wormhole-foundation · DBosley · Jan 12, 2026 · Dec 12, 2025 · Jan 9, 2026 · Jan 9, 2026
diff --git a/.github/actions/setup-anchor/action.yml b/.github/actions/setup-anchor/action.yml
@@ -35,5 +35,5 @@ runs:
       run: echo "/home/runner/.local/share/solana/install/active_release/bin" >> $GITHUB_PATH
       shell: bash
     - name: Install Anchor
-      run: npm i -g @coral-xyz/anchor-cli@${{ inputs.anchor-version }}
+      run: bun add -g @coral-xyz/anchor-cli@${{ inputs.anchor-version }}
       shell: bash
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
@@ -49,6 +49,10 @@ jobs:
           path: /tmp/solana-artifacts/v${{ matrix.version }}
           key: solana-v${{ matrix.version }}-${{ hashFiles('cli/test/build-solana.sh', 'Dockerfile.cli', 'Dockerfile.anchor-base', 'solana/Anchor.toml') }}
 
+      - name: Free disk space
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: sudo rm -rf /usr/local/lib/android
+
       - name: Set up Docker Buildx
         if: steps.cache.outputs.cache-hit != 'true'
         uses: docker/setup-buildx-action@v3
@@ -103,6 +107,9 @@ jobs:
           name: solana-v2.0.0-artifacts
           path: /tmp/solana-artifacts/v2.0.0
 
+      - name: Free disk space
+        run: sudo rm -rf /usr/local/lib/android
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 

diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
@@ -20,35 +20,34 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
 
-      - name: Setup Node
-        uses: actions/setup-node@v6
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
         with:
-          node-version: "20"
-          cache: "npm"
+          bun-version: latest
 
       - name: Install dependencies
-        run: npm ci
+        run: bun ci
 
       - name: Verify Prettier version
         run: |
           EXPECTED_VERSION=$(node -p "require('./package.json').devDependencies.prettier")
-          ACTUAL_VERSION=$(npx prettier --version)
+          ACTUAL_VERSION=$(bunx prettier --version)
           echo "Expected Prettier version (from package.json): $EXPECTED_VERSION"
           echo "Actual Prettier version: $ACTUAL_VERSION"
           if [ "$EXPECTED_VERSION" != "$ACTUAL_VERSION" ]; then
             echo "Error: Prettier version mismatch!"
-            echo "This usually means package-lock.json is out of sync with package.json - try running 'npm install' locally and committing the updated package-lock.json"
+            echo "This usually means bun.lock is out of sync with package.json - try running 'bun install' locally and committing the updated bun.lock"
             exit 1
           fi
           echo "✓ Prettier version matches"
 
       - name: Run Prettier check
         run: |
-          npm run prettier:check || {
+          bun run prettier:check || {
             echo "Prettier found code style issues."
             echo
             echo "To fix locally, from the repo root run:"
-            echo "  npm run prettier"
+            echo "  bun run prettier"
             echo
             echo "Then commit the changes and push to rerun this check."
             exit 1

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -17,16 +17,18 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
       - uses: actions/setup-node@v6
         with:
           node-version: 24.11.0
-          cache: "npm"
           registry-url: "https://registry.npmjs.org"
-          # Node 24 ships with npm 11.x which includes OIDC support (requires 11.5.1+)
-      - run: npm ci
-      - run: npm run version ${{ inputs.version }}
-      - run: npm run build --if-present
-      - run: npm test
+          # Node required for npm publish with OIDC (npm CLI 11.5.1+)
+      - run: bun ci
+      - run: bun run version ${{ inputs.version }}
+      - run: bun --if-present run build
+      - run: bun run test
       - run: |
           if [[ $VERSION == *"beta"* ]]; then
             tag=beta

diff --git a/.github/workflows/sdk.yml b/.github/workflows/sdk.yml
@@ -17,11 +17,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: oven-sh/setup-bun@v2
         with:
-          node-version: 24.11.0
-          cache: "npm"
-          registry-url: "https://registry.npmjs.org"
-      - run: npm ci
-      - run: npm run build --if-present
-      - run: npm test
+          bun-version: latest
+      - run: bun ci
+      - run: bun --if-present run build
+      - run: bun run test
diff --git a/.github/workflows/solana.yml b/.github/workflows/solana.yml
@@ -62,6 +62,9 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
+      - name: Free disk space
+        run: sudo rm -rf /usr/local/lib/android
+
       - name: Get rust toolchain version
         id: toolchain
         run: |
@@ -178,6 +181,10 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
       - uses: ./.github/actions/setup-anchor
         with:
           anchor-version: ${{ env.anchor-version }}

diff --git a/.gitignore b/.gitignore
@@ -31,5 +31,5 @@ node_modules
 # Claude code
 .claude/settings.local.json
 
-# Bun lock files (created during manual CLI installation)
-bun.lock
+# Bun lockb (binary format, we use text format bun.lock instead)
+*.lockb
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -19,12 +19,12 @@ Do not change the dependencies of the package.json by hand!
 
