[WIP] Chainlink image builder

.github/workflows/relayer-publish.yml

@@ -200,7 +200,7 @@ jobs:
       aws-ecr-name: chainlink-plugins-dev
       aws-region-ecr: ${{ vars.AWS_REGION }}
       aws-region-gati: ${{ vars.AWS_REGION }}
-      dockerfile: scripts/build/Dockerfile.build.nix
+      dockerfile: scripts/build/nix.build-final.Dockerfile
       docker-build-context: .
       docker-manifest-sign: true
       docker-tag-custom-suffix: "-chainlink-ton"

cmd/chainlink-ton/default.nix

@@ -3,34 +3,27 @@
   rev,
 }: let
   lock = pkgs.callPackage ./lock.nix {inherit pkgs;};
-  package-info = builtins.fromJSON (builtins.readFile ../../pkg/package.json);
-in
-  pkgs.buildGo124Module rec {
-    inherit (package-info) version;
-    pname = "chainlink-ton";
-
-    # source at the root of the module
-    src = ./../..;
-    subPackages = ["cmd/chainlink-ton"];
 
-    ldflags = [
-      "-X main.Version=${package-info.version}"
-      "-X main.GitCommit=${rev}"
-    ];
+  # Function to build a Go plugin given its build-info
+  buildGoPlugin = pkgs.callPackage ../../scripts/build/lib/build-go-plugin.nix {
+    inherit pkgs;
+    inherit lock;
+  };
 
-    # pin the vendor hash (update using 'pkgs.lib.fakeHash')
-    vendorHash = lock.chainlink-ton;
+  build-info = {
+    ton = rec {
+      pname = "chainlink-ton";
+      repo = {
+        inherit rev;
+        url = "https://github.com/smartcontractkit/chainlink-ton";
+      };
 
-    # postInstall script to write version and rev to share folder
-    postInstall = ''
-      mkdir $out/share
-      echo ${package-info.version} > $out/share/.version
-      echo ${rev} > $out/share/.rev
-    '';
+      # source at the root of the module
+      src = ./../..;
+      subPackages = ["cmd/chainlink-ton"];
 
-    meta = with pkgs.lib; {
-      inherit (package-info) description;
-      license = licenses.mit;
-      changelog = "https://github.com/smartcontractkit/chainlink-ton/releases/tag/v${version}";
+      package-info = builtins.fromJSON (builtins.readFile ../../pkg/package.json);
     };
-  }
+  };
+in
+  buildGoPlugin build-info.ton

docs/plugin/build.md

@@ -81,7 +81,7 @@ drwxr-xr-x 1 root root      4096 Apr  4 02:05 ..
 # ...
 ```
 
-### Using Dockerfile.build.nix builder
+### Using nix.build-final.Dockerfile builder
 
 Build the Chainlink core node image using a Nix builder.
 
@@ -90,15 +90,15 @@ Builds a specific Nix package (single bin or a bundle) and layers in the output
 ```bash
 docker build . \
     -t smartcontract/chainlink-plugins-dev:v0.0.1-beta.1-chainlink-ton \
-    -f ./scripts/build/Dockerfile.build.nix
+    -f ./scripts/build/nix.build-final.Dockerfile
 ```
 
 Or with using specific build args:
 
