proxy: build docker images for proxy

.github/workflows/nimbus_docker_build.yml

@@ -18,13 +18,12 @@ on:
       - 'portal/**'
       - '**/*.md'
       - '.github/workflows/portal*.yml'
-      - 'nimbus_verified_proxy/**'
-      - '.github/workflows/nimbus_verified_proxy.yml'
 
   workflow_dispatch:
 
 env:
-  REGISTRY_IMAGE: statusim/nimbus-eth1
+  EL_REGISTRY_IMAGE: statusim/nimbus-eth1
+  PROXY_REGISTRY_IMAGE: statusim/nimbus-verified-proxy
 
 jobs:
   build:
@@ -52,11 +51,11 @@ jobs:
           # Replace '/' with '-' to create a unique identifier for this platform
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
 
-      - name: Docker meta
+      - name: Docker meta (EL)
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY_IMAGE }}
+          images: ${{ env.EL_REGISTRY_IMAGE }}
 
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -77,7 +76,7 @@ jobs:
           context: .
           platforms: ${{ matrix.platform }}
           labels: ${{ steps.meta.outputs.labels }}
-          tags: ${{ env.REGISTRY_IMAGE }}
+          tags: ${{ env.EL_REGISTRY_IMAGE }}
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
 
       - name: Export digest
@@ -94,18 +93,56 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
+      - name: Docker meta (proxy)
+        id: meta-proxy
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.PROXY_REGISTRY_IMAGE }}
+
+      - name: Build and push proxy by digest
+        id: build-proxy
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile.proxy
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta-proxy.outputs.labels }}
+          tags: ${{ env.PROXY_REGISTRY_IMAGE }}
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export proxy digest
+        run: |
+          mkdir -p ${{ runner.temp }}/proxy-digests
+          digest="${{ steps.build-proxy.outputs.digest }}"
+          touch "${{ runner.temp }}/proxy-digests/${digest#sha256:}"
+
+      - name: Upload proxy digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: proxy-digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/proxy-digests/*
+          if-no-files-found: error
+          retention-days: 1
+
   merge:
     runs-on: ubuntu-latest
     needs:
       - build
     steps:
-      - name: Download digests
+      - name: Download EL digests
         uses: actions/download-artifact@v4
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
           merge-multiple: true
 
+      - name: Download proxy digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/proxy-digests
+          pattern: proxy-digests-*
+          merge-multiple: true
+
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
@@ -119,7 +156,16 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY_IMAGE }}
+          images: ${{ env.EL_REGISTRY_IMAGE }}
+          tags: |
+            type=ref,event=branch
+            type=sha,prefix={{branch}}-
+
+      - name: Docker meta (proxy)
+        id: meta-proxy
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.PROXY_REGISTRY_IMAGE }}
           tags: |
             type=ref,event=branch
             type=sha,prefix={{branch}}-
@@ -129,8 +175,21 @@ jobs:
         run: |
           jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON"
           docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+            $(printf '${{ env.EL_REGISTRY_IMAGE }}@sha256:%s ' *)
+
+      - name: Create proxy manifest list and push
+        working-directory: ${{ runner.temp }}/proxy-digests
+        env:
+          DOCKER_METADATA_OUTPUT_JSON: ${{ steps.meta-proxy.outputs.json }}
+        run: |
+          jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON"
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.PROXY_REGISTRY_IMAGE }}@sha256:%s ' *)
 
       - name: Inspect image
         run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
+          docker buildx imagetools inspect ${{ env.EL_REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
+
+      - name: Inspect proxy image
+        run: |
+          docker buildx imagetools inspect ${{ env.PROXY_REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}

.github/workflows/release.yml

@@ -137,6 +137,17 @@ jobs:
           docker push statusim/nimbus-eth1:${{ matrix.os }}-${{ matrix.cpu }}-${TAG}
           docker push statusim/nimbus-eth1:${{ matrix.os }}-${{ matrix.cpu }}-latest
 
+      - name: Build and push a Docker image for verified proxy
+        if: matrix.os == 'linux' && startsWith(github.ref, 'refs/tags/v')
+        run: |
+          cd docker/dist/binaries
+          cp -r nimbus-eth1 nimbus-verified-proxy
+          REFNAME="${{ github.ref }}"
+          TAG="${REFNAME#refs/tags/}"
+          DOCKER_BUILDKIT=1 docker build -f Dockerfile.proxy.${{ matrix.os }}-${{ matrix.cpu }} -t statusim/nimbus-verified-proxy:${{ matrix.os }}-${{ matrix.cpu }}-${TAG} -t statusim/nimbus-verified-proxy:${{ matrix.os }}-${{ matrix.cpu }}-latest .
+          docker push statusim/nimbus-verified-proxy:${{ matrix.os }}-${{ matrix.cpu }}-${TAG}
+          docker push statusim/nimbus-verified-proxy:${{ matrix.os }}-${{ matrix.cpu }}-latest
+
   docker-multiarch:
     name: Create multi-arch Docker manifest
     needs: build
@@ -165,6 +176,19 @@ jobs:
             statusim/nimbus-eth1:linux-amd64-latest \
             statusim/nimbus-eth1:linux-arm64-latest
 
