Automated deploy pipeline (CD with manual approval gate)

[alrimarleskovar]

Problem

docs/operations/deploy-runbook.md documents manual deploy steps (anchor build → solana program deploy → verify-build PDA). Reproducible per the runbook, but:

• Human error possible at each step (wrong cluster, wrong keypair, wrong build artifact)
• No git → deploy traceability
• No rollback automation
• No deploy-on-tag workflow

For mainnet, this needs to be a CI/CD pipeline with explicit gates.

Proposed solution

Add .github/workflows/deploy.yml with:

1. Trigger: push to main with a deploy:<env> label OR manual workflow_dispatch
2. Stages:
   • Build (anchor + verify-build Docker image, reproducible)
   • Test (existing CI gates must be green)
   • Manual approval via GitHub environments (production env requires reviewer)
   • Deploy (solana program deploy to target cluster)
   • Verify (refresh OtterSec verify-build PDA)
   • Smoke test (pnpm test:devnet-smoke against the just-deployed program)
3. Environments:
   • staging (devnet): 1-approver gate
   • production (mainnet, future): 2-approver gate + multi-sig confirmation
4. Rollback: revert PR triggers a parallel deploy lane targeting the previous bytecode hash

Acceptance criteria

• .github/workflows/deploy.yml shipped
• GitHub environments configured (staging + production)
• Approval gates enforced
• Devnet redeploy executed via pipeline (smoke test)
• OtterSec PDA refresh wired in
• Rollback path tested end-to-end
• docs/operations/deploy-runbook.md updated to point at the pipeline for normal deploys; manual steps preserved for emergency

Estimated scope

Medium — ~3 days. The reproducible-build Docker image already exists; this is wiring + approval-gate setup.

References

• docs/operations/deploy-runbook.md
• docs/verified-build.md