chore(infra): consolidate node services into single Docker image (#8352)

Author: paulbalaji

.claude/skills/build-docker-image/SKILL.md

@@ -9,11 +9,11 @@ Build and publish Docker images to GHCR (`ghcr.io/hyperlane-xyz/*`).
 
 ## Workflows
 
-| Workflow                   | Image(s)                                                                                                                             | Contents                         |
-| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------- |
-| `rust-docker.yml`          | `hyperlane-agent`                                                                                                                    | Rust relayer, validator, scraper |
-| `monorepo-docker.yml`      | `hyperlane-monorepo`                                                                                                                 | Full TS/Solidity monorepo        |
-| `node-services-docker.yml` | `hyperlane-rebalancer`, `hyperlane-warp-monitor`, `hyperlane-key-funder`, `hyperlane-ts-relayer`, `hyperlane-offchain-lookup-server` | TypeScript node services         |
+| Workflow                   | Image(s)                  | Contents                                                                         |
+| -------------------------- | ------------------------- | -------------------------------------------------------------------------------- |
+| `rust-docker.yml`          | `hyperlane-agent`         | Rust relayer, validator, scraper                                                 |
+| `monorepo-docker.yml`      | `hyperlane-monorepo`      | Full TS/Solidity monorepo                                                        |
+| `node-services-docker.yml` | `hyperlane-node-services` | All TS node services (rebalancer, warp-monitor, ccip-server, keyfunder, relayer) |
 
 ## How to Trigger
 
@@ -26,7 +26,7 @@ gh workflow run rust-docker.yml --ref <branch>
 # Monorepo image
 gh workflow run monorepo-docker.yml --ref <branch>
 
-# Node services (all 5 built together)
+# Node services (single unified image)
 gh workflow run node-services-docker.yml --ref <branch>
 
 # Include arm64 (multi-arch, slower)

.claude/skills/find-docker-image/SKILL.md

@@ -9,15 +9,13 @@ Find existing Hyperlane Docker images on GHCR (`ghcr.io/hyperlane-xyz/*`).
 
 ## Image Repositories
 
-| Image                              | Contents                         |
-| ---------------------------------- | -------------------------------- |
-| `hyperlane-agent`                  | Rust relayer, validator, scraper |
-| `hyperlane-monorepo`               | Full TS/Solidity monorepo        |
-| `hyperlane-rebalancer`             | Rebalancer node service          |
-| `hyperlane-warp-monitor`           | Warp monitor node service        |
-| `hyperlane-key-funder`             | Key funder node service          |
-| `hyperlane-ts-relayer`             | TypeScript relayer node service  |
-| `hyperlane-offchain-lookup-server` | Offchain lookup server           |
+| Image                     | Contents                                                                         |
+| ------------------------- | -------------------------------------------------------------------------------- |
+| `hyperlane-agent`         | Rust relayer, validator, scraper                                                 |
+| `hyperlane-monorepo`      | Full TS/Solidity monorepo                                                        |
+| `hyperlane-node-services` | All TS node services (rebalancer, warp-monitor, ccip-server, keyfunder, relayer) |
+
+The `hyperlane-node-services` image is a unified image. Set `SERVICE_NAME` env var at runtime to select which service to run.
 
 ## Tag Format
 

.github/workflows/ghcr-cleanup.yml

@@ -26,11 +26,7 @@ jobs:
           image-names: >-
             hyperlane-agent
             hyperlane-monorepo
-            hyperlane-rebalancer
-            hyperlane-warp-monitor
-            hyperlane-key-funder
-            hyperlane-ts-relayer
-            hyperlane-offchain-lookup-server
+            hyperlane-node-services
           tag-selection: untagged
           cut-off: 1w
           dry-run: ${{ github.event.inputs.dry-run || 'false' }}
@@ -43,11 +39,7 @@ jobs:
           image-names: >-
             hyperlane-agent
             hyperlane-monorepo
-            hyperlane-rebalancer
-            hyperlane-warp-monitor
-            hyperlane-key-funder
-            hyperlane-ts-relayer
-            hyperlane-offchain-lookup-server
+            hyperlane-node-services
           image-tags: "pr-*"
           tag-selection: tagged
           cut-off: 1w

