diff --git a/Dockerfile.client b/Dockerfile.client
index cf959e75c..0c01c8374 100644
--- a/Dockerfile.client
+++ b/Dockerfile.client
@@ -33,6 +33,7 @@ ENV BRIDGE_ADDRESS="Bridge1p5gheXUvJ6jGWGeCsgPKgnE3YgdGKRVCMY9o"
 
 RUN --mount=type=cache,target=/root/.cache \
     --mount=type=cache,target=target \
+    --mount=type=cache,target=/usr/local/cargo/registry,id=cargo_registry \
 	set -xe && \
     cargo build --manifest-path ./Cargo.toml --package bridge_client --release --locked && \
     cargo build --manifest-path ./Cargo.toml --package token_bridge_client --release --locked && \
diff --git a/solana/.dockerignore b/solana/.dockerignore
index 71574ea53..c73c18e9f 100644
--- a/solana/.dockerignore
+++ b/solana/.dockerignore
@@ -1,2 +1,7 @@
 bin
 **/target
+**/bundler
+**/nodejs
+artifacts-*
+**/Makefile
+*.md
diff --git a/solana/DOCKER.md b/solana/DOCKER.md
new file mode 100644
index 000000000..41fba614a
--- /dev/null
+++ b/solana/DOCKER.md
@@ -0,0 +1,18 @@
+# Docker images
+
+To speed up builds and ensure that upstream dependencies remain available, we
+publish prebuilt docker images to https://github.com/orgs/certusone/packages.
+
+The base images have names ending in `*.base`, such as `Dockerfile.base` and
+`Dockerfile.wasm.base`. To push a new image:
+
+```sh
+# first build the image
+DOCKER_BUILDKIT=1 docker build -f Dockerfile.wasm.base -t wasm-pack .
+# tag the image with the appropriate version
+docker tag wasm-pack:latest ghcr.io/certusone/wasm-pack:0.9.1
+# push to ghcr
+docker push ghcr.io/certusone/wasm-pack:0.9.1
+```
+
+Finally, modify the reference in `Dockerfile.wasm` (make sure to update the sha256 hash too).
diff --git a/solana/Dockerfile b/solana/Dockerfile
index 25cf08e14..8f2247b91 100644
--- a/solana/Dockerfile
+++ b/solana/Dockerfile
@@ -1,38 +1,11 @@
 #syntax=docker/dockerfile:1.2@sha256:e2a8561e419ab1ba6b2fe6cbdf49fd92b95912df1cf7d313c3e2230a333fdbcc
-FROM docker.io/library/rust:1.49@sha256:a50165ea96983c21832578afb1c8c028674c965bc1ed43b607871b1f362e06a5 AS solana
-
-RUN apt-get update && \
-    apt-get install -y \
-    clang \
-    libssl-dev \
-    libudev-dev \
-    llvm \
-    pkg-config \
-    zlib1g-dev \
-    && \
-    rm -rf /var/lib/apt/lists/* && \
-    rustup component add rustfmt && \
-    rustup default nightly-2021-12-03
+FROM ghcr.io/certusone/solana:1.9.4@sha256:5389eccba0ba59ae119bc1438b61be8904707e26df8f0732116a8dce0f64eb52 AS solana
 
 # Support additional root CAs
-COPY devnet_setup.sh cert.pem* /certs/
+COPY cert.pem* /certs/
 # Debian
 RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/certs/ca-certificates.crt; fi
 
-RUN sh -c "$(curl -sSfL https://release.solana.com/v1.9.4/install)"
-
-ENV PATH="/root/.local/share/solana/install/active_release/bin:$PATH"
-
-# Solana does a questionable download at the beginning of a *first* build-bpf call. Trigger and layer-cache it explicitly.
-RUN cargo init --lib /tmp/decoy-crate && \
-    cd /tmp/decoy-crate && cargo build-bpf && \
-    rm -rf /tmp/decoy-crate
-
-# The strip shell script downloads criterion the first time it runs so cache it here as well.
-RUN touch /tmp/foo.so && \
-    /root/.local/share/solana/install/active_release/bin/sdk/bpf/scripts/strip.sh /tmp/foo.so /tmp/bar.so || \
-    rm /tmp/foo.so
-
 # Add bridge contract sources
 WORKDIR /usr/src/bridge
 
@@ -51,6 +24,7 @@ RUN [ -n "${BRIDGE_ADDRESS}" ]
 
