feat: add standalone rebalancer Docker image and workflow

[paulbalaji]

Summary

• Add standalone Docker image for rebalancer using ncc bundling
• Achieves 96.5% image size reduction vs monorepo (227 MB vs 6.45 GB)
• Add GitHub Actions workflow to build and push to GCR
• Update Helm chart to use standalone rebalancer image

Image Size Comparison

Image	Size	vs Monorepo (yarn)	vs Monorepo (pnpm)
hyperlane-monorepo (yarn)	8.69 GB	-	-
hyperlane-monorepo (pnpm)	6.45 GB	25.8% smaller	-
hyperlane-rebalancer (standalone)	227 MB	97.4% smaller	96.5% smaller

Approach

Uses @vercel/ncc to bundle the rebalancer into a single file with all dependencies, then runs on a minimal Alpine image. This eliminates the need for pnpm/node_modules in the final image.

Changes

• typescript/rebalancer/Dockerfile - Multi-stage Docker build with ncc bundling
• typescript/rebalancer/package.json - Added ncc and bundle script
• typescript/rebalancer/scripts/ncc.post-bundle.mjs - Post-bundle __dirname fix
• .github/workflows/rebalancer-docker.yml - CI workflow for building/pushing
• typescript/infra/helm/rebalancer/ - Updated deployment + values
• turbo.json - Added bundle task

Stacked on #7544

Test plan

• Docker build succeeds in CI
• Helm chart deploys correctly

---

🐳 Standalone Image Initiative

This PR is part of a wider effort to migrate TypeScript workloads from the 6.39 GB monorepo image to lightweight standalone images:

PR	Workload	Pods	Nodes	Standalone Size	Reduction
#7545	Rebalancer	11	7	227 MB	28x
#7565	Offchain Lookup Server	1	1	1.64 GB	4x
#7653	Warp Monitor	181	19	227 MB	28x
Total	-	193	20*	-	-

*20 unique nodes (some overlap between workloads)

Total Infrastructure Savings

• ~121 GB node disk freed across the cluster
• Before: 20 nodes × 6.45 GB = 129 GB cached monorepo images
• After: ~8 GB total standalone images
• 28x faster pod startup for most workloads
• Reduced GCR costs from smaller storage and less transfer

🤖 Generated with Claude Code

Greptile Summary

Introduces a standalone Docker image for the rebalancer using @vercel/ncc bundling, achieving a 96.5% reduction in image size (227 MB vs 6.45 GB). The implementation uses a multi-stage build process: first stage builds TypeScript and bundles with ncc, second stage copies just the bundle to an Alpine image.

Key Changes:

• Multi-stage Dockerfile with ncc bundling and Foundry installation using bash for pipefail support
• GitHub Actions workflow for automated building and pushing to GCR with multi-platform support
• Service entry point with comprehensive environment variable validation and registry URI support (can include /tree/{commit} for version pinning)
• Post-bundle script to inject __dirname polyfill for ESM compatibility
• Helm chart updates to use registryUri instead of registryCommit
• Added @vercel/ncc to pnpm catalog for consistency

Issue Found:

• typescript/infra/src/rebalancer/helm.ts still references the old monorepo image (gcr.io/abacus-labs-dev/hyperlane-monorepo) instead of the new standalone image (gcr.io/abacus-labs-dev/hyperlane-rebalancer), which would prevent deployments from using the optimized image

Confidence Score: 3/5

• Safe to merge after fixing the image reference in helm.ts - the Docker build and workflow are solid
• Well-architected implementation with proper multi-stage builds, comprehensive env validation, and solid CI workflow. However, the critical bug in helm.ts (line 82) where the hardcoded monorepo image reference prevents actual deployment of the standalone image significantly impacts the PR's core goal of using the optimized image
• typescript/infra/src/rebalancer/helm.ts needs the image repository updated to use the standalone rebalancer image

Important Files Changed

Filename	Overview
typescript/rebalancer/Dockerfile	Multi-stage build using ncc bundling to reduce image from 6.45GB to 227MB, properly handles Foundry installation with pipefail
.github/workflows/rebalancer-docker.yml	GitHub Actions workflow for building multi-platform images with proper tagging, GCR authentication, and PR commenting
typescript/rebalancer/src/service.ts	Service entry point with comprehensive env var validation, registry URI support with commit pinning, and proper error handling
typescript/infra/src/rebalancer/helm.ts	Updated to use registryUri instead of registryCommit, but still references old monorepo image instead of standalone image