 ```bash
 docker build . \
     -t smartcontract/chainlink-plugins-dev:v0.0.1-beta.1-chainlink-ton \
-    -f ./scripts/build/Dockerfile.build.nix \
+    -f ./scripts/build/nix.build-final.Dockerfile \
     --build-arg NIX_BUILD_PKG=chainlink-ton \
     --build-arg BASE_IMAGE=public.ecr.aws/chainlink/chainlink:v2.23.0-plugins
 ```

docs/plugin/release.md

@@ -4,7 +4,7 @@
 
 Docker images are automatically built and published to the internal staging `chainlink-plugins-dev` ECR with a specific tag.
 
-The [build-publish-docker](../../.github/workflows/relayer-publish.yml) CI workflow is triggered on every tag and commit to the `main` branch. Additionally, it will also build and publish PR commits if the PR has a specific `build-publish-docker` label attached. The build process builds the specified (or default) repository package, using [a Docker/Nix builder](../../scripts/build/Dockerfile.build.nix), and layers in the output artifact on top of the official Chainlink plugins image (Dockerfile: ARG BASE_IMAGE).
+The [build-publish-docker](../../.github/workflows/relayer-publish.yml) CI workflow is triggered on every tag and commit to the `main` branch. Additionally, it will also build and publish PR commits if the PR has a specific `build-publish-docker` label attached. The build process builds the specified (or default) repository package, using [a Docker/Nix builder](../../scripts/build/nix.build-final.Dockerfile), and layers in the output artifact on top of the official Chainlink plugins image (Dockerfile: ARG BASE_IMAGE).
 
 Once the label is set, a multi-arch image will be built by the [smartcontrackit/.github/workflows/reusable-docker-build-publish](https://github.com/smartcontractkit/.github/blob/main/.github/workflows/reusable-docker-build-publish.yml) shared CI workflow, and published: `***.dkr.ecr.us-west-2.amazonaws.com/chainlink-plugins-dev:pr-<pr-num>-<sha-short>-chainlink-ton`
 

flake.nix

@@ -31,13 +31,16 @@
       chainlink-ton = pkgs.callPackage ./cmd/chainlink-ton commonArgs;
       # Resolve sub-modules
       contracts = pkgs.callPackage ./contracts commonArgs;
-      integration-tests = pkgs.callPackage ./integration-tests {
-        inherit pkgs;
-        inherit rev;
-        inherit chainlink-ton;
-        # TODO: why the pkg rename here?
-        jetton-contracts = contracts.packages.contracts-jetton-func;
-      };
+      integration-tests = pkgs.callPackage ./integration-tests (
+        commonArgs
+        // {
+          inherit chainlink-ton;
+          # TODO: why the pkg rename here?
+          jetton-contracts = contracts.packages.contracts-jetton-func;
+        }
+      );
+
+      build-pkgs = pkgs.callPackage ./scripts/build (commonArgs // {inherit chainlink-ton;});
       # Resolve tools
       dependency-analyzer = pkgs.callPackage ./tools/dependency_analyzer commonArgs;
 
@@ -77,6 +80,7 @@
 
           inherit lock-nix-tidy;
         }
-        // contracts.packages;
+        // contracts.packages
+        // build-pkgs.packages;
     });
 }

scripts/build/chainlink.from-builder.Dockerfile

@@ -0,0 +1,60 @@
+# syntax = docker/dockerfile:1.4
+
+# canonical copy from builder (BUILDER arg selects stage or external image)
+ARG BUILDER=chainlink-builder
+
+##
+# Build image: Chainlink binary with plugins for testing purposes only.
+# XXX: Experimental -- not to be used to build images for production use.
+# See: ../core/chainlink.Dockerfile for the production Dockerfile.
+##
+FROM ubuntu:24.04
+
+ARG CHAINLINK_USER=root
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y ca-certificates gnupg lsb-release curl && rm -rf /var/lib/apt/lists/*
+
+# Install Postgres for CLI tools, needed specifically for DB backups
+RUN curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+  && echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" |tee /etc/apt/sources.list.d/pgdg.list \
+  && apt-get update && apt-get install -y postgresql-client-16 \
+  && rm -rf /var/lib/apt/lists/*
+