 # Build Wormhole Solana programs
 RUN --mount=type=cache,target=target,id=build \
+    --mount=type=cache,target=/usr/local/cargo/registry,id=cargo_registry \
     cargo build-bpf --manifest-path "bridge/program/Cargo.toml" -- --locked && \
     cargo build-bpf --manifest-path "bridge/cpi_poster/Cargo.toml" -- --locked && \
     cargo build-bpf --manifest-path "modules/token_bridge/program/Cargo.toml" -- --locked && \
diff --git a/solana/Dockerfile.base b/solana/Dockerfile.base
new file mode 100644
index 000000000..3f41ed20d
--- /dev/null
+++ b/solana/Dockerfile.base
@@ -0,0 +1,17 @@
+#syntax=docker/dockerfile:1.2@sha256:e2a8561e419ab1ba6b2fe6cbdf49fd92b95912df1cf7d313c3e2230a333fdbcc
+FROM docker.io/library/rust:1.49@sha256:a50165ea96983c21832578afb1c8c028674c965bc1ed43b607871b1f362e06a5 AS solana
+
+RUN sh -c "$(curl -sSfL https://release.solana.com/v1.9.4/install)"
+
+ENV PATH="/root/.local/share/solana/install/active_release/bin:$PATH"
+
+COPY rust-toolchain .
+# Solana does a questionable download at the beginning of a *first* build-bpf call. Trigger and layer-cache it explicitly.
+RUN cargo init --lib /tmp/decoy-crate && \
+    cd /tmp/decoy-crate && cargo build-bpf && \
+    rm -rf /tmp/decoy-crate
+
+# The strip shell script downloads criterion the first time it runs so cache it here as well.
+RUN touch /tmp/foo.so && \
+    /root/.local/share/solana/install/active_release/bin/sdk/bpf/scripts/strip.sh /tmp/foo.so /tmp/bar.so || \
+    rm /tmp/foo.so
diff --git a/solana/Dockerfile.wasm b/solana/Dockerfile.wasm
index 200c67364..4da0c2a57 100644
--- a/solana/Dockerfile.wasm
+++ b/solana/Dockerfile.wasm
@@ -8,7 +8,7 @@ RUN rustup default nightly-2022-01-02
 WORKDIR /usr/src/bridge
 
 # Support additional root CAs
-COPY devnet_setup.sh cert.pem* /certs/
+COPY cert.pem* /certs/
 # Debian
 RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/certs/ca-certificates.crt; fi
 
diff --git a/solana/devnet_setup.sh b/solana/devnet_setup.sh
index b1464e195..e985f6994 100755
--- a/solana/devnet_setup.sh
+++ b/solana/devnet_setup.sh
@@ -94,15 +94,16 @@ retry token-bridge-client create-bridge "$nft_bridge_address" "$bridge_address"
 
 # pass the chain registration VAAs sourced from .env to the client's execute-governance command:
 pushd /usr/src/clients/js
+make build
 # Register the Token Bridge Endpoint on ETH
-npm start -- submit -c solana -n devnet "$REGISTER_ETH_TOKEN_BRIDGE_VAA"
-npm start -- submit -c solana -n devnet "$REGISTER_TERRA_TOKEN_BRIDGE_VAA"
-npm start -- submit -c solana -n devnet "$REGISTER_BSC_TOKEN_BRIDGE_VAA"
-npm start -- submit -c solana -n devnet "$REGISTER_ALGO_TOKEN_BRIDGE_VAA"
-npm start -- submit -c solana -n devnet "$REGISTER_TERRA2_TOKEN_BRIDGE_VAA"
+node build/main.js submit -c solana -n devnet "$REGISTER_ETH_TOKEN_BRIDGE_VAA"
+node build/main.js submit -c solana -n devnet "$REGISTER_TERRA_TOKEN_BRIDGE_VAA"
+node build/main.js submit -c solana -n devnet "$REGISTER_BSC_TOKEN_BRIDGE_VAA"
+node build/main.js submit -c solana -n devnet "$REGISTER_ALGO_TOKEN_BRIDGE_VAA"
+node build/main.js submit -c solana -n devnet "$REGISTER_TERRA2_TOKEN_BRIDGE_VAA"
 # Register the NFT Bridge Endpoint on ETH
-npm start -- submit -c solana -n devnet "$REGISTER_ETH_NFT_BRIDGE_VAA"
-npm start -- submit -c solana -n devnet "$REGISTER_TERRA_NFT_BRIDGE_VAA"
+node build/main.js submit -c solana -n devnet "$REGISTER_ETH_NFT_BRIDGE_VAA"
+node build/main.js submit -c solana -n devnet "$REGISTER_TERRA_NFT_BRIDGE_VAA"
 popd
 
 # Let k8s startup probe succeed
diff --git a/solana/rust-toolchain.toml b/solana/rust-toolchain
similarity index 100%
rename from solana/rust-toolchain.toml
rename to solana/rust-toolchain