Deployment Workflow

Language Rule

• Always respond in the same language the user is using. If the user asks in Chinese, respond in Chinese. If in English, respond in English.

Pre-deployment Checklist (all must pass)

forge fmt

forge test

forge test --gas-report

config/*.json

forge script <Script> --fork-url <RPC_URL> -vvvv

--broadcast

cast balance <DEPLOYER> --rpc-url <RPC_URL>

--gas-limit

Deployment Decision Rules

--verify

--verify

--etherscan-api-key

forge verify-contract

Post-deployment Operations (all required)

1. Update addresses in

   config/*.json

   and

   deployments/latest.env

2. Test critical functions:

   cast call

   to verify on-chain state is correct
3. Record changes in

   docs/CHANGELOG.md

4. Submit PR with deployment transaction hash link
5. If verification needed, run

   forge verify-contract

   separately

Key Security Rule

• Never pass private keys directly in commands. Use Foundry Keystore (

  cast wallet import

  ) to manage keys securely.
• Never include

  --broadcast

  in templates. The user must explicitly add it when ready to deploy.

Command Templates

# Dry-run (simulation only, no on-chain execution)
forge script script/Deploy.s.sol:DeployScript \
  --rpc-url <RPC_URL> \
  --gas-limit 5000000 \
  -vvvv

# When user is ready to deploy, instruct them to add:
#   --account <KEYSTORE_NAME> --broadcast

# Verify existing contract separately
forge verify-contract <ADDRESS> <CONTRACT> \
  --chain-id <CHAIN_ID> \
  --etherscan-api-key <API_KEY> \
  --constructor-args $(cast abi-encode "constructor(address)" <ARG>)

# Quick on-chain read test after deployment
cast call <CONTRACT_ADDRESS> "functionName()" --rpc-url <RPC_URL>

Upgradeable Contract Deployment (OpenZeppelin Upgrades Plugin)

For any upgradeable contract (UUPS, Transparent, Beacon), use the OpenZeppelin Foundry Upgrades Plugin instead of hand-rolling proxy deployment scripts.

Why Use the Plugin

Upgrades.deployUUPSProxy(...)

Upgrades.upgradeProxy(...)

_disableInitializers()

Installation

forge install OpenZeppelin/openzeppelin-foundry-upgrades
forge install OpenZeppelin/openzeppelin-contracts-upgradeable

Add to

remappings.txt

@openzeppelin/contracts/=lib/openzeppelin-contracts-upgradeable/lib/openzeppelin-contracts/contracts/
@openzeppelin/contracts-upgradeable/=lib/openzeppelin-contracts-upgradeable/contracts/

Deploy Script Template (UUPS)

// script/Deploy.s.sol
import {Script, console} from "forge-std/Script.sol";
import {Upgrades} from "openzeppelin-foundry-upgrades/Upgrades.sol";
import {MyContract} from "../src/MyContract.sol";

contract DeployScript is Script {
    function run() public {
        vm.startBroadcast();

        // One line: deploys impl + proxy + calls initialize
        address proxy = Upgrades.deployUUPSProxy(
            "MyContract.sol",
            abi.encodeCall(MyContract.initialize, (msg.sender))
        );

        console.log("Proxy:", proxy);
        console.log("Impl:", Upgrades.getImplementationAddress(proxy));

        vm.stopBroadcast();
    }
}

Upgrade Script Template

// script/Upgrade.s.sol
import {Script, console} from "forge-std/Script.sol";
import {Upgrades} from "openzeppelin-foundry-upgrades/Upgrades.sol";

contract UpgradeScript is Script {
    function run() public {
        address proxy = vm.envAddress("PROXY_ADDRESS");
        vm.startBroadcast();

        // One line: validates storage layout + deploys new impl + upgrades proxy
        Upgrades.upgradeProxy(proxy, "MyContractV2.sol", "");

        console.log("Upgraded. New impl:", Upgrades.getImplementationAddress(proxy));

        vm.stopBroadcast();
    }
}

Add

@custom:oz-upgrades-from MyContract

/// @custom:oz-upgrades-from MyContract
contract MyContractV2 is Initializable, OwnableUpgradeable, UUPSUpgradeable {
    // ...
}

Commands

# Deploy proxy (dry-run) — --ffi is required for storage layout checks
forge script script/Deploy.s.sol --rpc-url <RPC_URL> --ffi -vvvv

# Deploy proxy (broadcast)
forge script script/Deploy.s.sol --rpc-url <RPC_URL> --ffi --account <KEYSTORE_NAME> --broadcast

# Upgrade proxy (dry-run)
PROXY_ADDRESS=0x... forge script script/Upgrade.s.sol --rpc-url <RPC_URL> --ffi -vvvv

# Upgrade proxy (broadcast)
PROXY_ADDRESS=0x... forge script script/Upgrade.s.sol --rpc-url <RPC_URL> --ffi --account <KEYSTORE_NAME> --broadcast

# Validate upgrade without deploying (useful for CI)
# Use Upgrades.validateUpgrade("MyContractV2.sol", opts) in a test

Plugin API Quick Reference

Upgrades.deployUUPSProxy(contract, data)

Upgrades.deployTransparentProxy(contract, admin, data)

Upgrades.upgradeProxy(proxy, newContract, data)

Upgrades.validateUpgrade(contract, opts)

Upgrades.getImplementationAddress(proxy)

Upgrades.prepareUpgrade(contract, opts)

Key Rules

• Always use

  --ffi

  flag — the plugin needs it for storage layout validation
• Always add

  --sender <ADDRESS>

  for upgrades — must match proxy owner, otherwise

  OwnableUnauthorizedAccount

• Use

  Upgrades

  in scripts,

  UnsafeUpgrades

  only in tests —

  UnsafeUpgrades

  skips all safety checks
• Keep V1 source code in project when upgrading — plugin needs it for storage comparison. Or use

  @custom:oz-upgrades-from

  annotation
• Never hand-roll proxy deployment when this plugin is available — the storage layout check alone prevents critical bugs