.github/workflows/node-services-docker.yml

@@ -1,18 +1,18 @@
-name: Build and Push Node Services Images
+name: Build and Push Node Services Image
 
 on:
   push:
     branches: [main]
     paths:
-      - 'typescript/Dockerfile.node-service'
-      - 'typescript/docker-bake.hcl'
+      - 'typescript/Dockerfile'
+      - 'typescript/docker-entrypoint.sh'
       - '.dockerignore'
       - '.github/workflows/node-services-docker.yml'
       - 'pnpm-lock.yaml'
   pull_request:
     paths:
-      - 'typescript/Dockerfile.node-service'
-      - 'typescript/docker-bake.hcl'
+      - 'typescript/Dockerfile'
+      - 'typescript/docker-entrypoint.sh'
       - '.dockerignore'
       - '.github/workflows/node-services-docker.yml'
       - 'pnpm-lock.yaml'
@@ -55,28 +55,19 @@ jobs:
       - name: Generate tag data
         id: taggen
         run: |
-          set -euo pipefail
-          TAG_SHA=$(echo '${{ github.event.pull_request.head.sha || github.sha }}' | cut -b 1-7)
-          TAG_DATE=$(date +'%Y%m%d-%H%M%S')
-          echo "TAG_SHA_DATE=${TAG_SHA}-${TAG_DATE}" >> $GITHUB_OUTPUT
-
-          SANITIZED_REF=$(echo '${{ github.ref_name }}' | tr '/' '-')
-          if [ "${{ github.ref_type }}" = "tag" ]; then
-            echo "TAG=${SANITIZED_REF}" >> $GITHUB_OUTPUT
-          elif [ "${{ github.event_name }}" = "pull_request" ]; then
-            echo "TAG=pr-${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
-          else
-            echo "TAG=${SANITIZED_REF}" >> $GITHUB_OUTPUT
-          fi
+          echo "TAG_DATE=$(date +'%Y%m%d-%H%M%S')" >> $GITHUB_OUTPUT
+          echo "TAG_SHA=$(echo '${{ github.event.pull_request.head.sha || github.sha }}' | cut -b 1-7)" >> $GITHUB_OUTPUT
 
-          if [ "${{ github.event.inputs.include_arm64 }}" == "true" ]; then
-            echo "PLATFORMS=linux/amd64,linux/arm64" >> $GITHUB_OUTPUT
-          else
-            echo "PLATFORMS=linux/amd64" >> $GITHUB_OUTPUT
-          fi
-
-          FOUNDRY_VERSION=$(cat solidity/.foundryrc)
-          echo "FOUNDRY_VERSION=$FOUNDRY_VERSION" >> $GITHUB_OUTPUT
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/hyperlane-xyz/hyperlane-node-services
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=raw,value=${{ steps.taggen.outputs.TAG_SHA }}-${{ steps.taggen.outputs.TAG_DATE }}
 
       - name: Set up Depot CLI
         uses: depot/setup-action@v1
@@ -88,53 +79,58 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push all images
+      - name: Read Foundry version
+        run: |
+          FOUNDRY_VERSION=$(cat solidity/.foundryrc)
+          echo "FOUNDRY_VERSION=$FOUNDRY_VERSION" >> $GITHUB_ENV
+
+      - name: Determine platforms
+        id: determine-platforms
+        run: |
+          if [ "${{ github.event.inputs.include_arm64 }}" == "true" ]; then
+            echo "platforms=linux/amd64,linux/arm64" >> $GITHUB_OUTPUT
+          else
+            echo "platforms=linux/amd64" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build and push
         id: build
-        uses: depot/bake-action@v1
-        env:
-          TAG: ${{ steps.taggen.outputs.TAG }}
-          TAG_SHA_DATE: ${{ steps.taggen.outputs.TAG_SHA_DATE }}
-          PLATFORMS: ${{ steps.taggen.outputs.PLATFORMS }}
-          FOUNDRY_VERSION: ${{ steps.taggen.outputs.FOUNDRY_VERSION }}
-          SERVICE_VERSION: ${{ steps.taggen.outputs.TAG_SHA_DATE }}
+        uses: depot/build-push-action@v1
         with:
           project: 057xstl4t6
-          files: typescript/docker-bake.hcl
+          context: ./
+          file: ./typescript/Dockerfile
           push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
           provenance: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            FOUNDRY_VERSION=${{ env.FOUNDRY_VERSION }}
+            SERVICE_VERSION=${{ steps.taggen.outputs.TAG_SHA }}-${{ steps.taggen.outputs.TAG_DATE }}
+          platforms: ${{ steps.determine-platforms.outputs.platforms }}
 