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Depot as Depot Builder
    participant GCR as Google Container Registry
    participant K8s as Kubernetes
    participant Rebalancer as Rebalancer Service

    Dev->>GH: Push to main / Create PR
    GH->>GH: Trigger rebalancer-docker.yml workflow
    GH->>GH: Check GCLOUD_SERVICE_KEY secret
    GH->>GH: Generate tag (SHA-DATE)
    GH->>GH: Read Foundry version from .foundryrc
    
    GH->>Depot: Build multi-stage Docker image
    Depot->>Depot: Stage 1: Install deps & build TypeScript
    Depot->>Depot: Run ncc bundling (creates single file)
    Depot->>Depot: Run post-bundle script (add __dirname)
    Depot->>Depot: Stage 2: Copy bundle to Alpine image
    
    Depot->>GCR: Push tagged image (227 MB)
    GCR-->>GH: Image pushed successfully
    GH->>Dev: Comment image tags on PR
    
    Dev->>K8s: Deploy via Helm chart
    K8s->>GCR: Pull hyperlane-rebalancer image
    K8s->>Rebalancer: Start container with env vars
    Rebalancer->>Rebalancer: Validate REBALANCER_CONFIG_FILE & HYP_KEY
    Rebalancer->>Rebalancer: Load config & initialize registry
    Rebalancer->>Rebalancer: Create MultiProvider with signer
    Rebalancer->>Rebalancer: Start daemon mode (check every 60s)
    Rebalancer->>K8s: Expose metrics on port 9090

Loading

Summary by CodeRabbit

• New Features

  • Rebalancer delivered as a standalone, optimized container image with configurable registry, platform selection, and runtime env vars.
  • Production bundling pipeline that produces a single executable bundle and post-bundle processing.

• Chores

  • CI workflow added to build/push images (multi-arch option, gated secret check, PR preview comments).
  • Helm values and chart parameters updated for rebalancer image and env-driven configuration.
  • Tooling: bundler dependency added and ignore patterns updated.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 5d127c2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[hyper-gonk]

🦀 Rust Agent Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-agent:pr-7545
gcr.io/abacus-labs-dev/hyperlane-agent:e3823dd-20251208-153738

[paulbalaji]

@greptileai

[greptile-apps]

Additional Comments (1)

1. typescript/infra/src/rebalancer/helm.ts, line 81-84 (link)

   logic: still referencing old monorepo image instead of standalone hyperlane-rebalancer image

_{13 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

typescript/rebalancer/Dockerfile (2)

72-73: Consider whether package.json is needed in the runtime.

You're copying the package.json alongside the bundle. If the bundle is truly standalone (all dependencies compiled in), that file might not be required. Worth verifying whether the runtime actually reads it.

---

64-83: Runtime stage is lean, but could use a non-root user.

The Alpine base keeps things minimal, and the bundled output means no hefty node_modules. For better security posture, consider running as a non-root user—especially in production environments.

🔎 Add a non-root user to the runtime stage

 FROM node:20-alpine AS runner

 WORKDIR /app

 RUN apk add --no-cache ca-certificates

+# Create non-root user
+RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
+
 # Copy only the bundled output (includes all dependencies)
 COPY --from=builder /hyperlane-monorepo/typescript/rebalancer/rebalancer-bundle ./rebalancer-bundle
 COPY --from=builder /hyperlane-monorepo/typescript/rebalancer/package.json ./
 
+# Set ownership to non-root user
+RUN chown -R nodejs:nodejs /app
+
+USER nodejs
+
 # Environment variables
 ENV NODE_ENV=production
 ENV LOG_LEVEL=info

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fadb5a6 and c07ea1d.

📒 Files selected for processing (3)

• .github/workflows/rebalancer-docker.yml
• typescript/infra/src/rebalancer/helm.ts
• typescript/rebalancer/Dockerfile

🚧 Files skipped from review as they are similar to previous changes (2)

• typescript/infra/src/rebalancer/helm.ts
• .github/workflows/rebalancer-docker.yml

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-12-22T16:50:19.890Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7565
File: typescript/ccip-server/Dockerfile:10-11
Timestamp: 2025-12-22T16:50:19.890Z
Learning: Standardize Foundry installation in Dockerfiles by using the official curl -L https://foundry.paradigm.xyz | bash followed by foundryup. This pattern is already used across multiple Dockerfiles in the repo and should be retained for consistency and reliability wherever Foundry is installed.

