feat: Add reproducible builds release workflows and push images to DockerHub (#7614)

This pull request introduces workflows and updates to ensure reproducible builds for the Lighthouse project. It adds two GitHub Actions workflows for building and testing reproducible Docker images and binaries, updates the `Makefile` to streamline reproducible build configurations, and modifies the `Dockerfile.reproducible` to align with the new build process. Additionally, it removes the `reproducible` profile from `Cargo.toml`.


  ### New GitHub Actions Workflows:

* [`.github/workflows/docker-reproducible.yml`](diffhunk://#diff-222af23bee616920b04f5b92a83eb5106fce08abd885cd3a3b15b8beb5e789c3R1-R145): Adds a workflow to build and push reproducible multi-architecture Docker images for releases, including support for dry runs without pushing an image.

### Build Configuration Updates:

* [`Makefile`](diffhunk://#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52L85-R143): Refactors reproducible build targets, centralizes environment variables for reproducibility, and updates Docker build arguments for `x86_64` and `aarch64` architectures.
* [`Dockerfile.reproducible`](diffhunk://#diff-587298ff141278ce3be7c54a559f9f31472cc5b384e285e2105b3dee319ba31dL1-R24): Updates the base Rust image to version 1.86, removes hardcoded reproducibility settings, and delegates build logic to the `Makefile`.
* Switch to using jemalloc-sys from Debian repos instead of building it from source. A Debian version is [reproducible](https://tests.reproducible-builds.org/debian/rb-pkg/trixie/amd64/jemalloc.html) which is [hard to achieve](https://github.com/NixOS/nixpkgs/issues/380852) if you build it from source.

### Profile Removal:

* [`Cargo.toml`](diffhunk://#diff-2e9d962a08321605940b5a657135052fbcef87b5e360662bb527c96d9a615542L289-L295): Removes the `reproducible` profile, simplifying build configurations and relying on external tooling for reproducibility.


Co-Authored-By: Moe Mahhouk <mohammed-mahhouk@hotmail.com>

Co-Authored-By: chonghe <44791194+chong-he@users.noreply.github.com>

Co-Authored-By: Michael Sproul <michaelsproul@users.noreply.github.com>
This commit is contained in:
Moe Mahhouk
2025-11-28 00:06:31 +01:00
committed by GitHub
parent 847fa3f034
commit 713e477912
6 changed files with 230 additions and 48 deletions

View File

@@ -3,42 +3,22 @@ ARG RUST_IMAGE="rust:1.88-bullseye@sha256:8e3c421122bf4cd3b2a866af41a4dd52d87ad9
FROM ${RUST_IMAGE} AS builder
# Install specific version of the build dependencies
RUN apt-get update && apt-get install -y libclang-dev=1:11.0-51+nmu5 cmake=3.18.4-2+deb11u1
RUN apt-get update && apt-get install -y libclang-dev=1:11.0-51+nmu5 cmake=3.18.4-2+deb11u1 libjemalloc-dev=5.2.1-3
# Add target architecture argument with default value
ARG RUST_TARGET="x86_64-unknown-linux-gnu"
# Copy the project to the container
COPY . /app
COPY ./ /app
WORKDIR /app
# Get the latest commit timestamp and set SOURCE_DATE_EPOCH (default it to 0 if not passed)
ARG SOURCE_DATE=0
# Set environment variables for reproducibility
ARG RUSTFLAGS="-C link-arg=-Wl,--build-id=none -C metadata='' --remap-path-prefix $(pwd)=."
ENV SOURCE_DATE_EPOCH=$SOURCE_DATE \
CARGO_INCREMENTAL=0 \
LC_ALL=C \
TZ=UTC \
RUSTFLAGS="${RUSTFLAGS}"
# Set the default features if not provided
ARG FEATURES="gnosis,slasher-lmdb,slasher-mdbx,slasher-redb,jemalloc"
# Set the default profile if not provided
ARG PROFILE="reproducible"
# Build the project with the reproducible settings
RUN cargo build --bin lighthouse \
--features "${FEATURES}" \
--profile "${PROFILE}" \
--locked \
--target "${RUST_TARGET}"
RUN make build-reproducible
RUN mv /app/target/${RUST_TARGET}/${PROFILE}/lighthouse /lighthouse
# Move the binary to a standard location
RUN mv /app/target/${RUST_TARGET}/release/lighthouse /lighthouse
# Create a minimal final image with just the binary
FROM gcr.io/distroless/cc-debian12:nonroot-6755e21ccd99ddead6edc8106ba03888cbeed41a
COPY --from=builder /lighthouse /lighthouse
ENTRYPOINT [ "/lighthouse" ]