graphprotocol · RembrandtK · May 15, 2026 · May 11, 2026 · May 11, 2026 · Apr 29, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,40 @@
+# Patterns are path-anchored under packages/ rather than `**/<name>/` because
+# BuildKit treats `<name>/` as matching files too, so `**/build/` would also
+# hide the per-package `scripts/build` entry scripts.
+
+.git
+.github
+**/node_modules
+.pnpm-store
+
+# Build outputs (regenerated by `pnpm build`).
+packages/*/artifacts
+packages/*/cache
+packages/*/cache_forge
+packages/*/forge-artifacts
+packages/*/out
+packages/*/dist
+packages/*/build
+packages/*/typechain-types
+packages/*/coverage
+packages/*/types
+
+# Forge crash dumps (also gitignored). Match only the per-package `core` file at the
+# package root — NOT `**/core`, which would also exclude `packages/toolshed/src/core/`
+# and other directories named `core` deeper in the tree.
+packages/*/core
+
+# Editor / OS noise
+.vscode
+.idea
+.DS_Store
+
+# Local env / addresses (must not leak into a published image)
+.env
+**/.env
+**/addresses-local*.json
+**/localNetwork.json
+**/.keystore
+
+# Docs and audit PDFs aren't needed at runtime
+docs
diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
@@ -0,0 +1,148 @@
+# Builds the workspace image multi-arch (linux/amd64 + linux/arm64) and pushes
+# to ghcr.io/graphprotocol/contracts. Consumed by local-network's
+# graph-contracts wrapper via CONTRACTS_VERSION (pin a `:sha-<short>` for
+# reproducibility).
+#
+# Native runner per platform (no QEMU), per-platform digest push, manifest
+# merge in a separate job. Runs independently of build-test.yml — they share
+# `pnpm install + pnpm build` but stay decoupled so test feedback isn't tied
+# to release packaging.
+
+name: Publish container image
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+      - 'deployment/**'
+    tags:
+      - 'v*'
+
+env:
+  IMAGE: ghcr.io/graphprotocol/contracts
+
+jobs:
+  build:
+    name: Build (${{ matrix.platform }})
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Prepare platform pair
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          submodules: recursive
+
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker labels
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ${{ env.IMAGE }}
+
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          file: Dockerfile
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          pull: true
+          cache-from: type=gha,scope=${{ env.PLATFORM_PAIR }}
+          cache-to: type=gha,mode=max,scope=${{ env.PLATFORM_PAIR }}
+          outputs: type=image,name=${{ env.IMAGE }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
+
+      - name: Export digest
+        if: github.event_name != 'pull_request'
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        if: github.event_name != 'pull_request'
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    name: Merge into multi-arch manifest
+    needs: build
+    # Avoids orphan per-platform digest blobs if a `need` is skipped or fails.
+    if: |
+      !cancelled()
+      && needs.build.result == 'success'
+      && github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker tags
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: ${{ env.IMAGE }}
+          tags: |
+            type=ref,event=tag
+            # Moving per-branch tag for casual use; pin :sha-<short> for reproducibility.
+            type=ref,event=branch
+            # Ensures workflow_dispatch from any branch yields a usable tag.
+            type=sha,enable=true
+
+      # Glob `*` expands to the digest-named files from the build job.
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create \
+            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.IMAGE }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.meta.outputs.version }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,27 @@
+# Workspace base image: deps + `pnpm install` + `pnpm build`, no entrypoint.
+# Consumers (e.g. local-network's graph-contracts wrapper) layer their own
+# deploy script on top, or `docker run` to invoke pnpm/hardhat directly.
+
+FROM node:24-bookworm-slim
+
+# libudev-dev / libusb-1.0-0-dev: native deps of hardhat-secure-accounts.
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+       curl git jq python3 make g++ libudev-dev libusb-1.0-0-dev \
+  && rm -rf /var/lib/apt/lists/*
+
+COPY --from=ghcr.io/foundry-rs/foundry:stable \
+  /usr/local/bin/forge /usr/local/bin/cast /usr/local/bin/
+
+ENV COREPACK_ENABLE_STRICT=1
+RUN corepack enable
+
+# Husky's postinstall needs .git and is pointless in an image build.
+ENV HUSKY=0
+
+WORKDIR /opt/contracts
+
+COPY . .
+
+RUN pnpm install --frozen-lockfile \
+  && pnpm build
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,13 @@
+# Local build of the workspace image. Pair with local-network's
+# CONTRACTS_VERSION=local to consume this build from there.
+#
+# `docker compose build` (or `just build-image`) produces
+# `ghcr.io/graphprotocol/contracts:${CONTRACTS_TAG:-local}`. Override
+# CONTRACTS_TAG to distinguish multiple in-flight checkouts.
+
+services:
+  contracts:
+    image: ghcr.io/graphprotocol/contracts:${CONTRACTS_TAG:-local}
+    build:
+      context: .
+      dockerfile: Dockerfile