Applied to files:

• typescript/rebalancer/Dockerfile

📚 Learning: 2025-08-13T16:53:55.163Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6891
File: typescript/infra/config/environments/mainnet3/funding.ts:22-22
Timestamp: 2025-08-13T16:53:55.163Z
Learning: In Hyperlane mainnet3 configs, funding.ts uses 'gcr.io/abacus-labs-dev/hyperlane-monorepo' docker image while agent.ts uses 'gcr.io/abacus-labs-dev/hyperlane-agent' docker image. These are different images with independent tag cycles, so tag consistency across them is not expected.

Applied to files:

• typescript/rebalancer/Dockerfile

📚 Learning: 2025-11-25T17:10:33.369Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Applied to files:

• typescript/rebalancer/Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (61)

• GitHub Check: cli-evm-e2e-matrix (warp-check-3)
• GitHub Check: cli-evm-e2e-matrix (core-init)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-recovery)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-simple-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-1)
• GitHub Check: cli-evm-e2e-matrix (warp-check-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ism-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-read)
• GitHub Check: cli-evm-e2e-matrix (warp-rebalancer)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-2)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-basic)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-hook-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-submitters)
• GitHub Check: cli-evm-e2e-matrix (warp-check-4)
• GitHub Check: cli-evm-e2e-matrix (core-apply)
• GitHub Check: cli-evm-e2e-matrix (relay)
• GitHub Check: cli-evm-e2e-matrix (warp-send)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-2)
• GitHub Check: cli-evm-e2e-matrix (warp-init)
• GitHub Check: cli-evm-e2e-matrix (core-check)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-evm-e2e-matrix (core-read)
• GitHub Check: cli-evm-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (warp-check-5)
• GitHub Check: cli-evm-e2e-matrix (status)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-rebalancing-config)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-1)
• GitHub Check: cli-evm-e2e-matrix (warp-check-1)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-config)
• GitHub Check: env-test-matrix (mainnet3, ethereum, igp)
• GitHub Check: env-test-matrix (mainnet3, ethereum, core)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, igp)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, core)
• GitHub Check: env-test-matrix (testnet4, sepolia, core)
• GitHub Check: env-test-matrix (mainnet3, optimism, core)
• GitHub Check: env-test-matrix (mainnet3, optimism, igp)
• GitHub Check: cli-radix-e2e-matrix (warp-deploy)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-route-extension)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-radix-e2e-matrix (core-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (warp-read)
• GitHub Check: cli-radix-e2e-matrix (core-apply)
• GitHub Check: cli-cosmos-e2e-matrix (core-read)
• GitHub Check: cli-cosmos-e2e-matrix (core-apply)
• GitHub Check: cli-cosmos-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-check)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-apply)
• GitHub Check: cosmos-sdk-e2e-run
• GitHub Check: pnpm-test-run
• GitHub Check: cli-cross-chain-e2e-matrix (warp-deploy)
• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: cli-install-test-run
• GitHub Check: infra-test
• GitHub Check: build-and-push-to-gcr
• GitHub Check: build-and-push-to-gcr
• GitHub Check: Socket Security: Pull Request Alerts
• GitHub Check: e2e-matrix (evm)
• GitHub Check: lint-rs
• GitHub Check: lander-coverage
• GitHub Check: test-rs

🔇 Additional comments (4)

typescript/rebalancer/Dockerfile (4)

1-7: Solid foundation for the build stage.

The base image and dependencies are well-chosen. Cleaning up apt lists keeps the layer lean, which is proper housekeeping.

---

9-16: Pinned Foundry binaries are a solid choice here.

The direct download from GitHub releases with version pinning gives you reproducible builds, which is what you're after. This differs from the installer pattern in some other Dockerfiles, but the pinning approach is more explicit. The shell switching for pipefail ensures curl failures don't slip through unnoticed, which is good defensive coding.

Based on learnings, other Dockerfiles use the official curl | bash installer, but your approach is intentional for pinning.

---

18-43: Well-structured dependency caching.

The layering here is thoughtful: package.json first, then configs, patches, and workspace package.jsons before the install. Using --frozen-lockfile keeps builds reproducible. This approach makes rebuilds faster when only source code changes.

---

45-62: Bundle strategy looks clean.

The source copies align with the package.json dependencies, and the turbo filter targets just the rebalancer. If the bundle step fails, the subsequent COPY will catch it, so there's no need for explicit verification here.

