A GitHub Action to automate Solana program upgrades through Squads multisig. This action creates and submits a multisig transaction that includes program upgrade, optional IDL update, and optional PDA verification.
The easiest way to use this squads action is to use the reusable workflow which will automatically handle the build, upload, and verify steps.
- Creates a Squads multisig transaction containing:
- Program upgrade instruction using a new buffer
- IDL upgrade instruction using a new IDL buffer
- Optional PDA verification instruction
- Handles automatic retries for RPC connections
- Supports custom RPC endpoints
- Works with any Squads v4 multisig
- uses: Woody4618/[email protected]
with:
# Required: RPC URL for Solana
rpc: ${{ secrets.RPC_URL }}
# Required: Program ID to upgrade
program: BhV84MZrRnEvtWLdWMRJGJr1GbusxfVMHAwc3pq92g4z
# Required: Buffer containing the new program
buffer: 7SGJSG8aoZj39NeAkZvbUvsPDMRcUUrhRhPzgzKv7743
# Optional: Buffer containing the new IDL
idl-buffer: E74BKk75nHtSScZJ4YZ5gB2orvhdzLjcFyxyqkNx6MNc
# Required: Squads multisig address
multisig: ${{ secrets.MULTISIG }}
# Required: Byte array of the keypair. Needs to have at least voter permission in squads. Format: [23,42,53...]
keypair: ${{ secrets.KEYPAIR }}
# Optional: Priority fee in lamports for the transaction (default: 100000)
priority-fee: 100000
# Optional: Index of the Squads vault to use (default: 0)
vault-index: 0
# Optional: Base64 encoded PDA verification transaction. Get this from solana verify cli using solana-verify export-pda-tx
pda-tx: ${{ secrets.PDA_TX }}Before using this action, you need:
- A Squads v4 multisig with:
- Program upgrade authority
- Required members set up
- Program buffer uploaded to Solana
- IDL buffer uploaded to Solana
- Keypair with permission to create transactions in the multisig
name: Upgrade Program
on:
workflow_dispatch:
inputs:
buffer:
description: 'Program buffer address'
required: true
idl-buffer:
description: 'IDL buffer address'
required: true
jobs:
upgrade:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Woody4618/squads-program-action@main
with:
rpc: ${{ secrets.RPC_URL }}
program: BhV84MZrRnEvtWLdWMRJGJr1GbusxfVMHAwc3pq92g4z
buffer: ${{ inputs.buffer }}
idl-buffer: ${{ inputs.idl-buffer }}
multisig: ${{ secrets.MULTISIG }}
keypair: ${{ secrets.KEYPAIR }}
# Optional: Increase priority fee for faster processing
priority-fee: 200000
# Optional: Use a different vault index
vault-index: 0- The action creates a transaction in your Squads multisig containing:
- Program upgrade instruction
- IDL upgrade instruction
- PDA verification (if provided)
- Visit Squads UI to:
- Review the transaction
- Approve with required signatures
- Once enough members approve, Squads executes:
- Program upgrade
- IDL update (if included)
- PDA verification (if included)
- The provided keypair only needs permission to create transactions
- Actual upgrade authority comes from the Squads vault
- Keep your keypair and multisig address secure in GitHub Secrets
- Use a reliable RPC endpoint as the action includes retry logic
To contribute or modify this action:
- Clone the repository
- Install dependencies:
npm install- Make your changes
- Build the action:
npm run bundle- Test locally:
npm run local-action
Use this template to bootstrap the creation of a TypeScript action. π
This template includes compilation support, tests, a validation workflow, publishing, and versioning guidance.
If you are new, there's also a simpler introduction in the Hello world JavaScript action repository.
To create your own action, you can use this repository as a template! Just follow the below instructions:
- Click the Use this template button at the top of the repository
- Select Create a new repository
- Select an owner and name for your new repository
- Click Create repository
- Clone your new repository
Important
Make sure to remove or update the CODEOWNERS file! For
details on how to use this file, see
About code owners.
After you've cloned the repository to your local machine or codespace, you'll need to perform some initial setup steps before you can develop your action.
