From 78ba92bf70afbc895ba2dc8d87ce29234bb63ee2 Mon Sep 17 00:00:00 2001
From: Eric Wang <wrqatw@gmail.com>
Date: Wed, 11 Mar 2026 23:21:23 -0700
Subject: [PATCH 1/2] fix(ci): stop installer smoke depending on registry auth

- reuse a prebuilt local image instead of blindly pulling every time
- make installer smoke build its own image so CI stays hermetic
- keep 0.9.2 release notes aligned with the actual fix
---
 .github/workflows/ci.yml | 13 ++++---------
 CHANGELOG.md             |  1 +
 install.sh               | 27 +++++++++++++++++----------
 3 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 583cc51..aa3b2cd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,19 +47,12 @@ jobs:
   smoke:
     name: Installer Smoke Test
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build local smoke image
+        run: docker build -t deva-smoke:ci .
 
       - name: Install and launch each agent without a TTY
         shell: bash
@@ -68,6 +61,8 @@ jobs:
           export HOME="$(mktemp -d)"
           export PATH="$HOME/.local/bin:$PATH"
           export DEVA_INSTALL_BASE_URL="file://$PWD"
+          export DEVA_DOCKER_IMAGE="deva-smoke:ci"
+          export DEVA_DOCKER_IMAGE_FALLBACK=""
           export DEVA_NO_DOCKER=1
 
           bash ./install.sh
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ecb0a3..b44f370 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Config-home fan-out skips loose credential files, backup files, VCS junk, and `.DS_Store`
 - Auth-specific persistent containers now include the agent in the name suffix, avoiding cross-agent reuse with the wrong env or mounts
 - `install.sh` now installs the full current agent set, including Gemini and `shared_auth.sh`
+- `install.sh` now reuses a prebuilt local image instead of blindly pulling, so CI smoke no longer depends on registry auth
 - release and nightly container workflows now resolve tool versions through the same script, and release no longer invents a local commit inside Actions
 
 ### Changed
diff --git a/install.sh b/install.sh
index 4e2b5de..f11e862 100644
--- a/install.sh
+++ b/install.sh
@@ -4,8 +4,8 @@ set -euo pipefail
 DEVA_LAUNCHER="deva.sh"
 LEGACY_WRAPPER="claude.sh"
 YOLO_WRAPPER="claude-yolo"
-DOCKER_IMAGE="ghcr.io/thevibeworks/deva:latest"
-DOCKER_IMAGE_FALLBACK="thevibeworks/deva:latest"
+DOCKER_IMAGE="${DEVA_DOCKER_IMAGE:-ghcr.io/thevibeworks/deva:latest}"
+DOCKER_IMAGE_FALLBACK="${DEVA_DOCKER_IMAGE_FALLBACK:-thevibeworks/deva:latest}"
 INSTALL_BASE_URL="${DEVA_INSTALL_BASE_URL:-https://raw.githubusercontent.com/thevibeworks/deva/main}"
 
 agent_files=(
@@ -55,14 +55,21 @@ for file in "${agent_files[@]}"; do
 done
 
 echo ""
-echo "Pulling Docker image..."
-if ! docker pull "$DOCKER_IMAGE"; then
-    echo "GHCR pull failed. Trying Docker Hub..."
-    docker pull "$DOCKER_IMAGE_FALLBACK"
-    echo ""
-    echo "warning: using Docker Hub fallback image"
-    echo "set this if you want Docker Hub by default:"
-    echo "  export DEVA_DOCKER_IMAGE=thevibeworks/deva"
+if docker image inspect "$DOCKER_IMAGE" >/dev/null 2>&1; then
+    echo "Using local Docker image: $DOCKER_IMAGE"
+else
+    echo "Pulling Docker image..."
+    if ! docker pull "$DOCKER_IMAGE"; then
+        if [ -n "$DOCKER_IMAGE_FALLBACK" ] && [ "$DOCKER_IMAGE_FALLBACK" != "$DOCKER_IMAGE" ]; then
+            echo "Primary pull failed. Trying fallback image..."
+            docker pull "$DOCKER_IMAGE_FALLBACK"
+            echo ""
+            echo "warning: using fallback image $DOCKER_IMAGE_FALLBACK"
+        else
+            echo "error: failed to pull Docker image $DOCKER_IMAGE" >&2
+            exit 1
+        fi
+    fi
 fi
 
 echo ""

From 99f505084c915732c62417706565a2104b58fdf0 Mon Sep 17 00:00:00 2001
From: Eric Wang <wrqatw@gmail.com>
Date: Wed, 11 Mar 2026 23:24:47 -0700
Subject: [PATCH 2/2] fix(ci): pass resolved versions into smoke image build

- build the local smoke image with the same version inputs as release
- stop failing on unset Dockerfile build args before install can run
---
 .github/workflows/ci.yml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index aa3b2cd..6057ed4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,8 +51,26 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+
+      - name: Resolve tool versions
+        id: versions
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: bash ./scripts/resolve-tool-versions.sh
+
       - name: Build local smoke image
-        run: docker build -t deva-smoke:ci .
+        run: |
+          docker build -t deva-smoke:ci \
+            --build-arg CLAUDE_CODE_VERSION="${{ steps.versions.outputs.claude_code_version }}" \
+            --build-arg CODEX_VERSION="${{ steps.versions.outputs.codex_version }}" \
+            --build-arg GEMINI_CLI_VERSION="${{ steps.versions.outputs.gemini_cli_version }}" \
+            --build-arg ATLAS_CLI_VERSION="${{ steps.versions.outputs.atlas_cli_version }}" \
+            --build-arg COPILOT_API_VERSION="${{ steps.versions.outputs.copilot_api_version }}" \
+            .
 
       - name: Install and launch each agent without a TTY
         shell: bash