[Performance] Updating dependencies to support crypto libraries with CGO enabled (#458)

- https://github.com/buildwithgrove/path/actions/runs/18061606609
- See this ticket for the full list of changes: pokt-network/poktroll#1793
- Improving docs, tooling, builds, etc to make this work
- Adding some benchmarks as well

```bash
Shannon SDK Signing Performance Comparison
===========================================

Benchmark                                      Decred     Ethereum    Speedup
---------------------------------------- ------------ ------------ ----------
KeyOperations                                 12.1μs      11.5μs      1.05x
SigningDirect                                  1.83ms       1.02ms      1.80x
CompleteSigningPipeline                        1.97ms     784.1μs      2.51x
```

Author: Olshansk

.dockerignore

@@ -0,0 +1,6 @@
+.git
+**/node_modules
+bin
+*.log
+*.tmp
+**/.cache

.github/workflows/main-build.yml

@@ -10,25 +10,31 @@ on:
       - completed
     branches:
       - main
-  workflow_dispatch: # Added to enable manual trigger via GitHub UI
+  workflow_dispatch: # Manual trigger
 
 jobs:
   build-and-push:
-    runs-on: "ubuntu-22.04"
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout project
         uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
           go-version: "1.24"
 
+      # Needed so release_build_cgo can produce arm64 artifacts on amd64 runner
+      - name: Install cross toolchains for CGO
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y gcc-aarch64-linux-gnu libc6-dev-arm64-cross
+
       - name: Build binaries for multiple architectures
         run: make release_build_cross
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
 
       - name: Docker Metadata action
         id: meta
@@ -45,22 +51,52 @@ jobs:
             type=sha,format=short,suffix=-rc
             type=ref,event=branch,pattern=latest
 
+      - name: Docker Metadata action (cgo)
+        id: meta_cgo
+        uses: docker/metadata-action@v5
+        env:
+          DOCKER_METADATA_PR_HEAD_SHA: "true"
+        with:
+          images: |
+            ghcr.io/buildwithgrove/path
+          tags: |
+            type=semver,pattern={{version}},suffix=-cgo
+            type=semver,pattern={{major}}.{{minor}},suffix=-cgo
+            type=ref,event=tag,suffix=-rc-cgo
+            type=sha,format=short,suffix=-rc-cgo
+            type=ref,event=branch,pattern=latest,suffix=-cgo
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ github.token }}
 
+      # Non-CGO image (multi-arch, Alpine runtime)
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           build-args: IMAGE_TAG=${{ steps.meta.outputs.version }}
-          # Multi-arch support with pre-built binaries
           platforms: linux/amd64,linux/arm64
           file: Dockerfile.release
           cache-from: type=gha
           cache-to: type=gha,mode=max
           context: .
+
+      # CGO image (multi-arch, glibc runtime)
+      - name: Build and push Docker image (cgo)
+        uses: docker/build-push-action@v5
+        with:
+          push: true
+          tags: ${{ steps.meta_cgo.outputs.tags }}
+          build-args: |
+            IMAGE_TAG=${{ steps.meta.outputs.version }}
+            BINARY_SUFFIX=_cgo
+          platforms: linux/amd64,linux/arm64
+          file: Dockerfile.release.glibc
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          context: .

.github/workflows/run-lint-and-test.yml

@@ -43,5 +43,8 @@ jobs:
         run: |
           git config --global url."https://${{ github.token }}:[email protected]/".insteadOf "https://github.com/"
 
-      - name: Run unit tests
+      - name: Run unit tests without CGO
         run: CGO_ENABLED=0 go test ./... -short
+
+      - name: Run unit tests with CGO
+        run: CGO_ENABLED=1 go test -tags "ethereum_secp256k1" ./... -short

.gitignore

@@ -79,3 +79,6 @@ install.log
 # Supplier Report JSON File
 # Generated by ./e2e/scripts/shannon-preliminary-services-test.sh
 supplier_report_*.json
+
+# Benchmark Results
+bench_results

Dockerfile

@@ -1,3 +1,4 @@
+# TODO_TECHDEBT: Consolidate Dockerfile.local and Dockerfile
 # Builder stage
 FROM golang:1.24-alpine3.20 AS builder
 