       - name: Generate image tags output
         id: image-tags
         if: always()
         run: |
-          TAG="${{ steps.taggen.outputs.TAG }}"
-          TAG_SHA_DATE="${{ steps.taggen.outputs.TAG_SHA_DATE }}"
+          TAG_SHA_DATE="${{ steps.taggen.outputs.TAG_SHA }}-${{ steps.taggen.outputs.TAG_DATE }}"
           REGISTRY="ghcr.io/hyperlane-xyz"
+          TAGS="${REGISTRY}/hyperlane-node-services:${TAG_SHA_DATE}"
 
-          TAGS=$(cat << EOF
-          ${REGISTRY}/hyperlane-rebalancer:${TAG_SHA_DATE}
-          ${REGISTRY}/hyperlane-warp-monitor:${TAG_SHA_DATE}
-          ${REGISTRY}/hyperlane-key-funder:${TAG_SHA_DATE}
-          ${REGISTRY}/hyperlane-ts-relayer:${TAG_SHA_DATE}
-          ${REGISTRY}/hyperlane-offchain-lookup-server:${TAG_SHA_DATE}
-          EOF
-          )
           echo "tags<<EOF" >> $GITHUB_OUTPUT
           echo "$TAGS" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT
 
           cat >> $GITHUB_STEP_SUMMARY << EOF
-          ## ⚙️ Node Service Docker Images
+          ## Node Services Docker Image
+
+          | Image | Tag |
+          |-------|-----|
+          | hyperlane-node-services | \`${TAG_SHA_DATE}\` |
 
-          | Service | Tag |
-          |---------|-----|
-          | ♻️ rebalancer | \`${TAG_SHA_DATE}\` |
-          | 🕵️ warp-monitor | \`${TAG_SHA_DATE}\` |
-          | 🔑 key-funder | \`${TAG_SHA_DATE}\` |
-          | 🚀 ts-relayer | \`${TAG_SHA_DATE}\` |
-          | 🔍 offchain-lookup-server | \`${TAG_SHA_DATE}\` |
+          **Services included:** rebalancer, warp-monitor, ccip-server, keyfunder, relayer
 
-          **Full image paths:**
+          **Full image path:**
           \`\`\`
           ${TAGS}
           \`\`\`
@@ -145,8 +141,8 @@ jobs:
         uses: ./.github/actions/docker-image-comment
         with:
           comment_tag: typescript-docker-images
-          image_name: Node Service Docker Images
-          emoji: '⚙️'
+          image_name: Node Services Docker Image
+          emoji: ''
           image_tags: ${{ steps.image-tags.outputs.tags }}
           pr_number: ${{ github.event.pull_request.number }}
           github_token: ${{ steps.generate-token.outputs.token }}

.github/workflows/test.yml

@@ -164,7 +164,7 @@ jobs:
         with:
           base_sha: ${{ needs.set-base-sha.outputs.base_sha }}
           head_sha: ${{ needs.set-base-sha.outputs.current_sha }}
-          path_pattern: '(rust/|\.github/|typescript/docker-bake\.hcl)'
+          path_pattern: '(rust/|\.github/|typescript/Dockerfile|typescript/docker-entrypoint\.sh)'
           path_pattern_only: 'true'
 
       - name: Categorize changes for CLI e2e and VM detection

docs/docker-image-policy.md

@@ -8,12 +8,24 @@ GCR (`gcr.io/abacus-labs-dev`) is deprecated. A 30-day cleanup policy is applied
 