[antigremlin]

Nice! Please see my comments.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

typescript/rebalancer/scripts/ncc.post-bundle.mjs (1)

11-11: Minor shebang format inconsistency with CLI version.

The CLI's post-bundle script uses #! /usr/bin/env node (with a space after #!), while this uses #!/usr/bin/env node (no space). Both are valid, but for consistency across the monorepo, consider matching the CLI's format.

🔎 Optional consistency fix

-const shebang = '#!/usr/bin/env node';
+const shebang = '#! /usr/bin/env node';

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c07ea1d and bed40c7.

📒 Files selected for processing (7)

• .github/workflows/rebalancer-docker.yml
• typescript/rebalancer/.gitignore
• typescript/rebalancer/Dockerfile
• typescript/rebalancer/package.json
• typescript/rebalancer/scripts/ncc.post-bundle.mjs
• typescript/rebalancer/src/service.ts
• typescript/rebalancer/turbo.json

🚧 Files skipped from review as they are similar to previous changes (4)

• typescript/rebalancer/turbo.json
• typescript/rebalancer/Dockerfile
• typescript/rebalancer/src/service.ts
• .github/workflows/rebalancer-docker.yml

🧰 Additional context used

🧠 Learnings (3)

📚 Learning: 2025-08-26T13:45:52.227Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/testnet_config.json:34-35
Timestamp: 2025-08-26T13:45:52.227Z
Learning: Skip reviewing mainnet_config.json and testnet_config.json configuration files in typescript/infra/config/ and rust/main/config/ directories as requested by paulbalaji to reduce review noise.

Applied to files:

• typescript/rebalancer/.gitignore

📚 Learning: 2025-08-26T13:46:37.695Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/testnet_config.json in future code reviews as requested by paulbalaji.

Applied to files:

• typescript/rebalancer/.gitignore

📚 Learning: 2025-11-25T17:10:33.369Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Applied to files:

• typescript/rebalancer/package.json

🧬 Code graph analysis (1)

typescript/rebalancer/scripts/ncc.post-bundle.mjs (1)

typescript/cli/scripts/ncc.post-bundle.mjs (8)

• __filename (6-6)
• __dirname (7-7)
• outputFile (9-9)
• shebang (11-11)
• dirnameDef (12-15)
• content (19-19)
• executable (27-27)
• newContent (28-28)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (61)

• GitHub Check: cli-evm-e2e-matrix (warp-check-2)
• GitHub Check: cli-evm-e2e-matrix (warp-init)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-2)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-2)
• GitHub Check: cli-evm-e2e-matrix (warp-send)
• GitHub Check: cli-evm-e2e-matrix (warp-read)
• GitHub Check: cli-evm-e2e-matrix (warp-check-3)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-1)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-rebalancing-config)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-basic)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-1)
• GitHub Check: cli-evm-e2e-matrix (warp-check-4)
• GitHub Check: cli-evm-e2e-matrix (relay)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-hook-updates)
• GitHub Check: cli-evm-e2e-matrix (core-read)
• GitHub Check: cli-evm-e2e-matrix (warp-check-1)
• GitHub Check: cli-evm-e2e-matrix (core-check)
• GitHub Check: cli-evm-e2e-matrix (warp-check-5)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-submitters)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-config)
• GitHub Check: cli-evm-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (status)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-recovery)
• GitHub Check: cli-evm-e2e-matrix (core-apply)
• GitHub Check: cli-evm-e2e-matrix (warp-rebalancer)
• GitHub Check: cli-evm-e2e-matrix (core-init)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ism-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-simple-updates)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, core)
• GitHub Check: env-test-matrix (mainnet3, ethereum, igp)
• GitHub Check: env-test-matrix (testnet4, sepolia, core)
• GitHub Check: env-test-matrix (mainnet3, optimism, core)
• GitHub Check: cli-cosmos-e2e-matrix (core-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-apply)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, igp)
• GitHub Check: env-test-matrix (mainnet3, ethereum, core)
• GitHub Check: cli-cosmos-e2e-matrix (core-check)
• GitHub Check: env-test-matrix (mainnet3, optimism, igp)
• GitHub Check: cli-cosmos-e2e-matrix (core-read)
• GitHub Check: cli-cosmos-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (warp-read)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-route-extension)
• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: cli-radix-e2e-matrix (core-deploy)
• GitHub Check: cli-radix-e2e-matrix (warp-deploy)
• GitHub Check: cli-radix-e2e-matrix (core-apply)
• GitHub Check: pnpm-test-run
• GitHub Check: cli-install-test-run
• GitHub Check: cli-cross-chain-e2e-matrix (warp-apply)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-deploy)
• GitHub Check: cosmos-sdk-e2e-run
• GitHub Check: infra-test
• GitHub Check: build-and-push-to-gcr
• GitHub Check: build-and-push-to-gcr
• GitHub Check: e2e-matrix (evm)
• GitHub Check: lint-prettier
• GitHub Check: lint-rs
• GitHub Check: lander-coverage
• GitHub Check: test-rs

