feat: auto-install Solana dev skill for AI coding agents #34

Merged
Dargon789 merged 7 commits into Dargon789:main from solana-foundation:main
Apr 12, 2026

@Dargon789 Dargon789 commented Mar 25, 2026

Summary by Sourcery

Automatically install the Solana dev skill during app creation and restructure CI/CD workflows for TypeScript build, test, and publish pipelines.

New Features:

  • Add an app creation task that installs the Solana dev skill for AI coding agents by default.

Enhancements:

  • Refactor pull request workflow to delegate build and test to reusable TypeScript workflows.
  • Refine package versioning workflow to only create Changesets version pull requests with a consistent title and commit message.
  • Introduce dedicated reusable TypeScript build and test workflows with shared environment configuration.

Build:

  • Add a comprehensive TypeScript publish workflow that supports canary and manual releases, npm provenance, tarball validation, and GitHub release creation.
  • Remove the old canary publish workflow in favor of the new TypeScript publish pipeline.

CI:

  • Update pull request checks to depend on the new TypeScript build and test workflows.
  • Grant appropriate GitHub permissions for publishing and release workflows.

Tests:

  • Ensure TypeScript workflows run build, tests, linting, and type checks across multiple Node versions.

Chores:

  • Bump package version from 4.8.2 to 4.8.4.
  • Normalize workflow names for pull requests and package versioning.

lgalabru and others added 7 commits March 10, 2026 23:08
* feat: auto-install Solana dev skill for AI coding agents

Runs `npx skills add` during scaffolding to install the solana-dev-skill
for all supported AI agents (Claude Code, Codex, Cursor, etc.).
Non-fatal if it fails.

* feat: install all skills but not all agents
* chore: update CI flow

* fix: restore + fix flow
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
chore: bump version to 4.8.3
fix: warn msg

codesandbox Bot commented Mar 25, 2026

Review or Edit in CodeSandbox

Open the branch in Web Editor, VS Code, Insiders

Open Preview


vercel Bot commented Mar 25, 2026

@lgalabru is attempting to deploy a commit to the Foundry development Team on Vercel.

A member of the Team first needs to authorize it.


snyk-io Bot commented Mar 25, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


sourcery-ai Bot commented Mar 25, 2026

Reviewer's Guide

Refactors CI workflows into reusable TypeScript build/test/publish pipelines, simplifies versioning to changesets-only with GitHub permissions, and adds an optional post-init task that auto-installs the Solana dev skill for AI coding agents when creating a new app.

Sequence diagram for Solana dev skill auto-install during app creation

```mermaid
sequenceDiagram
  actor Developer
  participant CLI
  participant CreateApp
  participant InstallDevSkillTask
  participant ExecAndWait

  Developer->>CLI: run npx create-solana-dapp
  CLI->>CreateApp: createApp(args)
  CreateApp->>InstallDevSkillTask: createAppTaskInstallDevSkill(args)
  InstallDevSkillTask->>InstallDevSkillTask: enabled = !args.skipInstall

  alt install enabled
    InstallDevSkillTask->>ExecAndWait: execAndWait("npx -y skills add solana-dev-skill ...", args.targetDirectory)
    ExecAndWait-->>InstallDevSkillTask: success or error
    alt success
      InstallDevSkillTask-->>CreateApp: result(message: Installed Solana dev skill)
    else error
      InstallDevSkillTask-->>CreateApp: result(message: Skipped Solana dev skill installation)
    end
  else install skipped
    InstallDevSkillTask-->>CreateApp: skipped (skipInstall true)
  end
```

Class diagram for createAppTaskInstallDevSkill and related types

```mermaid
classDiagram
  class GetArgsResult {
    +boolean skipInstall
    +boolean verbose
    +string targetDirectory
  }

  class Task {
    +boolean enabled
    +function task(result)
    +string title
  }

  class CreateAppTaskInstallDevSkillModule {
    +createAppTaskInstallDevSkill(args)
  }

  class ExecAndWaitModule {
    +execAndWait(command, cwd)
  }

  class ClackLogModule {
    +log_warn(message)
    +log_error(message)
  }

  GetArgsResult --> CreateAppTaskInstallDevSkillModule : parameter
  CreateAppTaskInstallDevSkillModule ..> Task : returns
  CreateAppTaskInstallDevSkillModule ..> ExecAndWaitModule : uses
  CreateAppTaskInstallDevSkillModule ..> ClackLogModule : logs
```

File-Level Changes

Change: Refactor pull request CI into reusable TypeScript build and test workflows and adjust aggregation job.
Details:
  • Rename PR workflow and remove global env vars now handled in called workflows
  • Replace inlined build-and-test job with reusable typescript-build and typescript-test workflows
  • Update all-pr-checks job to depend on the new TypeScript workflows for Mergify grouping
Files:
  • .github/workflows/pull-requests.yml

Change: Simplify package versioning workflow to just create a Changesets version PR with appropriate permissions.
Details:
  • Rename workflow to Version Packages and trigger on pushes to main only
  • Add contents and pull-requests write permissions required by changesets/action
  • Remove build and publish logic, leaving only changesets/action with custom PR title and commit message
Files:
  • .github/workflows/publish-packages.yml

Change: Introduce reusable TypeScript build and test workflows used across CI and publish pipelines.
Details:
  • Add typescript-build workflow that checks out code, installs dependencies, builds, and runs type checks with telemetry disabled
  • Add typescript-test workflow that runs matrixed build and pnpm test across current and LTS Node versions with DO_NOT_TRACK and TURBO_CONCURRENCY env vars
Files:
  • .github/workflows/typescript-build.yml
  • .github/workflows/typescript-test.yml

Change: Add a comprehensive TypeScript publish workflow that handles canary and release publishing, tagging, artifact validation, npm tagging, and GitHub releases.
Details:
  • Create typescript-publish workflow triggered on main pushes and manual dispatch with inputs controlling npm publish and GitHub release creation
  • Run shared typescript-build and typescript-test jobs before publishing to ensure build and tests pass
  • Determine canary vs release mode based on event type, including optional snapshot versioning for canaries
  • Build, run type checks, derive version, and choose npm tag (canary/beta/latest) based on version semantics
  • Pack npm tarball and validate required dist/ artifacts are present before publishing
  • For releases, create and push git tag and optionally a GitHub release with basic install instructions
  • Publish tarball to npm with correct tag and emit a human-readable summary in the job summary
Files:
  • .github/workflows/typescript-publish.yml

Change: Remove legacy canary publish workflow now superseded by the new TypeScript publish pipeline.
Details:
  • Delete publish-canary-releases workflow that previously handled canary releases
Files:
  • .github/workflows/publish-canary-releases.yml

Change: Add an optional post-init task that installs the Solana dev skill for AI coding agents when creating a new app.
Details:
  • Introduce createAppTaskInstallDevSkill Task which conditionally runs when install is not skipped
  • Run npx -y skills add ... --skill "*" -y in the target directory, logging progress and errors when verbose mode is enabled
  • Treat failures as non-fatal, updating the task result message to indicate skip instead of throwing
Files:
  • src/utils/create-app-task-install-dev-skill.ts
  • src/utils/create-app.ts

Change: Update package version to match latest release.
Details:
  • Bump create-solana-dapp package.json version from 4.8.2 to 4.8.4
Files:
  • package.json

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the create-solana-dapp tool by integrating an automated setup for the Solana development skill, which is beneficial for AI coding agents. This addition streamlines the initial project configuration for developers utilizing AI tools. Concurrently, it includes important security and robustness improvements to how git commands are executed internally, ensuring a safer and more reliable process.

Highlights

  • AI Coding Agent Integration: Introduced an automatic installation step for the Solana development skill, enabling AI coding agents to better interact with new Solana projects.
  • Improved Git Command Execution: Refactored the internal git utility to enhance security by disabling shell spawning and correctly handling commit messages as separate arguments.
  • Version Update: Bumped the package version to 4.8.4.

Ignored Files

  • Ignored by pattern: .github/workflows/** (6)
    • .github/workflows/publish-canary-releases.yml
    • .github/workflows/publish-packages.yml
    • .github/workflows/pull-requests.yml
    • .github/workflows/typescript-build.yml
    • .github/workflows/typescript-publish.yml
    • .github/workflows/typescript-test.yml

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


vercel Bot commented Mar 25, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| create-solana-dapp | Ready | Preview, Comment | Mar 25, 2026 9:34am |


@sourcery-ai sourcery-ai Bot left a comment

Hey - I've found 2 issues, and left some high level feedback:

  • The Solana dev skill install step is tightly coupled to skipInstall; if users want to skip dependency installs but still add (or explicitly opt out of) the dev skill, consider introducing a separate flag or environment-based toggle so these behaviors can be controlled independently.
  • The hard-coded npx -y skills add https://github.com/solana-foundation/solana-dev-skill --skill "*" -y command in createAppTaskInstallDevSkill could be made more maintainable by extracting the URL/skill spec into a constant or configuration so it’s easier to update or override (e.g., for forks or testing).
  • In typescript-publish.yml, the publish job re-installs dependencies and rebuilds even though it depends on typescript-build/typescript-test; if publish frequency or workflow duration becomes an issue, consider passing build artifacts between jobs instead of rebuilding to reduce CI time.
Prompt for AI Agents
Please address the comments from this code review:


## Individual Comments

### Comment 1
<location path=".github/workflows/typescript-publish.yml" line_range="59-47" />
<code_context>
+      - name: Install Dependencies
+        uses: ./.github/workflows/actions/install-dependencies
+
+      - name: Setup npm registry auth
+        uses: actions/setup-node@v4
+        with:
+          registry-url: 'https://registry.npmjs.org'
+
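Review bot: `uses: actions/setup-node@v4` in the "Setup npm registry auth" step references a mutable tag inside the publish workflow, so whatever that tag points to at run time executes in the job that publishes to npm. Pin the action to a full commit SHA and keep the version in a trailing comment so updates are reviewed. The step also omits `node-version`, which leaves the Node version used for publishing to the runner default.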
</code_context>
<issue_to_address>
**issue (bug_risk):** npm publish will likely fail without an auth token configured for the registry

This workflow only sets the registry URL; it never configures credentials. `NPM_TOKEN` isn’t used anywhere and `NODE_AUTH_TOKEN` isn’t set in the `npm publish` step, so the job won’t have auth when publishing.

You can either:
- Configure `token` (and `node-version`) on `actions/setup-node@v4` to use its built‑in npm auth, or
- Explicitly set `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` on the publish step or at the job env level.

Since this replaces a flow that already used `NPM_TOKEN`, that secret should be wired into this workflow as well.
</issue_to_address>

### Comment 2
<location path="src/utils/create-app-task-install-dev-skill.ts" line_range="14-15" />
<code_context>
+        if (args.verbose) {
+          log.warn(`Installing Solana dev skill`)
+        }
+        await execAndWait(
+          'npx -y skills add https://github.com/solana-foundation/solana-dev-skill --skill "*" -y',
+          args.targetDirectory,
+        )
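Review bot: `--skill "*"` in the `execAndWait` command installs every skill the repository holds at scaffold time, so anything added to `solana-foundation/solana-dev-skill` later lands in users' agent configuration without a release of this tool. Name the intended skill explicitly instead of the wildcard. As a style point, `log.warn` is used for the routine "Installing Solana dev skill" progress message; an info-level call fits better and keeps warnings meaningful.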
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Installing an unpinned CLI via `npx` on every run has security and stability implications

Since this scaffolding runs on users’ machines, relying on the latest `skills` CLI each time can introduce breaking changes and supply‑chain risk. Please either pin the CLI version in the command (e.g. `npx -y skills@<version> add …`) or invoke it via a wrapper script you control so updates happen deliberately and behavior stays predictable.

Suggested implementation:

```typescript
        if (args.verbose) {
          log.warn(`Installing Solana dev skill`)
        }

        // Use a pinned major version of the skills CLI to avoid unexpected breaking changes
        await execAndWait(
          'npx -y skills@1 add https://github.com/solana-foundation/solana-dev-skill --skill "*" -y',
          args.targetDirectory,
        )

```

If you maintain your own wrapper or know the exact version you want to support, replace `skills@1` with a more specific version (e.g. `skills@1.3.2`) or with the wrapper package name you control. You may also want to expose the pinned version as a constant or configuration value if it is shared across multiple tasks.
</issue_to_address>


Comment thread .github/workflows/typescript-publish.yml
Comment thread src/utils/create-app-task-install-dev-skill.ts

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the project version to 4.8.4 and introduces a new feature to install a Solana dev skill during app creation. The createAppTaskInstallDevSkill function was added to handle this installation, including verbose logging and error handling. Additionally, security improvements were made to the git initialization process by changing shell: true to shell: false and modifying the git commit command to pass arguments as separate elements, mitigating potential shell injection vulnerabilities. Review feedback suggests addressing a redundant -y flag in the npx command and logging error.message instead of the raw error object for better security and clarity.

Comment thread src/utils/vendor/git.ts
Comment thread src/utils/vendor/git.ts
Comment thread src/utils/create-app-task-install-dev-skill.ts
Comment thread src/utils/create-app-task-install-dev-skill.ts
@Dargon789 Dargon789 enabled auto-merge (squash) March 25, 2026 09:20

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a new task to automatically install a 'Solana dev skill' for AI coding agents during the app creation process, and updates the project version. It also includes significant security and robustness improvements in the git.ts utility by disabling shell execution for git commands and correctly passing commit messages as separate arguments. A high-severity review comment points out an inconsistency and potential security risk in the newly added createAppTaskInstallDevSkill, where execAndWait (which implicitly uses a shell) is employed, suggesting it should align with the safer spawn pattern with shell: false adopted for git commands.

Comment thread src/utils/create-app-task-install-dev-skill.ts
@Dargon789 Dargon789 self-assigned this Mar 25, 2026
@Dargon789 Dargon789 merged commit 52a5c4c into Dargon789:main Apr 12, 2026
5 of 7 checks passed
@sourcery-ai sourcery-ai Bot mentioned this pull request Apr 12, 2026
@Dargon789 Dargon789 linked an issue Apr 12, 2026 that may be closed by this pull request
@sourcery-ai sourcery-ai Bot mentioned this pull request Apr 13, 2026