From 3dd4876c0711d435f50b70b1afd8013fe8b160e8 Mon Sep 17 00:00:00 2001
From: Alexander Melnikov <sanekmelnikov@gmail.com>
Date: Wed, 8 Oct 2025 00:05:11 -0600
Subject: [PATCH] workflow to build protocol docker image

---
 .github/workflows/build-docker.yaml | 61 +++++++++++++++++++++
 docker/protocol/Dockerfile          | 83 +++++++++++++++++++++++++++++
 2 files changed, 144 insertions(+)
 create mode 100644 .github/workflows/build-docker.yaml
 create mode 100644 docker/protocol/Dockerfile

diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml
new file mode 100644
index 0000000000..22ccb69ef8
--- /dev/null
+++ b/.github/workflows/build-docker.yaml
@@ -0,0 +1,61 @@
+name: Build Docker Image (manual)
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: "Branch, tag or commit to build the docker image from. If empty, ref that triggered the workflow will be used."
+        type: string
+        required: false
+      image_tag_override:
+        description: "Optional override of the default image tag name"
+        type: string
+        required: false
+
+jobs:
+  build-image:
+    name: Build and Push protocol Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    env:
+      IMAGE_NAME: protocol
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.ref != '' && inputs.ref || github.sha }}
+          submodules: recursive
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Compute image tag
+        shell: bash
+        run: |
+          if [ -n "${{ inputs.image_tag_override }}" ]; then
+            IMAGE_TAG="${{ inputs.image_tag_override }}"
+          else
+            IMAGE_TAG=$(git rev-parse --short HEAD)-$(date +%s)
+          fi
+          echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
+          echo "Computed image tag: $IMAGE_TAG"
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build & Push Docker Image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          file: docker/protocol/Dockerfile
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
diff --git a/docker/protocol/Dockerfile b/docker/protocol/Dockerfile
new file mode 100644
index 0000000000..6e45830439
--- /dev/null
+++ b/docker/protocol/Dockerfile
@@ -0,0 +1,83 @@
+# syntax=docker/dockerfile:1.6
+
+########################################
+# 1) Build
+########################################
+FROM debian:bookworm-slim AS build
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PATH=/usr/local/bin:$PATH \
+    YARN_CACHE_FOLDER=/tmp/yarn-cache
+
+# Build deps
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      ca-certificates curl git bash coreutils openssl jq xz-utils gnupg && \
+    rm -rf /var/lib/apt/lists/*
+
+# Node 18.18.0 + Yarn 1.22.19
+RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
+ && apt-get update && apt-get install -y --no-install-recommends nodejs=18.18.0-* \
+ && npm i -g yarn@1.22.19 \
+ && npm cache clean --force \
+ && rm -rf /var/lib/apt/lists/*
+
+# Foundry ZKSync (pinned)
+RUN curl -LO https://github.com/matter-labs/foundry-zksync/releases/download/nightly-ae913af65381734ad46c044a9495b67310bc77c4/foundry_nightly_linux_amd64.tar.gz \
+ && tar zxf foundry_nightly_linux_amd64.tar.gz -C /usr/local/bin/ \
+ && chmod +x /usr/local/bin/forge /usr/local/bin/cast \
+ && rm foundry_nightly_linux_amd64.tar.gz
+
+# Copy sources
+WORKDIR /contracts
+COPY . /contracts
+RUN yarn install --frozen-lockfile
+
+# Clean
+RUN forge clean --root da-contracts
+RUN yarn --cwd l1-contracts clean
+RUN forge clean --root l1-contracts
+RUN yarn --cwd l2-contracts clean
+RUN forge clean --root l2-contracts
+RUN yarn --cwd system-contracts clean
+RUN forge clean --root system-contracts
+
+# Compile contracts
+RUN yarn --cwd da-contracts build:foundry
+RUN yarn --cwd l1-contracts build:foundry
+RUN yarn --cwd l2-contracts build:foundry
+RUN yarn --cwd system-contracts build:foundry
+
+# Check hashes
+RUN yarn calculate-hashes:check
+
+# Remove node_modules
+RUN rm -rf node_modules
+
+########################################
+# 2) Runtime
+########################################
+FROM debian:bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PATH=/usr/local/bin:$PATH
+
+# Minimal runtime deps
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      ca-certificates bash openssl jq && \
+    rm -rf /var/lib/apt/lists/*
+
+# forge/cast
+COPY --from=build /usr/local/bin/forge /usr/local/bin/forge
+COPY --from=build /usr/local/bin/cast  /usr/local/bin/cast
+
+WORKDIR /contracts
+COPY --from=build /contracts/l1-contracts /contracts/l1-contracts
+COPY --from=build /contracts/l2-contracts /contracts/l2-contracts
+COPY --from=build /contracts/system-contracts /contracts/system-contracts
+COPY --from=build /contracts/da-contracts /contracts/da-contracts
+COPY --from=build /contracts/lib /contracts/lib
+COPY --from=build /contracts/AllContractsHashes.json /contracts/AllContractsHashes.json
+COPY --from=build /contracts/SystemConfig.json /contracts/SystemConfig.json
+
+# Sanity
+RUN forge --version