feat: add trueblocks image

Author: MysticRyuujin

.github/actions/deploy/action.yml

@@ -168,6 +168,7 @@ runs:
       source_git_commit_hash: ${{ steps.git_commit_hash.outputs.git_commit_hash }}
       source_git_commit_hash_full: ${{ steps.git_commit_hash_full.outputs.git_commit_hash_full }}
       GOPROXY: ${{ inputs.GOPROXY }}
+      build_args: ${{ inputs.build_args }}
       build_method: ${{ inputs.build_method }}
     run: |
       ${{ inputs.build_script }}

.github/workflows/build-push-trueblocks.yml

@@ -0,0 +1,126 @@
+name: Build trueblocks docker image
+run-name: "${{ inputs.repository }}@${{ inputs.ref }}${{ inputs.correlation_id && format(' [{0}]', inputs.correlation_id) || '' }}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      repository:
+        description: The source trueblocks-core repository to build from
+        default: TrueBlocks/trueblocks-core
+        type: string
+        required: true
+      ref:
+        description: The branch, tag or SHA to checkout and build from
+        default: v5.9.3
+        type: string
+        required: true
+      docker_tag:
+        description: Override target docker tag (defaults to the above source ref if left blank)
+        type: string
+        required: false
+      build_args:
+        description: Build arguments to pass to the Docker build
+        default: ""
+        type: string
+        required: false
+      correlation_id:
+        description: Optional correlation ID passed through to the run name (used by integrations)
+        type: string
+        required: false
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    outputs:
+      platforms: ${{ steps.setup.outputs.platforms }}
+      target_tag: ${{ steps.tag.outputs.docker_tag }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Prepare Matrix
+        id: setup
+        uses: ./.github/actions/prepare
+        with:
+          client: 'trueblocks'
+          repository: ${{ inputs.repository }}
+          ref: ${{ inputs.ref }}
+      - name: Generate target tag
+        id: tag
+        uses: ./.github/actions/docker-tag
+        with:
+          input: ${{ inputs.docker_tag || inputs.ref }}
+          repository: ${{ inputs.repository }}
+          upstream_repository: TrueBlocks/trueblocks-core
+          docker_tag: ${{ inputs.docker_tag }}
+  deploy:
+    needs:
+      - prepare
+    runs-on: ${{ matrix.runner }}
+    continue-on-error: true
+    strategy:
+      matrix:
+        include: ${{fromJson(needs.prepare.outputs.platforms)}}
+    outputs:
+      git_commit_hash: ${{ steps.set_output.outputs.git_commit_hash }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/install-deps
+        with:
+          repository: ${{ inputs.repository }}
+      - uses: ./.github/actions/deploy
+        id: deploy
+        with:
+          source_repository: ${{ inputs.repository }}
+          source_ref: ${{ inputs.ref }}
+          target_tag: ${{ needs.prepare.outputs.target_tag }}-${{ matrix.slug }}
+          target_repository: ethpandaops/trueblocks
+          target_dockerfile: ./trueblocks/Dockerfile
+          build_script: ./trueblocks/build.sh
+          platform: ${{ matrix.platform }}
+          build_args: ${{ inputs.build_args }}
+
+          DOCKER_USERNAME: "${{ vars.DOCKER_USERNAME }}"
+          DOCKER_PASSWORD: "${{ secrets.DOCKER_PASSWORD }}"
+          MACOS_PASSWORD: "${{ secrets.MACOS_PASSWORD }}"
+          GOPROXY: "${{ vars.GOPROXY }}"
+          HARBOR_USERNAME: "${{ vars.HARBOR_USERNAME }}"
+          HARBOR_PASSWORD: "${{ secrets.HARBOR_PASSWORD }}"
+          harbor_registry: ${{ vars.HARBOR_REGISTRY }}
+
+      - name: Set job output
+        id: set_output
+        run: echo "git_commit_hash=${{ steps.deploy.outputs.git_commit_hash }}" >> $GITHUB_OUTPUT
+        shell: bash
+  manifest:
+    needs:
+      - prepare
+      - deploy
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/manifest
+        with:
+          source_repository: ${{ inputs.repository }}
+          source_ref: ${{ inputs.ref }}
+          target_tag: ${{ needs.prepare.outputs.target_tag }}
+          target_repository: ethpandaops/trueblocks
+          platforms: ${{ needs.prepare.outputs.platforms }}
+          harbor_registry: ${{ vars.HARBOR_REGISTRY }}
+          HARBOR_USERNAME: "${{ vars.HARBOR_USERNAME }}"
+          HARBOR_PASSWORD: "${{ secrets.HARBOR_PASSWORD }}"
+          git_commit_hash: ${{ needs.deploy.outputs.git_commit_hash }}
+          DOCKER_USERNAME: "${{ vars.DOCKER_USERNAME }}"
+          DOCKER_PASSWORD: "${{ secrets.DOCKER_PASSWORD }}"
+  notify:
+    name: Discord Notification
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+      - deploy
+      - manifest
+    if: failure()
+    steps:
+      - name: Notify
+        uses: nobrayner/discord-webhook@1766a33bf571acdcc0678f00da4fb83aad01ebc7 # v1
+        with:
+          github-token: ${{ secrets.github_token }}
+          discord-webhook: ${{ secrets.DISCORD_WEBHOOK }}