 Instead:
 
-- When initially installing OR pulling what has been changed: `npm ci`.
-  If you do not do this, you may not get exactly what is specified in the file, inadvertently update dependencies, or even pull exploits down to your machine! **Never use `npm install` for this use case**.
-- When needing to add or update a package: `npm i <package>@<version>`. If you do not do this, you may inadvertently update other packages or fail to update the lock file.
-- When needing to remove a package: `npm r <package>`. If you do not do this, you may inadvertently update other packages or fail to update the lock file.
+- When initially installing OR pulling what has been changed: `bun ci`.
+  If you do not do this, you may not get exactly what is specified in the file, inadvertently update dependencies, or even pull exploits down to your machine! **Never use `bun install` for this use case**.
+- When needing to add or update a package: `bun add <package>@<version>`. If you do not do this, you may inadvertently update other packages or fail to update the lock file.
+- When needing to remove a package: `bun remove <package>`. If you do not do this, you may inadvertently update other packages or fail to update the lock file.
 
-Always commit your `package-lock.json`.
+Always commit your `bun.lock`.
 
 Using specific versions improves security because package versions cannot be overwritten after they are released.
 
@@ -33,33 +33,33 @@ Using specific versions improves security because package versions cannot be ove
 ##### If installing a package locally
 
 - Copy in package.json and the lock file
-- Then run `npm ci`
+- Then run `bun ci`
 
 ```dockerfile
 # NOTE: Dockerfile must be pinned too
-FROM node:18.19.0-alpine@sha256:12345...
+FROM oven/bun:1.2-alpine@sha256:12345...
 
 WORKDIR /app
 
 # Include package files
-COPY package.json package-lock.json ./
+COPY package.json bun.lock ./
 
-# Use npm ci so that packages are not upgraded
-RUN npm ci
+# Use bun ci so that packages are not upgraded
+RUN bun ci
 
 ...
 ```
 
 ##### If installing a package globally
 
-- Use `npm i <package>@<version>`
+- Use `bun add -g <package>@<version>`
 
 ```dockerfile
 # NOTE: Dockerfile must be pinned too
-FROM node:18.19.0-alpine@sha256:12345...
+FROM oven/bun:1.2-alpine@sha256:12345...
 
 # Pin global packages to specific versions
-RUN npm install -g [email protected]
+RUN bun add -g [email protected]
 
 ...
 

diff --git a/Dockerfile.cli b/Dockerfile.cli
@@ -17,7 +17,7 @@ RUN apt install -y git
 RUN apt install -y curl
 RUN apt install -y unzip
 
-RUN curl -fsSL https://bun.sh/install | bash -s "bun-v1.2.23"
+RUN curl -fsSL https://bun.sh/install | bash -s "bun-v1.3.4"
 
 RUN curl -L https://foundry.paradigm.xyz | bash
 RUN bash -ci "foundryup --install v1.3.6"
@@ -54,15 +54,15 @@ COPY tsconfig.json tsconfig.json
 COPY tsconfig.esm.json tsconfig.esm.json
 COPY tsconfig.cjs.json tsconfig.cjs.json
 COPY package.json package.json
-COPY package-lock.json package-lock.json
+COPY bun.lock bun.lock
+COPY bunfig.toml bunfig.toml
 COPY sdk sdk
 COPY solana/package.json solana/package.json
 COPY solana/ts solana/ts
 COPY evm/ts evm/ts
 COPY solana/tsconfig.*.json solana/
 COPY sui/ts sui/ts
 COPY cli/package.json cli/package.json
-COPY cli/package-lock.json cli/package-lock.json
 COPY cli/src cli/src
 COPY cli/install.sh cli/install.sh
 RUN bash -ci "./cli/install.sh"

diff --git a/Tiltfile b/Tiltfile
@@ -15,7 +15,7 @@ REGISTRY = "ghcr.io/wormhole-foundation/native-token-transfers"
 docker_build(
     ref = "ntt-solana-contract",
     context = "./",
-    only = ["./sdk", "./solana"],
+    only = ["./sdk", "./solana", "./cli/package.json", "./sui/ts/package.json", "./evm/ts/package.json", "./package.json", "./bun.lock", "./bunfig.toml", "./tsconfig.json", "./tsconfig.cjs.json", "./tsconfig.esm.json"],
     ignore=["./sdk/__tests__", "./sdk/Dockerfile", "./sdk/ci.yaml", "./sdk/**/dist", "./sdk/node_modules", "./sdk/**/node_modules"],
     target = "builder",
     dockerfile = "./solana/Dockerfile",
@@ -44,16 +44,19 @@ docker_build(
     cache_from = [REGISTRY + "/ntt-evm-contract:latest"],
 )
 
-# CI tests
+# CI tests - uses cache_from for faster CI builds
 docker_build(
     ref = "ntt-ci",
     context = "./",
-    only=["./sdk", "./package.json", "./package-lock.json", "jest.config.ts", "tsconfig.json", "tsconfig.esm.json", "tsconfig.cjs.json", "tsconfig.test.json"],
+    only=["./sdk", "./cli/package.json", "./sui/ts/package.json", "./package.json", "./bun.lock", "./bunfig.toml", "jest.config.ts", "tsconfig.json", "tsconfig.esm.json", "tsconfig.cjs.json", "tsconfig.test.json"],
     dockerfile = "./sdk/Dockerfile",
+    cache_from = [REGISTRY + "/ntt-ci:latest"],
 )
 k8s_yaml_with_ns("./sdk/ci.yaml")
 k8s_resource(
     "ntt-ci-tests",
     labels = ["ntt"],
-    resource_deps = ["eth-devnet", "eth-devnet2", "solana-devnet", "guardian", "relayer-engine", "wormchain"],
+    # relayer-engine transitively depends on guardian, which depends on eth-devnet, eth-devnet2,
+    # solana-devnet, and wormchain. The init container in ci.yaml does the real health checks.
+    resource_deps = ["relayer-engine"],
 )