refactor(docker): Implement optimized multi-stage Go/Rust build

Introduces a robust, cached, multi-stage Docker build for Juno.
- Uses cargo-chef in rust-builder stage for optimal Rust dependency caching.
- Builds Rust components as static libraries (.a) with C headers (.h).
- Copies Rust artifacts to relative paths expected by in-source #cgo
directives in go-builder stage (avoids modifying Go source).
- Adds `ranlib` step to ensure static library symbol tables are valid.
- Configures CGO to link necessary system libraries (libm, jemalloc, etc.).
- Creates minimal debian:bookworm-slim final image with runtime deps.
- Runs final image as root for backward compatibility with volume permissions.
- Adds Cargo.lock files (for reproducible Rust builds) and .dockerignore
(for optimized build context).
- Parameterizes Go, Rust, and Juno versions via ARGs.
- Updated pipeline to cache Docker layers.

Author: wojciechos

.dockerignore

@@ -1,3 +1,26 @@
 # do not copy local database files
 p2p-dbs/
-juno/
+
+.github/
+.git/
+.vscode/
+
+# Build artifacts
+build/
+coverage/
+
+# Local data/config
+.DS_Store
+docker-compose.yml
+juno/
+
+# Documentation
+docs/
+README.md
+LICENSE
+SECURITY.md
+CODE_OF_CONDUCT.md
+CONTRIBUTING.md
+
+# Scripts/Other
+scripts/

.github/workflows/build-image.yaml

@@ -13,7 +13,8 @@ on:
         required: true
 
 permissions:
-  contents: read  
+  contents: read
+  actions: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-image-build
@@ -37,22 +38,22 @@ jobs:
       - name: Define image tag
         id: set_tag
         run: |
-          export DOCKER_IMAGE_TAG=$(git describe --tags)
-          echo "DOCKER_IMAGE_TAG=$DOCKER_IMAGE_TAG" >> $GITHUB_ENV
-          echo "DOCKER_IMAGE_TAG=$DOCKER_IMAGE_TAG" >> $GITHUB_OUTPUT
+          TAG=$(git describe --tags)
+          echo "DOCKER_IMAGE_TAG=$TAG" | tee -a $GITHUB_ENV >> $GITHUB_OUTPUT
 
       - name: Setup Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
 
       - name: Login to registry
-        run: |
-          docker login ${{ env.DOCKER_REGISTRY }} -u ${{ secrets.ARTIFACTORY_NUBIA_USERNAME }} -p ${{ secrets.ARTIFACTORY_NUBIA_TOKEN_DEVELOPER }}
+        run: docker login ${{ env.DOCKER_REGISTRY }} -u ${{ secrets.ARTIFACTORY_NUBIA_USERNAME }} -p ${{ secrets.ARTIFACTORY_NUBIA_TOKEN_DEVELOPER }}
 
-      - name: Build Docker Image
+      - name: Build & push Docker images
         uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4
         with:
           context: .
-          platforms: "linux/amd64"
           push: true
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/${{ env.REPO_DEV }}/juno:${{ env.DOCKER_IMAGE_TAG }} 
+          platforms: linux/amd64
+          tags: ${{ env.DOCKER_REGISTRY }}/${{ env.REPO_DEV }}/juno:${{ steps.set_tag.outputs.DOCKER_IMAGE_TAG  }}
+          build-args: JUNO_VERSION=${{ steps.set_tag.outputs.DOCKER_IMAGE_TAG }}
+          cache-from: type=gha,scope=${{ github.workflow }}
+          cache-to: type=gha,mode=min,scope=${{ github.workflow }}

.github/workflows/deploy-dev-and-test.yml

@@ -17,6 +17,9 @@ jobs:
   build:
     # Skip for PRs from forks as they don't have access to secrets
     if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build-image.yaml
     secrets:
       ARTIFACTORY_NUBIA_USERNAME: ${{ secrets.ARTIFACTORY_NUBIA_USERNAME }}

.github/workflows/docker-image-build-push.yml

@@ -66,6 +66,7 @@ jobs:
         with:
           context: .
           platforms: linux/amd64
+          build-args: JUNO_VERSION=${{ needs.setup.outputs.tag }}
           push: true
           tags: nethermindeth/juno:${{ needs.setup.outputs.tag }}
 
@@ -93,6 +94,7 @@ jobs:
         with:
           context: .
           platforms: linux/arm64
+          build-args: JUNO_VERSION=${{ needs.setup.outputs.tag }}
           push: true
           tags: nethermindeth/juno:${{ needs.setup.outputs.tag }}-arm64
 

