feat(node): official kth node Docker image + GHCR publish workflow

[CyberAshven]

Official kth node Docker image

This adds the first Docker image of the kth node itself, next to the existing base/ and
gcc/ toolchain images. Right now there is no published node image anywhere, so users have
to compile kth themselves; this closes that gap and gives ghcr.io/k-nuth/kth a real image.

How it builds

• node/Dockerfile builds FROM kthnode/gcc15-ubuntu24.04 (your toolchain), so the
  compile profile matches the binaries on packages.kth.cash.
• It installs kth the way the README documents:
  conan install --requires=kth/<version> --deployer=direct_deploy --build=missing.
  kth and the heavy deps (boost, openssl, lmdb, gmp, ftxui, simdjson…) come down prebuilt;
  the only thing currently rebuilt for this profile is utxoz/0.8.0 (~1–2 min), because no
  prebuilt is published for cppstd=23. --build=missing keeps this self-healing if a
  future release lacks a prebuilt for any piece.
• The runtime stage is a slim ubuntu:24.04 (~103 MB) carrying only the GCC 15 C++
  runtime, the CA bundle and the kth binary — no package manager, nothing else.

The workflow

.github/workflows/build-node.yml is reusable (workflow_call) and also runnable by hand
(workflow_dispatch). It builds node/ for a given version and pushes
ghcr.io/<owner>/kth:<version> and :latest, authenticating with the built-in
GITHUB_TOKEN . The companion PR on k-nuth/kth calls this on
every release; until then you can build any version manually from the Actions tab.

Tested

Built v1.0.0 locally end to end; the resulting image runs:

$ docker build --build-arg KNUTH_VERSION=1.0.0 -t kth ./node
$ docker run --rm kth --version
Knuth Node
  C++ lib v1.0.0
  Knuth v1.0.0
  Currency: BCH

One-time note

After the first publish, the new kth package under Packages will be private by default —
it just needs to be set to public once.

Summary by CodeRabbit

• New Features

  • Added a new workflow to build and publish a container image for the node.
  • Added a Docker image for running the node in containers, including default port, data directory, and non-root execution.

• Improvements

  • Image versions are now normalized automatically and tagged consistently.
  • The published image includes standard metadata and supports both manual and reusable workflow runs.

[coderabbitai]

Warning

Review limit reached

@fpelliccioni, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 52 minutes and 17 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 947fd573-5aaf-41de-ad7f-198533c7460d

📥 Commits

Reviewing files that changed from the base of the PR and between a2170ec and 7a16c7b.

📒 Files selected for processing (2)

• .github/workflows/build-node.yml
• kth/Dockerfile

📝 Walkthrough

Walkthrough

Adds a GitHub Actions workflow that normalizes a version input and builds and pushes a kth image to ghcr.io, plus a multi-stage Dockerfile that builds kth with Conan and packages a runtime image with an unprivileged user and port 8333.

Changes

Knuth Node Docker Image and CI Workflow

Layer / File(s)	Summary
Dockerfile build stage with Conan compilation kth/Dockerfile	Declares build arguments, validates KNUTH_VERSION, installs kthbuild, configures Conan remote and profile settings, and runs conan install to /deploy with currency selection and C++23 settings.
Dockerfile runtime stage and final image configuration kth/Dockerfile	Sets OCI labels, copies shared libraries and CA certificates from the build stage, copies the kth binary, creates an unprivileged kth user, prepares /data, sets WORKDIR and VOLUME, exposes port 8333, and sets ENTRYPOINT to kth.
GitHub Actions build-and-push workflow .github/workflows/build-node.yml	Defines workflow_call and workflow_dispatch inputs and permissions, checks out k-nuth/docker-images at master, normalizes the version and owner, sets up Docker Buildx, logs into ghcr.io, builds from ./kth with KNUTH_VERSION, pushes version and latest tags, and applies OCI source and version labels.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🐰 I hopped through the build and spun the wheel,
A kth nest now bakes with Docker zeal.
Version trimmed, then tags take flight,
GHCR gleams in rabbit light.
Crunch! The burrow’s node is set to run.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding the official kth node Docker image and GHCR publish workflow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

node/Dockerfile (1)

11-12: ⚡ Quick win

Avoid mutable base tags for release image builds.

Using :latest for TOOLCHAIN makes rebuilds non-deterministic and can silently change produced binaries. Prefer an immutable version tag or digest pin.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@node/Dockerfile` around lines 11 - 12, The TOOLCHAIN ARG is using the mutable
`:latest` tag which can change between builds and cause non-deterministic
behavior. Replace the `:latest` tag in the TOOLCHAIN variable with a specific
immutable version tag (e.g., a specific version number like :1.0.0) or a digest
pin (using `@sha256`:...) to ensure consistent and reproducible builds.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-node.yml:
- Around line 25-29: The workflow uses mutable action version tags and contains
security/reproducibility issues. Update the checkout action at line 25 and all
other action invocations (lines 38, 40, 46) by replacing floating version tags
like `@v4` with pinned commit SHAs, removing the forced ref: master parameter from
the checkout step to allow using the actual triggering reference, and adding
persist-credentials: false to the checkout step to prevent unnecessary git
credentials from persisting after checkout. These changes should be applied
consistently across all uses statements and checkout invocations in the workflow
file.
- Around line 30-35: The meta step directly injects the inputs.version workflow
input into a shell script without validation, creating a potential shell
injection vulnerability where crafted values containing quotes or newlines could
break out of the assignment. Add validation to ensure inputs.version matches a
strict format (such as semantic versioning with optional leading v prefix)
before it is used in the version assignment on line 32. This validation should
be added as a check before the variable is written to GITHUB_OUTPUT to prevent
malicious input from compromising the shell script execution.