+# keep user creation as before (we will run detector as root BEFORE switching to user)
+RUN if [ ${CHAINLINK_USER} != root ]; then useradd --uid 14933 --create-home ${CHAINLINK_USER}; fi
+
+# TODO: figure out how to pass these at build time whithout baking in specific context
+# # CCIP specific
+# COPY ./cci[p]/confi[g] /ccip-config
+# ARG CL_CHAIN_DEFAULTS
+# ENV CL_CHAIN_DEFAULTS=${CL_CHAIN_DEFAULTS}
+
+# copy Nix closure (may be empty for non-nix builders)
+COPY --from=${BUILDER} /tmp/nix-store-closure /nix/store
+# copy normalized build output into /usr/local (bins -> /usr/local/bin, libs -> /usr/local/lib)
+COPY --from=${BUILDER} /tmp/build-output/ /usr/local/
+# copy gobins as a fallback (some builders may put binaries here)
+COPY --from=${BUILDER} /gobins/ /usr/local/bin/
+# copy normalized libs (some builders may put libs directly here)
+COPY --from=${BUILDER} /tmp/lib/ /usr/lib/
+
+# Chainlink plugins detector (build-time) and entrypoint (runtime)
+# Notice: detect-plugins-prep-env-setup.sh will generate /etc/chainlink/env-setup.sh
+COPY ./scripts/build/detect-plugins-prep-env-setup.sh ./scripts/build/entrypoint-chainlink.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/detect-plugins-prep-env-setup.sh /usr/local/bin/entrypoint-chainlink.sh && \
+    /usr/local/bin/detect-plugins-prep-env-setup.sh
+
+# continue with the rest of the Dockerfile
+WORKDIR /home/${CHAINLINK_USER}
+
+# Explicitly set the cache dir. Needed so both root and non-root user has an explicit location.
+ENV XDG_CACHE_HOME=/home/${CHAINLINK_USER}/.cache
+RUN mkdir -p ${XDG_CACHE_HOME}
+
+# switch to unprivileged user for runtime
+USER ${CHAINLINK_USER}
+
+EXPOSE 6688
+ENTRYPOINT ["/usr/local/bin/entrypoint-chainlink.sh"]
+HEALTHCHECK CMD curl -f http://localhost:6688/health || exit 1
+CMD ["local", "node"]

scripts/build/chainlink.from-nix-builder.Dockerfile

@@ -0,0 +1,89 @@
+# syntax = docker/dockerfile:1.4
+
+# Notice: this is a fork from https://github.com/docker/babashka-pod-docker/blob/main/Dockerfile.nix
+FROM nixos/nix:latest AS chainlink-builder
+
+# Build the 'default' pkg if not set
+ARG NIX_BUILD_PKG=default
+ENV NIX_BUILD_PKG=${NIX_BUILD_PKG}
+
+WORKDIR /tmp/build
+RUN mkdir /tmp/nix-store-closure
+
+RUN \
+    --mount=type=cache,target=/nix,from=nixos/nix:latest,source=/nix \
+    --mount=type=cache,target=/root/.cache \
+    --mount=type=bind,target=/tmp/build \
+    <<EOF
+  nix \
+    --extra-experimental-features "nix-command flakes" \
+    --extra-substituters "http://host.docker.internal?priority=10" \
+    --option filter-syscalls false \
+    --show-trace \
+    --log-format raw \
+    build .#${NIX_BUILD_PKG} --out-link /tmp/output/result
+  # Evaluate the build result closure (runtime dependencies)
+  cp -R $(nix-store -qR /tmp/output/result) /tmp/nix-store-closure
+  # Evaluate and copy the symlink contents (build output)
+  cp -R /tmp/output/result/ /tmp/build-output
+EOF
+
+# normalize the builder output for standard chainlink image build
+# ensure all folders exist and libs are available in /tmp/lib
+RUN mkdir -p /gobins /tmp/lib && cp -a /tmp/build-output/lib/. /tmp/lib/ 2>/dev/null || true
+
+##
+# Build image: Chainlink binary with plugins for testing purposes only.
+# XXX: Experimental -- not to be used to build images for production use.
+# See: ../core/chainlink.Dockerfile for the production Dockerfile.
+##
+FROM ubuntu:24.04
+
+ARG CHAINLINK_USER=root
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y ca-certificates gnupg lsb-release curl && rm -rf /var/lib/apt/lists/*
+
+# Install Postgres for CLI tools, needed specifically for DB backups
+RUN curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+  && echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" |tee /etc/apt/sources.list.d/pgdg.list \
+  && apt-get update && apt-get install -y postgresql-client-16 \
+  && rm -rf /var/lib/apt/lists/*
+
+# keep user creation as before (we will run detector as root BEFORE switching to user)
