feat(docker): extract risc0 installation into a separate image

.github/workflows/publish_images.yml

@@ -16,16 +16,20 @@ jobs:
             dockerfile: ./lez/sequencer/service/Dockerfile
             build_args: |
               STANDALONE=false
+            needs_risc0: true
           - name: sequencer_service-standalone
             dockerfile: ./lez/sequencer/service/Dockerfile
             build_args: |
               STANDALONE=true
+            needs_risc0: true
           - name: indexer_service
             dockerfile: ./lez/indexer/service/Dockerfile
             build_args: ""
+            needs_risc0: true
           - name: explorer_service
             dockerfile: ./lez/explorer_service/Dockerfile
             build_args: ""
+            needs_risc0: false
     steps:
       - uses: actions/checkout@v5
 
@@ -53,6 +57,17 @@ jobs:
             type=sha,prefix=sha-
             type=raw,value=latest,enable={{is_default_branch}}
 
+      - name: Build risc0 base image
+        if: ${{ matrix.needs_risc0 }}
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./lez/docker/risc0-base.Dockerfile
+          load: true
+          tags: lez/risc0_base:ci
+          cache-from: type=gha,scope=risc0-base
+          cache-to: type=gha,mode=max,scope=risc0-base
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
@@ -62,5 +77,6 @@ jobs:
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: ${{ matrix.build_args }}
+          build-contexts: ${{ matrix.needs_risc0 && 'risc0_base=docker-image://lez/risc0_base:ci' || '' }}
           cache-from: type=gha
           cache-to: type=gha,mode=max

lez/docker/risc0-base.Dockerfile

@@ -0,0 +1,47 @@
+# Shared build base: cargo-chef toolchain + risc0 r0vm.
+#
+# This is the single source of truth for the r0vm install that the sequencer
+# and indexer service images depend on. It is consumed as a named build context
+# called `risc0_base` (the service Dockerfiles start with `FROM risc0_base`).
+#
+# Wiring:
+#   - docker-compose: `build.additional_contexts: { risc0_base: "service:risc0_base" }`
+#   - CI: built first and passed via `build-contexts: risc0_base=docker-image://...`
+FROM lukemathwalker/cargo-chef:latest-rust-1.94.0-slim-trixie
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    pkg-config \
+    libssl-dev \
+    libclang-dev \
+    clang \
+    cmake \
+    ninja-build \
+    curl \
+    unzip \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install r0vm
+# Use quick install for x86-64 (risczero provides binaries only for this linux platform)
+# Manual build for other platforms (including arm64 Linux)
+RUN ARCH=$(uname -m); \
+    if [ "$ARCH" = "x86_64" ]; then \
+        echo "Using quick install for $ARCH"; \
+        curl -L https://risczero.com/install | bash; \
+        export PATH="/root/.cargo/bin:/root/.risc0/bin:${PATH}"; \
+        rzup install; \
+    else \
+        echo "Using manual build for $ARCH"; \
+        git clone --depth 1 --branch release-3.0 https://github.com/risc0/risc0.git; \
+        git clone --depth 1 --branch risc0-1.94.1 https://github.com/risc0/rust.git; \
+        cd /risc0; \
+        cargo install --locked --path rzup; \
+        rzup build --path /rust rust --verbose; \
+        cargo install --locked --path risc0/cargo-risczero; \
+    fi
+ENV PATH="/root/.cargo/bin:/root/.risc0/bin:${PATH}"
+RUN cp "$(which r0vm)" /usr/local/bin/r0vm
+RUN test -x /usr/local/bin/r0vm
+RUN r0vm --version

