diff --git a/.github/workflows/nimbus_docker_build.yml b/.github/workflows/nimbus_docker_build.yml index c67b8be2dd..38038ec441 100644 --- a/.github/workflows/nimbus_docker_build.yml +++ b/.github/workflows/nimbus_docker_build.yml @@ -18,13 +18,12 @@ on: - 'portal/**' - '**/*.md' - '.github/workflows/portal*.yml' - - 'nimbus_verified_proxy/**' - - '.github/workflows/nimbus_verified_proxy.yml' workflow_dispatch: env: - REGISTRY_IMAGE: statusim/nimbus-eth1 + EL_REGISTRY_IMAGE: statusim/nimbus-eth1 + PROXY_REGISTRY_IMAGE: statusim/nimbus-verified-proxy jobs: build: @@ -52,11 +51,11 @@ jobs: # Replace '/' with '-' to create a unique identifier for this platform echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - name: Docker meta + - name: Docker meta (EL) id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY_IMAGE }} + images: ${{ env.EL_REGISTRY_IMAGE }} - name: Checkout Repository uses: actions/checkout@v4 @@ -77,7 +76,7 @@ jobs: context: . platforms: ${{ matrix.platform }} labels: ${{ steps.meta.outputs.labels }} - tags: ${{ env.REGISTRY_IMAGE }} + tags: ${{ env.EL_REGISTRY_IMAGE }} outputs: type=image,push-by-digest=true,name-canonical=true,push=true - name: Export digest 
@@ -94,18 +93,56 @@ jobs: if-no-files-found: error retention-days: 1 + - name: Docker meta (proxy) + id: meta-proxy + uses: docker/metadata-action@v5 + with: + images: ${{ env.PROXY_REGISTRY_IMAGE }} + + - name: Build and push proxy by digest + id: build-proxy + uses: docker/build-push-action@v6 + with: + context: . + file: Dockerfile.proxy + platforms: ${{ matrix.platform }} + labels: ${{ steps.meta-proxy.outputs.labels }} + tags: ${{ env.PROXY_REGISTRY_IMAGE }} + outputs: type=image,push-by-digest=true,name-canonical=true,push=true + + - name: Export proxy digest + run: | + mkdir -p ${{ runner.temp }}/proxy-digests + digest="${{ steps.build-proxy.outputs.digest }}" + touch "${{ runner.temp }}/proxy-digests/${digest#sha256:}" + + - name: Upload proxy digest + uses: actions/upload-artifact@v4 + with: + name: proxy-digests-${{ env.PLATFORM_PAIR }} + path: ${{ runner.temp }}/proxy-digests/* + if-no-files-found: error + retention-days: 1 + merge: runs-on: ubuntu-latest needs: - build steps: - - name: Download digests + - name: Download EL digests uses: actions/download-artifact@v4 with: path: ${{ runner.temp }}/digests pattern: digests-* merge-multiple: true + - name: Download proxy digests + uses: actions/download-artifact@v4 + with: + path: ${{ runner.temp }}/proxy-digests + pattern: proxy-digests-* + merge-multiple: true + - name: Login to Docker Hub uses: docker/login-action@v3 with: @@ -119,7 +156,16 @@ jobs: id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY_IMAGE }} + images: ${{ env.EL_REGISTRY_IMAGE }} + tags: | + type=ref,event=branch + type=sha,prefix={{branch}}- + + - name: Docker meta (proxy) + id: meta-proxy + uses: docker/metadata-action@v5 + with: + images: ${{ env.PROXY_REGISTRY_IMAGE }} tags: | type=ref,event=branch type=sha,prefix={{branch}}- 
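Review bot: The proxy steps added to the `build` job reference `docker/metadata-action@v5`, `docker/build-push-action@v6` and `actions/upload-artifact@v4` by mutable tag, in a job that pushes images to the registry (`push=true`). A tag can be moved upstream, so publishing jobs are usually pinned to a full commit SHA with the version kept as a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha> # v6`. The `Docker meta (proxy)` step added to the `merge` job in the next hunk has the same form; since this follows the file's existing convention, it may be cleaner to pin the whole workflow in one pass. Separately, `merge` has `needs: build`, so as far as these hunks show a failed proxy build would also hold back the EL manifest.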
@@ -129,8 +175,21 @@ jobs: run: | jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON" docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) + $(printf '${{ env.EL_REGISTRY_IMAGE }}@sha256:%s ' *) + + - name: Create proxy manifest list and push + working-directory: ${{ runner.temp }}/proxy-digests + env: + DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta-proxy.outputs.json }} + run: | + jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON" + docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ + $(printf '${{ env.PROXY_REGISTRY_IMAGE }}@sha256:%s ' *) - name: Inspect image run: | - docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} + docker buildx imagetools inspect ${{ env.EL_REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} + + - name: Inspect proxy image + run: | + docker buildx imagetools inspect ${{ env.PROXY_REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5cb3950295..e7470720a3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
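Review bot: The new `Inspect proxy image` step in nimbus_docker_build.yml takes its tag from `steps.meta.outputs.version`, which is the EL metadata step, not `meta-proxy`. Both steps currently carry the same tag rules, so the value happens to match, but the proxy inspection would check the wrong tag as soon as either rule set changes. Use `docker buildx imagetools inspect ${{ env.PROXY_REGISTRY_IMAGE }}:${{ steps.meta-proxy.outputs.version }}`.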
@@ -137,6 +137,17 @@ jobs: docker push statusim/nimbus-eth1:${{ matrix.os }}-${{ matrix.cpu }}-${TAG} docker push statusim/nimbus-eth1:${{ matrix.os }}-${{ matrix.cpu }}-latest + - name: Build and push a Docker image for verified proxy + if: matrix.os == 'linux' && startsWith(github.ref, 'refs/tags/v') + run: | + cd docker/dist/binaries + cp -r nimbus-eth1 nimbus-verified-proxy + REFNAME="${{ github.ref }}" + TAG="${REFNAME#refs/tags/}" + DOCKER_BUILDKIT=1 docker build -f Dockerfile.proxy.${{ matrix.os }}-${{ matrix.cpu }} -t statusim/nimbus-verified-proxy:${{ matrix.os }}-${{ matrix.cpu }}-${TAG} -t statusim/nimbus-verified-proxy:${{ matrix.os }}-${{ matrix.cpu }}-latest . + docker push statusim/nimbus-verified-proxy:${{ matrix.os }}-${{ matrix.cpu }}-${TAG} + docker push statusim/nimbus-verified-proxy:${{ matrix.os }}-${{ matrix.cpu }}-latest + docker-multiarch: name: Create multi-arch Docker manifest needs: build @@ -165,6 +176,19 @@ jobs: statusim/nimbus-eth1:linux-amd64-latest \ statusim/nimbus-eth1:linux-arm64-latest + - name: Create and push proxy multi-arch manifest (versioned) + run: | + TAG="${{ steps.extract_tag.outputs.tag }}" + docker buildx imagetools create -t statusim/nimbus-verified-proxy:${TAG} \ + statusim/nimbus-verified-proxy:linux-amd64-${TAG} \ + statusim/nimbus-verified-proxy:linux-arm64-${TAG} + + - name: Create and push proxy multi-arch manifest (latest) + run: | + docker buildx imagetools create -t statusim/nimbus-verified-proxy:latest \ + statusim/nimbus-verified-proxy:linux-amd64-latest \ + statusim/nimbus-verified-proxy:linux-arm64-latest + prepare-release: name: Prepare release draft needs: [build, docker-multiarch] diff --git a/Dockerfile.proxy b/Dockerfile.proxy new file mode 100644 index 0000000000..0215590924 --- /dev/null +++ b/Dockerfile.proxy 
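Review bot: The proxy step added to the `build` job of release.yml expands `${{ github.ref }}` directly into the script (`REFNAME="${{ github.ref }}"`), so the ref text is substituted before bash parses the line. Tag names may contain shell metacharacters; read the value from the environment instead, `TAG="${GITHUB_REF#refs/tags/}"`, and quote `${TAG}` where it is used in the `docker build` and `docker push` arguments. The proxy manifest step added to `docker-multiarch` in the next hunk does the same with `${{ steps.extract_tag.outputs.tag }}`; passing it through a step-level `env:` entry avoids the inline expansion there too. Also, `cp -r nimbus-eth1 nimbus-verified-proxy` copies the whole directory into the image context, so the proxy image presumably ships everything in the nimbus-eth1 dist tree rather than only `nimbus_verified_proxy`; worth confirming that is intended.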
@@ -0,0 +1,47 @@
+# Nimbus
+# Copyright (c) 2026 Status Research & Development GmbH
+# Licensed under either of
+# * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
+# http://www.apache.org/licenses/LICENSE-2.0)
+# * MIT license ([LICENSE-MIT](LICENSE-MIT) or
+# http://opensource.org/licenses/MIT)
+# at your option. This file may not be copied, modified, or distributed except
+# according to those terms.
+
+FROM debian:trixie-slim AS build
+
+SHELL ["/bin/bash", "-c"]
+
+RUN apt-get clean && apt update \
+ && apt -y install curl build-essential git-lfs
+
+RUN ldd --version
+
+ADD . /root/nimbus-eth1
+
+RUN cd /root/nimbus-eth1 \
+ && rm -rf build/ \
+ && make -j$(nproc) init \
+ && make -j$(nproc) DISABLE_MARCH_NATIVE=1 V=1 nimbus_verified_proxy
+
+# --------------------------------- #
+# Starting new image to reduce size #
+# --------------------------------- #
+FROM debian:trixie-slim AS deploy
+
+SHELL ["/bin/bash", "-c"]
+RUN apt-get clean && apt update \
+ && apt -y install build-essential
+RUN apt update && apt -y upgrade
+
+RUN ldd --version
+
+RUN rm -f /home/user/nimbus-eth1/build/nimbus_verified_proxy
+
+COPY --from=build /root/nimbus-eth1/build/nimbus_verified_proxy /home/user/nimbus-eth1/build/nimbus_verified_proxy
+
+ENV PATH="/home/user/nimbus-eth1/build:${PATH}"
+ENTRYPOINT ["nimbus_verified_proxy"]
+WORKDIR /home/user/nimbus-eth1/build
+
+STOPSIGNAL SIGINT
diff --git a/docker/dist/binaries/Dockerfile.proxy.linux-amd64 b/docker/dist/binaries/Dockerfile.proxy.linux-amd64
new file mode 100644
index 0000000000..bf1186eb87
--- /dev/null
+++ b/docker/dist/binaries/Dockerfile.proxy.linux-amd64
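Review bot: The `deploy` stage of Dockerfile.proxy never sets `USER`, so `nimbus_verified_proxy` runs as root even though it is installed under /home/user; the Dockerfiles under docker/dist/binaries in this same commit create uid/gid 1000 and switch to it. The stage also installs `build-essential`, which puts a compiler toolchain into the runtime image and works against the "reduce size" comment; if the binary needs a shared library at run time, install that library instead. `RUN rm -f /home/user/nimbus-eth1/build/nimbus_verified_proxy` has nothing to remove in a fresh base image and can go. One possible shape for the stage is below; whether the proxy needs to write to its working directory should be checked before switching users, since the directories created by `COPY` are owned by root.

```dockerfile
FROM debian:trixie-slim AS deploy
# ... unchanged: SHELL ...
RUN apt-get update && apt-get -y upgrade \
 && rm -rf /var/lib/apt/lists/*

# Same uid/gid as docker/dist/binaries/Dockerfile.proxy.linux-*
RUN groupadd -g 1000 user && \
    useradd -u 1000 -g 1000 -c "" -m -s /bin/bash -p '*' user

# ... unchanged: COPY --from=build, ENV PATH, ENTRYPOINT, WORKDIR ...
USER user
```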
@@ -0,0 +1,26 @@
+# Nimbus
+# Copyright (c) 2026 Status Research & Development GmbH
+# Licensed under either of
+# * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
+# http://www.apache.org/licenses/LICENSE-2.0)
+# * MIT license ([LICENSE-MIT](LICENSE-MIT) or
+# http://opensource.org/licenses/MIT)
+# at your option. This file may not be copied, modified, or distributed except
+# according to those terms.
+
+FROM --platform=linux/amd64 debian:trixie-slim
+
+SHELL ["/bin/bash", "-c"]
+
+# Likely to match the first regular user:group created on the host.
+RUN groupadd -g 1000 user && \
+ useradd -u 1000 -g 1000 -c "" -m -s /bin/bash -p '*' user
+
+USER user
+
+STOPSIGNAL SIGINT
+
+# Docker refuses to copy the source directory here, so read it as "nimbus-verified-proxy/*"
+COPY "nimbus-verified-proxy" "/home/user/nimbus-verified-proxy/"
+WORKDIR "/home/user/nimbus-verified-proxy/"
+ENTRYPOINT ["/home/user/nimbus-verified-proxy/build/nimbus_verified_proxy"]
diff --git a/docker/dist/binaries/Dockerfile.proxy.linux-arm64 b/docker/dist/binaries/Dockerfile.proxy.linux-arm64
new file mode 100644
index 0000000000..04eeb350a6
--- /dev/null
+++ b/docker/dist/binaries/Dockerfile.proxy.linux-arm64
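Review bot: In Dockerfile.proxy.linux-amd64 the `COPY` does not take ownership from the preceding `USER user`; without `--chown` the copied tree, including the `WORKDIR` /home/user/nimbus-verified-proxy/, is owned by root. A root-owned binary that the runtime user cannot modify is a reasonable hardening choice, but if the proxy writes anything relative to its working directory it would fail as uid 1000. State which is intended with a comment above the `COPY`, e.g. `# Copied as root on purpose: the runtime user must not be able to modify the binaries.`, or add `--chown=user:user` if a writable tree is required. Dockerfile.proxy.linux-arm64 has the same lines.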
@@ -0,0 +1,32 @@
+# Nimbus
+# Copyright (c) 2026 Status Research & Development GmbH
+# Licensed under either of
+# * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
+# http://www.apache.org/licenses/LICENSE-2.0)
+# * MIT license ([LICENSE-MIT](LICENSE-MIT) or
+# http://opensource.org/licenses/MIT)
+# at your option. This file may not be copied, modified, or distributed except
+# according to those terms.
+
+# Bring in the static QEMU binary (works when cross-building)
+FROM --platform=$BUILDPLATFORM multiarch/qemu-user-static:latest AS qemu
+
+FROM --platform=linux/arm64/v8 debian:trixie-slim
+
+SHELL ["/bin/bash", "-c"]
+
+# Only needed when cross-building, but harmless otherwise
+COPY --from=qemu /usr/bin/qemu-aarch64-static /usr/bin/
+
+# Likely to match the first regular user:group created on the host.
+RUN groupadd -g 1000 user && \
+ useradd -u 1000 -g 1000 -c "" -m -s /bin/bash -p '*' user
+
+USER user
+
+STOPSIGNAL SIGINT
+
+# Docker refuses to copy the source directory here, so read it as "nimbus-verified-proxy/*"
+COPY "nimbus-verified-proxy" "/home/user/nimbus-verified-proxy/"
+WORKDIR "/home/user/nimbus-verified-proxy/"
+ENTRYPOINT ["/home/user/nimbus-verified-proxy/build/nimbus_verified_proxy"]
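Review bot: `multiarch/qemu-user-static:latest` is a third-party image referenced by a floating tag, and a binary from it is copied into the published arm64 image, so every release build trusts whatever that tag points to at build time. Pin it to a fixed version or digest, e.g. `FROM --platform=$BUILDPLATFORM multiarch/qemu-user-static@sha256:<digest> AS qemu`. The copied `/usr/bin/qemu-aarch64-static` also remains in the final image; the existing comment calls it harmless, but it is an extra executable the proxy does not need at run time, so the comment should say why it is kept (presumably for the `RUN groupadd` step under emulation).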