🔇 Additional comments (5)

typescript/rebalancer/.gitignore (1)

4-4: LGTM! Build artifacts belong in .gitignore.

Adding the bundle directory to .gitignore is the right call—keeps generated files out of version control where they belong.

typescript/rebalancer/package.json (3)

18-18: Clean script updated correctly.

Good addition of the bundle directory to the clean script.

---

54-54: NCC dependency added appropriately.

The @vercel/ncc devDependency is correctly placed and uses the catalog reference.

---

17-17: No action needed—the turbo.json already has the bundle task properly configured with "dependsOn": ["build"], so the build step will always run before bundle. Fresh checkouts won't hit errors here.

Likely an incorrect or invalid review comment.

typescript/rebalancer/scripts/ncc.post-bundle.mjs (1)

17-36: Post-bundle processing looks solid.

The logic correctly validates the shebang, injects the __dirname shim when needed, and properly exits with an error code on failure. Nice work addressing the error handling from the previous review.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bed40c7 and 863e99c.

📒 Files selected for processing (4)

• typescript/infra/src/rebalancer/helm.ts
• typescript/rebalancer/Dockerfile
• typescript/rebalancer/package.json
• typescript/rebalancer/src/service.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• typescript/rebalancer/Dockerfile

🧰 Additional context used

📓 Path-based instructions (1)

typescript/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

typescript/**/*.{ts,tsx}: Use ChainMap for per-chain configurations in TypeScript
Import types from @hyperlane-xyz/sdk when using TypeScript SDK types

Files:

• typescript/rebalancer/src/service.ts
• typescript/infra/src/rebalancer/helm.ts

🧠 Learnings (3)

📚 Learning: 2025-11-26T13:28:51.658Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: typescript/cli/package.json:20-20
Timestamp: 2025-11-26T13:28:51.658Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, hyperlane-xyz/registry is maintained in a separate repository and published to npm, so it should use a pinned version (e.g., "23.6.0") rather than the workspace protocol ("workspace:*") that other internal Hyperlane packages use.

Applied to files:

• typescript/rebalancer/src/service.ts

📚 Learning: 2025-08-13T16:53:55.163Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6891
File: typescript/infra/config/environments/mainnet3/funding.ts:22-22
Timestamp: 2025-08-13T16:53:55.163Z
Learning: In Hyperlane mainnet3 configs, funding.ts uses 'gcr.io/abacus-labs-dev/hyperlane-monorepo' docker image while agent.ts uses 'gcr.io/abacus-labs-dev/hyperlane-agent' docker image. These are different images with independent tag cycles, so tag consistency across them is not expected.

Applied to files:

• typescript/rebalancer/src/service.ts
• typescript/infra/src/rebalancer/helm.ts

📚 Learning: 2025-11-25T17:10:33.369Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Applied to files:

• typescript/rebalancer/package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (62)