 ## Images
 
-| Workflow                   | Image(s)                                                                                                                             | Contents                         |
-| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------- |
-| `rust-docker.yml`          | `hyperlane-agent`                                                                                                                    | Rust relayer, validator, scraper |
-| `monorepo-docker.yml`      | `hyperlane-monorepo`                                                                                                                 | Full TS/Solidity monorepo        |
-| `node-services-docker.yml` | `hyperlane-rebalancer`, `hyperlane-warp-monitor`, `hyperlane-key-funder`, `hyperlane-ts-relayer`, `hyperlane-offchain-lookup-server` | TypeScript node services         |
-| `simapp-docker.yml`        | `hyperlane-cosmos-simapp`                                                                                                            | Cosmos simapp (manual only)      |
+| Workflow                   | Image(s)                  | Contents                                                                                 |
+| -------------------------- | ------------------------- | ---------------------------------------------------------------------------------------- |
+| `rust-docker.yml`          | `hyperlane-agent`         | Rust relayer, validator, scraper                                                         |
+| `monorepo-docker.yml`      | `hyperlane-monorepo`      | Full TS/Solidity monorepo                                                                |
+| `node-services-docker.yml` | `hyperlane-node-services` | All TypeScript node services (rebalancer, warp-monitor, ccip-server, keyfunder, relayer) |
+| `simapp-docker.yml`        | `hyperlane-cosmos-simapp` | Cosmos simapp (manual only)                                                              |
+
+### Node Services Image
+
+The `hyperlane-node-services` image is a single unified image containing all TypeScript service bundles. At runtime, set the `SERVICE_NAME` environment variable to select which service to run:
+
+| SERVICE_NAME   | Service                    |
+| -------------- | -------------------------- |
+| `rebalancer`   | Warp route rebalancer      |
+| `warp-monitor` | Warp route balance monitor |
+| `ccip-server`  | Offchain lookup server     |
+| `keyfunder`    | Agent key funder           |
+| `relayer`      | TypeScript relayer         |
 
 ## Tagging
 
@@ -41,11 +53,11 @@ Cleanup runs weekly (Sunday midnight UTC) via `.github/workflows/ghcr-cleanup.ym
 
 Builds are **not** triggered automatically on every PR or merge to main. They only fire when Docker build infrastructure files change:
 
-| Workflow                   | Trigger paths                                                                                                        |
-| -------------------------- | -------------------------------------------------------------------------------------------------------------------- |
-| `rust-docker.yml`          | `rust/Dockerfile`, `rust/main/Cargo.lock`, `.dockerignore`, workflow file                                            |
-| `monorepo-docker.yml`      | `Dockerfile`, `docker-entrypoint.sh`, `pnpm-lock.yaml`, `.registryrc`, `.dockerignore`, workflow file                |
-| `node-services-docker.yml` | `typescript/Dockerfile.node-service`, `typescript/docker-bake.hcl`, `pnpm-lock.yaml`, `.dockerignore`, workflow file |
+| Workflow                   | Trigger paths                                                                                                |
+| -------------------------- | ------------------------------------------------------------------------------------------------------------ |
+| `rust-docker.yml`          | `rust/Dockerfile`, `rust/main/Cargo.lock`, `.dockerignore`, workflow file                                    |
+| `monorepo-docker.yml`      | `Dockerfile`, `docker-entrypoint.sh`, `pnpm-lock.yaml`, `.registryrc`, `.dockerignore`, workflow file        |
+| `node-services-docker.yml` | `typescript/Dockerfile`, `typescript/docker-entrypoint.sh`, `pnpm-lock.yaml`, `.dockerignore`, workflow file |
 
 Additionally:
 
@@ -90,5 +102,5 @@ gh run list --workflow=rust-docker.yml --limit=1 --json url --jq '.[].url'
 | `typescript/infra/config/docker.ts`          | Registry config, image names, deployed tags |
 | `.github/workflows/ghcr-cleanup.yml`         | GHCR retention workflow                     |
 | `typescript/infra/src/utils/gcloud.ts`       | `checkDockerTagExists()`, `warnIfPrTag()`   |
-| `typescript/docker-bake.hcl`                 | Docker Bake config for node services        |
+| `typescript/docker-entrypoint.sh`            | Entrypoint script for service selection     |
 | `rust/main/helm/hyperlane-agent/values.yaml` | Helm chart defaults                         |