+      - name: Create and push proxy multi-arch manifest (versioned)
+        run: |
+          TAG="${{ steps.extract_tag.outputs.tag }}"
+          docker buildx imagetools create -t statusim/nimbus-verified-proxy:${TAG} \
+            statusim/nimbus-verified-proxy:linux-amd64-${TAG} \
+            statusim/nimbus-verified-proxy:linux-arm64-${TAG}
+
+      - name: Create and push proxy multi-arch manifest (latest)
+        run: |
+          docker buildx imagetools create -t statusim/nimbus-verified-proxy:latest \
+            statusim/nimbus-verified-proxy:linux-amd64-latest \
+            statusim/nimbus-verified-proxy:linux-arm64-latest
+
   prepare-release:
     name: Prepare release draft
     needs: [build, docker-multiarch]

Dockerfile.proxy

@@ -0,0 +1,47 @@
+# Nimbus
+# Copyright (c) 2026 Status Research & Development GmbH
+# Licensed under either of
+#  * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
+#    http://www.apache.org/licenses/LICENSE-2.0)
+#  * MIT license ([LICENSE-MIT](LICENSE-MIT) or
+#    http://opensource.org/licenses/MIT)
+# at your option. This file may not be copied, modified, or distributed except
+# according to those terms.
+
+FROM debian:trixie-slim AS build
+
+SHELL ["/bin/bash", "-c"]
+
+RUN apt-get clean && apt update \
+ && apt -y install curl build-essential git-lfs
+
+RUN ldd --version
+
+ADD . /root/nimbus-eth1
+
+RUN cd /root/nimbus-eth1 \
+ && rm -rf build/ \
+ && make -j$(nproc) init \
+ && make -j$(nproc) DISABLE_MARCH_NATIVE=1 V=1 nimbus_verified_proxy
+
+# --------------------------------- #
+# Starting new image to reduce size #
+# --------------------------------- #
+FROM debian:trixie-slim AS deploy
+
+SHELL ["/bin/bash", "-c"]
+RUN apt-get clean && apt update \
+ && apt -y install build-essential
+RUN apt update && apt -y upgrade
+
+RUN ldd --version
+
+RUN rm -f /home/user/nimbus-eth1/build/nimbus_verified_proxy
+
+COPY --from=build /root/nimbus-eth1/build/nimbus_verified_proxy /home/user/nimbus-eth1/build/nimbus_verified_proxy
+
+ENV PATH="/home/user/nimbus-eth1/build:${PATH}"
+ENTRYPOINT ["nimbus_verified_proxy"]
+WORKDIR /home/user/nimbus-eth1/build
+
+STOPSIGNAL SIGINT

docker/dist/binaries/Dockerfile.proxy.linux-amd64

@@ -0,0 +1,26 @@
+# Nimbus
+# Copyright (c) 2026 Status Research & Development GmbH
+# Licensed under either of
+#  * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
+#    http://www.apache.org/licenses/LICENSE-2.0)
+#  * MIT license ([LICENSE-MIT](LICENSE-MIT) or
+#    http://opensource.org/licenses/MIT)
+# at your option. This file may not be copied, modified, or distributed except
+# according to those terms.
+
+FROM --platform=linux/amd64 debian:trixie-slim
+
+SHELL ["/bin/bash", "-c"]
+
+# Likely to match the first regular user:group created on the host.
+RUN groupadd -g 1000 user && \
+    useradd -u 1000 -g 1000 -c "" -m -s /bin/bash -p '*' user
+
+USER user
+
+STOPSIGNAL SIGINT
+
+# Docker refuses to copy the source directory here, so read it as "nimbus-verified-proxy/*"
+COPY "nimbus-verified-proxy" "/home/user/nimbus-verified-proxy/"
+WORKDIR "/home/user/nimbus-verified-proxy/"
+ENTRYPOINT ["/home/user/nimbus-verified-proxy/build/nimbus_verified_proxy"]

docker/dist/binaries/Dockerfile.proxy.linux-arm64

@@ -0,0 +1,32 @@
+# Nimbus
+# Copyright (c) 2026 Status Research & Development GmbH
+# Licensed under either of
+#  * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
+#    http://www.apache.org/licenses/LICENSE-2.0)
+#  * MIT license ([LICENSE-MIT](LICENSE-MIT) or
+#    http://opensource.org/licenses/MIT)
+# at your option. This file may not be copied, modified, or distributed except
+# according to those terms.
+
+# Bring in the static QEMU binary (works when cross-building)
+FROM --platform=$BUILDPLATFORM multiarch/qemu-user-static:latest AS qemu
+
+FROM --platform=linux/arm64/v8 debian:trixie-slim
+
+SHELL ["/bin/bash", "-c"]
+
+# Only needed when cross-building, but harmless otherwise
+COPY --from=qemu /usr/bin/qemu-aarch64-static /usr/bin/
+
+# Likely to match the first regular user:group created on the host.
+RUN groupadd -g 1000 user && \
+    useradd -u 1000 -g 1000 -c "" -m -s /bin/bash -p '*' user
+
+USER user
+
+STOPSIGNAL SIGINT
+
+# Docker refuses to copy the source directory here, so read it as "nimbus-verified-proxy/*"
+COPY "nimbus-verified-proxy" "/home/user/nimbus-verified-proxy/"
+WORKDIR "/home/user/nimbus-verified-proxy/"
+ENTRYPOINT ["/home/user/nimbus-verified-proxy/build/nimbus_verified_proxy"]