fix(ci): simplify CLI workflow to fix fork PR permissions

.github/workflows/anchor-base.yml

@@ -47,6 +47,15 @@ jobs:
           ANCHOR_VERSION=$(grep 'anchor_version' solana/Anchor.toml | sed 's/.*"\(.*\)"/\1/')
           echo "version=${ANCHOR_VERSION}" >> $GITHUB_OUTPUT
 
+      - name: Check if fork PR
+        id: check-fork
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]]; then
+            echo "is_fork=true" >> $GITHUB_OUTPUT
+          else
+            echo "is_fork=false" >> $GITHUB_OUTPUT
+          fi
+
       - name: Check if anchor-base image exists
         id: check
         run: |
@@ -56,6 +65,11 @@ jobs:
           else
             echo "exists=false" >> $GITHUB_OUTPUT
             echo "Image not found, will build"
+            # Fork PRs cannot push new images
+            if [[ "${{ steps.check-fork.outputs.is_fork }}" == "true" ]]; then
+              echo "::error::Fork PRs cannot build anchor-base image. Image does not exist. A maintainer must first build this image by running this workflow from main."
+              exit 1
+            fi
           fi
 
       - name: Set up Docker Buildx

.github/workflows/cli.yml

@@ -12,99 +12,30 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}/cli-local
-
 jobs:
-  # Ensure anchor-base image exists (builds if needed, skips if exists)
-  anchor-base:
-    uses: ./.github/workflows/anchor-base.yml
-    permissions:
-      contents: read
-      packages: write
-
-  # Build the shared cli-local image once and push to registry
-  build:
-    needs: anchor-base
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    outputs:
-      image: ${{ steps.meta.outputs.tags }}
-    steps:
-      - uses: actions/checkout@v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=sha,prefix=
-
-      - name: Build and push cli-local image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: Dockerfile.cli
-          target: cli-local
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          build-args: |
-            ANCHOR_BASE_IMAGE=${{ needs.anchor-base.outputs.image }}
-          cache-from: type=gha,scope=cli-local
-          cache-to: type=gha,mode=max,scope=cli-local
-
-  # Run EVM tests using the shared image
+  # EVM tests - builds cli-local-test target with GHA layer caching
   test-evm:
-    needs: build
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: read
     steps:
       - uses: actions/checkout@v6
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run EVM tests
+      - name: Build and test EVM
         uses: docker/build-push-action@v6
         with:
           context: .
-          file: Dockerfile.cli-test-evm
-          build-args: |
-            BASE_IMAGE=${{ needs.build.outputs.image }}
-          cache-from: type=gha,scope=cli-test-evm
-          cache-to: type=gha,mode=max,scope=cli-test-evm
+          file: Dockerfile.cli
+          target: cli-local-test
+          push: false
+          cache-from: type=gha,scope=cli
+          cache-to: type=gha,mode=max,scope=cli
 
-  # Build Solana contracts (v1.0.0 and v2.0.0 in parallel via matrix)
+  # Build Solana contracts (v1.0.0 and v2.0.0 in parallel)
   # Artifacts are cached based on version tag + build script hash
   build-solana:
-    needs: build
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: read
     strategy:
       matrix:
         version: ["1.0.0", "2.0.0"]
@@ -118,13 +49,21 @@ jobs:
           path: /tmp/solana-artifacts/v${{ matrix.version }}
           key: solana-v${{ matrix.version }}-${{ hashFiles('cli/test/build-solana.sh', 'Dockerfile.cli', 'Dockerfile.anchor-base', 'solana/Anchor.toml') }}
 
-      - name: Log in to Container Registry
+      - name: Set up Docker Buildx
         if: steps.cache.outputs.cache-hit != 'true'
-        uses: docker/login-action@v3
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build cli-local image
+        if: steps.cache.outputs.cache-hit != 'true'
+        uses: docker/build-push-action@v6
         with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          context: .
+          file: Dockerfile.cli
+          target: cli-local
+          load: true
+          tags: cli-local:latest
+          cache-from: type=gha,scope=cli
+          cache-to: type=gha,mode=max,scope=cli
 
       - name: Build Solana v${{ matrix.version }}
         if: steps.cache.outputs.cache-hit != 'true'
@@ -135,7 +74,7 @@ jobs:
             -e OUTPUT_DIR=/tmp/solana-artifacts \
             -e HOME=/root \
             -w /workspace \
-            ${{ needs.build.outputs.image }} \
+            cli-local:latest \
             bash -c "./cli/test/build-solana.sh ${{ matrix.version }}"
 
       - name: Upload v${{ matrix.version }} artifacts
@@ -147,41 +86,43 @@ jobs:
 
   # Run Solana tests using pre-built artifacts
   test-solana:
-    needs: [build, build-solana]
+    needs: build-solana
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: read
-    container:
-      image: ${{ needs.build.outputs.image }}
-      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    env:
-      HOME: /root
-      PATH: /root/.bun/bin:/root/.nvm/versions/node/v18.18.0/bin:/root/.local/share/solana/install/active_release/bin:/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-      SOLANA_ARTIFACTS_DIR: /tmp/solana-artifacts
     steps:
       - uses: actions/checkout@v6
 
-      - name: Download v1 artifacts
+      - name: Download v1.0.0 artifacts
         uses: actions/download-artifact@v4
         with:
           name: solana-v1.0.0-artifacts
           path: /tmp/solana-artifacts/v1.0.0
 
-      - name: Download v2 artifacts
+      - name: Download v2.0.0 artifacts
         uses: actions/download-artifact@v4
         with:
           name: solana-v2.0.0-artifacts
           path: /tmp/solana-artifacts/v2.0.0
 
-      - name: List artifacts
-        run: |
-          echo "=== v1.0.0 artifacts ==="
-          ls -la /tmp/solana-artifacts/v1.0.0/
-          echo "=== v2.0.0 artifacts ==="
-          ls -la /tmp/solana-artifacts/v2.0.0/
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build cli-local image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile.cli
+          target: cli-local
+          load: true
+          tags: cli-local:latest
+          cache-from: type=gha,scope=cli
 
       - name: Run Solana tests
-        run: ./cli/test/solana.sh --use-tmp-dir
+        run: |
+          docker run --rm \
+            -v "${{ github.workspace }}:/workspace" \
+            -v "/tmp/solana-artifacts:/tmp/solana-artifacts" \
+            -e SOLANA_ARTIFACTS_DIR=/tmp/solana-artifacts \
+            -e HOME=/root \
+            -w /workspace \
+            cli-local:latest \
+            bash -ci "./cli/test/solana.sh --use-tmp-dir"