ci: add docker publish

[zsluedem]

Summary by CodeRabbit

• New Features

  • Enhanced Docker build process with a more efficient multi-stage structure.
  • Updated workflow triggers for improved automation on the taiyi branch.

• Bug Fixes

  • Resolved issues related to Docker handling and build efficiency.

• Chores

  • Updated .dockerignore to exclude unnecessary directories from Docker context.
  • Modernized workflow configuration and Docker setup for better performance.

[coderabbitai]

Walkthrough

The changes include updates to the .dockerignore, modifications to the GitHub Actions workflow in .github/workflows/build_preconf.yml, and a restructuring of the Dockerfile. The .dockerignore now excludes the target directory. The workflow has been enhanced to trigger on specific events and includes new steps for Docker handling. The Dockerfile has been restructured into three stages for better caching and efficiency, with an updated base image and consolidated installation commands.

Changes

File	Change Summary
.dockerignore	Added entry: target to exclude the target directory from Docker build context.
.github/workflows/build_preconf.yml	Updated workflow trigger to include pushes to taiyi and closed pull requests. Added conditional execution for jobs, updated runner, and added new steps for Docker handling. Removed previous checkout and build steps.
Dockerfile	Updated base image to lukemathwalker/cargo-chef:latest-rust-1.81.0. Introduced three build stages: planner, builder, and runtime. Consolidated installation commands and added runtime dependencies. Entry point remains unchanged.

Poem

In the land of code where rabbits play,
New changes hop in, brightening the day.
With Docker and workflows, we build and we cheer,
A target ignored, our vision is clear!
From chef to runtime, our process refined,
In the garden of code, new wonders we find! 🐇✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 5

🧹 Outside diff range and nitpick comments (1)

Dockerfile (1)

1-1: Pin the base image to a specific version

Using a specific image digest or version ensures consistent builds and reduces the risk of unexpected changes due to upstream updates.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 03506d4 and fb0cf18.

📒 Files selected for processing (3)

• .dockerignore (1 hunks)
• .github/workflows/build_preconf.yml (1 hunks)
• Dockerfile (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• .dockerignore

🧰 Additional context used

🪛 actionlint

.github/workflows/build_preconf.yml

21-21: the runner of "docker/setup-buildx-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

24-24: the runner of "docker/login-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

30-30: the runner of "docker/build-push-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint

.github/workflows/build_preconf.yml

[error] 36-36: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (2)

.github/workflows/build_preconf.yml (2)

17-19: LGTM! Using latest checkout action version.

---

20-36: 🛠️ Refactor suggestion

⚠️ Potential issue

Update Docker action versions and improve tag strategy

Several improvements are needed:

1. Docker actions are using outdated versions
2. Tag strategy could be more comprehensive
3. Missing newline at end of file

Apply these updates:

-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3

-        uses: docker/login-action@v1
+        uses: docker/login-action@v3

-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
           tags: |
             ${{ secrets.DOCKER_USERNAME }}/helix:latest
-            ${{ secrets.DOCKER_USERNAME }}/helix:${{ github.sha }}
+            ${{ secrets.DOCKER_USERNAME }}/helix:${{ github.sha }}
+            ${{ secrets.DOCKER_USERNAME }}/helix:${{ github.ref_name }}

Consider adding these improvements:

1. Add platforms specification for multi-arch support:

          platforms: linux/amd64,linux/arm64

2. Enable build cache:

          cache-from: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/helix:buildcache
          cache-to: type=registry,ref=${{ secrets.DOCKER_USERNAME }}/helix:buildcache,mode=max

Let's verify the Docker Hub repository exists:

✅ Verification successful

Docker action versions should be updated, but multi-arch and caching suggestions need revision

The review comment's version update recommendations are valid, but some suggestions need adjustment:

1. The repository uses a multi-stage Dockerfile with cargo-chef for Rust, which already implements efficient caching. Adding registry-based caching might not provide significant benefits.