lez/indexer/service/Dockerfile

@@ -1,42 +1,5 @@
-# Chef stage - uses pre-built cargo-chef image
-FROM lukemathwalker/cargo-chef:latest-rust-1.94.0-slim-trixie AS chef
-
-# Install build dependencies
-RUN apt-get update && apt-get install -y \
-    build-essential \
-    pkg-config \
-    libssl-dev \
-    libclang-dev \
-    clang \
-    cmake \
-    ninja-build \
-    curl \
-    unzip \
-    git \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install r0vm
-# Use quick install for x86-64 (risczero provides binaries only for this linux platform)
-# Manual build for other platforms (including arm64 Linux)
-RUN ARCH=$(uname -m); \
-    if [ "$ARCH" = "x86_64" ]; then \
-        echo "Using quick install for $ARCH"; \
-        curl -L https://risczero.com/install | bash; \
-        export PATH="/root/.cargo/bin:/root/.risc0/bin:${PATH}"; \
-        rzup install; \
-    else \
-        echo "Using manual build for $ARCH"; \
-        git clone --depth 1 --branch release-3.0 https://github.com/risc0/risc0.git; \
-        git clone --depth 1 --branch risc0-1.94.1 https://github.com/risc0/rust.git; \
-        cd /risc0; \
-        cargo install --locked --path rzup; \
-        rzup build --path /rust rust --verbose; \
-        cargo install --locked --path risc0/cargo-risczero; \
-    fi
-ENV PATH="/root/.cargo/bin:/root/.risc0/bin:${PATH}"
-RUN cp "$(which r0vm)" /usr/local/bin/r0vm
-RUN test -x /usr/local/bin/r0vm
-RUN r0vm --version
+# Chef stage
+FROM risc0_base AS chef
 
 WORKDIR /indexer_service
 

lez/indexer/service/docker-compose.yml

@@ -1,9 +1,20 @@
 services:
+  # Build-only: shared base image (toolchain + r0vm) referenced as the
+  # `risc0_base` named context below. It has no long-running command, so it
+  # only gets built — it exits immediately if started.
+  risc0_base:
+    image: lez/risc0_base
+    build:
+      context: ../../..
+      dockerfile: lez/docker/risc0-base.Dockerfile
+
   indexer_service:
     image: lez/indexer_service
     build:
       context: ../../..
       dockerfile: lez/indexer/service/Dockerfile
+      additional_contexts:
+        risc0_base: "service:risc0_base"
     container_name: indexer_service
     ports:
       - "8779:8779"

lez/sequencer/service/Dockerfile

@@ -1,42 +1,5 @@
-# Chef stage - uses pre-built cargo-chef image
-FROM lukemathwalker/cargo-chef:latest-rust-1.94.0-slim-trixie AS chef
-
-# Install dependencies
-RUN apt-get update && apt-get install -y \
-    build-essential \
-    pkg-config \
-    libssl-dev \
-    libclang-dev \
-    clang \
-    cmake \
-    ninja-build \
-    curl \
-    unzip \
-    git \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install r0vm
-# Use quick install for x86-64 (risczero provides binaries only for this linux platform)
-# Manual build for other platforms (including arm64 Linux)
-RUN ARCH=$(uname -m); \
-    if [ "$ARCH" = "x86_64" ]; then \
-        echo "Using quick install for $ARCH"; \
-        curl -L https://risczero.com/install | bash; \
-        export PATH="/root/.cargo/bin:/root/.risc0/bin:${PATH}"; \
-        rzup install; \
-    else \
-        echo "Using manual build for $ARCH"; \
-        git clone --depth 1 --branch release-3.0 https://github.com/risc0/risc0.git; \
-        git clone --depth 1 --branch risc0-1.94.1 https://github.com/risc0/rust.git; \
-        cd /risc0; \
-        cargo install --locked --path rzup; \
-        rzup build --path /rust rust --verbose; \
-        cargo install --locked --path risc0/cargo-risczero; \
-    fi
-ENV PATH="/root/.cargo/bin:/root/.risc0/bin:${PATH}"
-RUN cp "$(which r0vm)" /usr/local/bin/r0vm
-RUN test -x /usr/local/bin/r0vm
-RUN r0vm --version
+# Chef stage
+FROM risc0_base AS chef
 
 WORKDIR /sequencer_service
 

lez/sequencer/service/docker-compose.yml

@@ -1,9 +1,20 @@
 services:
+  # Build-only: shared base image (toolchain + r0vm) referenced as the
+  # `risc0_base` named context below. It has no long-running command, so it
+  # only gets built — it exits immediately if started.
+  risc0_base:
+    image: lez/risc0_base
+    build:
+      context: ../../..
+      dockerfile: lez/docker/risc0-base.Dockerfile
+
   sequencer_service:
     image: lez/sequencer_service
     build:
       context: ../../..
       dockerfile: lez/sequencer/service/Dockerfile
+      additional_contexts:
+        risc0_base: "service:risc0_base"
     container_name: sequencer_service
     ports:
       - "3040:3040"