ci: pin solana-cli-version to 3.1.14 (setup-anchor's stable resolver 429s)#14
Merged
mikemaccana merged 6 commits intoMay 11, 2026
Conversation
Adds a one-line comment above the 'solana-cli-version: stable' lines in each setup-anchor / setup-solana workflow, so a future reader understands why CI sometimes fails on a green main with no code change. No behaviour change; the value remains 'stable'.
The 'stable' resolver in setup-anchor / setup-solana queries the unauthenticated GitHub Releases API for anza-xyz/agave, which 429s once CI runs at any meaningful volume. After 5 retries it returns empty and the subsequent install curl 404s, leaving CI without solana installed at all - this is what was breaking main and what was making this PR red. Pinning to 3.1.14 (current value of 'stable') makes CI deterministic. The 'beta' canary jobs in native/pinocchio/solana-asm are intentionally left floating.
mikemaccana
changed the title
The ASM workflow installed pnpm with 'npm install --global pnpm', which resolves to the latest pnpm release. Recent pnpm releases escalate 'Ignored build scripts' from a warning to a hard error (ERR_PNPM_IGNORED_BUILDS), which makes 'pnpm install --frozen-lockfile' fail for any project with transitive build scripts that aren't on an explicit allow-list. The asm projects pull in bufferutil + utf-8-validate via @solana/web3.js -> ws. Switch to pnpm/action-setup@v4 (which the anchor, native, pinocchio, and typescript workflows already use). That action currently installs pnpm 10.33.0, which still treats this as a warning and lets the install succeed.
Newer quasar-lang (post-PR-solana-developers#195 era) changed RemainingAccounts::iter() to yield Result<RemainingAccount, _> instead of Result<AccountView, _>, so the existing 'proof_views[i] = result?' assignments stopped compiling. RemainingAccount is a safe wrapper around AccountView. We only need the inner view to forward to the bubblegum / spl-account-compression CPI as read-only proof nodes (no data borrows, no aliasing risk), so reach for 'as_account_view_unchecked' inside an unsafe block. Affects: - compression/cnft-burn/quasar (burn CPI proof nodes) - compression/cnft-vault/quasar (withdraw / withdraw_two transfer CPI) - compression/cutils/quasar (verify_leaf CPI)
Newer quasar-lang's Account<T> derive emits <T as Discriminator>::BUMP_OFFSET
whenever the field carries an 'address = ...' constraint (it stores the
discriminator-owned bump offset). SPL 'Mint' does not implement Discriminator,
so build fails with:
the trait bound `quasar_spl::Mint: quasar_lang::prelude::Discriminator`
is not satisfied
InterfaceAccount<T> intentionally takes the generic existing-account
verifier path that doesn't require Discriminator (so it can accept both
SPL Token and Token-2022 mints), which makes it the right wrapper for an
address-bound SPL Mint.
Affects:
- tokens/pda-mint-authority/quasar (MintTokens.mint at MintPda)
- tokens/token-swap/quasar (deposit_liquidity / withdraw_liquidity
mint_liquidity at LiquidityMintPda)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pins
solana-cli-versionto3.1.14in all 5 setup-anchor / setup-solana workflow steps. Thestableresolver in those actions queries the unauthenticated GitHub Releases API foranza-xyz/agave, which hits a 429 rate limit once CI runs at any volume; after 5 retries it returns empty, the subsequent installcurl404s, andsolana: command not foundkills every build-and-test job. Concretely this is what's been breakingmainsince PR #12 merged.Comment above each pinned line explains the WHY and tells future-me to bump it alongside
anchor-version.3.1.14is the current value ofstableas of this PR.Untouched: the deliberate
solana-cli-version: betacanary jobs in native, pinocchio, solana-asm.Affects:
Note
Medium Risk
Pins toolchain versions in CI and updates several on-chain instruction handlers to match newer
quasar-langaccount/remaining-account APIs, including newunsafeaccessors. Moderate risk due to changes in CPI account-view handling and account type validation, though behavior should remain equivalent.Overview
CI hardening: Pins
solana-cli-versionto3.1.14across workflows that previously usedstableto avoid GitHub API rate-limit failures, and switchessolana-asmto usepnpm/action-setup@v4(removingnpm install -g pnpm) to prevent pnpm 10+ install errors.Quasar program compatibility: Updates multiple compressed-NFT CPI helpers to handle
RemainingAccounts::iter()yieldingResultby extracting proof-nodeAccountViews viaunsafe ...as_account_view_unchecked(), and changes several SPLMintaccounts underaddress = ...constraints fromAccount<Mint>toInterfaceAccount<Mint>to satisfy newquasar-langdiscriminator requirements.Reviewed by Cursor Bugbot for commit 8696e80. Bugbot is set up for automated code reviews on this repo. Configure here.