fix(ci): simplify CLI workflow to fix fork PR permissions #787
Merged
Remove ghcr.io push for cli-local image that was breaking fork PRs with
"installation not allowed to Write organization package" error.
Changes:
- Simplify cli.yml from 5 jobs to 2 parallel jobs (test-evm, test-solana)
- Remove ghcr.io push entirely for cli-local
- Use GHA layer caching (cache-from: type=gha) instead of registry
- Each job builds its own target directly with BuildKit
- Delete unused Dockerfile.cli-test-{evm,solana} files
- Add fork detection to anchor-base.yml with clear error message
Fork PRs now work because no registry writes are required. The anchor-base
image uses a default ARG in Dockerfile.cli pointing to a pre-built version
that fork PRs can pull (read-only access is allowed).
GHA layer cache provides sufficient performance by caching base layers
(apt, bun, foundry, anchor) and only rebuilding from source changes.
Fixes fork PR #756 permission error.
Use jlumbroso/free-disk-space to remove ~25GB of unused software (Android SDK, .NET, Haskell, large packages) before building Solana. This avoids dependence on limited tilt-kube-public runners.
- Build v1.0.0 and v2.0.0 artifacts in parallel matrix jobs
- Cache artifacts by version + build script hash
- Test job downloads pre-built artifacts (no compilation needed)
- All jobs use ubuntu-latest with GHA layer cache (no tilt runners)
- No ghcr.io writes (fork PRs work)
evan-gray
approved these changes
Jan 9, 2026
Summary
Simplify the CLI workflow to fix fork PR permission errors and improve maintainability.
Before: 5 jobs with complex dependencies, ghcr.io writes required
After: 4 jobs (test-evm + 2 parallel builds + test-solana), no registry writes
Problem
Fork PR #756 failed with:
This was introduced in PR #773 (Dec 19) which added ghcr.io push to share images between jobs. Fork PRs don't have write access to the org's package registry.
Solution
Remove ghcr.io dependency entirely. Use GHA layer cache for Docker builds and actions/cache for Solana artifacts.
New Architecture
cli-local-test target with GHA layer cache
Fork PR Support
Cache Key
Cache invalidates when build infrastructure changes. Since v1.0.0/v2.0.0 are immutable tags, this is sufficient.
Changes
- cli.yml workflow (removed ghcr.io push complexity)
- Dockerfile.cli-test-evm and Dockerfile.cli-test-solana
- anchor-base.yml with clear error message
- ubuntu-latest (no tilt runner dependency)
Test plan
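
As an added illustration (not taken from this pull request or the repository), a workflow sketch of the approach described above: a BuildKit build that uses the GHA layer cache with no registry push, plus a fork guard that fails with a clear error. The `publish-guard` job name, cache scope, local tag, error wording and action versions are assumptions; `Dockerfile.cli`, `cli-local-test` and `test-evm` are the names used on this page.

```yaml
# Added example, not the repository's cli.yml.
# Assumed: action versions, cache scope, local tag, the publish-guard job.
name: cli (sketch)
on:
  pull_request:

permissions:
  contents: read   # no "packages: write": nothing in this workflow can push to ghcr.io

jobs:
  test-evm:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # pin to a commit SHA in real use
      - uses: docker/setup-buildx-action@v3  # BuildKit builder, needed for type=gha cache
      - name: Build test target with GHA layer cache
        uses: docker/build-push-action@v6
        with:
          context: .
          file: Dockerfile.cli
          target: cli-local-test
          push: false                # no registry write, so a read-only fork token suffices
          load: true                 # keep the image in the runner's local Docker daemon
          tags: cli-local-test:ci    # constructed local-only tag
          cache-from: type=gha,scope=cli-evm
          cache-to: type=gha,mode=max,scope=cli-evm

  # Guard for a workflow that does need registry write access:
  # stop early on fork PRs with an explicit message instead of a late push failure.
  publish-guard:
    runs-on: ubuntu-latest
    steps:
      - name: Fail early on fork PRs
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: |
          echo "::error::Fork PRs cannot write to the organization package registry. Ask a maintainer to run this workflow from a branch in the base repository."
          exit 1
```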