README.md

@@ -39,6 +39,7 @@ Run the *Build **tooling*** workflow;
 - [Build Syncoor](https://github.com/ethpandaops/eth-client-docker-image-builder/actions/workflows/build-push-syncoor.yml) [[source](https://github.com/ethpandaops/syncoor)]
 - [Build Slashoor](https://github.com/ethpandaops/eth-client-docker-image-builder/actions/workflows/build-push-slashoor.yml) [[source](https://github.com/ethpandaops/slashoor)]
 - [Build ere-server-zisk](https://github.com/ethpandaops/eth-client-docker-image-builder/actions/workflows/build-push-ere-server-zisk.yml) [[source](https://github.com/eth-act/ere)]
+- [Build TrueBlocks](https://github.com/ethpandaops/eth-client-docker-image-builder/actions/workflows/build-push-trueblocks.yml) [[source](https://github.com/TrueBlocks/trueblocks-core)]
 
 ## Adding a new image to build on schedule
 

branches.yaml

@@ -234,3 +234,8 @@ fuzztools:
 slashoor:
   branches:
     - master
+
+trueblocks:
+  branches:
+    - main
+    - v5.9.3

generate_config.py

@@ -46,6 +46,7 @@
     'ere-server-zisk': 'eth-act/ere',
     'zkboost': 'eth-act/zkboost',
     'fuzztools': 'protocol-security/fuzztools',
+    'trueblocks': 'TrueBlocks/trueblocks-core',
     # Add more defaults as needed
 }
 

platforms.yaml

@@ -131,3 +131,6 @@ fuzztools:
 slashoor:
   - linux/amd64
   - linux/arm64
+trueblocks:
+  - linux/amd64
+  - linux/arm64

trueblocks/Dockerfile

@@ -0,0 +1,48 @@
+# Builds chifra from trueblocks-core source.
+#
+# Invoked via ./trueblocks/build.sh, which stages ./entrypoint.sh into the
+# build context as .trueblocks-entrypoint.sh before running docker build.
+
+FROM golang:1.25.1-bookworm AS builder
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        cmake \
+        g++ \
+        gcc \
+        git \
+        libcurl4-openssl-dev \
+        make \
+        python3 \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY . /src
+WORKDIR /src
+
+RUN git submodule update --init --recursive
+RUN scripts/go-work-sync.sh
+RUN mkdir build && cd build && cmake ../src && make -j"$(nproc)"
+
+# ---------------------------------------------------------------------------
+
+FROM debian:bookworm-slim
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        curl \
+        libcurl4 \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /src/bin/chifra /usr/local/bin/chifra
+
+# Ship chifra's bundled per-chain configs (allocs.csv etc.) for known public
+# networks; without them chifra's IsNodeArchive can't validate against block 0.
+COPY --from=builder /src/src/other/install/per-chain /root/.local/share/trueblocks/config
+
+COPY .trueblocks-entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 8080
+ENTRYPOINT ["/entrypoint.sh"]

