Reliability (catch a bad image revision before prod):
- Smoke-test the exact pushed digest in update-image-on-push.yml BEFORE the
merge job tags it 'latest' (previously the prod artifact was never run).
- Assert the p2pool banner reports the pinned P2POOL_BRANCH tag, and verify
the container starts and stays up, instead of just sleeping 30s.
Hardening:
- Least-privilege 'permissions:' blocks (default contents: read; packages:
write only on push/merge jobs; repo default token is currently write-all).
- Concurrency groups (cancel superseded PR builds; serialize prod pushes).
- persist-credentials: false on checkout; timeout-minutes on jobs.
Build cache:
- cache-to registry buildcache (mode=max, per-arch); read buildcache + latest.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

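As an added example (not the repository's own workflow file), a workflow in the shape of update-image-on-push.yml showing the least-privilege `permissions:` blocks, the concurrency group, `persist-credentials: false` and `timeout-minutes` listed above, plus a smoke-test step that checks the banner against the pinned tag and that the container stays up. The job names, the `OWNER` registry path, the build job's `digest` output and the container's runtime arguments are assumptions.

```yaml
name: update-image-on-push
on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: read-only GITHUB_TOKEN for every job.
# Without this block the repository default (write-all) applies.
permissions:
  contents: read

# PR builds for the same ref cancel each other; pushes to main queue up.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not written into .git/config
      - name: Build image
        run: docker build --build-arg P2POOL_BRANCH=v4.17 -t p2pool:ci .

  push:
    needs: build
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      packages: write      # the only job allowed to push to the registry
    env:
      IMAGE: ghcr.io/OWNER/p2pool@${{ needs.build.outputs.digest }}  # assumed output
      P2POOL_BRANCH: v4.17
    steps:
      - name: Smoke-test the pushed digest before it is tagged latest
        run: |
          set -euo pipefail
          # 1. banner must report the pinned tag
          docker run --rm "$IMAGE" --help | grep -F "P2Pool ${P2POOL_BRANCH}"
          # 2. container must start and still be running after a settle period
          docker run -d --name smoke "$IMAGE"   # real runtime args assumed
          sleep 15
          [ "$(docker inspect -f '{{.State.Running}}' smoke)" = true ]
          docker rm -f smoke
```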
- 'FROM ... as build' -> 'AS' (FromAsCasing)
- 'ENV key value' -> 'ENV key=value' for USE_SINGLE_BUILDDIR and
BOOST_DEBUG (LegacyKeyValueFormat)
No functional change; 'docker build --check' now reports no warnings.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Adds .github/renovate.json based on the gold-standard config in
sethforprivacy/simple-monerod-docker, plus a `# renovate:` annotation
above ARG P2POOL_BRANCH so Renovate tracks the upstream p2pool release.
- renovate.json: same extends + customManager regex as monerod. The
customManager already matches `ARG ..._BRANCH=<value>` patterns, so it
picks up P2POOL_BRANCH directly. The docker manager (via
docker:enableMajor) will also keep the pinned ubuntu base image current.
- Dockerfile: add
`# renovate: datasource=github-releases depName=SChernykh/p2pool`
immediately above `ARG P2POOL_BRANCH=v4.17`.
Validated with `renovate-config-validator` (renovate@latest):
"Config validated successfully". (Note: the field `managerFilePatterns`
requires Renovate >= 39; the hosted Mend app on this owner runs current
Renovate, matching the live monerod config.)
The hosted Mend Renovate app is already active on this owner's repos and
will pick this up automatically once merged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

The final runtime stage installed full -dev packages (headers, static
archives, build-time deps) when only the runtime shared libraries are
needed. Replace them with the runtime-only equivalents, verified via
`ldd` on the built p2pool binary against the pinned base.
Changes:
- Final stage: install runtime libs instead of -dev packages
(libuv1t64, libzmq5, libsodium23, libpgm-5.3-0t64, libnorm1t64,
libgssapi-krb5-2, libcurl4t64, libidn2-0). Note the t64 names on
Ubuntu 24.04 due to the 64-bit time_t transition.
- Pin both stages to ubuntu:24.04 (current LTS) instead of
ubuntu:latest for reproducible builds. Renovate's docker manager
keeps this current.
- Add --depth 1 --shallow-submodules to the git clone for faster,
lighter source checkout.
Local verification (native arm64):
- Build succeeds (exit 0).
- `docker run --rm p2pool:test --help` prints "P2Pool v4.17" + usage.
- `ldd` on the binary in the final image: all libs resolve, none missing.
- Image size: 317MB -> 188MB (-129MB, -41%).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>