In `@node/Dockerfile`:
- Around line 37-63: The runtime Dockerfile stage runs the kth process as the
root user, which creates a security vulnerability for a long-running
network-facing service. Add a non-root user to the runtime stage by creating a
new user (such as "kth") before the WORKDIR directive, ensure the /data
directory and /opt/kth/lib directory are owned by this user, and add a USER
directive before the ENTRYPOINT instruction to switch from root to the newly
created non-root user when the container starts.

---

Nitpick comments:
In `@node/Dockerfile`:
- Around line 11-12: The TOOLCHAIN ARG is using the mutable `:latest` tag which
can change between builds and cause non-deterministic behavior. Replace the
`:latest` tag in the TOOLCHAIN variable with a specific immutable version tag
(e.g., a specific version number like :1.0.0) or a digest pin (using
`@sha256`:...) to ensure consistent and reproducible builds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 98a4e006-3075-4f60-b4f0-30055964ae58

📥 Commits

Reviewing files that changed from the base of the PR and between 6bd66e8 and ccbf8bf.

📒 Files selected for processing (2)

• .github/workflows/build-node.yml
• node/Dockerfile

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-node.yml:
- Line 40: The version regex pattern in the version validation check is too
permissive and allows `+` characters which are invalid for Docker tags. Modify
the regex pattern by removing the `+` character from the prerelease version
separator portion (currently `[-+.]`) to only allow `-` and `.` as separators,
ensuring that only valid Docker-compatible version strings pass validation. This
will prevent version strings like `1.0.0+meta` from being accepted and used as
Docker tags later in the workflow at line 65.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 273f3270-8a1b-4ae4-9e7b-3abd96200eb6

📥 Commits

Reviewing files that changed from the base of the PR and between ccbf8bf and b87a324.

📒 Files selected for processing (2)

• .github/workflows/build-node.yml
• node/Dockerfile

🚧 Files skipped from review as they are similar to previous changes (1)

• node/Dockerfile

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/build-node.yml (1)

64-66: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Don't push :latest for prerelease builds.

This workflow accepts prerelease inputs, but it always publishes :latest. A run for 1.2.0-rc.1 would replace the stable latest tag with an RC image.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-node.yml around lines 64 - 66, The image tagging in
the build workflow always publishes the latest tag, which should be skipped for
prerelease releases. Update the tag generation/publish logic in the workflow so
the step that uses steps.meta.outputs.image and steps.meta.outputs.version only
includes the latest tag for stable releases, and omits it when the version is a
prerelease. Use the existing metadata/version handling in the workflow to
distinguish prerelease inputs from normal releases.

🧹 Nitpick comments (1)

.github/workflows/build-node.yml (1)

25-27: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Update the checkout note to match the renamed build context.

This comment still points maintainers at node/, but the build now uses ./kth on Line 60. Keeping the old path here is needlessly misleading.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build-node.yml around lines 25 - 27, The checkout note in
the reusable workflow is outdated and still refers to the old node/ build
context. Update the comment near the repository/ref checkout logic to match the
current ./kth build context used by the workflow so maintainers aren’t misled;
keep the wording aligned with the checkout step and the build setup it supports.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-node.yml:
- Around line 39-41: The version validation in the build workflow currently
allows prerelease suffixes to start with either a dot or a hyphen, which lets
malformed versions slip through. Update the regex in the version-check block
that derives and validates INPUT_VERSION so prerelease segments can only begin
with a hyphen, while still accepting valid semver prereleases in the same place.

---

Outside diff comments:
In @.github/workflows/build-node.yml:
- Around line 64-66: The image tagging in the build workflow always publishes
the latest tag, which should be skipped for prerelease releases. Update the tag
generation/publish logic in the workflow so the step that uses
steps.meta.outputs.image and steps.meta.outputs.version only includes the latest
tag for stable releases, and omits it when the version is a prerelease. Use the
existing metadata/version handling in the workflow to distinguish prerelease
inputs from normal releases.

---

Nitpick comments:
In @.github/workflows/build-node.yml:
- Around line 25-27: The checkout note in the reusable workflow is outdated and
still refers to the old node/ build context. Update the comment near the
repository/ref checkout logic to match the current ./kth build context used by
the workflow so maintainers aren’t misled; keep the wording aligned with the
checkout step and the build setup it supports.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2901447c-f5d2-452c-963b-889230dc7b9d

📥 Commits

Reviewing files that changed from the base of the PR and between b87a324 and a2170ec.

📒 Files selected for processing (2)

• .github/workflows/build-node.yml
• kth/Dockerfile

💤 Files with no reviewable changes (1)

• kth/Dockerfile