fix(coprocessor): use npm ci for deterministic builds (#1870)

enitrat · web-flow · commit 2d6367381668 · 2026-02-03T13:42:51.000Z
* fix(docker): use npm ci for deterministic builds

Replace `npm install` with `npm ci` in Dockerfiles to ensure
reproducible builds from the lockfile. `npm install` can modify
package-lock.json and produce non-deterministic results.

* trigger CI

* revert: npm ci breaks in isolated Docker builds

The Dockerfiles build contracts in isolation without access to the
monorepo root package-lock.json. npm ci requires the lockfile to be
present, but only host-contracts/ or gateway-contracts/ directories
are copied into the build context.

npm install is the correct choice here since it resolves dependencies
from package.json without requiring a lockfile.

* fix(docker): use npm ci with root lockfile for deterministic builds

Copy root package.json and package-lock.json into Docker build context
to enable npm ci for workspace members (host-contracts).

Changes:
- host-listener/Dockerfile: Copy root lockfile, use npm ci --workspace
- Dockerfile.workspace: Copy root lockfile for host-contracts workspace,
  use npm ci directly for gateway-contracts (has own lockfile)

This ensures reproducible builds from the lockfile while respecting
the monorepo workspace structure.

* chore: remove redundant comments

* fix(docker): run npm ci from workspace root

npm workspace commands must be executed from the directory containing
the root package.json with the workspaces field, not from inside the
workspace directory.
diff --git a/coprocessor/fhevm-engine/Dockerfile.workspace b/coprocessor/fhevm-engine/Dockerfile.workspace
@@ -34,13 +34,16 @@ FROM ghcr.io/zama-ai/fhevm/gci/nodejs:22.14.0-alpine3.21 AS contract_builder
 USER root
 WORKDIR /app
 
+# Copy root lockfile for workspace resolution
+COPY package.json package-lock.json ./
+
 # Copy host-contracts for host-listener
 COPY host-contracts ./host-contracts
 
 # Compile host-contracts
-WORKDIR /app/host-contracts
-RUN cp .env.example .env && \
-    npm install && \
+RUN cp host-contracts/.env.example host-contracts/.env && \
+    npm ci --workspace=host-contracts --include-workspace-root=false && \
+    cd host-contracts && \
     HARDHAT_NETWORK=hardhat npm run deploy:emptyProxies && \
     npx hardhat compile
 
@@ -50,7 +53,7 @@ COPY gateway-contracts ./gateway-contracts
 
 # Compile gateway-contracts
 WORKDIR /app/gateway-contracts
-RUN npm install && \
+RUN npm ci && \
     DOTENV_CONFIG_PATH=.env.example npx hardhat task:deployAllGatewayContracts
 
 # =============================================================================
diff --git a/coprocessor/fhevm-engine/host-listener/Dockerfile b/coprocessor/fhevm-engine/host-listener/Dockerfile
@@ -5,12 +5,17 @@ USER root
 
 WORKDIR /app
 
+# Copy root lockfile for workspace resolution
+COPY package.json package-lock.json ./
+
 COPY host-contracts ./host-contracts
 
 # Compiled host-contracts for listeners
-WORKDIR /app/host-contracts
-RUN cp .env.example .env
-RUN npm install && HARDHAT_NETWORK=hardhat npm run deploy:emptyProxies && npx hardhat compile
+RUN cp host-contracts/.env.example host-contracts/.env && \
+    npm ci --workspace=host-contracts --include-workspace-root=false && \
+    cd host-contracts && \
+    HARDHAT_NETWORK=hardhat npm run deploy:emptyProxies && \
+    npx hardhat compile
 
 # Stage 1: Build Host Listener
 FROM ghcr.io/zama-ai/fhevm/gci/rust-glibc:1.91.0 AS builder
