docker: build CLI in shared image

Co-authored-by: Evan Gray <battledingo@gmail.com>

Dockerfile.cli

@@ -0,0 +1,25 @@
+# syntax=docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2
+FROM node:18-alpine@sha256:44aaf1ccc80eaed6572a0f2ef7d6b5a2982d54481e4255480041ac92221e2f11 as cli-build
+
+# Support additional root CAs
+COPY README.md cert.pem* /certs/
+# Alpine
+RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/cert.pem; fi
+
+# Copy package.json & package-lock.json by themselves to create a cache layer
+COPY clients/js/package.json clients/js/package-lock.json /clients/js/
+
+WORKDIR /clients/js
+
+RUN npm ci
+
+# Copy the rest of the source files, as a layer on top of the deps
+COPY clients/js /clients/js
+
+# Build CLI
+RUN npm run build
+
+FROM scratch AS cli-export
+
+COPY --from=cli-build clients/js/build/main.js clients/js/build/main.js
+COPY --from=cli-build clients/js/package.json clients/js/package.json

Dockerfile.const

@@ -1,5 +1,6 @@
 # syntax=docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2
-FROM node:16-alpine@sha256:004dbac84fed48e20f9888a23e32fa7cf83c2995e174a78d41d9a9dd1e051a20 as const-build
+FROM cli-gen as cli-export
+FROM node:18-alpine@sha256:44aaf1ccc80eaed6572a0f2ef7d6b5a2982d54481e4255480041ac92221e2f11 as const-build
 
 # fetch scripts/guardian-set-init.sh deps
 RUN apk update && apk add bash g++ make python3 curl jq findutils
@@ -9,22 +10,12 @@ COPY README.md cert.pem* /certs/
 # Alpine
 RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/cert.pem; fi
 
-# install CLI deps & build
-WORKDIR /clients/js
+# Copy and link CLI
+COPY --from=cli-export clients/js /cli
 
-# copy package.json & package-lock.json by themselves to create a cache layer
-COPY clients/js/package.json clients/js/package-lock.json ./
-# mount the buildkit cache on npm's cache dir, install dependencies
+WORKDIR /cli
 
-# Commenting out npm cache due to heisenbug with github build machines
-# RUN --mount=type=cache,uid=1000,gid=1000,target=/home/node/.npm
-
-RUN npm ci
-
-# copy the rest of the source files, as a layer on top of the deps
-COPY clients/js ./
-# build CLI
-RUN make build
+RUN npm link
 
 WORKDIR /
 
@@ -41,14 +32,6 @@ RUN ./scripts/distribute-devnet-consts.sh
 RUN ./scripts/guardian-set-init.sh $NUM_GUARDIANS
 
 FROM scratch AS const-export
-COPY --from=const-build /scripts/.env.0x ethereum/.env
-COPY --from=const-build /scripts/.env.hex solana/.env
-COPY --from=const-build /scripts/.env.hex terra/tools/.env
-COPY --from=const-build /scripts/.env.hex cosmwasm/deployment/terra2/tools/.env
-COPY --from=const-build /scripts/.env.hex algorand/.env
-COPY --from=const-build /scripts/.env.hex near/.env
-COPY --from=const-build /scripts/.env.hex sui/.env
-COPY --from=const-build /scripts/.env.hex aptos/.env
-COPY --from=const-build /scripts/.env.hex wormchain/contracts/tools/.env
-
-COPY --from=const-build /scripts/devnet-consts.json wormchain/contracts/tools/
+COPY --from=const-build /scripts/.env.0x .env.0x
+COPY --from=const-build /scripts/.env.hex .env
+COPY --from=const-build /scripts/devnet-consts.json devnet-consts.json

Tiltfile

@@ -101,13 +101,17 @@ if not ci:
 def k8s_yaml_with_ns(objects):
     return k8s_yaml(namespace_inject(objects, namespace))
 
-local_resource(
-    name = "const-gen",
-    deps = ["scripts", "clients", "ethereum/.env.test"],
-    cmd = 'tilt docker build -- --target const-export -f Dockerfile.const -o type=local,dest=. --build-arg num_guardians=%s .' % (num_guardians),
-    env = {"DOCKER_BUILDKIT": "1"},
-    allow_parallel = True,
-    trigger_mode = trigger_mode,
+docker_build(
+    ref = "cli-gen",
+    context = ".",
+    dockerfile = "Dockerfile.cli",
+)
+
+docker_build(
+    ref = "const-gen",
+    context = ".",
+    dockerfile = "Dockerfile.const",
+    build_args={"num_guardians": '%s' % (num_guardians)},
 )
 
