
feat(node): official kth node Docker image + GHCR publish workflow #2

Open

CyberAshven wants to merge 3 commits into k-nuth:master from CyberAshven:feat/node-image

Conversation

CyberAshven commented Jun 20, 2026

Official kth node Docker image

This adds the first Docker image of the kth node itself, next to the existing base/ and
gcc/ toolchain images. Right now there is no published node image anywhere, so users have
to compile kth themselves; this closes that gap and gives ghcr.io/k-nuth/kth a real image.

How it builds

  • node/Dockerfile builds FROM kthnode/gcc15-ubuntu24.04 (your toolchain), so the
    compile profile matches the binaries on packages.kth.cash.
  • It installs kth the way the README documents:
    conan install --requires=kth/<version> --deployer=direct_deploy --build=missing.
    kth and the heavy deps (boost, openssl, lmdb, gmp, ftxui, simdjson…) come down prebuilt;
    the only thing currently rebuilt for this profile is utxoz/0.8.0 (~1–2 min), because no
    prebuilt is published for cppstd=23. --build=missing keeps this self-healing if a
    future release lacks a prebuilt for any piece.
  • The runtime stage is a slim ubuntu:24.04 (~103 MB) carrying only the GCC 15 C++
    runtime, the CA bundle and the kth binary — no package manager, nothing else.

The workflow

.github/workflows/build-node.yml is reusable (workflow_call) and also runnable by hand
(workflow_dispatch). It builds node/ for a given version and pushes
ghcr.io/<owner>/kth:<version> and :latest, authenticating with the built-in
GITHUB_TOKEN. The companion PR on k-nuth/kth calls this on
every release; until then you can build any version manually from the Actions tab.

Tested

Built v1.0.0 locally end to end; the resulting image runs:

$ docker build --build-arg KNUTH_VERSION=1.0.0 -t kth ./node
$ docker run --rm kth --version
Knuth Node
  C++ lib v1.0.0
  Knuth v1.0.0
  Currency: BCH

One-time note

After the first publish, the new kth package under Packages will be private by default —
it just needs to be set to public once.

Adds the first official Docker image of the kth node, alongside the existing base/ and gcc/ toolchain images.

node/Dockerfile builds FROM the kthnode/gcc15-ubuntu24.04 toolchain and installs kth via 'conan install --requires=kth/<version> --deployer=direct_deploy --build=missing'. The kth package and its heavy dependencies are pulled prebuilt from packages.kth.cash; only pieces without a matching prebuilt for this profile (currently utxoz) are compiled, ~1-2 min. The runtime stage is a slim ubuntu:24.04 (~103 MB) carrying only the GCC 15 C++ runtime, the CA bundle and the kth binary, so it needs no package manager.

build-node.yml is a reusable (workflow_call) + manually dispatchable workflow that builds node/ for a given version and pushes ghcr.io/<owner>/kth:<version> and :latest, authenticating with the built-in GITHUB_TOKEN (no secrets required).
coderabbitai Bot commented Jun 20, 2026

Review Change Stack

Warning

Review limit reached

@CyberAshven, we couldn't start this review because you've reached your PR review rate limit.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c7712f5-fed1-4c24-b855-662d0df2d74e

📥 Commits

Reviewing files that changed from the base of the PR and between b87a324 and fe7130c.

📒 Files selected for processing (1)
  • .github/workflows/build-node.yml
📝 Walkthrough


Adds a node/Dockerfile with a multi-stage build for the Knuth Bitcoin Cash full node (build stage uses Conan/kthbuild; runtime stage copies libraries and the binary) and a .github/workflows/build-node.yml GitHub Actions workflow that normalizes the version input, builds the image from ./node, and pushes it to ghcr.io with version and latest tags.

Changes

Knuth Node Docker Image and CI Workflow

  • node/Dockerfile, build stage (Conan compilation): defines the TOOLCHAIN and RUNTIME
    configurable base-image arguments, then implements the build stage, which validates
    KNUTH_VERSION, installs kthbuild, detects the Conan profile, configures the kth Conan
    remote, and runs conan install targeting the C++23 compiler standard with the utxoz
    test/benchmark options disabled, compiling and deploying the dependencies.
  • node/Dockerfile, runtime stage and final image configuration: builds the runtime stage
    from a configurable base image, adds OCI labels, copies the GCC 15 runtime libraries
    (libstdc++, libgcc_s) and the CA certificates from the build stage, runs ldconfig,
    copies the compiled kth binary to /usr/local/bin/kth, creates an unprivileged kth user,
    sets WORKDIR to /data, declares /data as a persistent volume, exposes port 8333, and
    sets the container entrypoint to kth.
  • .github/workflows/build-node.yml, build-and-push workflow: adds workflow_call and
    workflow_dispatch triggers with a required version input, and sets permissions to
    repository content read and package write. The build-node-docker-image job checks out
    k-nuth/docker-images from master, then a metadata step validates the version format,
    strips a leading v, lowercases the repository owner, and outputs the normalized version
    and image name. Subsequent steps set up Docker Buildx, authenticate to ghcr.io with
    GITHUB_TOKEN, and build/push the image from ./node with KNUTH_VERSION as a build-arg,
    applying both the computed version tag and latest, plus OCI source and version labels.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: Passed. The title clearly and accurately summarizes the main changes:
    introducing an official kth node Docker image and a GHCR publish workflow.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate
    docstring coverage; check skipped.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this
    pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found
    for this pull request.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is
    enabled.


coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
node/Dockerfile (1)

11-12: ⚡ Quick win

Avoid mutable base tags for release image builds.

Using :latest for TOOLCHAIN makes rebuilds non-deterministic and can silently change produced binaries. Prefer an immutable version tag or digest pin.


Inline comments:
In @.github/workflows/build-node.yml:
- Around line 25-29: The workflow uses mutable action version tags and contains
security/reproducibility issues. Update the checkout action at line 25 and all
other action invocations (lines 38, 40, 46) by replacing floating version tags
like `@v4` with pinned commit SHAs, removing the forced ref: master parameter from
the checkout step to allow using the actual triggering reference, and adding
persist-credentials: false to the checkout step to prevent unnecessary git
credentials from persisting after checkout. These changes should be applied
consistently across all uses statements and checkout invocations in the workflow
file.
- Around line 30-35: The meta step directly injects the inputs.version workflow
input into a shell script without validation, creating a potential shell
injection vulnerability where crafted values containing quotes or newlines could
break out of the assignment. Add validation to ensure inputs.version matches a
strict format (such as semantic versioning with optional leading v prefix)
before it is used in the version assignment on line 32. This validation should
be added as a check before the variable is written to GITHUB_OUTPUT to prevent
malicious input from compromising the shell script execution.

In `@node/Dockerfile`:
- Around line 37-63: The runtime Dockerfile stage runs the kth process as the
root user, which creates a security vulnerability for a long-running
network-facing service. Add a non-root user to the runtime stage by creating a
new user (such as "kth") before the WORKDIR directive, ensure the /data
directory and /opt/kth/lib directory are owned by this user, and add a USER
directive before the ENTRYPOINT instruction to switch from root to the newly
created non-root user when the container starts.

---

Nitpick comments:
In `@node/Dockerfile`:
- Around line 11-12: The TOOLCHAIN ARG is using the mutable `:latest` tag which
can change between builds and cause non-deterministic behavior. Replace the
`:latest` tag in the TOOLCHAIN variable with a specific immutable version tag
(e.g., a specific version number like :1.0.0) or a digest pin (using
`@sha256`:...) to ensure consistent and reproducible builds.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 98a4e006-3075-4f60-b4f0-30055964ae58

📥 Commits

Reviewing files that changed from the base of the PR and between 6bd66e8 and ccbf8bf.

📒 Files selected for processing (2)
  • .github/workflows/build-node.yml
  • node/Dockerfile
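
The two actionable Dockerfile findings above (a base image pulled from a mutable tag, and a runtime stage that runs the node as root) are easy to regress once the review is gone. The following is an added example, not code from this PR or from k-nuth/docker-images: a small POSIX shell gate, lint_dockerfile, that reads a Dockerfile on stdin, resolves FROM ${ARG} references through the ARG defaults, and fails the build unless every base image is pinned by digest and the final stage has switched to an unprivileged USER. The two sample Dockerfiles it is run against are constructed for illustration: the sha256 values are placeholders rather than real digests, the toolchain tag 1.0.0 and the COPY source path are illustrative, and none of it is the PR's node/Dockerfile.

```shell
#!/bin/sh
# Added example (not the PR's code): pre-merge gate for unpinned base images
# and a root-running final stage. lint_dockerfile reads a Dockerfile on stdin,
# prints one finding per line and returns 1 if there is any finding.
lint_dockerfile() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    { kw = toupper($1) }
    kw == "ARG" {                       # remember ARG defaults: FROM ${NAME} resolves to them
        n = index($2, "=")
        if (n) argdef[substr($2, 1, n - 1)] = substr($2, n + 1)
        next
    }
    kw == "FROM" {
        ref = $2
        if (substr(ref, 1, 1) == "$") {                 # FROM ${TOOLCHAIN} or FROM $RUNTIME
            name = ref; gsub(/[${}]/, "", name)
            if (!(name in argdef)) { print "FROM " ref ": ARG has no default, cannot audit"; bad = 1; next }
            ref = argdef[name]
        }
        stage++; user = "root"                          # every new stage starts as root
        d = index(ref, "@sha256:")
        digest = d ? substr(ref, d + 8) : ""
        if (length(digest) == 64 && digest ~ /^[0-9a-f]+$/) next   # digest-pinned: tag is irrelevant
        tail = ref; sub(/^[^\/]*\//, "", tail)          # drop registry/namespace before looking for a tag
        if (index(tail, ":") == 0 || ref ~ /:latest$/) { print "FROM " ref ": resolves to a mutable :latest tag, pin by digest" }
        else { print "FROM " ref ": version tag is mutable, pin by digest" }
        bad = 1; next
    }
    kw == "USER" { user = $2 }
    END {
        if (stage && (user == "root" || user == "0" || user ~ /^(root|0):/)) {
            print "final stage runs as root: add an unprivileged USER before ENTRYPOINT"; bad = 1
        }
        exit bad
    }'
}

# Constructed "before" sample: mutable :latest toolchain tag, unpinned runtime
# base and no USER in the runtime stage. The COPY source path is illustrative.
sample_before() {
    cat <<'EOF'
ARG TOOLCHAIN=kthnode/gcc15-ubuntu24.04:latest
ARG RUNTIME=ubuntu:24.04
FROM ${TOOLCHAIN} AS build
ARG KNUTH_VERSION
FROM ${RUNTIME}
COPY --from=build /build/kth/bin/kth /usr/local/bin/kth
WORKDIR /data
EXPOSE 8333
ENTRYPOINT ["kth"]
EOF
}

# Constructed hardened sample: both bases pinned by digest (the 64-hex values
# are placeholders, not real digests) and an unprivileged kth user owning /data.
sample_after() {
    cat <<'EOF'
ARG TOOLCHAIN=kthnode/gcc15-ubuntu24.04:1.0.0@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
ARG RUNTIME=ubuntu:24.04@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
FROM ${TOOLCHAIN} AS build
FROM ${RUNTIME}
COPY --from=build /build/kth/bin/kth /usr/local/bin/kth
RUN useradd --system --create-home --home-dir /data --shell /usr/sbin/nologin kth
USER kth
WORKDIR /data
EXPOSE 8333
ENTRYPOINT ["kth"]
EOF
}
```

Run it as `lint_dockerfile < node/Dockerfile` in a CI step before the build; `sample_before | lint_dockerfile` reports three findings and exits 1, `sample_after | lint_dockerfile` is silent and exits 0. Because a digest pin wins over any tag, the check accepts `image:latest@sha256:...`, which is the usual way to keep a readable tag while still building reproducibly. The parser is deliberately minimal: it does not handle `FROM --platform=...` or build arguments overridden at `docker build` time, so treat it as a gate on what is committed, not on every way the image could be built.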

Addresses review feedback:

- Dockerfile: add an unprivileged 'kth' user, own /data, and USER kth before the entrypoint instead of running the node as root.

- build-node.yml: validate the version input against a strict pattern via an env var (avoids shell injection from workflow inputs) and set persist-credentials: false on checkout.

Action refs and the toolchain tag are kept as-is for consistency with the existing knuth.yml workflow and the repo's :latest toolchain convention.

coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In @.github/workflows/build-node.yml:
- Line 40: The version regex pattern in the version validation check is too
permissive and allows `+` characters which are invalid for Docker tags. Modify
the regex pattern by removing the `+` character from the prerelease version
separator portion (currently `[-+.]`) to only allow `-` and `.` as separators,
ensuring that only valid Docker-compatible version strings pass validation. This
will prevent version strings like `1.0.0+meta` from being accepted and used as
Docker tags later in the workflow at line 65.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 273f3270-8a1b-4ae4-9e7b-3abd96200eb6

📥 Commits

Reviewing files that changed from the base of the PR and between ccbf8bf and b87a324.

📒 Files selected for processing (2)
  • .github/workflows/build-node.yml
  • node/Dockerfile
🚧 Files skipped from review as they are similar to previous changes (1)
  • node/Dockerfile

Drop '+' from the accepted version pattern: Docker tags allow only [A-Za-z0-9_.-], so a value like 1.0.0+meta would pass validation but fail at push time. Reject it up front instead.
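
The metadata step described in the PR (validate the version, strip a leading v, lowercase the owner, emit the normalized version and image name) is where a workflow_dispatch input first touches a shell, and the two review rounds above show the two ways it goes wrong: template-expanding the input into `run:` lets a crafted value break out of the assignment, and a regex that admits `+` lets a value pass validation only to be rejected by the registry as a tag. The following is an added example, not the PR's build-node.yml: a POSIX shell version of that step. The names normalize_version, image_ref, meta_step, INPUT_VERSION and REPO_OWNER are assumptions; in a real job the input would reach the script through an `env:` mapping (`INPUT_VERSION: ${{ inputs.version }}`) rather than being interpolated into the `run:` body.

```shell
#!/bin/sh
# Added example (not the PR's build-node.yml): validation a workflow "meta"
# step should apply to a user-controlled version before it reaches a shell
# line or a Docker tag. Names are assumptions; the input is read from the
# environment so the shell only ever sees it as a variable value.

# SemVer core, optional leading "v", optional dot-separated pre-release
# identifiers. "+" build metadata is deliberately excluded: Docker tags allow
# only [A-Za-z0-9_.-] (first character [A-Za-z0-9_]), so 1.0.0+meta would
# pass a looser check and then fail at push time.
VERSION_RE='v?[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9]+(\.[A-Za-z0-9]+)*)?'

nl='
'

# normalize_version RAW: print RAW without its leading "v"; exit 1 if RAW is
# not a safe, tag-compatible version string.
normalize_version() {
    raw=$1
    # grep matches line by line, so "1.0.0<newline>evil" would pass on its
    # first line alone; reject embedded newlines before anything else.
    case $raw in
        *"$nl"*) return 1 ;;
    esac
    printf '%s\n' "$raw" | grep -Eq "^${VERSION_RE}$" || return 1
    v=${raw#v}
    [ ${#v} -le 128 ] || return 1   # Docker tag length limit
    printf '%s\n' "$v"
}

# image_ref OWNER: print ghcr.io/<owner>/kth with the owner lowercased, since
# image repository paths must be lowercase while GitHub owners need not be.
image_ref() {
    owner=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $owner in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    printf 'ghcr.io/%s/kth\n' "$owner"
}

# meta_step: the lines a workflow step would append to $GITHUB_OUTPUT, built
# only from values that passed validation; fails the job otherwise.
meta_step() {
    version=$(normalize_version "$INPUT_VERSION") || {
        echo "::error::invalid version input (expected vX.Y.Z or X.Y.Z[-prerelease])" >&2
        return 1
    }
    image=$(image_ref "$REPO_OWNER") || return 1
    printf 'version=%s\nimage=%s\n' "$version" "$image"
}
```

With `INPUT_VERSION=v1.0.0` and `REPO_OWNER=K-Nuth`, `meta_step` prints `version=1.0.0` and `image=ghcr.io/k-nuth/kth`, which is what the later build step would feed to `--build-arg KNUTH_VERSION=` and to the image tags. Values such as `1.0.0+meta`, `1.0.0; echo pwned` or a version with an embedded newline make it return 1 before anything is written, so a malformed or hostile dispatch input fails the job at the first step instead of at `docker push`.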