2. Multi-arch platform specification isn't necessary as the project appears to be a Rust binary targeting specific platforms through the Dockerfile.

Recommended changes:

-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3

-        uses: docker/login-action@v1
+        uses: docker/login-action@v3

-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5

The tag strategy update to include github.ref_name is beneficial for better version tracking.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the Docker Hub repository exists and is accessible
curl -s "https://hub.docker.com/v2/repositories/$DOCKER_USERNAME/helix" | jq -r '.name'

Length of output: 126

---

Script:

#!/bin/bash
# Let's verify if there are any other Docker-related workflows or configurations
fd -e yml -e yaml . .github/workflows/ -x cat {}

# Also check for Dockerfile to understand the build context
fd Dockerfile . -x cat {}

Length of output: 5531

🧰 Tools

🪛 actionlint

21-21: the runner of "docker/setup-buildx-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

24-24: the runner of "docker/login-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

30-30: the runner of "docker/build-push-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint

[error] 36-36: no new line character at the end of file

(new-line-at-end-of-file)

[coderabbitai]

Actionable comments posted: 10

🧹 Outside diff range and nitpick comments (3)

crates/api/src/delegation.rs (1)

5-7: Add documentation for the DelegationContract struct.

Consider adding documentation comments to explain:

• The purpose of this contract
• The role of delegation_contract_address
• Usage examples

+/// Represents a delegation contract that manages validator delegations.
+/// 
+/// # Fields
+/// * `delegation_contract_address` - The Ethereum address where the delegation contract is deployed
 pub struct DelegationContract {
     delegation_contract_address: Address,
 }

crates/api/Cargo.toml (1)

43-43: Consider using workspace-level version management.

While the dependency addition is well-organized and justified for the new delegation contract functionality, consider moving the version specification to the workspace-level Cargo.toml for consistent dependency management across the workspace, similar to other dependencies.

Apply this change in the workspace root's Cargo.toml:

[workspace.dependencies]
alloy-sol-types = "0.8.8"

Then update this dependency to use workspace inheritance:

-alloy-sol-types = "0.8.8"
+alloy-sol-types.workspace = true

crates/common/src/config.rs (1)

103-113: Add documentation for ExecutionClientConfig.

While the implementation is correct, consider adding documentation comments to explain:

• The purpose of this configuration
• The expected URL format
• Any specific requirements or limitations

Example documentation:

/// Configuration for connecting to Ethereum execution clients
/// 
/// The URL should point to a JSON-RPC endpoint (default: http://localhost:8545)
#[derive(Serialize, Deserialize, Clone, Debug)]
pub struct ExecutionClientConfig {
    // ... rest of the implementation
}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between fb0cf18 and a754424.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (10)

• .dockerignore (1 hunks)
• .github/workflows/build_preconf.yml (1 hunks)
• Dockerfile (1 hunks)
• crates/api/Cargo.toml (1 hunks)
• crates/api/src/delegation.rs (1 hunks)
• crates/api/src/lib.rs (1 hunks)
• crates/api/src/proposer/api.rs (5 hunks)
• crates/api/src/router.rs (1 hunks)
• crates/common/src/api/constraints_api.rs (2 hunks)
• crates/common/src/config.rs (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .dockerignore

🧰 Additional context used

🪛 actionlint

.github/workflows/build_preconf.yml

23-23: the runner of "docker/setup-buildx-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

26-26: the runner of "docker/login-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

32-32: the runner of "docker/build-push-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint

.github/workflows/build_preconf.yml

[error] 38-38: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (13)

crates/api/src/lib.rs (1)

5-5: PR scope appears to exceed what's suggested by the title.

While the PR is titled "ci: add docker publish", this change introduces a new public API module with significant functionality around delegation contracts. Consider:

1. Updating the PR title and description to reflect these API changes
2. Splitting this into separate PRs: one for CI/Docker changes and another for API changes
3. Adding more context about the delegation feature in the PR description

This will help reviewers better understand and assess the changes.