Dockerfile.local

@@ -0,0 +1,29 @@
+# TODO_TECHDEBT: Consolidate Dockerfile.local and Dockerfile
+ARG GO_VERSION=1.24-alpine
+
+FROM golang:${GO_VERSION} AS builder
+WORKDIR /src
+RUN apk add --no-cache build-base git
+# Default: CGO enabled (musl) for Alpine runtime
+ENV CGO_ENABLED=1 GOOS=linux \
+    CGO_CFLAGS="-Wno-implicit-function-declaration -Wno-error=implicit-function-declaration"
+
+# Better layer caching
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+
+# Build with tags (CGO enabled)
+RUN go build -tags "ethereum_secp256k1" -buildvcs=false -o /out/path ./cmd
+
+# Optional no-CGO build (commented by default)
+# RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -buildvcs=false -o /out/path_nocgo ./cmd
+
+FROM alpine:3.19
+RUN apk add --no-cache ca-certificates tzdata
+WORKDIR /app
+# Default artifact: CGO-enabled
+COPY --from=builder /out/path /app/path
+# Swap to no-CGO by uncommenting this and commenting the line above:
+# COPY --from=builder /out/path_nocgo /app/path
+ENTRYPOINT ["/app/path"]

Dockerfile.release

@@ -1,6 +1,7 @@
-# Multi-architecture Dockerfile that uses pre-built binaries
+# Multi-architecture Dockerfile that uses pre-built binaries.
+
 # This Dockerfile expects binaries to be built beforehand using:
-# make release_build_cross
+# $ make release_build_cross
 
 FROM alpine:3.19 AS final
 
@@ -18,9 +19,14 @@ RUN apk add --no-cache ca-certificates tzdata && \
 ARG IMAGE_TAG
 ENV IMAGE_TAG=${IMAGE_TAG}
 
+# Optional suffix for selecting the CGO-enabled binary variant
+# Empty by default (uses CGO-disabled binary). For CGO builds, pass: _cgo
+# Fore more details, see .github/workflows/main-build.yml
+ARG BINARY_SUFFIX=""
+
 # Determine the architecture and copy the appropriate binary
 ARG TARGETARCH
-COPY release/path-linux-${TARGETARCH} /app/path
+COPY release/path-linux-${TARGETARCH}${BINARY_SUFFIX} /app/path
 
 # Set the binary as executable
 RUN chmod +x /app/path
@@ -29,4 +35,4 @@ RUN chmod +x /app/path
 USER appuser
 
 # Command to run
-CMD ["./path"]
+CMD ["./path"]

Dockerfile.release.glibc

@@ -0,0 +1,17 @@
+# Dockerfile.release.glibc — CGO runtime (glibc)
+# Expects prebuilt CGO binaries at: release/path-linux-${TARGETARCH}_cgo
+
+FROM gcr.io/distroless/cc-debian12 AS final
+WORKDIR /app
+
+ARG IMAGE_TAG
+ENV IMAGE_TAG=${IMAGE_TAG}
+
+# CGO build uses the _cgo suffix
+ARG TARGETARCH
+COPY release/path-linux-${TARGETARCH}_cgo /app/path
+
+# Non-root user (distroless uses 65532 by convention)
+USER 65532:65532
+
+CMD ["/app/path"]

Makefile

@@ -4,14 +4,60 @@
 
 # TODO(@olshansk): Remove "Shannon" and just use "Pocket".
 
-.PHONY: list
-list: ## List all make targets
-	@${MAKE} -pRrn : -f $(MAKEFILE_LIST) 2>/dev/null | awk -v RS= -F: '/^# File/,/^# Finished Make data base/ {if ($$1 !~ "^[#.]") {print $$1}}' | egrep -v -e '^[^[:alnum:]]' -e '^$@$$' | sort
-
 .PHONY: help
 .DEFAULT_GOAL := help
 help: ## Prints all the targets in all the Makefiles
-	@grep -h -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-60s\033[0m %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)$(CYAN)🌐 PATH (Path API & Toolkit Harness) Makefile Targets$(RESET)"
+	@echo ""
+	@echo "$(BOLD)=== 📋 Information & Discovery ===$(RESET)"
+	@grep -h -E '^help:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🔨 Build & Run ===$(RESET)"
+	@grep -h -E '^path_(build|run):.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== ⚙️ Configuration ===$(RESET)"
+	@grep -h -E '^config.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🛠️ Development Environment ===$(RESET)"
+	@grep -h -E '^(path_up|path_down|install_tools.*|localnet_.*):.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🚀 Load Testing ===$(RESET)"
+	@grep -h -E '^load_test.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🧪 Testing ===$(RESET)"
+	@grep -h -E '^(test_unit|test_all|go_lint):.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@grep -h -E '^e2e_test.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== ⚡ Benchmarking ===$(RESET)"
+	@grep -h -E '^bench.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== ✋ Manual Testing ===$(RESET)"
+	@grep -h -E '^(get_disqualified_endpoints|grove_get_disqualified_endpoints|shannon_preliminary_services_test_help|shannon_preliminary_services_test|source_shannon_preliminary_services_helpers):.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🗄️ Portal Database ===$(RESET)"
+	@grep -h -E '^portal_db.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 📦 Protocol Buffers ===$(RESET)"
+	@grep -h -E '^proto.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🚢 Release Management ===$(RESET)"
+	@grep -h -E '^release_.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🔧 Utilities ===$(RESET)"
+	@echo ""
+	@echo "$(BOLD)=== 📚 Documentation ===$(RESET)"
+	@grep -h -E '^(go_docs|docusaurus.*|gen_.*_docs):.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🔍 Request Testing ===$(RESET)"
+	@grep -h -E '^test_(request|healthz|disqualified|load).*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== ⚡ Benchmarking ===$(RESET)"
+	@grep -h -E '^bench_.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
+	@echo "$(BOLD)=== 🤖 AI ===$(RESET)"
+	@grep -h -E '^claudesync.*:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(CYAN)%-40s$(RESET) %s\n", $$1, $$2}'
+	@echo ""
 