• GitHub Check: cli-evm-e2e-matrix (warp-read)
• GitHub Check: cli-evm-e2e-matrix (warp-check-1)
• GitHub Check: cli-evm-e2e-matrix (warp-rebalancer)
• GitHub Check: cli-evm-e2e-matrix (warp-check-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ism-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-rebalancing-config)
• GitHub Check: cli-evm-e2e-matrix (warp-init)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-submitters)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-basic)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-recovery)
• GitHub Check: cli-evm-e2e-matrix (warp-check-4)
• GitHub Check: cli-evm-e2e-matrix (warp-send)
• GitHub Check: cli-evm-e2e-matrix (warp-check-3)
• GitHub Check: cli-evm-e2e-matrix (warp-check-5)
• GitHub Check: cli-evm-e2e-matrix (status)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-hook-updates)
• GitHub Check: cli-evm-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-simple-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-1)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-evm-e2e-matrix (core-read)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-1)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-config)
• GitHub Check: cli-evm-e2e-matrix (core-init)
• GitHub Check: cli-evm-e2e-matrix (core-check)
• GitHub Check: cli-evm-e2e-matrix (core-apply)
• GitHub Check: cli-evm-e2e-matrix (relay)
• GitHub Check: cli-radix-e2e-matrix (core-apply)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-radix-e2e-matrix (warp-deploy)
• GitHub Check: cli-radix-e2e-matrix (core-deploy)
• GitHub Check: env-test-matrix (mainnet3, optimism, core)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-route-extension)
• GitHub Check: env-test-matrix (testnet4, sepolia, core)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, core)
• GitHub Check: cli-cosmos-e2e-matrix (warp-read)
• GitHub Check: env-test-matrix (mainnet3, ethereum, igp)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, igp)
• GitHub Check: env-test-matrix (mainnet3, ethereum, core)
• GitHub Check: env-test-matrix (mainnet3, optimism, igp)
• GitHub Check: cli-cosmos-e2e-matrix (core-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-apply)
• GitHub Check: cli-cosmos-e2e-matrix (core-read)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-check)
• GitHub Check: pnpm-test-run
• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: cosmos-sdk-e2e-run
• GitHub Check: cli-install-test-run
• GitHub Check: cli-cross-chain-e2e-matrix (warp-apply)
• GitHub Check: infra-test
• GitHub Check: build-and-push-to-gcr
• GitHub Check: build-and-push-to-gcr
• GitHub Check: e2e-matrix (evm)
• GitHub Check: agent-configs (mainnet3)
• GitHub Check: lint-prettier
• GitHub Check: lander-coverage
• GitHub Check: lint-rs
• GitHub Check: test-rs

🔇 Additional comments (11)

typescript/rebalancer/package.json (3)

18-18: Good addition to the clean script.

Adding bundle to the cleanup makes sense with the new bundling step. Keeps things tidy.

---

17-17: Both concerns are already properly handled—no changes needed.

Good news: the build→bundle dependency chain is set up right in turbo.json ("dependsOn": ["build"]), so that won't blow up mid-pipeline. And the excluded dependency gets handled in the Dockerfile's production stage with RUN npm install @google-cloud/pino-logging-gcp-config, which means it'll be available when the container runs. Everything's layered correctly here.

---

54-54: @vercel/ncc is secure and actively maintained — Latest version (0.38.4) has no known direct vulnerabilities, and using the catalog versioning keeps your workspace dependencies consistent across the monorepo, which is exactly what you want for build tools.

typescript/infra/src/rebalancer/helm.ts (3)

4-4: Import looks good.

The DEFAULT_GITHUB_REGISTRY import is used properly in the registryUri construction below.

---

89-89: Registry URI integration looks solid.

The registryUri is properly passed through to the Helm values, replacing the previous registryCommit approach.

---

77-79: No action needed — the /tree/{commit} format is correct and supported.

The @hyperlane-xyz/registry library does support GitHub URLs with /tree/{ref} (where ref can be a commit, branch, or tag), and this code properly locks the registry to a specific commit snapshot. The codebase even documents this pattern — see the rebalancer service where it notes that REGISTRY_URI can include /tree/{commit} for pinning to specific versions.

typescript/rebalancer/src/service.ts (5)

17-17: Nice documentation addition.

The REGISTRY_URI environment variable is well-documented, including the /tree/{commit} pattern for version pinning.

---

25-25: Import is correct.

DEFAULT_GITHUB_REGISTRY import matches the usage pattern in helm.ts.

---

34-34: Version resolution correctly updated.

The VERSION now uses SERVICE_VERSION environment variable with a 'dev' fallback, which addresses the previous review feedback about Docker image versioning.

---

133-138: Error handling improvements look good.

Explicitly typing errors and including stack traces in the logs will make debugging easier when things go sideways.

Also applies to: 144-146

---

87-95: enableProxy: true is the standard configuration across the codebase.

This change aligns with registry initialization patterns used consistently throughout the repository (in tests, config files, and other services). The SDK-provided getRegistry function from @hyperlane-xyz/registry/fs handles proxy functionality internally, so no additional documentation is needed here.

Likely an incorrect or invalid review comment.

[hyper-gonk]

♻️ Rebalancer Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-rebalancer:pr-7545
gcr.io/abacus-labs-dev/hyperlane-rebalancer:5d127c2-20251229-194945

[hyper-gonk]

🐳 Monorepo Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-monorepo:pr-7545
gcr.io/abacus-labs-dev/hyperlane-monorepo:5d127c2-20251229-194941