#!/bin/bash
# Check the extent of API changes vs CI changes
echo "=== Files changed in this PR ==="
fd -e rs -e yml -e dockerfile -e dockerignore . -x echo "{}"

crates/api/src/delegation.rs (2)

1-3: LGTM! Imports are appropriate and well-organized.

---

10-12: Consider adding address validation in the constructor.

The constructor accepts any Address without validation. Consider adding checks for:

• Zero address
• Contract existence at the given address

Dockerfile (1)

5-7: LGTM! Proper use of cargo-chef for dependency caching.

The planner stage correctly implements cargo-chef's recipe preparation step, which will help optimize build times through better layer caching.

.github/workflows/build_preconf.yml (2)

15-15: LGTM! Well-implemented job condition.

The condition properly handles both direct pushes and merged PRs, ensuring the workflow runs at appropriate times.

---

16-16: LGTM! Appropriate runner choice.

Using ubuntu-latest is perfect for Docker operations.

crates/api/src/router.rs (1)

94-96: Verify the impact of removing the ElectPreconfer route.

The commented-out code removes the ElectPreconfer route handling. This change could affect API consumers relying on this endpoint.

Let's verify the usage and document any breaking changes:

Consider:

1. Adding a deprecation notice if this is a permanent removal
2. Updating API documentation to reflect this change
3. If temporary, add a TODO comment explaining when this route will be re-enabled

Would you like me to help draft the documentation updates or deprecation notice?

crates/common/src/api/constraints_api.rs (2)

44-45: LGTM! Well-documented field addition.

The addition of proposer_pubkey field is well-structured and properly documented. This change improves the system by identifying proposers through their public keys rather than slots.

---

55-58: Verify the intentional use of same public key for different roles.

I notice that both proposer_pubkey and preconfer_pubkey are initialized with the same public key from duty.entry.registration.message.public_key. Please verify if this is intentional, as typically different roles (proposer vs. preconfer) might require different keys for security separation.

✅ Verification successful

Let me gather more context about the preconfer election and validation logic.

---

Let me check the PreconferElection struct implementation and related validation.

---

Let me check the BuilderGetValidatorsResponseEntry to understand the registration message structure.

---

Based on the gathered context, I can now provide a final response:

Using the same public key for proposer and preconfer roles is the intended behavior

The code shows that the preconfer is elected/delegated for a proposer, and the same public key is intentionally used for both roles as part of the delegation process. This is evidenced by:

1. The delegation contract logic that maps proposers to their elected preconfers
2. The validation checks in the codebase that verify this relationship
3. The consistent pattern of using the registration's public key for both roles throughout the codebase

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for any documentation or tests that might explain the relationship 
# between proposer and preconfer roles
rg -g '!target' -g '*.{rs,md}' -i 'proposer.*preconfer|preconfer.*proposer'

Length of output: 1742

---

Script:

#!/bin/bash
# Check the validation logic and key usage
ast-grep --pattern 'fn validate_set_constraints_request($$$)'

# Check the PreconferElection struct definition and related code
rg -g '!target' -g '*.rs' 'struct PreconferElection'

Length of output: 190

---

Script:

#!/bin/bash
# Get the PreconferElection struct implementation and context
rg -g '!target' -g '*.rs' -A 20 'struct PreconferElection'

# Check for any validation related to public keys
rg -g '!target' -g '*.rs' -B 2 -A 5 'validate.*public_key|public_key.*validate'

Length of output: 1790

---

Script:

#!/bin/bash
# Check the BuilderGetValidatorsResponseEntry struct and its usage
rg -g '!target' -g '*.rs' -A 10 'struct BuilderGetValidatorsResponseEntry'

# Look for any registration message related code
rg -g '!target' -g '*.rs' -A 5 'registration.*message|struct.*Registration'

Length of output: 22522

crates/common/src/config.rs (2)

10-10: LGTM!

The import of Address from reth_primitives is appropriate for Ethereum address handling.

---

25-27: LGTM! Verify configuration file updates.

