While the ability to produce the same exact binaries from the corresponding Git commits is a good idea for any open source project, it is a requirement for software that deals with digital tokens of significant value.
The easiest way to guarantee that users are able to replicate
our binaries for themselves is to give them the same software environment we used in CI. Docker
containers fit the bill, so everything starts with the architecture- and
OS-specific containers in
These images contain all the packages we need, are built and published once (to
Docker Hub), and are then reused as the basis for temporary Docker
images where the
nimbus-eth2 build is carried out.
These temporary images are controlled by Dockerfiles in
docker/dist/. Since we're not publishing them anywhere, we can customize them to the system
they run on (we ensure they use the host's UID/GID, the host's QEMU static
binaries, etc); they get access to the source code through the use of external volumes.
It all starts from the GitHub actions in
is a different job for each supported OS-architecture combination and they all
run in parallel (ideally).
build-amd64 CI job is special, because it creates a new
GitHub release draft, as soon as possible. All the other jobs will upload their
binary distribution tarballs to this draft release, but, since it's not feasible
to communicate between CI jobs, they simply use GitHub APIs to find out what
the latest release is, check that it has the right Git tag, and use that as their
The build itself is triggered by a Make target:
make dist-amd64. This invokes
scripts/make\_dist.sh which builds the corresponding Docker container from
docker/dist/ and runs it with the Git repository's top directory as an external
The entry point for that container is
docker/dist/entry\_point.sh and that's
where you'll find the Make invocations needed to finally build the software and
create distributable tarballs.
.github/workflows/release.yml (exclusively for the
build-amd64 job): we unpack the distribution tarball and copy its content into a third type of Docker image - this one meant for end users and defined by
We then publish that to Docker Hub.