From 810055f469449a0599fdd92e08c3847bf149c238 Mon Sep 17 00:00:00 2001
From: Jo D
Date: Thu, 30 Apr 2026 14:13:52 -0400
Subject: [PATCH 1/2] ci: pass deployer pubkey as buffer authority for devnet
The write-program-buffer action runs `solana program set-buffer-authority` when the program already exists on-chain, regardless of whether a transfer is actually intended. We were passing an empty `buffer-authority-address` on devnet, which the CLI rejects with "The argument '--new-buffer-authority ' requires a value but none was supplied" and retries up to 50 times before failing. Derive the deployer pubkey from the materialized keypair and use it as the buffer authority on devnet. This is a no-op transfer (deployer keeps authority) and satisfies the action's requirement. Mainnet still uses SQUADS_VAULT.
---
 .github/workflows/release.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 86111c3..2265aa2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -58,6 +58,12 @@ jobs:
 install -m 600 /dev/null /tmp/deployer.json
 printf '%s' "$DEPLOYER_KEYPAIR" > /tmp/deployer.json
+ - name: Derive deployer pubkey
+ id: deployer
+ run: |
+ PUBKEY=$(solana-keygen pubkey /tmp/deployer.json)
+ echo "pubkey=$PUBKEY" >> "$GITHUB_OUTPUT"
+
 - name: Generate IDL
 run: just generate-idl
@@ -74,7 +80,7 @@ jobs:
 program-id: ${{ env.PROGRAM_ID }}
 rpc-url: ${{ env.RPC_URL }}
 keypair: ${{ env.DEPLOYER_KEYPAIR }}
- buffer-authority-address: ${{ inputs.network == 'mainnet' && env.SQUADS_VAULT || '' }}
+ buffer-authority-address: ${{ inputs.network == 'mainnet' && env.SQUADS_VAULT || steps.deployer.outputs.pubkey }}
 priority-fee: ${{ inputs.priority-fee }}
 # ============================================
From 08347687100ff31b2f2fea15eb79571fb30aaf6c Mon Sep 17 00:00:00 2001
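Review bot: The new `Derive deployer pubkey` step writes the result of `solana-keygen pubkey` to `$GITHUB_OUTPUT` without checking that it is non-empty, and it runs for every network although only the devnet branch of the later expression reads it. A failing command should already stop the step under the default `bash -e` shell (assuming the workflow does not override it), but an empty value would reproduce the empty `--new-buffer-authority` failure this commit sets out to fix; `[ -n "$PUBKEY" ] || { echo "::error::empty deployer pubkey"; exit 1; }` before the `echo` makes that explicit. A short comment such as `# exports the public key only; the secret key stays in /tmp/deployer.json` would document that nothing sensitive reaches the step output. The enclosing job begins and ends outside this hunk.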
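Review bot: On mainnet the new `buffer-authority-address` expression fails open: in a GitHub expression `a && b || c` yields `c` whenever `b` is falsy, so an unset or empty `env.SQUADS_VAULT` now selects `steps.deployer.outputs.pubkey` and the buffer authority stays with the CI deployer key instead of moving to the Squads vault. Before this change the same condition produced an empty argument that the CLI rejected, so the release stopped rather than proceeding with the wrong authority. Where SQUADS_VAULT is set is not visible in this hunk; assuming it is workflow- or job-level env, a guard step ahead of the write restores the fail-closed behaviour: `- name: Require Squads vault on mainnet`, `if: inputs.network == 'mainnet' && env.SQUADS_VAULT == ''`, `run: exit 1`.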
From: Jo D
Date: Thu, 30 Apr 2026 14:29:25 -0400
Subject: [PATCH 2/2] ci: pass keypair content to mainnet release sub-actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The write-metadata-buffer and verify-build (mainnet/use-squads) actions take `keypair` as the keypair file content, not a path — same pattern as the devnet sub-actions fixed previously. Pass `${{ env.DEPLOYER_KEYPAIR }}` directly so a future mainnet release does not fail with "Input must be a JSON array". The Squads upgrade-proposal action is left as-is (still consumes /tmp/deployer.json), so the materialize/cleanup steps remain.
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2265aa2..e96a003 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -130,7 +130,7 @@ jobs:
 with:
 idl-path: idl/subscriptions.json
 rpc-url: ${{ env.RPC_URL }}
- keypair: /tmp/deployer.json
+ keypair: ${{ env.DEPLOYER_KEYPAIR }}
 buffer-authority: ${{ env.SQUADS_VAULT }}
 priority-fees: ${{ inputs.priority-fee }}
@@ -142,7 +142,7 @@ jobs:
 program: ${{ env.PROGRAM }}
 program-id: ${{ env.PROGRAM_ID }}
 rpc-url: ${{ env.RPC_URL }}
- keypair: /tmp/deployer.json
+ keypair: ${{ env.DEPLOYER_KEYPAIR }}
 repo-url: ${{ env.REPO_URL }}
 network: mainnet
 mount-path: program
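Review bot: Both `keypair:` inputs changed in this patch (the write-metadata-buffer step here and the verify-build step in the following hunk) now pass the mainnet deployer's secret key material to a sub-action as an input string instead of a path to the mode-600 file. The `uses:` lines are outside these hunks, so it cannot be confirmed from here that those actions are pinned to a full commit SHA; with raw key content flowing into them, a mutable tag or branch reference would let an upstream change read the key. A comment above each input, for example `# keypair is the JSON key content, not a path; keep this action pinned to a commit SHA`, would record that requirement next to the value. It is also worth confirming the secret is redacted in the action logs, since GitHub's masking is documented as less reliable for structured values such as a JSON array.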