 # node
@@ -431,7 +435,6 @@ if solana or pythnet:
             port_forward(8899, name = "Solana RPC [:8899]", host = webHost),
             port_forward(8900, name = "Solana WS [:8900]", host = webHost),
         ],
-        resource_deps = ["const-gen"],
         labels = ["solana"],
         trigger_mode = trigger_mode,
     )
@@ -527,7 +530,6 @@ k8s_resource(
     port_forwards = [
         port_forward(8545, name = "Ganache RPC [:8545]", host = webHost),
     ],
-    resource_deps = ["const-gen"],
     labels = ["evm"],
     trigger_mode = trigger_mode,
 )
@@ -540,7 +542,6 @@ if evm2:
         port_forwards = [
             port_forward(8546, name = "Ganache RPC [:8546]", host = webHost),
         ],
-        resource_deps = ["const-gen"],
         labels = ["evm"],
         trigger_mode = trigger_mode,
     )
@@ -587,7 +588,7 @@ if ci_tests:
         "accountant-ci-tests",
         labels = ["ci"],
         trigger_mode = trigger_mode,
-        resource_deps = ["const-gen"], # uses devnet-consts.json, but wormchain/contracts/tools/test_accountant.sh handles waiting for guardian, not having deps gets the build earlier
+        resource_deps = [], # uses devnet-consts.json, but wormchain/contracts/tools/test_accountant.sh handles waiting for guardian, not having deps gets the build earlier
     )
 
 if terra_classic:
@@ -611,7 +612,6 @@ if terra_classic:
             port_forward(26657, name = "Terra RPC [:26657]", host = webHost),
             port_forward(1317, name = "Terra LCD [:1317]", host = webHost),
         ],
-        resource_deps = ["const-gen"],
         labels = ["terra"],
         trigger_mode = trigger_mode,
     )
@@ -659,7 +659,6 @@ if terra2:
             port_forward(26658, container_port = 26657, name = "Terra 2 RPC [:26658]", host = webHost),
             port_forward(1318, container_port = 1317, name = "Terra 2 LCD [:1318]", host = webHost),
         ],
-        resource_deps = ["const-gen"],
         labels = ["terra2"],
         trigger_mode = trigger_mode,
     )
@@ -707,7 +706,6 @@ if algorand:
             port_forward(4002, name = "KMD [:4002]", host = webHost),
             port_forward(8980, name = "Indexer [:8980]", host = webHost),
         ],
-        resource_deps = ["const-gen"],
         labels = ["algorand"],
         trigger_mode = trigger_mode,
     )
@@ -721,7 +719,7 @@ if sui:
         context = ".",
         dockerfile = "sui/Dockerfile",
         ignore = ["./sui/sui.log*", "sui/sui.log*", "sui.log.*"],
-        only = ["./sui", "./clients/js"],
+        only = ["./sui"],
     )
 
     k8s_resource(
@@ -731,12 +729,11 @@ if sui:
             port_forward(5003, name = "Faucet [:5003]", host = webHost),
             port_forward(9184, name = "Prometheus [:9184]", host = webHost),
         ],
-        resource_deps = ["const-gen"],
         labels = ["sui"],
         trigger_mode = trigger_mode,
     )
 
-if near:
+if near: 
     k8s_yaml_with_ns("devnet/near-devnet.yaml")
 
     docker_build(
@@ -759,7 +756,6 @@ if near:
             port_forward(3030, name = "Node [:3030]", host = webHost),
             port_forward(3031, name = "webserver [:3031]", host = webHost),
         ],
-        resource_deps = ["const-gen"],
         labels = ["near"],
         trigger_mode = trigger_mode,
     )
@@ -833,14 +829,13 @@ if wormchain:
             port_forward(9090, container_port = 9090, name = "GRPC", host = webHost),
             port_forward(26659, container_port = 26657, name = "TENDERMINT [:26659]", host = webHost)
         ],
-        resource_deps = ["const-gen"],
         labels = ["wormchain"],
         trigger_mode = trigger_mode,
     )
 
     k8s_resource(
         "wormchain-deploy",
-        resource_deps = ["const-gen", "wormchain"],
+        resource_deps = ["wormchain"],
         labels = ["wormchain"],
         trigger_mode = trigger_mode,
     )
@@ -901,7 +896,6 @@ if aptos:
             port_forward(6181, name = "FullNode [:6181]", host = webHost),
             port_forward(8081, name = "Faucet [:8081]", host = webHost),
         ],
-        resource_deps = ["const-gen"],
         labels = ["aptos"],
         trigger_mode = trigger_mode,
     )

algorand/Dockerfile

@@ -1,4 +1,5 @@
 # syntax=docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2
+FROM const-gen AS const-export
 FROM docker.io/python:3.10@sha256:eeed7cac682f9274d183f8a7533ee1360a26acb3616aa712b2be7896f80d8c5f
 