trueblocks/build.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Builds the ethpandaops/trueblocks image. Invoked by the deploy action with
+# ${target_dockerfile} pointing at ./trueblocks/Dockerfile and the trueblocks-core
+# source already checked out at ./source. We stage entrypoint.sh into the
+# source tree (so the Dockerfile's COPY can reach it from the build context)
+# then build & push the standard tags.
+set -euo pipefail
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+cd "${SCRIPT_DIR}/../source"
+
+cp "${SCRIPT_DIR}/entrypoint.sh" ./.trueblocks-entrypoint.sh
+
+build_arg_flags=()
+while IFS= read -r arg; do
+  [ -n "${arg}" ] && build_arg_flags+=(--build-arg "${arg}")
+done <<< "${build_args:-}"
+
+docker build \
+  "${build_arg_flags[@]}" \
+  -t "${target_repository}:${target_tag}" \
+  -t "${target_repository}:${target_tag}-${source_git_commit_hash}" \
+  -f "../${target_dockerfile}" \
+  .
+
+docker push "${target_repository}:${target_tag}"
+docker push "${target_repository}:${target_tag}-${source_git_commit_hash}"

trueblocks/entrypoint.sh

@@ -0,0 +1,57 @@
+#!/bin/sh
+# Bootstrap entrypoint for the ethpandaops/trueblocks image.
+#
+# Inputs are read from env vars; the ethereum-package launcher sets them, and
+# users running the image standalone can too (`docker run -e TB_CHAIN=…`).
+set -u
+
+CHAIN="${TB_CHAIN:-mainnet}"
+RPC_URL="${TB_RPC_URL:-}"
+PROBE_ADDR="${TB_PROBE_ADDR:-}"
+SCRAPE_SLEEP="${TB_SCRAPE_SLEEP:-3}"
+HTTP_PORT="${TB_HTTP_PORT:-8080}"
+CONFIG_STAGING="${TB_CONFIG_STAGING:-/tb-config}"
+
+CONFIG_DIR=/root/.local/share/trueblocks
+CHAIN_DIR="$CONFIG_DIR/config/$CHAIN"
+
+mkdir -p "$CHAIN_DIR"
+
+if [ -f "$CONFIG_STAGING/trueBlocks.toml" ]; then
+    cp "$CONFIG_STAGING/trueBlocks.toml" "$CONFIG_DIR/trueBlocks.toml"
+fi
+
+# chifra's IsNodeArchive picks the largest prefund in <chain>/allocs.csv and
+# compares its balance to the RPC's balance at block 0; without a matching row
+# it refuses to scrape. For chains we don't ship a bundled allocs.csv for, the
+# caller passes TB_PROBE_ADDR and we write a self-consistent row at runtime.
+# (The zero address won't work — chifra's Address.Hex() short-circuits to
+# "0x0", which fails its own IsValidAddress length check.)
+if [ -n "$PROBE_ADDR" ] && [ -n "$RPC_URL" ] && [ ! -f "$CHAIN_DIR/allocs.csv" ]; then
+    BAL=""
+    for _ in $(seq 1 60); do
+        BAL=$(curl -fsS -X POST -H 'Content-Type: application/json' \
+            -d "{\"jsonrpc\":\"2.0\",\"method\":\"eth_getBalance\",\"params\":[\"$PROBE_ADDR\",\"0x0\"],\"id\":1}" \
+            "$RPC_URL" 2>/dev/null \
+            | sed -n 's/.*"result":"\([^"]*\)".*/\1/p')
+        echo "$BAL" | grep -qE '^0x[0-9a-fA-F]+$' && break
+        sleep 2
+    done
+    echo "$BAL" | grep -qE '^0x[0-9a-fA-F]+$' || {
+        echo "trueblocks entrypoint: balance probe of $PROBE_ADDR at $RPC_URL failed" >&2
+        exit 1
+    }
+    printf 'address,balance\n%s,%s\n' "$PROBE_ADDR" "$BAL" > "$CHAIN_DIR/allocs.csv"
+fi
+
+# chifra scrape exits non-zero before block 1 has been mined (it reads the RPC
+# error as "node lacks tracing"). Retry forever so it catches up once the
+# chain starts producing blocks.
+(
+    while true; do
+        chifra scrape --sleep "$SCRAPE_SLEEP" 2>&1
+        sleep 5
+    done
+) &
+
+exec chifra daemon --url ":$HTTP_PORT"