Dockerfile

@@ -1,29 +1,147 @@
-# Stage 1: Build golang dependencies and binaries
-FROM ubuntu:25.04 AS build
+# Multi-stage Dockerfile for building Juno
 
-ARG VM_DEBUG
+ARG GO_VERSION=1.24.1
+ARG RUST_VERSION=1.85.1
+ARG JUNO_VERSION=unknown
 
+# ==================================================================
+# Stage 1: Build Rust libs with cargo-chef
+# ==================================================================
+FROM lukemathwalker/cargo-chef:0.1.71-rust-${RUST_VERSION}-slim-bookworm AS rust-builder
 
-RUN apt-get -qq update && \
-    apt-get -qq install curl build-essential git golang upx-ucl libjemalloc-dev libjemalloc2 libbz2-dev
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -q -y
+# Install Rust build tools (cbindgen) & C toolchain
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends build-essential && \
+    cargo install cbindgen --version 0.26.0 && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /build
+
+# --- Prepare shared dependencies using cargo-chef ---
+
+# Virtual workspace for cargo-chef
+RUN echo '[workspace]\nmembers = ["starknet_compiler", "core_rust", "vm_rust"]' > Cargo.toml
+
+# Copy manifests for cache
+COPY starknet/compiler/rust/Cargo.toml starknet/compiler/rust/Cargo.lock ./starknet_compiler/
+COPY core/rust/Cargo.toml core/rust/Cargo.lock ./core_rust/
+COPY vm/rust/Cargo.toml vm/rust/Cargo.lock ./vm_rust/
+
+# Prepare cargo-chef recipe (requires dummy lib.rs for libs)
+RUN mkdir -p ./starknet_compiler/src ./core_rust/src ./vm_rust/src && \
+    touch ./starknet_compiler/src/lib.rs ./core_rust/src/lib.rs ./vm_rust/src/lib.rs && \
+    cargo chef prepare --recipe-path recipe.json
+
+# Cook dependencies (cached layer)
+RUN cargo chef cook --release --recipe-path recipe.json
+
+# --- Build the actual projects ---
+
+# Copy source
+COPY starknet/compiler/rust/ ./starknet_compiler/
+COPY core/rust/ ./core_rust/
+COPY vm/rust/ ./vm_rust/
+
+# Args for package/library names
+ARG STARKNET_COMPILER_PKG_NAME=juno-starknet-compiler-rs
+ARG CORE_RUST_PKG_NAME=juno-starknet-core-rs
+ARG VM_RUST_PKG_NAME=juno-starknet-rs
+ARG STARKNET_COMPILER_LIB_NAME=juno_starknet_compiler_rs
+ARG CORE_RUST_LIB_NAME=juno_starknet_core_rs
+ARG VM_RUST_LIB_NAME=juno_starknet_rs
+
+# Build Rust libs & generate C headers
+RUN cargo build --release --package ${STARKNET_COMPILER_PKG_NAME} && \
+    cbindgen --crate ${STARKNET_COMPILER_PKG_NAME} --output target/release/${STARKNET_COMPILER_PKG_NAME}.h
+
+RUN cargo build --release --package ${CORE_RUST_PKG_NAME} && \
+    cbindgen --crate ${CORE_RUST_PKG_NAME} --output target/release/${CORE_RUST_PKG_NAME}.h
+
+RUN cargo build --release --package ${VM_RUST_PKG_NAME} && \
+    cbindgen --crate ${VM_RUST_PKG_NAME} --output target/release/${VM_RUST_PKG_NAME}.h
+
+# --- Collect build artifacts ---
+RUN mkdir /artifacts && \
+    cp target/release/lib${STARKNET_COMPILER_LIB_NAME}.a /artifacts/ && \
+    cp target/release/${STARKNET_COMPILER_PKG_NAME}.h /artifacts/ && \
+    \
+    cp target/release/lib${CORE_RUST_LIB_NAME}.a /artifacts/ && \
+    cp target/release/${CORE_RUST_PKG_NAME}.h /artifacts/ && \
+    \
+    cp target/release/lib${VM_RUST_LIB_NAME}.a /artifacts/ && \
+    cp target/release/${VM_RUST_PKG_NAME}.h /artifacts/
+
+
+# ==================================================================
+# Stage 2: Build Go application
+# ==================================================================
+FROM golang:${GO_VERSION}-bookworm AS go-builder
+
+ARG JUNO_VERSION
+
+# Install CGO dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        build-essential \
+        libjemalloc-dev \
+        libbz2-dev \
+    && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
-# Copy source code
+# Cache Go dependencies
+COPY go.mod go.sum ./
+RUN go mod download && go mod verify
+
+# Copy source
 COPY . .
 