Note
You'll need to have a reasonably modern version of
Node.js handy (20.x or later should work!). If you are
using a version manager like nodenv or
fnm, this template has a .node-version
file at the root of the repository that can be used to automatically switch to
the correct version when you cd into the repository. Additionally, this
.node-version file is used by GitHub Actions in any actions/setup-node
actions.
-
π οΈ Install the dependencies
npm install
-
ποΈ Package the TypeScript for distribution
npm run bundle
-
β Run the tests
$ npm test PASS ./index.test.js β throws invalid number (3ms) β wait 500 ms (504ms) β test runs (95ms) ...
The action.yml file defines metadata about your action, such as
input(s) and output(s). For details about this file, see
Metadata syntax for GitHub Actions.
When you copy this repository, update action.yml with the name, description,
inputs, and outputs for your action.
The src/ directory is the heart of your action! This contains the
source code that will be run when your action is invoked. You can replace the
contents of this directory with your own code.
There are a few things to keep in mind when writing your action code:
-
Most GitHub Actions toolkit and CI/CD operations are processed asynchronously. In
main.ts, you will see that the action is run in anasyncfunction.import * as core from '@actions/core' //... async function run() { try { //... } catch (error) { core.setFailed(error.message) } }
For more information about the GitHub Actions toolkit, see the documentation.
So, what are you waiting for? Go ahead and start customizing your action!
-
Create a new branch
git checkout -b releases/v1
-
Replace the contents of
src/with your action code -
Add tests to
__tests__/for your source code -
Format, test, and build the action
npm run all
This step is important! It will run
rollupto build the final JavaScript action code with all dependencies included. If you do not run this step, your action will not work correctly when it is used in a workflow. -
(Optional) Test your action locally
The
@github/local-actionutility can be used to test your action locally. It is a simple command-line tool that "stubs" (or simulates) the GitHub Actions Toolkit. This way, you can run your TypeScript action locally without having to commit and push your changes to a repository.The
local-actionutility can be run in the following ways:-
Visual Studio Code Debugger
Make sure to review and, if needed, update
.vscode/launch.json -
Terminal/Command Prompt
# npx local action <action-yaml-path> <entrypoint> <dotenv-file> npx local-action . src/main.ts .env
You can provide a
.envfile to thelocal-actionCLI to set environment variables used by the GitHub Actions Toolkit. For example, setting inputs and event payload data used by your action. For more information, see the example file,.env.example, and the GitHub Actions Documentation. -
-
Commit your changes
git add . git commit -m "My first action is ready!"
-
Push them to your repository
git push -u origin releases/v1
-
Create a pull request and get feedback on your action
-
Merge the pull request into the
mainbranch
Your action is now published! π
For information about versioning your action, see Versioning in the GitHub Actions toolkit.
After testing, you can create version tag(s) that developers can use to reference different stable versions of your action.
To include the action in a workflow in another repository, you can use the
uses syntax with the @ symbol to reference a specific branch, tag, or commit
hash.
steps:
- name: Checkout
id: checkout
uses: actions/checkout@v4
- name: Test Local Action
id: test-action
uses: actions/typescript-action@v1 # Commit with the `v1` tag
with:
milliseconds: 1000
- name: Print Output
id: output
run: echo "${{ steps.test-action.outputs.time }}"This project includes a helper script, script/release
designed to streamline the process of tagging and pushing new releases for
GitHub Actions.
GitHub Actions allows users to select a specific version of the action to use, based on release tags. This script simplifies this process by performing the following steps:
- Retrieving the latest release tag: The script starts by fetching the most recent SemVer release tag of the current branch, by looking at the local data available in your repository.
- Prompting for a new release tag: The user is then prompted to enter a new release tag. To assist with this, the script displays the tag retrieved in the previous step, and validates the format of the inputted tag (vX.X.X). The user is also reminded to update the version field in package.json.
- Tagging the new release: The script then tags a new release and syncs the
separate major tag (e.g. v1, v2) with the new release tag (e.g. v1.0.0,
v2.1.2). When the user is creating a new major release, the script
auto-detects this and creates a
releases/v#branch for the previous major version. - Pushing changes to remote: Finally, the script pushes the necessary commits, tags and branches to the remote repository. From here, you will need to create a new release in GitHub so users can easily reference the new tags in their workflows.