From 9b39057f31a7f3fc536b7a58453a5aa60385065f Mon Sep 17 00:00:00 2001
From: toniocodo
Date: Wed, 19 Nov 2025 14:06:36 +0100
Subject: [PATCH 1/8] Add Docker support for contracts - Introduced .dockerignore to exclude node_modules, artifacts, and .env files. - Created Dockerfile for building the contracts environment with necessary dependencies and cron jobs for automated tasks.
---
contracts/.dockerignore | 3 ++
contracts/dockerfile | 68 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+)
create mode 100644 contracts/.dockerignore
create mode 100644 contracts/dockerfile
diff --git a/contracts/.dockerignore b/contracts/.dockerignore
new file mode 100644
index 0000000000..d859f53a59
--- /dev/null
+++ b/contracts/.dockerignore
@@ -0,0 +1,3 @@
+node_modules
+artifacts
+.env
diff --git a/contracts/dockerfile b/contracts/dockerfile
new file mode 100644
index 0000000000..0cd86f4a2f
--- /dev/null
+++ b/contracts/dockerfile
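Review bot: The `.env` entry in `contracts/.dockerignore` only matches a file named exactly `.env` at the context root, so variants such as `.env.local` or a nested `.env` would still be picked up by the Dockerfile's `COPY . .` and end up in an image layer. PATCH 7/8 pushes this image to a registry, so any such file would ship with it. Widening the entry to `.env*` and adding `**/.env*` covers those cases; whether such files exist under `contracts/` is not visible from this patch.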
@@ -0,0 +1,68 @@
+FROM node:20-bookworm-slim
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ git \
+ openssh-client \
+ && rm -rf /var/lib/apt/lists/*
+
+# Preload GitHub host key for SSH-based dependencies.
+RUN mkdir -p /root/.ssh \
+ && ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts
+
+RUN git config --global url."https://github.com/".insteadOf "git@github.com:"
+
+ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.2.39/supercronic-linux-amd64 \
+ SUPERCRONIC_SHA1SUM=c98bbf82c5f648aaac8708c182cc83046fe48423 \
+ SUPERCRONIC=supercronic-linux-amd64
+
+RUN curl -fsSLO "$SUPERCRONIC_URL" \
+ && echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - \
+ && chmod +x "$SUPERCRONIC" \
+ && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
+ && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
+
+WORKDIR /app
+
+# Enable pnpm via corepack and install dependencies first for better caching.
+COPY pnpm-lock.yaml package.json ./
+RUN corepack enable \
+ && pnpm install --frozen-lockfile
+
+# Copy the rest of the contracts workspace.
+COPY . .
+
+ENV PROVIDER_URL="" \
+ BEACON_PROVIDER_URL="" \
+ DEFENDER_API_KEY="" \
+ DEFENDER_API_SECRET=""
+
+# Scripts executed by cron every hour (snapBalances runs five minutes earlier).
+RUN cat <<'EOF' > /usr/local/bin/run-snap-balances.sh
+#!/usr/bin/env bash
+set -euo pipefail
+cd /app
+export PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET
+pnpm hardhat snapBalances --network mainnet
+EOF
+RUN cat <<'EOF' > /usr/local/bin/run-hourly-tasks.sh
+#!/usr/bin/env bash
+set -euo pipefail
+cd /app
+export PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET
+pnpm hardhat
+pnpm hardhat verifyBalances --network mainnet
+pnpm hardhat verifyDeposits --network mainnet
+pnpm hardhat autoValidatorDeposits --network mainnet
+pnpm hardhat autoValidatorWithdrawals --network mainnet
+EOF
+RUN chmod +x /usr/local/bin/run-snap-balances.sh /usr/local/bin/run-hourly-tasks.sh
+
+# Cron configuration for supercronic.
+RUN printf '55 * * * * /usr/local/bin/run-snap-balances.sh\n0 * * * * /usr/local/bin/run-hourly-tasks.sh\n' > /etc/cronjob
+
+ENTRYPOINT ["supercronic", "/etc/cronjob"]
From 6b29a7667f108f829264362a4faf7879eab10c23 Mon Sep 17 00:00:00 2001
From: toniocodo
Date: Wed, 19 Nov 2025 16:13:43 +0100
Subject: [PATCH 2/8] Update Dockerfile to include HARDHAT_NETWORK environment variable for script execution
---
contracts/dockerfile | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/contracts/dockerfile b/contracts/dockerfile
index 0cd86f4a2f..d928c512a6 100644
--- a/contracts/dockerfile
+++ b/contracts/dockerfile
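Review bot: In the new Dockerfile of PATCH 1/8, the `ssh-keyscan -t rsa github.com >> /root/.ssh/known_hosts` step records whatever host key the network returns at build time, so it stores an unauthenticated key rather than pinning GitHub's. The next `RUN git config ... insteadOf` rewrites `git@github.com:` URLs to HTTPS, so that known_hosts entry is likely unused for those dependencies; dropping the keyscan (and `openssh-client`) or copying in GitHub's published host key removes the trust-on-first-use step. Separately, the image never sets `USER`, so supercronic and every Hardhat task run as root while holding `DEFENDER_API_KEY` and `DEFENDER_API_SECRET`; a dedicated account and a `USER` line before `ENTRYPOINT` would limit that. The supercronic binary is verified with SHA-1 (`sha1sum -c -`); pinning a SHA-256 digest of the same release is a stronger check.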
@@ -39,26 +39,27 @@ COPY . . ENV PROVIDER_URL="" \ BEACON_PROVIDER_URL="" \ DEFENDER_API_KEY="" \ - DEFENDER_API_SECRET="" + DEFENDER_API_SECRET="" \ + HARDHAT_NETWORK=mainnet # Scripts executed by cron every hour (snapBalances runs five minutes earlier). RUN cat <<'EOF' > /usr/local/bin/run-snap-balances.sh #!/usr/bin/env bash set -euo pipefail cd /app -export PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET -pnpm hardhat snapBalances --network mainnet +export PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET HARDHAT_NETWORK +pnpm hardhat snapBalances --network "${HARDHAT_NETWORK:-mainnet}" EOF RUN cat <<'EOF' > /usr/local/bin/run-hourly-tasks.sh #!/usr/bin/env bash set -euo pipefail cd /app -export PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET +export PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET HARDHAT_NETWORK pnpm hardhat -pnpm hardhat verifyBalances --network mainnet -pnpm hardhat verifyDeposits --network mainnet -pnpm hardhat autoValidatorDeposits --network mainnet -pnpm hardhat autoValidatorWithdrawals --network mainnet +pnpm hardhat verifyBalances --network "${HARDHAT_NETWORK:-mainnet}" +pnpm hardhat verifyDeposits --network "${HARDHAT_NETWORK:-mainnet}" +pnpm hardhat autoValidatorDeposits --network "${HARDHAT_NETWORK:-mainnet}" +pnpm hardhat autoValidatorWithdrawals --network "${HARDHAT_NETWORK:-mainnet}" EOF RUN chmod +x /usr/local/bin/run-snap-balances.sh /usr/local/bin/run-hourly-tasks.sh From fe9ec9424b41338f3066b1f91dc1f1c1bd0770bb Mon Sep 17 00:00:00 2001 From: toniocodo Date: Wed, 19 Nov 2025 17:35:26 +0100 Subject: [PATCH 3/8] feat: add env variables for multiple providers --- contracts/dockerfile | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/contracts/dockerfile b/contracts/dockerfile index d928c512a6..99466bf1b9 100644 --- a/contracts/dockerfile +++ b/contracts/dockerfile 
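Review bot: `--network "${HARDHAT_NETWORK:-mainnet}"` fails open: if the variable is unset or empty, every task, including `autoValidatorDeposits` and `autoValidatorWithdrawals`, silently runs against mainnet. For tasks that presumably submit transactions, an explicit failure is safer, e.g. `--network "${HARDHAT_NETWORK:?HARDHAT_NETWORK must be set}"` in both generated scripts. The same fallback is carried into PATCH 3/8, which changes the ENV default to an empty string so the fallback is taken whenever the operator does not set it, and into the cron lines of PATCH 5/8 and 6/8.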
@@ -37,24 +37,27 @@ RUN corepack enable \ COPY . . ENV PROVIDER_URL="" \ + SONIC_PROVIDER_URL="" \ + PLUME_PROVIDER_URL="" \ + HOODI_PROVIDER_URL="" \ BEACON_PROVIDER_URL="" \ DEFENDER_API_KEY="" \ DEFENDER_API_SECRET="" \ - HARDHAT_NETWORK=mainnet + HARDHAT_NETWORK="" # Scripts executed by cron every hour (snapBalances runs five minutes earlier). RUN cat <<'EOF' > /usr/local/bin/run-snap-balances.sh #!/usr/bin/env bash set -euo pipefail cd /app -export PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET HARDHAT_NETWORK +export PROVIDER_URL SONIC_PROVIDER_URL PLUME_PROVIDER_URL HOODI_PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET pnpm hardhat snapBalances --network "${HARDHAT_NETWORK:-mainnet}" EOF RUN cat <<'EOF' > /usr/local/bin/run-hourly-tasks.sh #!/usr/bin/env bash set -euo pipefail cd /app -export PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET HARDHAT_NETWORK +export PROVIDER_URL SONIC_PROVIDER_URL PLUME_PROVIDER_URL HOODI_PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET pnpm hardhat pnpm hardhat verifyBalances --network "${HARDHAT_NETWORK:-mainnet}" pnpm hardhat verifyDeposits --network "${HARDHAT_NETWORK:-mainnet}" From 9b6290608b31783e9683c14f12ca90f8845b1ea2 Mon Sep 17 00:00:00 2001 From: toniocodo Date: Wed, 19 Nov 2025 18:39:51 +0100 Subject: [PATCH 4/8] refactor: update Dockerfile for improved task scheduling and add hardhat compile step --- contracts/dockerfile | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/contracts/dockerfile b/contracts/dockerfile index 99466bf1b9..3b9c0d56ec 100644 --- a/contracts/dockerfile +++ b/contracts/dockerfile 
@@ -4,10 +4,10 @@ ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update \ && apt-get install -y --no-install-recommends \ - ca-certificates \ - curl \ - git \ - openssh-client \ + ca-certificates \ + curl \ + git \ + openssh-client \ && rm -rf /var/lib/apt/lists/* # Preload GitHub host key for SSH-based dependencies. @@ -31,11 +31,13 @@ WORKDIR /app # Enable pnpm via corepack and install dependencies first for better caching. COPY pnpm-lock.yaml package.json ./ RUN corepack enable \ - && pnpm install --frozen-lockfile + && pnpm install --frozen-lockfile # Copy the rest of the contracts workspace. COPY . . +RUN pnpm hardhat compile + ENV PROVIDER_URL="" \ SONIC_PROVIDER_URL="" \ PLUME_PROVIDER_URL="" \ @@ -58,7 +60,6 @@ RUN cat <<'EOF' > /usr/local/bin/run-hourly-tasks.sh set -euo pipefail cd /app export PROVIDER_URL SONIC_PROVIDER_URL PLUME_PROVIDER_URL HOODI_PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET -pnpm hardhat pnpm hardhat verifyBalances --network "${HARDHAT_NETWORK:-mainnet}" pnpm hardhat verifyDeposits --network "${HARDHAT_NETWORK:-mainnet}" pnpm hardhat autoValidatorDeposits --network "${HARDHAT_NETWORK:-mainnet}" @@ -66,7 +67,7 @@ pnpm hardhat autoValidatorWithdrawals --network "${HARDHAT_NETWORK:-mainnet}" EOF RUN chmod +x /usr/local/bin/run-snap-balances.sh /usr/local/bin/run-hourly-tasks.sh -# Cron configuration for supercronic. -RUN printf '55 * * * * /usr/local/bin/run-snap-balances.sh\n0 * * * * /usr/local/bin/run-hourly-tasks.sh\n' > /etc/cronjob +# run-snap-balances runs five minutes earlier than run-hourly-tasks +RUN printf '0 * * * * /usr/local/bin/run-snap-balances.sh\n5 * * * * /usr/local/bin/run-hourly-tasks.sh\n' > /etc/cronjob ENTRYPOINT ["supercronic", "/etc/cronjob"] From 1e29dbd1369afca98ee3ab17c6045d6a20d58141 Mon Sep 17 00:00:00 2001 
From: toniocodo Date: Thu, 20 Nov 2025 14:15:57 +0100 Subject: [PATCH 5/8] feat: make script dumber and use 7min delay between calls --- contracts/dockerfile | 34 +++++++++------------------------- 1 file changed, 9 insertions(+), 25 deletions(-) diff --git a/contracts/dockerfile b/contracts/dockerfile index 3b9c0d56ec..28f7c4cbb3 100644 --- a/contracts/dockerfile +++ b/contracts/dockerfile @@ -1,6 +1,4 @@ -FROM node:20-bookworm-slim - -ENV DEBIAN_FRONTEND=noninteractive +FROM node:22 RUN apt-get update \ && apt-get install -y --no-install-recommends \ 
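Review bot: `FROM node:22` replaces the slim, distro-pinned base with the full image on a floating major tag, which brings a much larger package set into a long-running container and makes rebuilds non-reproducible. Prefer a slim variant pinned by digest, e.g. `FROM node:22-bookworm-slim@sha256:<digest-placeholder>`, and install only the packages the build needs. The `RUN apt-get` block shown as context continues outside the hunk.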
@@ -47,27 +45,13 @@ ENV PROVIDER_URL="" \ DEFENDER_API_SECRET="" \ HARDHAT_NETWORK="" -# Scripts executed by cron every hour (snapBalances runs five minutes earlier). -RUN cat <<'EOF' > /usr/local/bin/run-snap-balances.sh -#!/usr/bin/env bash -set -euo pipefail -cd /app -export PROVIDER_URL SONIC_PROVIDER_URL PLUME_PROVIDER_URL HOODI_PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET -pnpm hardhat snapBalances --network "${HARDHAT_NETWORK:-mainnet}" -EOF -RUN cat <<'EOF' > /usr/local/bin/run-hourly-tasks.sh -#!/usr/bin/env bash -set -euo pipefail -cd /app -export PROVIDER_URL SONIC_PROVIDER_URL PLUME_PROVIDER_URL HOODI_PROVIDER_URL BEACON_PROVIDER_URL DEFENDER_API_KEY DEFENDER_API_SECRET -pnpm hardhat verifyBalances --network "${HARDHAT_NETWORK:-mainnet}" -pnpm hardhat verifyDeposits --network "${HARDHAT_NETWORK:-mainnet}" -pnpm hardhat autoValidatorDeposits --network "${HARDHAT_NETWORK:-mainnet}" -pnpm hardhat autoValidatorWithdrawals --network "${HARDHAT_NETWORK:-mainnet}" -EOF -RUN chmod +x /usr/local/bin/run-snap-balances.sh /usr/local/bin/run-hourly-tasks.sh - -# run-snap-balances runs five minutes earlier than run-hourly-tasks -RUN printf '0 * * * * /usr/local/bin/run-snap-balances.sh\n5 * * * * /usr/local/bin/run-hourly-tasks.sh\n' > /etc/cronjob +# Cron configuration for supercronic. +# Each Hardhat task runs with a 7 minute offset, ensuring sequential execution. 
+RUN printf '0 * * * * cd /app && echo \"[snapBalances] starting\" && pnpm hardhat snapBalances --network ${HARDHAT_NETWORK:-mainnet}\n'\ +'7 * * * * cd /app && echo \"[verifyBalances] starting\" && pnpm hardhat verifyBalances --network ${HARDHAT_NETWORK:-mainnet}\n'\ +'14 * * * * cd /app && echo \"[verifyDeposits] starting\" && pnpm hardhat verifyDeposits --network ${HARDHAT_NETWORK:-mainnet}\n'\ +'21 * * * * cd /app && echo \"[autoValidatorDeposits] starting\" && pnpm hardhat autoValidatorDeposits --network ${HARDHAT_NETWORK:-mainnet}\n'\ +'28 * * * * cd /app && echo \"[autoValidatorWithdrawals] starting\" && pnpm hardhat autoValidatorWithdrawals --network ${HARDHAT_NETWORK:-mainnet}\n'\ +> /etc/cronjob ENTRYPOINT ["supercronic", "/etc/cronjob"] From 82bef0f162e182fbf04e59466d0073e73d908fc4 Mon Sep 17 00:00:00 2001 From: toniocodo Date: Fri, 21 Nov 2025 10:53:11 +0100 Subject: [PATCH 6/8] Update Dockerfile to include build-essential and python3, modify cron job timings, and add pnpm-workspace.yaml for dependency management --- contracts/dockerfile | 19 ++++++++++++------- contracts/pnpm-workspace.yaml | 15 +++++++++++++++ 2 files changed, 27 insertions(+), 7 deletions(-) create mode 100644 contracts/pnpm-workspace.yaml diff --git a/contracts/dockerfile b/contracts/dockerfile index 28f7c4cbb3..151e5431a8 100644 --- a/contracts/dockerfile +++ b/contracts/dockerfile @@ -1,11 +1,15 @@ FROM node:22 +ENV DEBIAN_FRONTEND=noninteractive + RUN apt-get update \ && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ git \ openssh-client \ + build-essential \ + python3 \ && rm -rf /var/lib/apt/lists/* # Preload GitHub host key for SSH-based dependencies. @@ -27,7 +31,7 @@ RUN curl -fsSLO "$SUPERCRONIC_URL" \ WORKDIR /app # Enable pnpm via corepack and install dependencies first for better caching. -COPY pnpm-lock.yaml package.json ./ +COPY pnpm-lock.yaml package.json pnpm-workspace.yaml ./ RUN corepack enable \ && pnpm install --frozen-lockfile 
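Review bot: The new comment "ensuring sequential execution" in PATCH 5/8 overstates what the schedule does: a 7-minute offset only staggers start times, so `verifyBalances` still starts when `snapBalances` is slow, hung or has failed. If ordering matters, run the dependent tasks from one cron entry chained with `&&`; otherwise reword the comment to `# Tasks are staggered by 7 minutes; ordering is not enforced.`. The `${HARDHAT_NETWORK:-mainnet}` expansions are also unquoted here, unlike in the scripts this hunk removes.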
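Review bot: `build-essential` and `python3` are added in PATCH 6/8 to the only stage, so the compiler toolchain stays in the runtime image that holds the Defender credentials. They are presumably needed only for native module builds during `pnpm install`; naming the current stage `FROM node:22 AS build` and adding a final stage that takes `COPY --from=build /app /app` would keep them out of the running container. The same hunk restores `ENV DEBIAN_FRONTEND=noninteractive`, which persists into the runtime environment; `ARG DEBIAN_FRONTEND=noninteractive` scopes it to the build.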
@@ -47,11 +51,12 @@ ENV PROVIDER_URL="" \ # Cron configuration for supercronic. # Each Hardhat task runs with a 7 minute offset, ensuring sequential execution. -RUN printf '0 * * * * cd /app && echo \"[snapBalances] starting\" && pnpm hardhat snapBalances --network ${HARDHAT_NETWORK:-mainnet}\n'\ -'7 * * * * cd /app && echo \"[verifyBalances] starting\" && pnpm hardhat verifyBalances --network ${HARDHAT_NETWORK:-mainnet}\n'\ -'14 * * * * cd /app && echo \"[verifyDeposits] starting\" && pnpm hardhat verifyDeposits --network ${HARDHAT_NETWORK:-mainnet}\n'\ -'21 * * * * cd /app && echo \"[autoValidatorDeposits] starting\" && pnpm hardhat autoValidatorDeposits --network ${HARDHAT_NETWORK:-mainnet}\n'\ -'28 * * * * cd /app && echo \"[autoValidatorWithdrawals] starting\" && pnpm hardhat autoValidatorWithdrawals --network ${HARDHAT_NETWORK:-mainnet}\n'\ -> /etc/cronjob +RUN cat <<'EOF' > /etc/cronjob +0 * * * * cd /app && pnpm hardhat snapBalances --network ${HARDHAT_NETWORK:-mainnet} +8 * * * * cd /app && pnpm hardhat verifyBalances --network ${HARDHAT_NETWORK:-mainnet} +10 * * * * cd /app && pnpm hardhat verifyDeposits --network ${HARDHAT_NETWORK:-mainnet} +12 * * * * cd /app && pnpm hardhat autoValidatorDeposits --network ${HARDHAT_NETWORK:-mainnet} +14 * * * * cd /app && pnpm hardhat autoValidatorWithdrawals --network ${HARDHAT_NETWORK:-mainnet} +EOF ENTRYPOINT ["supercronic", "/etc/cronjob"] diff --git a/contracts/pnpm-workspace.yaml b/contracts/pnpm-workspace.yaml new file mode 100644 index 0000000000..ea077fcb5f --- /dev/null +++ b/contracts/pnpm-workspace.yaml @@ -0,0 +1,15 @@ +ignoredBuiltDependencies: + - '@arbitrum/nitro-contracts' + - core-js-pure + - es5-ext + - secp256k1 + - utf-8-validate + - web3 + - web3-bzz + - web3-shh + +onlyBuiltDependencies: + - '@trufflesuite/bigint-buffer' + - bigint-buffer + - bufferutil + - keccak From 8d70dcf11e57cd45e506876da4f9b103cc9e6398 Mon Sep 17 00:00:00 2001 
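Review bot: The context comment above the new heredoc still says each task runs with a 7 minute offset, but the schedule is now :00, :08, :10, :12 and :14. With only two minutes between the later tasks, overlapping runs become more likely and nothing enforces ordering. Update the comment to match the schedule, e.g. `# snapBalances at :00; remaining tasks at :08, :10, :12, :14 (staggered, not serialized).`.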
From: toniocodo
Date: Fri, 21 Nov 2025 11:08:08 +0100
Subject: [PATCH 7/8] Add GitHub Actions workflow for building and pushing contracts cron Docker image
---
.github/workflows/contracts-cron-image.yml | 43 ++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 .github/workflows/contracts-cron-image.yml
diff --git a/.github/workflows/contracts-cron-image.yml b/.github/workflows/contracts-cron-image.yml
new file mode 100644
index 0000000000..61bd123cec
--- /dev/null
+++ b/.github/workflows/contracts-cron-image.yml
@@ -0,0 +1,43 @@
+name: Contracts Cron Image
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Log in to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Prepare image metadata
+ id: prep
+ run: |
+ IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/contracts-cron"
+ IMAGE_NAME="$(echo "${IMAGE_NAME}" | tr '[:upper:]' '[:lower:]')"
+ echo "image_name=${IMAGE_NAME}" >> "${GITHUB_OUTPUT}"
+
+ - name: Build and push image
+ uses: docker/build-push-action@v5
+ with:
+ context: ./contracts
+ file: ./contracts/dockerfile
+ push: true
+ tags: |
+ ${{ steps.prep.outputs.image_name }}:latest
+ ${{ steps.prep.outputs.image_name }}:${{ github.sha }}
+
From d0384f85491c4b78b41c46fad5d07ed9212523fc Mon Sep 17 00:00:00 2001
From: toniocodo
Date: Mon, 24 Nov 2025 11:45:54 +0100
Subject: [PATCH 8/8] feat: use DEBUG env var
---
contracts/dockerfile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contracts/dockerfile b/contracts/dockerfile
index 151e5431a8..eec12b18f5 100644
--- a/contracts/dockerfile
+++ b/contracts/dockerfile
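Review bot: The three actions in the PATCH 7/8 workflow are referenced by mutable tags (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v5`) in a job that has `packages: write`, so a retagged release would run with push rights to the registry. Pin each to a full commit SHA with the version kept as a comment, e.g. `uses: docker/build-push-action@<commit-sha-placeholder> # v5`. `workflow_dispatch` also lets the job be started from any ref and it always pushes `:latest`; restricting the `latest` tag to `refs/heads/master` keeps a manual run from overwriting it with unreviewed code.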
@@ -1,6 +1,7 @@ FROM node:22 -ENV DEBIAN_FRONTEND=noninteractive +ENV DEBIAN_FRONTEND=noninteractive \ + DEBUG=origin* RUN apt-get update \ && apt-get install -y --no-install-recommends \
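Review bot: `DEBUG=origin*` is baked into the image, so debug-level logging is on in every container unless the operator overrides it. Output from those namespaces may include provider URLs or request details (not verifiable from this hunk), and container logs usually end up in a shared collector. Leaving the variable unset in the image and setting it at deploy time, or at least adding `# enables origin* debug namespaces; review log output for sensitive values`, makes this an explicit choice. The `RUN apt-get` block shown as context continues outside the hunk.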