 #############################
 #### PATH Build Targets   ###
@@ -60,10 +106,11 @@ include ./makefiles/docs.mk
 include ./makefiles/localnet.mk
 include ./makefiles/portal-db.mk
 include ./makefiles/test.mk
+include ./makefiles/bench.mk
 include ./makefiles/test_requests.mk
 include ./makefiles/test_load.mk
 include ./makefiles/proto.mk
 include ./makefiles/debug.mk
 include ./makefiles/claude.mk
 include ./makefiles/release.mk
-include ./makefiles/helpers.mk
+include ./makefiles/helpers.mk

Tiltfile

@@ -17,17 +17,20 @@ hot_reload_dirs = [
     "./local/observability",
     "./cmd",
     "./config",
+    "./data",
     "./gateway",
     "./health",
+    "./log",
     "./message",
+    "./metrics",
+    "./network",
+    "./observation",
+    "./protocol",
+    "./proto",
     "./qos",
     "./relayer",
     "./request",
     "./router",
-    "./protocol",
-    "./metrics",
-    "./observation",
-    "./proto",
     "./websockets",
 ]
 
@@ -133,50 +136,15 @@ local_resource(
 # 3. WATCH (Workload Analytics and Telemetry for Comprehensive Health): Observability #
 # ----------------------------------------------------------------------------------- #
 
-# TODO_TECHDEBT(@adshmh): use secrets for sensitive data with the following steps:
-# 1. Add place-holder files for sensitive data
-# 2. Add a secret per sensitive data item (e.g. gateway's private key)
-# 3. Load the secrets into environment variables of an init container
-# 4. Use an init container to run the scripts for updating config from environment variables.
-# This can leverage the scripts under `e2e` package to be consistent with the CI workflow.
-
-# Compile the binary inside the container
-local_resource(
-    'path-binary',
-    '''
-    echo "Building Go binary..."
-    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -buildvcs=false -o bin/path ./cmd
-    ''',
-    deps=hot_reload_dirs,
-    ignore=['**/node_modules', '.git'],
-    labels=["hot-reloading"],
-)
-
-# Build a minimal Docker image with just the binary
-docker_build_with_restart(
+# TODO_TECHDEBT: Consolidate Dockerfile.local and Dockerfile
+# Build the PATH image using Dockerfile.local (which handles CGO_ENABLED=1)
+# Include go.mod and go.sum in the build context along with hot_reload_dirs
+build_context_files = hot_reload_dirs + ["./go.mod", "./go.sum", "./Dockerfile.local"]
+docker_build(
     "path-image",
     context=".",
-    dockerfile_contents="""FROM alpine:3.19
-RUN apk add --no-cache ca-certificates tzdata
-WORKDIR /app
-COPY bin/path /app/path
-RUN chmod +x /app/path
-""",
-    only=["bin/path"],
-    entrypoint=["/app/path"],
-    live_update=[
-        sync("bin/path", "/app/path"),
-    ],
-)
-
-# Ensure the binary is built before the image
-local_resource(
-    "path-trigger",
-    "touch bin/path",
-    resource_deps=["path-binary"],
-    auto_init=False,
-    trigger_mode=TRIGGER_MODE_AUTO,
-    labels=["hot-reloading"],
+    dockerfile="Dockerfile.local",
+    only=build_context_files,  # Only rebuild the image when these files/directories change
 )
 
 # Tilt will run the Helm Chart with the following flags by default.