-# Build the project
-RUN bash -c 'source ~/.cargo/env && VM_DEBUG=${VM_DEBUG} make juno'
+# Args needed for artifact paths
+ARG STARKNET_COMPILER_PKG_NAME=juno-starknet-compiler-rs
+ARG CORE_RUST_PKG_NAME=juno-starknet-core-rs
+ARG VM_RUST_PKG_NAME=juno-starknet-rs
+ARG STARKNET_COMPILER_LIB_NAME=juno_starknet_compiler_rs
+ARG CORE_RUST_LIB_NAME=juno_starknet_core_rs
+ARG VM_RUST_LIB_NAME=juno_starknet_rs
+
+# Copy Rust libs (.a)
+COPY --from=rust-builder /artifacts/lib${STARKNET_COMPILER_LIB_NAME}.a /app/starknet/compiler/rust/target/release/
+COPY --from=rust-builder /artifacts/lib${CORE_RUST_LIB_NAME}.a /app/core/rust/target/release/
+COPY --from=rust-builder /artifacts/lib${VM_RUST_LIB_NAME}.a /app/vm/rust/target/release/
+
+# Copy Rust headers (.h)
+COPY --from=rust-builder /artifacts/${STARKNET_COMPILER_PKG_NAME}.h /app/starknet/compiler/
+COPY --from=rust-builder /artifacts/${CORE_RUST_PKG_NAME}.h /app/core/
+COPY --from=rust-builder /artifacts/${VM_RUST_PKG_NAME}.h /app/vm/
+
+# Index static libs (for linker)
+RUN ranlib /app/starknet/compiler/rust/target/release/lib${STARKNET_COMPILER_LIB_NAME}.a && \
+    ranlib /app/core/rust/target/release/lib${CORE_RUST_LIB_NAME}.a && \
+    ranlib /app/vm/rust/target/release/lib${VM_RUST_LIB_NAME}.a
+
+# Configure CGO
+ENV CGO_ENABLED=1
+ENV CGO_LDFLAGS="-ljemalloc -lm -lpthread -ldl"
+
+# Build Go binary (passing version, stripping symbols)
+RUN go build -ldflags="-X main.Version=${JUNO_VERSION} -s -w" -o /app/juno ./cmd/juno/
 
-# Compress the executable with UPX
-RUN upx-ucl /app/build/juno
 
-# Stage 2: Build Docker image
-FROM ubuntu:25.04 AS runtime
+# ==================================================================
+# Stage 3: Final runtime image
+# ==================================================================
+FROM debian:bookworm-slim AS final
 
-RUN apt-get update && apt-get install -y ca-certificates curl gawk grep libjemalloc-dev libjemalloc2
+# Install minimal runtime dependencies
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        ca-certificates \
+        libjemalloc2 \
+        libbz2-1.0 \
+        tzdata \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
 
-COPY --from=build /app/build/juno /usr/local/bin/
+# Copy final binary
+COPY --from=go-builder /app/juno /usr/local/bin/
 
 ENTRYPOINT ["juno"]

Makefile

@@ -44,7 +44,7 @@ juno-cached: ## Cached Juno compilation
 	@go build $(GO_TAGS) -ldflags="-X main.Version=$(shell git describe --tags)" -o build/juno ./cmd/juno/
 
 
-MINIMUM_RUST_VERSION = 1.85.0
+MINIMUM_RUST_VERSION = 1.85.1
 CURR_RUST_VERSION = $(shell rustc --version | grep -o '[0-9.]\+' | head -n1)
 check-rust: ## Ensure rust version is greater than minimum
 	@echo "Checking if current rust version >= $(MINIMUM_RUST_VERSION)"

README.md

@@ -47,7 +47,7 @@
 
 - Golang 1.24 or higher is required to build and run the project. You can find the installer on
   the official Golang [download](https://go.dev/doc/install) page.
-- [Rust](https://www.rust-lang.org/tools/install) 1.85.0 or higher.
+- [Rust](https://www.rust-lang.org/tools/install) 1.85.1 or higher.
 - A C compiler: `gcc`.
 - Install some dependencies on your system:
 

core/rust/.gitignore

@@ -6,4 +6,3 @@
 # already existing elements were commented out
 
 #/target
-/Cargo.lock