Add gated_mint to CI/CD workflows (MET-429) #467

Closed
metapileks wants to merge 1 commit into develop from pileks/met-429-deploy-and-add-gated_mint-to-cicd

@metapileks

Collaborator

Summary

Wires gated_mint (GaTEjZy6eMdHg2BcL8dk3iE78jkJ9sPtyw1q2tMNi8PA) into CI/CD, following the exact pattern of every other program:

  • generate-verifiable-builds.yaml: new generate-verifiable-gated-mint job — builds the verifiable .so on every push to develop/production and commits it to verifiable-builds/gated_mint.so.
  • deploy-programs.yaml: gated_mint added to the program dropdown + new gated-mint job calling reusable-build.yaml with use-squads: true (Squads multisig as upgrade authority, same secrets as all other programs).

Note: initial deploy is a one-time manual step

gated_mint is not on mainnet yet, and the Squads deploy path only handles upgrades of an existing program (precedent: launchpad_v8 was deployed manually before its first workflow run). After this merges and CI commits verifiable-builds/gated_mint.so:

  1. solana program deploy the verifiable .so with the GaTE… program keypair (deployer as initial upgrade authority)
  2. anchor idl init + anchor idl set-authority 6awyHMshBGVjJ3ozdSJdyyDE1CTAXUwrpNMaRGMsb4sf (the CI IDL step skips silently if the IDL account doesn't exist)
  3. solana program set-upgrade-authority 6awyHMshBGVjJ3ozdSJdyyDE1CTAXUwrpNMaRGMsb4sf
  4. Dispatch the deploy workflow for gated_mint to smoke-test the pipeline (byte-identical no-op upgrade + IDL set + verify PDA)

From then on, all upgrades go through the workflow as usual.

Verification

  • yarn repo:guard passes (action SHA pins, solana-cli-version: 1.17.31 consistency)
  • Both YAMLs parse; new blocks are byte-identical to their launchpad_v8 counterparts apart from program name/ID
  • programs/gated_mint/Cargo.toml has the production = [] feature required by features: 'production'

🤖 Generated with Claude Code

- generate-verifiable-builds.yaml: build and commit verifiable-builds/gated_mint.so on pushes to develop/production
- deploy-programs.yaml: add gated_mint as a deployable program (Squads multisig as upgrade authority, same as all other programs)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
metapileks requested a review from metanallok as a code owner June 11, 2026 18:57
@github-actions

Contributor

Repository Guard

  • Cargo.lock: pass
  • yarn.lock (root): pass
  • yarn.lock (sdk): pass
  • Repo guard: pass

Repository Guard

Cargo dependency pinning

  • Status: pass
  • Every programs/*/Cargo.toml dep uses =x.y.z, a path = .. workspace ref, or a git dep with a 40-char rev.

Cross-program Anchor/Solana version consistency

  • Status: pass
  • anchor-lang and anchor-spl are pinned to the version declared in repo-guard.toml across every program.

solana-program crate pin

  • Status: pass
  • Every solana-program = "=X" declaration is =1.17.14 (locked to match Cargo.lock).

Anchor.toml solana_version

  • Status: pass
  • Anchor.toml declares solana_version = "1.17.34" (local-dev install for anchor test).

Crate minimum age

  • Status: pass
  • All Cargo deps changed by this PR are at least 14 days old on crates.io.

Yarn package.json pinning

  • Status: pass
  • All package.json deps use exact versions (no ^, ~, ranges).

npm minimum age

  • Status: pass
  • All npm deps changed by this PR are at least 14 days old.

Workflow toolchain consistency

  • Status: pass
  • Every workflow declares anchor-version: 0.29.0.
  • Per-file solana-cli-version values match [toolchain.workflow_solana_cli] in repo-guard.toml.

GitHub Action SHA pinning

  • Status: pass
  • Every third-party action is pinned to a SHA in [actions.sha_allowlist].

Sensitive program / config changes

  • Status: warn
  • Review hint only (CODEOWNERS is the merge gate). Lines below match heuristics for security-sensitive changes:
  • .github/workflows/deploy-programs.yaml:227 Hardcoded Solana address literal -> + override-program-id: "GaTEjZy6eMdHg2BcL8dk3iE78jkJ9sPtyw1q2tMNi8PA"

Overall status: pass

Lockfile freshness (Cargo.lock + yarn.lock) is checked by the workflow directly and cannot be bypassed. The sensitive-diff section is a review hint - CODEOWNERS handles the actual merge gate.
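
The "GitHub Action SHA pinning" rule reported above can be checked with logic like the following. This is an added example, not the repository's repo-guard code; the allowlist shape, the `example-org/setup-anchor` action, the SHAs and the sample workflow are constructed, and every non-local `uses:` is assumed to count as third-party.

```python
import re

# Assumed allowlist shape (action repo -> permitted commit SHAs); values are constructed.
PINNED, ALSO_PINNED, UNLISTED = "a" * 40, "b" * 40, "c" * 40
SHA_ALLOWLIST = {
    "actions/checkout": {PINNED},
    "example-org/setup-anchor": {ALSO_PINNED},  # hypothetical action
}

# Constructed workflow; only the local reusable-build.yaml call mirrors the PR.
SAMPLE_WORKFLOW = f"""\
jobs:
  gated-mint:
    uses: ./.github/workflows/reusable-build.yaml
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PINNED}  # v4
      - uses: actions/checkout@v4
      - uses: example-org/setup-anchor@{UNLISTED}
      - name: cache
        uses: example-org/setup-anchor/cache@{ALSO_PINNED}
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def check_action_pins(workflow_text, allowlist):
    """Return (line_no, ref, reason) for each `uses:` that breaks the pin rule."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action or reusable workflow from this repository
        name, _, rev = ref.partition("@")
        repo = "/".join(name.split("/")[:2])  # owner/repo without any sub-path
        if not FULL_SHA_RE.fullmatch(rev):
            findings.append((line_no, ref, "not pinned to a full commit SHA"))
        elif rev not in allowlist.get(repo, set()):
            findings.append((line_no, ref, "SHA not in allowlist"))
    return findings


if __name__ == "__main__":
    for line_no, ref, reason in check_action_pins(SAMPLE_WORKFLOW, SHA_ALLOWLIST):
        print(f"line {line_no}: {ref}: {reason}")
```

A tag such as `@v4` is rejected even for an allowlisted action, because a tag can be moved to a different commit after review while a full commit SHA cannot.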

metapileks closed this Jun 11, 2026
metapileks deleted the pileks/met-429-deploy-and-add-gated_mint-to-cicd branch June 11, 2026 18:58