 # Support additional root CAs
@@ -21,4 +22,4 @@ RUN mkdir teal
 COPY *.py .
 COPY test/*.json .
 COPY deploy.sh deploy.sh 
-COPY .env .env
+COPY --from=const-export .env .env

aptos/Docker.md

@@ -1,6 +1,11 @@
 # first build the image
+
 (cd ..; DOCKER_BUILDKIT=1 docker build -f aptos/Dockerfile.base -t aptos .)
+
 # tag the image with the appropriate version
-docker tag aptos:latest ghcr.io/wormhole-foundation/aptos:1.0.4
+
+docker tag aptos:latest ghcr.io/wormhole-foundation/aptos:1.0.4_1
+
 # push to ghcr
-docker push ghcr.io/wormhole-foundation/aptos:1.0.4
+
+docker push ghcr.io/wormhole-foundation/aptos:1.0.4_1

aptos/Dockerfile

@@ -1,9 +1,15 @@
-FROM ghcr.io/wormhole-foundation/aptos:1.0.4@sha256:0610c97ba32aab7113765b05a0c71d75b3842f7ee11ff8d7f75bd0ea03ad95b2 as aptos
+FROM cli-gen AS cli-export
+FROM const-gen AS const-export
+FROM ghcr.io/wormhole-foundation/aptos:1.0.4_1@sha256:8d61205efab33e03375a146cdcf4838e2de4797ff2618b08a22cf74ec0843779 as aptos
 
 # Support additional root CAs
 COPY cert.pem* /certs/
 RUN if [ -e /certs/cert.pem ]; then cp /certs/cert.pem /etc/ssl/certs/ca-certificates.crt; fi
 
+# Install nodejs 
+# todo(aki): move this into base image?
+RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - && apt-get update && apt-get install -y nodejs
+
 WORKDIR /tmp
 
 COPY wormhole/ wormhole
@@ -14,11 +20,16 @@ COPY coin/ coin
 COPY examples/ examples
 COPY Makefile Makefile
 COPY scripts scripts
-# In this step we optionally copy the .env file too
-COPY start_node.sh .env* .
+COPY start_node.sh start_node.sh
+COPY --from=const-export .env .env
+COPY --from=cli-export clients/js /cli
+
+WORKDIR /cli
+
+RUN npm link
 
 FROM aptos AS tests
 
 WORKDIR /tmp
 
-RUN    make test
+RUN make test

aptos/Dockerfile.base

@@ -10,14 +10,3 @@ RUN cargo build -p aptos --profile cli
 
 FROM rust:1.62@sha256:5777f201f507075309c4d2d1c1e8d8219e654ae1de154c844341050016a64a0c as export-stage
 COPY --from=aptos-node /tmp/aptos-core/target/cli/aptos /usr/local/cargo/bin/aptos
-
-RUN apt-get update && apt-get -y install npm
-WORKDIR /tmp
-RUN npm install -g n typescript ts-node
-RUN n stable
-
-COPY clients/js  /tmp/clients/js
-
-WORKDIR /tmp/clients/js
-
-RUN make install

aptos/Makefile

@@ -7,4 +7,6 @@ $(TARGETS):
 	$(foreach dir,$(CONTRACT_DIRS), make -C $(dir) $@ &&) true
 
 test-docker:
+	DOCKER_BUILDKIT=1 docker build --progress plain  -f ../Dockerfile.cli -t cli-gen ..
+	DOCKER_BUILDKIT=1 docker build --build-arg num_guardians=1 --progress plain  -f ../Dockerfile.const -t const-gen ..
 	DOCKER_BUILDKIT=1 docker build --progress plain  -f Dockerfile --target tests .

aptos/scripts/wait_for_devnet

@@ -1,4 +1,6 @@
 #!/bin/bash
 set -e
-while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' 0.0.0.0:8080/v1/-/healthy)" != "200" ]]; do sleep 5; done
-while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' 0.0.0.0:8081/health)" != "200" ]]; do sleep 5; done
+
+# Logic from https://github.com/aptos-labs/aptos-core/blob/95b4388ab0e5fec6971236232b7a179839980989/crates/aptos/e2e/local_testnet.py#L79
+while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' 0.0.0.0:8080/v1)" != "200" ]]; do sleep 5; done
+while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' 0.0.0.0:8081/health)" != "200" && "$(curl -s -o /dev/null -w ''%{http_code}'' 0.0.0.0:8081/)" != "200" ]]; do sleep 5; done

clients/js/src/cmds/aptos.ts

@@ -398,7 +398,7 @@ export const builder = (y: typeof yargs) =>
     .command(
       "faucet",
       "Request money from the faucet for a given account",
-      (_yargs) =>
+      (yargs) =>
         yargs
           .option("rpc", {
             alias: "r",