+RUN if [ ${CHAINLINK_USER} != root ]; then useradd --uid 14933 --create-home ${CHAINLINK_USER}; fi
+
+# TODO: figure out how to pass these at build time whithout baking in specific context
+# # CCIP specific
+# COPY ./cci[p]/confi[g] /ccip-config
+# ARG CL_CHAIN_DEFAULTS
+# ENV CL_CHAIN_DEFAULTS=${CL_CHAIN_DEFAULTS}
+
+# copy Nix closure (may be empty for non-nix builders)
+COPY --from=chainlink-builder /tmp/nix-store-closure /nix/store
+# copy normalized build output into /usr/local (bins -> /usr/local/bin, libs -> /usr/local/lib)
+COPY --from=chainlink-builder /tmp/build-output/ /usr/local/
+# copy gobins as a fallback (some builders may put binaries here)
+COPY --from=chainlink-builder /gobins/ /usr/local/bin/
+# copy normalized libs (some builders may put libs directly here)
+COPY --from=chainlink-builder /tmp/lib/ /usr/lib/
+
+# Chainlink plugins detector (build-time) and entrypoint (runtime)
+# Notice: detect-plugins-prep-env-setup.sh will generate /etc/chainlink/env-setup.sh
+COPY ./scripts/build/detect-plugins-prep-env-setup.sh ./scripts/build/entrypoint-chainlink.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/detect-plugins-prep-env-setup.sh /usr/local/bin/entrypoint-chainlink.sh && \
+    /usr/local/bin/detect-plugins-prep-env-setup.sh
+
+# continue with the rest of the Dockerfile
+WORKDIR /home/${CHAINLINK_USER}
+
+# Explicitly set the cache dir. Needed so both root and non-root user has an explicit location.
+ENV XDG_CACHE_HOME=/home/${CHAINLINK_USER}/.cache
+RUN mkdir -p ${XDG_CACHE_HOME}
+
+# switch to unprivileged user for runtime
+USER ${CHAINLINK_USER}
+
+EXPOSE 6688
+ENTRYPOINT ["/usr/local/bin/entrypoint-chainlink.sh"]
+HEALTHCHECK CMD curl -f http://localhost:6688/health || exit 1
+CMD ["local", "node"]

scripts/build/default.nix

@@ -0,0 +1,80 @@
+{
+  pkgs,
+  rev,
+  chainlink-ton,
+}: let
+  lock = pkgs.callPackage ./lock.nix {inherit pkgs;};
+
+  # Function to build a Go plugin given its build-info
+  buildGoPlugin = pkgs.callPackage ./lib/build-go-plugin.nix {
+    inherit pkgs;
+    inherit lock;
+  };
+
+  build-info = {
+    solana = rec {
+      pname = "chainlink-solana";
+      repo = {
+        url = "https://github.com/smartcontractkit/chainlink-solana";
+        rev = "fa42dad2d413c116560ada2923dd122ff2812cd5";
+      };
+
+      src = builtins.fetchGit repo;
+      subPackages = ["pkg/solana/cmd/chainlink-solana"];
+
+      package-info = {
+        version = "1.0.0";
+        description = "Chainlink Solana LOOP plugin";
+      }; # we don't have a package.json here, how to fetch version and description?
+    };
+
+    aptos = rec {
+      pname = "chainlink-aptos";
+      repo = {
+        url = "https://github.com/smartcontractkit/chainlink-aptos";
+        rev = "ad2cb3166a0d377b7ade9a9bd71f4c1a4eb4ac3f";
+      };
+
+      src = builtins.fetchGit repo;
+      subPackages = ["cmd/chainlink-aptos"];
+
+      package-info = {
+        version = "1.0.0";
+        description = "Chainlink Aptos LOOP plugin";
+      }; # we don't have a package.json here, how to fetch version and description?
+    };
+  };
+
+  chainlink = pkgs.callPackage ./lib/chainlink.nix {
+    inherit pkgs;
+    inherit lock;
+
+    # operator-ui tag
+    tag = "v0.8.0-371c5cf"; # latest as of Jun 30, 2025
+  };
+in {
+  packages =
+    rec {
+      chainlink-solana = buildGoPlugin build-info.solana;
+      chainlink-aptos = buildGoPlugin build-info.aptos;
+
+      chainlink-plugins-bundle = pkgs.symlinkJoin {
+        name = "chainlink-plugins-bundle";
+        paths = [
+          chainlink.packages.chainlink
+
+          chainlink-ton
+          chainlink-solana
+          chainlink-aptos
+
+          # Added for debugging purposes (should not be needed for production pkgs/image)
+          pkgs.delve
+        ];
+        # Make sure the output path is deterministic
+        # (otherwise, it would include the hash of the input paths)
+        dontPatchELF = true;
+        dontStrip = true;
+      };
+    }
+    // chainlink.packages;
+}