatically:
- Builds programs with verifiable builds
- Runs comprehensive tests (unit, integration, fuzz)
- Performs security audits (cargo audit, clippy)
- Validates code formatting
- Generates security reports
## Step 1: Create GitHub Actions Workflow
```bash
# Create .github/workflows directory
mkdir -p .github/workflows

# Create workflow file
cat > .github/workflows/solana-security.yml << 'EOF'
name: Solana Security Pipeline

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

env:
  SOLANA_VERSION: '2.1.0'
  ANCHOR_VERSION: '0.31.1'
  RUST_VERSION: '1.82.0'

jobs:
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}
          components: clippy, rustfmt

      - name: Cache Cargo dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}

      - name: Install Solana
        run: |
          sh -c "$(curl -sSfL https://release.solana.com/v${{ env.SOLANA_VERSION }}/install)"
          echo "$HOME/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH

      - name: Install Anchor
        run: |
          cargo install --git https://github.com/coral-xyz/anchor --tag v${{ env.ANCHOR_VERSION }} anchor-cli --locked

      - name: Format Check
        id: fmt
        run: cargo fmt --all -- --check

      - name: Clippy Security Lints
        id: clippy
        run: |
          cargo clippy --all-targets --all-features -- \
            -W clippy::all \
            -W clippy::pedantic \
            -W clippy::unwrap_used \
            -W clippy::expect_used \
            -W clippy::arithmetic_side_effects \
            -D warnings

      - name: Cargo Audit
        id: audit
        run: |
          cargo install cargo-audit
          cargo audit

      - name: Build Programs
        run: anchor build

      - name: Run Tests
        id: tests
        run: |
          # Unit tests
          cargo test
          # Integration tests
          anchor test --skip-deploy

      # Runs even after a failure; each line reports the step's real outcome
      # (success / failure / skipped) rather than an unconditional check mark.
      - name: Security Report
        if: always()
        run: |
          echo "## Security Audit Report" >> $GITHUB_STEP_SUMMARY
          echo "- Format check: ${{ steps.fmt.outcome }}" >> $GITHUB_STEP_SUMMARY
          echo "- Clippy security lints: ${{ steps.clippy.outcome }}" >> $GITHUB_STEP_SUMMARY
          echo "- Cargo audit: ${{ steps.audit.outcome }}" >> $GITHUB_STEP_SUMMARY
          echo "- Tests: ${{ steps.tests.outcome }}" >> $GITHUB_STEP_SUMMARY

  verifiable-build:
    name: Verifiable Build
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}

      - name: Install Anchor
        run: |
          cargo install --git https://github.com/coral-xyz/anchor --tag v${{ env.ANCHOR_VERSION }} anchor-cli --locked

      - name: Verifiable Build
        run: anchor build --verifiable

      - name: Upload Build Artifacts
        uses: actions/upload-artifact@v4
        with:
          name: verifiable-build
          path: |
            target/deploy/*.so
            target/idl/*.json

  fuzz-testing:
    name: Fuzz Testing
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4

      - name: Install Rust
        uses: actions-rust-lang/setup-rust-toolchain@v1
        with:
          toolchain: ${{ env.RUST_VERSION }}

      - name: Install Trident
        run: cargo install trident-cli

      - name: Run Fuzz Tests
        run: |
          cd trident-tests
          trident fuzz run --timeout 300
        timeout-minutes: 10
        continue-on-error: true

      - name: Upload Fuzz Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: fuzz-results
          path: trident-tests/hfuzz_workspace/
EOF

echo "✅ GitHub Actions workflow created: .github/workflows/solana-security.yml"
```
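The Clippy step above rejects two patterns that matter most in on-chain code: unchecked arithmetic and `unwrap()`/`expect()` on values that callers control. The following is an added example, not code from solana-ai-kit or the Anchor project, that puts a balance update in the form the lint set flags next to the form that passes it; `settle_unchecked`, `settle_checked` and `LedgerError` are names chosen for this illustration.

```rust
// Added illustration (not from the solana-ai-kit repository). `settle_unchecked`
// compiles but fails `cargo clippy -- -W clippy::unwrap_used -W clippy::arithmetic_side_effects -D warnings`;
// `settle_checked` passes that same lint set.

#[derive(Debug, PartialEq)]
pub enum LedgerError {
    Overflow,
    InsufficientFunds,
    MissingAccount,
}

/// Before: a missing account panics, and the subtraction panics in debug builds
/// but wraps silently in release builds without overflow checks. The `allow`
/// attribute exists only so this file passes the CI lints; remove it and Clippy
/// reports all three sites.
#[allow(clippy::unwrap_used, clippy::arithmetic_side_effects)]
pub fn settle_unchecked(from: Option<u64>, to: Option<u64>, amount: u64) -> (u64, u64) {
    let from = from.unwrap();
    let to = to.unwrap();
    (from - amount, to + amount)
}

/// After: every arithmetic step is checked and every `Option` becomes a typed error,
/// so an invalid transfer is rejected instead of panicking or wrapping.
pub fn settle_checked(from: Option<u64>, to: Option<u64>, amount: u64) -> Result<(u64, u64), LedgerError> {
    let from = from.ok_or(LedgerError::MissingAccount)?;
    let to = to.ok_or(LedgerError::MissingAccount)?;
    let new_from = from.checked_sub(amount).ok_or(LedgerError::InsufficientFunds)?;
    let new_to = to.checked_add(amount).ok_or(LedgerError::Overflow)?;
    Ok((new_from, new_to))
}

fn main() {
    // Constructed sample inputs: a normal transfer and a receiver at the u64 ceiling.
    println!("{:?}", settle_checked(Some(100), Some(5), 30));
    println!("{:?}", settle_checked(Some(100), Some(u64::MAX), 1));
}
```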
## Step 2: Create Pre-commit Hooks
```bash
# Create pre-commit hook
# Note: .git/hooks is not versioned, so this must be run in every clone.
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/bash
set -e

echo "🔍 Running pre-commit security checks..."

# Format check
echo "📝 Checking code formatting..."
cargo fmt --all -- --check || {
    echo "❌ Format check failed. Run 'cargo fmt' to fix."
    exit 1
}

# Clippy check
echo "🔎 Running Clippy security lints..."
cargo clippy --all-targets -- \
    -W clippy::unwrap_used \
    -W clippy::expect_used \
    -W clippy::arithmetic_side_effects \
    -D warnings || {
    echo "❌ Clippy found issues. Please fix before committing."
    exit 1
}

# Quick test
if [ -f "Anchor.toml" ]; then
    echo "🧪 Running quick tests..."
    cargo test --lib || {
        echo "❌ Tests failed. Please fix before committing."
        exit 1
    }
fi

echo "✅ All pre-commit checks passed!"
EOF

# Make executable
chmod +x .git/hooks/pre-commit
echo "✅ Pre-commit hook installed"
```
## Step 3: Create Security Checklist Template
```bash
# Create pull request template
mkdir -p .github
cat > .github/PULL_REQUEST_TEMPLATE.md << 'EOF'
## Description
<!-- Describe your changes -->
## Security Checklist
### Code Quality
- [ ] Code is formatted (`cargo fmt`)
- [ ] Clippy passes with security lints
- [ ] No `unwra
EOF
```