Images stored against content hashes #783

Open
gilescope wants to merge 27 commits into main from giles-content-hashes

gilescope commented Feb 25, 2026

Overview

Replace 8-char git commit hashes with 12-char tree content hashes (git rev-parse HEAD^{tree}) in Docker image tags. Identical source trees now produce the same tag regardless of commit metadata, allowing CI to skip redundant builds entirely.

Key changes:

  • Image tags use {VERSION}-{12-char-tree-hash}-{ARCH} format instead of {VERSION}-{8-char-commit-hash}-{ARCH}
  • CI checks GHCR for existing images before building — if both node and toolkit images exist, the build is skipped
  • force_rebuild workflow_dispatch input provides an escape hatch
  • Format/lint and feature unification checks also skip when images already exist
  • Downstream jobs (E2E tests, genesis rebuild) reference image tags from the build job outputs instead of recomputing them
  • ARM64 builds no longer gated behind ci:arm64 label
  • Feature unification check split into its own job
  • Earthfile image targets use CONTENT_HASH LET instead of EARTHLY_GIT_SHORT_HASH
  • Toolkit reuses pre-built compactc from +prep-no-copy instead of rebuilding from +node-ci-image-single-platform
  • GenerateGenesis output downgraded from println! to log::debug!
  • ADR 0004 documents the decision and rationale

🗹 TODO before merging

  • Ready

📌 Submission Checklist

  • Changes are backward-compatible (or flagged if breaking)
  • Pull request description explains why the change is needed
  • Self-reviewed the diff
  • I have included a change file, or skipped for this reason:
  • If the changes introduce a new feature, I have bumped the node minor version
  • Update documentation (if relevant)
  • Updated AGENTS.md if build commands, architecture, or workflows changed
  • No new todos introduced

🧪 Testing Evidence

CI runs on this PR demonstrate the content hash tagging and skip logic in action.

  • Additional tests are provided (if possible)

🔱 Fork Strategy

  • Node Runtime Update
  • Node Client Update
  • Other: CI workflow and Earthfile changes only — no runtime or client changes
  • N/A

Links

  • ADR: docs/decisions/0004-tree-content-hash-image-tags.md

gilescope and others added 3 commits February 25, 2026 08:22

github-actions bot commented Feb 25, 2026

KICS version: v2.1.19

Category    Results
CRITICAL    0
HIGH        2
MEDIUM      52
LOW         3
INFO        64
TRACE       0
TOTAL       121

Metric                       Values
Files scanned                27
Files parsed                 27
Files failed to scan         0
Total executed queries       73
Queries failed to execute    0
Execution time               12

gilescope closed this Mar 7, 2026
gilescope reopened this Mar 7, 2026
gilescope closed this Mar 7, 2026
gilescope reopened this Mar 7, 2026
Signed-off-by: Giles Cope <gilescope@gmail.com>
gilescope changed the title from "WIP: content hashes" to "Images stored against content hashes" Mar 7, 2026
gilescope closed this Mar 7, 2026
gilescope reopened this Mar 7, 2026
gilescope closed this Mar 7, 2026
gilescope reopened this Mar 7, 2026
gilescope marked this pull request as ready for review March 9, 2026 08:36
gilescope requested a review from a team as a code owner March 9, 2026 08:36

ozgb left a comment

Great addition - a couple of suggestions

NachoPal commented

Ok if it saves unnecessary extra CI time. On the other hand, not being able to pin an image to a specific commit can be troublesome for debugging and auditability. As @ozgb suggested, this could be addressed with Docker annotations or embedding the commit hash as an env var in the image.

The tree hash granularity could also be improved by hashing only the directories that affect the binary (node, runtime, pallets, etc.) rather than the entire repo tree, to avoid unnecessary rebuilds from docs-only or CI-only changes.
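
Added example (not from the PR or the project's code): a pure-Python recomputation of git's SHA-1 object IDs, showing why a tag built from the tree hash survives a reworded commit while a commit-hash tag does not, and how hashing only build-relevant directories, as suggested in the comment above, ignores a docs-only change. The repository contents, version 0.0.0, identity and helper names are constructed for illustration.

```python
import hashlib

def obj_id(kind: str, body: bytes) -> str:
    """Git (SHA-1 format) object ID: sha1 of '<kind> <len>\\0' + body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def tree_id(node: dict) -> str:
    """node maps name -> bytes (regular file) or dict (subdirectory)."""
    entries = []
    for name, val in node.items():
        if isinstance(val, dict):  # git sorts directories as if named 'name/'
            entries.append((name + "/", "40000", name, tree_id(val)))
        else:
            entries.append((name, "100644", name, obj_id("blob", val)))
    body = b"".join(f"{mode} {name}\0".encode() + bytes.fromhex(oid)
                    for _, mode, name, oid in sorted(entries))
    return obj_id("tree", body)

def commit_id(tree: str, who: str, when: int, message: str) -> str:
    """Commit objects embed author, time and message, so their ID changes with them."""
    ident = f"{who} {when} +0000"
    body = f"tree {tree}\nauthor {ident}\ncommitter {ident}\n\n{message}\n"
    return obj_id("commit", body.encode())

def image_tag(version: str, hash_: str, arch: str, n: int) -> str:
    return f"{version}-{hash_[:n]}-{arch}"

def build_inputs_id(repo: dict, paths: list) -> str:
    """Hash only the top-level directories that feed the binary (hypothetical helper)."""
    return tree_id({p: repo[p] for p in paths})

# Constructed sample repository; file contents are placeholders.
REPO = {
    "node": {"src": {"main.rs": b"fn main() {}\n"}},
    "runtime": {"lib.rs": b"// runtime\n"},
    "docs": {"README.md": b"v1\n"},
}
DOCS_EDIT = {**REPO, "docs": {"README.md": b"v2\n"}}

if __name__ == "__main__":
    t = tree_id(REPO)
    for msg in ("first message", "reworded message"):
        c = commit_id(t, "Dev <dev@example.invalid>", 1700000000, msg)
        # Old scheme (8-char commit hash) vs new scheme (12-char tree hash).
        print(image_tag("0.0.0", c, "amd64", 8), image_tag("0.0.0", t, "amd64", 12))
    # A docs-only edit changes the whole-repo tree hash but not the scoped one.
    print(tree_id(DOCS_EDIT)[:12], build_inputs_id(DOCS_EDIT, ["node", "runtime"])[:12])
```

In a real checkout the whole-repo value is what `git rev-parse HEAD^{tree}` prints; because several commits can share one tree, the tag alone no longer identifies which commit was built.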

gilescope commented Mar 14, 2026

I don't want to put a particular commit into the image as that would be inappropriate, but images are now tagged with the git commit(s) that the image was as well as the one content hash.

gilescope and others added 3 commits March 16, 2026 11:56
gilescope enabled auto-merge March 17, 2026 20:18
gilescope requested a review from ozgb March 17, 2026 20:19
gilescope added this pull request to the merge queue Mar 18, 2026
github-merge-queue bot removed this pull request from the merge queue due to a conflict with the base branch Mar 18, 2026