The new fields are properly added with default implementations for backward compatibility.

Let's verify if any existing configuration files need updates:

✅ Verification successful

Configuration changes are safe and no updates needed

The test configuration file custom.yaml is a chain specification file containing network parameters and does not contain application-specific configuration. Since the new fields execution_clients and onchain_delegation are application configuration fields with default implementations, no existing configuration files need to be updated.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for yaml/yml config files that might need updates
fd -e yml -e yaml | xargs rg -l 'execution_clients:|onchain_delegation:'

Length of output: 74

---

Script:

#!/bin/bash
# Let's first check if there are any yaml/yml files in the repository
fd -e yml -e yaml

# Then let's look for any config examples or templates
fd -g "*config*.{yml,yaml}"

# Also search for test configurations
fd -g "*test*.{yml,yaml}"

Length of output: 113

---

Script:

#!/bin/bash
# Let's examine the content of the test configuration file
cat crates/common/test_data/custom.yaml

Length of output: 1305

crates/api/src/proposer/api.rs (2)

98-98: ⚠️ Potential issue

Initialize delegation_contract to prevent runtime panic

The delegation_contract field is added to ProposerApi but is currently initialized with todo!(), which will cause a panic if accessed. Please provide a proper initialization for delegation_contract to prevent runtime errors.

Consider initializing delegation_contract in the new method with an appropriate instance:

-            delegation_contract: todo!(),
+            delegation_contract: Arc::new(DelegationContract::new(/* initialization parameters */)),

Replace /* initialization parameters */ with the actual parameters required for DelegationContract::new.

Likely invalid or redundant comment.

---

793-829: Commented out elect_preconfer method may affect functionality

The elect_preconfer method has been commented out, which removes the ability to elect preconfers. Confirm that this is intentional and that this change does not impact other parts of the application relying on this functionality.

Run the following script to check for any remaining references to elect_preconfer in the codebase:

This script searches for occurrences of elect_preconfer to ensure there are no unintended dependencies or references remaining.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (2)

Dockerfile (1)

5-7: Consider expanding .dockerignore file

While the AI summary mentions that target is already in .dockerignore, consider adding more entries to exclude other unnecessary files from the build context:

• .git
• .github
• tests
• docs
• *.md

.github/workflows/build_preconf.yml (1)

31-38: Enhance Docker image security with vulnerability scanning

Consider adding security scanning to your Docker build process to identify and address potential vulnerabilities early.

Add Trivy scanning step after the build:

      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: |
            ${{ secrets.DOCKER_USERNAME }}/helix:latest
            ${{ secrets.DOCKER_USERNAME }}/helix:${{ github.sha }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ secrets.DOCKER_USERNAME }}/helix:${{ github.sha }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'

This will:

• Scan for known vulnerabilities in OS packages and dependencies
• Fail the workflow on critical/high severity issues
• Skip unfixed vulnerabilities to avoid blocking on issues without available patches

🧰 Tools

🪛 actionlint

32-32: the runner of "docker/build-push-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint

[error] 38-38: no new line character at the end of file

(new-line-at-end-of-file)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between a754424 and f8570a2.

📒 Files selected for processing (3)

• .dockerignore (1 hunks)
• .github/workflows/build_preconf.yml (1 hunks)
• Dockerfile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .dockerignore

🧰 Additional context used

🪛 actionlint

.github/workflows/build_preconf.yml

23-23: the runner of "docker/setup-buildx-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

26-26: the runner of "docker/login-action@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

32-32: the runner of "docker/build-push-action@v2" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🪛 yamllint

.github/workflows/build_preconf.yml

[error] 38-38: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (2)

Dockerfile (2)

1-3: LGTM with existing suggestions!

The base stage setup is correct, but please consider implementing the improvements suggested in the previous comments regarding version pinning and apt cache cleanup.

---

9-15: LGTM with existing suggestions!

The builder stage implementation is correct, but please consider implementing the previously suggested build optimizations and security improvements.