feat: enable Turbo remote cache in Docker builds #7734

Closed
paulbalaji wants to merge 3 commits into main from pbio/docker-build-optimizations

@paulbalaji paulbalaji commented Jan 9, 2026

Summary

Enables Depot's Turbo remote cache during Docker builds, allowing pnpm turbo run commands to skip rebuilding unchanged packages by hitting the same cache used in CI.

Also includes a drive-by expansion of .dockerignore to reduce build context size.

Build Time Comparison

| Image | Main (baseline) | PR | Improvement |
|---|---|---|---|
| Rebalancer | 3.0 min | 1.4 min | 53% faster |
| Warp Monitor | 3.0 min | 1.8 min | 40% faster |
| Monorepo | 4.5 min | 3.7 min | 18% faster |
| CCIP Server | 6.3 min | 5.5 min | 13% faster |

Changes

Turbo remote cache:

  • Pass TURBO_TEAM as build-arg and TURBO_TOKEN as Docker build secret to all TypeScript Docker workflows
  • Dockerfiles mount the secret and configure Turbo environment variables
  • Graceful fallback when secret unavailable: $(cat /run/secrets/TURBO_TOKEN 2>/dev/null || echo "") ensures fork PRs still work

Drive-by .dockerignore improvements:

  • Added exclusions for .github/, .changeset/, .vscode/, .turbo/, coverage/, docs/, etc.
  • Note: .git/ is intentionally NOT excluded (needed by rust/Dockerfile for vergen)

Security

TURBO_TOKEN is passed as a Docker build secret (--mount=type=secret) rather than a build arg, so it never appears in build logs or image layers.

Summary by CodeRabbit

  • Chores
    • Optimized Docker builds by excluding unnecessary files from the build context
    • Enhanced build performance with remote caching integration
    • Improved build security through credential-based authentication

… improved .dockerignore

- Expand .dockerignore to exclude .git/, .github/, docs/, coverage/, .turbo/, etc.
- Expand rust/.dockerignore to exclude unnecessary files
- Add pnpm store cache mount to all TypeScript Dockerfiles for faster installs
- Enable Turbo remote cache (Depot) during Docker builds via secure secret mount
- Pass TURBO_TOKEN as Docker build secret to avoid exposing in build logs
- Graceful fallback when TURBO_TOKEN unavailable (fork PRs still work)

changeset-bot bot commented Jan 9, 2026

⚠️ No Changeset found

Latest commit: b5fc47b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@greptile-apps greptile-apps bot left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

@paulbalaji paulbalaji marked this pull request as draft January 9, 2026 23:54

coderabbitai bot commented Jan 9, 2026

Walkthrough

This PR integrates Turbo remote caching into the Docker build pipeline by passing authentication credentials (TURBO_TEAM and TURBO_TOKEN) through GitHub Actions workflows to multiple service Dockerfiles, while expanding .dockerignore patterns to reduce build context size.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker ignore patterns: .dockerignore, rust/.dockerignore | Expands exclusion lists to remove build artifacts, logs, documentation, IDE configs, and coverage directories from Docker build context |
| CI/CD workflow configuration: .github/workflows/ccip-server-docker.yml, .github/workflows/monorepo-docker.yml, .github/workflows/rebalancer-docker.yml, .github/workflows/warp-monitor-docker.yml | Adds TURBO_TEAM build-arg and TURBO_TOKEN secret to depot/build-push-action steps across all service workflows for Turbo remote cache authentication |
| Dockerfile build logic: Dockerfile, typescript/ccip-server/Dockerfile, typescript/rebalancer/Dockerfile, typescript/warp-monitor/Dockerfile | Introduces TURBO_TEAM arg and TURBO_TOKEN secret mount; sets TURBO_API, TURBO_TELEMETRY_DISABLED environment variables; and modifies build commands to leverage Turbo remote cache with Depot credentials |

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested Reviewers

  • nambrot
  • Mo-Hussain
  • yorhodes

Poem

🧅 Like layers of an onion, secrets stack just right,
Docker builds now cache with Turbo's remote might,
Ignored files peel away, context grows light,
Each service gets its token, the wiring's tight,
No more needless rebuilding—now that's ogre-ific! 🐉

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: enabling Turbo remote cache in Docker builds, which is the primary objective of this PR. |
| Description check | ✅ Passed | The description covers all required sections with thorough detail: summary of changes, build time improvements, security considerations, and drive-by improvements; all template sections are addressed. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

hyper-gonk bot commented Jan 9, 2026

♻️ Rebalancer Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-rebalancer:pr-7734
gcr.io/abacus-labs-dev/hyperlane-rebalancer:b5fc47b-20260109-235824

hyper-gonk bot commented Jan 10, 2026

🕵️ Warp Monitor Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-warp-monitor:pr-7734
gcr.io/abacus-labs-dev/hyperlane-warp-monitor:b5fc47b-20260109-235830

@paulbalaji paulbalaji changed the title from "feat: optimize Docker builds with caching and improved .dockerignore" to "feat: enable Turbo remote cache in Docker builds" Jan 10, 2026

hyper-gonk bot commented Jan 10, 2026

🐳 Monorepo Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-monorepo:pr-7734
gcr.io/abacus-labs-dev/hyperlane-monorepo:b5fc47b-20260109-235825

hyper-gonk bot commented Jan 10, 2026

🦀 Rust Agent Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-agent:pr-7734
gcr.io/abacus-labs-dev/hyperlane-agent:b5fc47b-20260109-235824

hyper-gonk bot commented Jan 10, 2026

🔍 CCIP Server Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-offchain-lookup-server:pr-7734
gcr.io/abacus-labs-dev/hyperlane-offchain-lookup-server:b5fc47b-20260109-235831

@paulbalaji paulbalaji marked this pull request as ready for review January 10, 2026 00:20
@paulbalaji paulbalaji requested review from antigremlin and removed request for kamiyaa and yjamin January 10, 2026 00:20
@paulbalaji paulbalaji enabled auto-merge January 10, 2026 00:20

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.dockerignore (1)

22-35: Good context shrink; keeping .git/ is a fair trade, but it’s a chunky onion layer.
Since .git/ can bloat context a lot, consider a later improvement where vergen metadata is injected via build-args/env (commit/describe) so you can ignore .git/ again—no need for this PR, just a heads-up.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5a2fc4c and b5fc47b.

📒 Files selected for processing (10)
  • .dockerignore
  • .github/workflows/ccip-server-docker.yml
  • .github/workflows/monorepo-docker.yml
  • .github/workflows/rebalancer-docker.yml
  • .github/workflows/warp-monitor-docker.yml
  • Dockerfile
  • rust/.dockerignore
  • typescript/ccip-server/Dockerfile
  • typescript/rebalancer/Dockerfile
  • typescript/warp-monitor/Dockerfile
🧰 Additional context used
🧠 Learnings (5)
📚 Learning: 2025-12-29T19:45:12.592Z
Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7545
File: typescript/infra/src/rebalancer/helm.ts:82-83
Timestamp: 2025-12-29T19:45:12.592Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, Docker image tags in Helm managers (e.g., typescript/infra/src/rebalancer/helm.ts) are intentionally hardcoded for reproducibility and explicit version control, rather than using dynamically generated CI tags.

Applied to files:

  • typescript/rebalancer/Dockerfile
  • Dockerfile
📚 Learning: 2025-08-13T16:53:55.163Z
Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6891
File: typescript/infra/config/environments/mainnet3/funding.ts:22-22
Timestamp: 2025-08-13T16:53:55.163Z
Learning: In Hyperlane mainnet3 configs, funding.ts uses 'gcr.io/abacus-labs-dev/hyperlane-monorepo' docker image while agent.ts uses 'gcr.io/abacus-labs-dev/hyperlane-agent' docker image. These are different images with independent tag cycles, so tag consistency across them is not expected.

Applied to files:

  • typescript/rebalancer/Dockerfile
📚 Learning: 2025-12-22T16:50:19.890Z
Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7565
File: typescript/ccip-server/Dockerfile:10-11
Timestamp: 2025-12-22T16:50:19.890Z
Learning: Standardize Foundry installation in Dockerfiles by using the official curl -L https://foundry.paradigm.xyz | bash followed by foundryup. This pattern is already used across multiple Dockerfiles in the repo and should be retained for consistency and reliability wherever Foundry is installed.

Applied to files:

  • typescript/rebalancer/Dockerfile
  • typescript/warp-monitor/Dockerfile
  • typescript/ccip-server/Dockerfile
  • Dockerfile
📚 Learning: 2025-08-26T13:45:52.227Z
Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/testnet_config.json:34-35
Timestamp: 2025-08-26T13:45:52.227Z
Learning: Skip reviewing mainnet_config.json and testnet_config.json configuration files in typescript/infra/config/ and rust/main/config/ directories as requested by paulbalaji to reduce review noise.

Applied to files:

  • rust/.dockerignore
  • .dockerignore
📚 Learning: 2025-11-26T13:28:51.658Z
Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: typescript/cli/package.json:20-20
Timestamp: 2025-11-26T13:28:51.658Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, hyperlane-xyz/registry is maintained in a separate repository and published to npm, so it should use a pinned version (e.g., "23.6.0") rather than the workspace protocol ("workspace:*") that other internal Hyperlane packages use.

Applied to files:

  • Dockerfile
🔇 Additional comments (9)
rust/.dockerignore (1)

1-6: Looks good for trimming Rust build context; just ensure nothing in docs/ / *.md is needed at build time.
If any crate build script or Dockerfile step reads README/docs (rare, but it happens), this will cause a confusing “file not found” during docker build.

.github/workflows/ccip-server-docker.yml (1)

111-116: Nice and clean wiring for Turbo cache (team as arg, token as secret).
Just make sure this pairs with an optional secret mount in the Dockerfile, so non-secret builds don’t choke.

.github/workflows/warp-monitor-docker.yml (1)

111-116: Same story here: good Turbo secret/arg plumbing; verify missing-secret behavior end-to-end.
If the builder runs without DEPOT_TURBO_TOKEN, the Dockerfile should still build (just without remote cache).

Dockerfile (1)

58-65: The code already provides the graceful fallback through BuildKit's default secret mount behavior (required=false). The cat ... 2>/dev/null || echo "" safely handles missing secrets. Adding required=false explicitly would only clarify intent but isn't required to prevent failures.

Likely an incorrect or invalid review comment.

.github/workflows/monorepo-docker.yml (1)

131-133: Turbo remote cache wiring looks solid.

The TURBO_TEAM build-arg and TURBO_TOKEN secret are properly configured. Using the secrets block ensures the token won't leak into build logs or image layers.

.github/workflows/rebalancer-docker.yml (1)

114-116: LGTM on the Turbo integration.

Consistent with the monorepo workflow, this wires the cache credentials securely into the build process.

typescript/rebalancer/Dockerfile (1)

65-71: Consistent Turbo setup across services.

Same secure pattern as the warp-monitor Dockerfile - secret mount with graceful fallback. Keeps things tidy and predictable.

typescript/ccip-server/Dockerfile (1)

74-80: Turbo cache integration matches the pattern.

The ccip-server now uses the same secure Turbo remote cache setup as the other services. Running build instead of bundle is the right call for this service.

typescript/warp-monitor/Dockerfile (1)

65-71: Secret handling looks solid.

The fallback pattern $(cat /run/secrets/TURBO_TOKEN 2>/dev/null || echo "") keeps things working for fork PRs without the secret, and mounting as type=secret keeps it out of the layers where it doesn't belong. Good call on disabling telemetry too.

The endpoint https://cache.depot.dev is the right one for Depot's remote cache—that's all sorted. Your Turbo setup here is properly configured, layers are clean, and secrets stay where they should be. Nothing wrong with this.
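
The secret-mount pattern this review discusses can be checked mechanically. The following is an added example, not code from the PR or the repository: a lint that flags a token declared through ARG/ENV, a read of /run/secrets without a secret mount, and a read without the fallback. The function name `check_token_handling`, both Dockerfile fragments and the `node:20-slim` base image are assumptions constructed for illustration.

```bash
# Added example: lint how a build token reaches a Dockerfile.
# check_token_handling FILE [NAME]: prints findings, returns 1 if any.
check_token_handling() {
  local file=$1 name=${2:-TURBO_TOKEN} findings
  findings=$(awk -v name="$name" '
    { line = line $0 }                        # accumulate one instruction
    /\\$/ { sub(/\\$/, " ", line); next }     # join backslash continuations
    {
      instr = line; line = ""
      if (instr ~ ("^[ \t]*(ARG|ENV)[ \t]+([^#]*[ \t])?" name "([= \t]|$)"))
        print "leak: " name " set via ARG/ENV, visible in image history/config"
      if (instr ~ /^[ \t]*RUN/ && index(instr, "/run/secrets/" name)) {
        if (instr !~ /--mount=[^ \t]*type=secret/ ||
            instr !~ ("--mount=[^ \t]*id=" name))
          print "broken: reads /run/secrets/" name " without a secret mount"
        if (instr !~ /2>\/dev\/null[ \t]*\|\|/)
          print "no-fallback: secret read lacks the 2>/dev/null || fallback"
      }
    }' "$file")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed fragment: token as a build arg (what the PR avoids).
weak_dockerfile() { cat <<'EOF'
FROM node:20-slim
ARG TURBO_TEAM
ARG TURBO_TOKEN
RUN pnpm turbo run build
EOF
}

# Constructed fragment following the pattern the PR describes.
hardened_dockerfile() { cat <<'EOF'
FROM node:20-slim
ARG TURBO_TEAM
ENV TURBO_TEAM=$TURBO_TEAM TURBO_API=https://cache.depot.dev TURBO_TELEMETRY_DISABLED=1
RUN --mount=type=secret,id=TURBO_TOKEN \
    TURBO_TOKEN="$(cat /run/secrets/TURBO_TOKEN 2>/dev/null || echo "")" \
    pnpm turbo run build
EOF
}

for f in weak hardened; do
  tmp=$(mktemp); "${f}_dockerfile" > "$tmp"
  echo "== $f"; check_token_handling "$tmp" && echo "clean" || true
  rm -f "$tmp"
done
```

The lint inspects Dockerfile text only; confirming that a built image carries no token still means inspecting its history and config.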


codecov bot commented Jan 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.02%. Comparing base (5a2fc4c) to head (b5fc47b).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7734   +/-   ##
=======================================
  Coverage   77.02%   77.02%           
=======================================
  Files         117      117           
  Lines        2651     2651           
  Branches      244      244           
=======================================
  Hits         2042     2042           
  Misses        593      593           
  Partials       16       16           

| Components | Coverage Δ |
|---|---|
| core | 87.80% <ø> (ø) |
| hooks | 71.86% <ø> (ø) |
| isms | 81.10% <ø> (ø) |
| token | 86.67% <ø> (ø) |
| middlewares | 84.98% <ø> (ø) |
@paulbalaji paulbalaji closed this Jan 12, 2026
auto-merge was automatically disabled January 12, 2026 11:35

Pull request was closed

@github-project-automation github-project-automation bot moved this from In Review to Done in Hyperlane Tasks Jan 12, 2026
@paulbalaji paulbalaji deleted the pbio/docker-build-optimizations branch January 12, 2026 11:35