cosmwasm/Dockerfile.deploy

@@ -1,3 +1,4 @@
+FROM const-gen AS const-export
 # This is a multi-stage docker file:
 #  1. The first stage contains the built contracts (wasm files)
 #  2. The second creates a node.js environment to deploy the contracts to devnet
@@ -26,3 +27,4 @@ COPY ./tools/package.json ./tools/package-lock.json /app/tools/
 RUN --mount=type=cache,uid=1000,gid=1000,target=/home/node/.npm \
     npm ci
 COPY ./tools /app/tools
+COPY --from=const-export .env /app/tools/.env

devnet/solana-devnet.yaml

@@ -97,7 +97,9 @@ spec:
         - name: setup
           image: bridge-client
           command:
-            - /usr/src/solana/devnet_setup.sh
+            - /bin/bash
+            - -c
+            - "cd /usr/src/solana && ./devnet_setup.sh"
           readinessProbe:
             tcpSocket:
               port: 2000

ethereum/Dockerfile

@@ -1,4 +1,5 @@
 # syntax=docker.io/docker/dockerfile:1.3@sha256:42399d4635eddd7a9b8a24be879d2f9a930d0ed040a61324cfdf59ef1357b3b2
+FROM const-gen AS const-export
 FROM node:lts-alpine@sha256:2ae9624a39ce437e7f58931a5747fdc60224c6e40f8980db90728de58e22af7c
 
 # npm wants to clone random Git repositories - lovely.
@@ -26,7 +27,7 @@ RUN if [ -e /certs/cert.pem ]; then git config --global http.sslCAInfo /certs/ce
 # Only invalidate the npm install step if package.json changed
 COPY --chown=node:node package.json .
 COPY --chown=node:node package-lock.json .
-COPY --chown=node:node .env.test .env
+COPY --from=const-export --chown=node:node .env.0x .env
 
 # We want to cache node_modules *and* incorporate it into the final image.
 RUN --mount=type=cache,uid=1000,gid=1000,target=/home/node/.npm \

near/Dockerfile.contracts

@@ -1,3 +1,4 @@
+FROM const-gen AS const-export
 FROM ghcr.io/wormhole-foundation/near:0.2@sha256:c2089c5e93df2396d74f9c07e7cd3d76983fad97bddb202030ca442c2c00c3c2 AS near-contracts
 
 RUN mkdir -p /.npm /home/node/appa /home/node/.npm
@@ -9,7 +10,7 @@ USER 1000
 
 ADD --chown=1000:1000 package.json .
 ADD --chown=1000:1000 package-lock.json .
-ADD --chown=1000:1000 .env .env
+COPY --from=const-export --chown=1000:1000 .env .
 
 RUN npm ci
 

near/Dockerfile.deploy

@@ -1,3 +1,4 @@
+FROM const-gen AS const-export
 FROM ghcr.io/wormhole-foundation/near:0.2@sha256:c2089c5e93df2396d74f9c07e7cd3d76983fad97bddb202030ca442c2c00c3c2 AS build
 
 WORKDIR /app
@@ -11,7 +12,7 @@ FROM node:16-alpine@sha256:004dbac84fed48e20f9888a23e32fa7cf83c2995e174a78d41d9a
 WORKDIR /app
 COPY package.json .
 COPY package-lock.json .
-COPY .env .
+COPY --from=const-export .env .
 COPY devnet_deploy.sh .
 COPY devnet_deploy.ts .
 COPY --from=build /app/contracts/*/target/wasm32-unknown-unknown/release/*.wasm .

scripts/check-docker-pin.sh

@@ -13,7 +13,7 @@
 #   - We ignore cosmwasm_artifacts AS artifacts because it's a local reference only, is built in tilt
 #   - We ignore base AS (ignite-go-build|ignite-vue-build) because the base image is already pinned in wormchain/Dockerfile.proto
 #
-git ls-files -z | grep -z "Dockerfile*" | xargs -r -0 grep -s "FROM" | egrep -v 'sha256|scratch|solana|aptos|sui|base|cosmwasm_artifacts AS (application|base|builder|ci_tests|tests|artifacts|ignite-go-build|ignite-vue-build)'
+git ls-files -z | grep -z "Dockerfile*" | xargs -r -0 grep -s "FROM" | egrep -v 'sha256|scratch|solana|aptos|sui|base|cosmwasm_artifacts|cli-gen|const-gen AS (application|base|builder|ci_tests|tests|artifacts|ignite-go-build|ignite-vue-build|cli-export|const-export)'
 if [ $? -eq 0 ]; then
    echo "[!] Unpinned docker files" >&2
    exit 1