solana: Deterministic builds via Docker (wormhole-foundation#646)

This PR was initially based on wormhole-foundation#403. However, due to reasons mentioned in [this comment](wormhole-foundation#646 (comment)), the Dockerfile changes were reverted.

tl;dr: 
This PR adds:
* Add `artifacts-mainnet`, `artifacts-solana-devnet`, and `artifacts-tilt-devnet` Makefile target to generate verifiable build artifacts using `solana-verify build`
* Remove `prod-build` Makefile target

Author: nvsriram

Tiltfile

@@ -44,7 +44,7 @@ docker_build(
     only=["./sdk", "./package.json", "./package-lock.json", "jest.config.ts", "tsconfig.json", "tsconfig.esm.json", "tsconfig.cjs.json", "tsconfig.test.json"],
     dockerfile = "./sdk/Dockerfile",
 )
-k8s_yaml_with_ns("./sdk/ci.yaml") 
+k8s_yaml_with_ns("./sdk/ci.yaml")
 k8s_resource(
     "ntt-ci-tests",
     labels = ["ntt"],

solana/.gitignore

@@ -2,4 +2,5 @@
 **/*.rs.bk
 node_modules
 test-ledger
-dist
+dist
+artifacts-*

solana/Dockerfile

@@ -33,7 +33,7 @@ RUN cp ./target/sbf-solana-solana/release/example_native_token_transfers.so /opt
 COPY solana/tilt /opt/solana/deps
 
 COPY sdk ../sdk
-COPY solana/ts ts 
+COPY solana/ts ts
 COPY solana/package.json package.json
 COPY solana/tsconfig.esm.json tsconfig.esm.json
 COPY solana/tsconfig.cjs.json tsconfig.cjs.json
@@ -50,7 +50,7 @@ COPY --from=builder /usr/src/solana/ts /usr/src/solana/ts
 COPY --from=builder /usr/src/solana/package.json /usr/src/solana/package.json
 COPY --from=builder /usr/src/solana/tsconfig.esm.json /usr/src/solana/tsconfig.esm.json
 COPY --from=builder /usr/src/solana/tsconfig.cjs.json /usr/src/solana/tsconfig.cjs.json
-COPY --from=builder /usr/src/solana/target/idl  /usr/src/solana/target/idl 
+COPY --from=builder /usr/src/solana/target/idl  /usr/src/solana/target/idl
 COPY --from=builder /usr/src/solana/target/types /usr/src/solana/target/types
 
 FROM node:lts-alpine@sha256:41e4389f3d988d2ed55392df4db1420ad048ae53324a8e2b7c6d19508288107e AS governance

solana/Makefile

@@ -1,5 +1,5 @@
 .DEFAULT_GOAL = build
-.PHONY: build cargo-build anchor-build prod-build test cargo-test anchor-test idl sdk clean node_modules lint cargo-lint anchor-lint fix-lint
+.PHONY: build cargo-build anchor-build artifacts-mainnet artifacts-solana-devnet artifacts-tilt-devnet _artifacts test cargo-test anchor-test idl sdk clean node_modules lint cargo-lint anchor-lint fix-lint
 
 # Find and convert version line:
 #  Turn `const VERSION: &str = "major.minor.patch";` into `major_minor_patch`
@@ -27,8 +27,17 @@ anchor-build:
 	  ./scripts/patch-idl $$jsonfile; \
 	done
 
-prod-build:
-	anchor build --verifiable
+artifacts-mainnet: 
+	$(MAKE) _artifacts TARGET_DIR=$@ NETWORK=mainnet
+
+artifacts-solana-devnet:
+	$(MAKE) _artifacts TARGET_DIR=$@ NETWORK=solana-devnet
+
+artifacts-tilt-devnet:
+	$(MAKE) _artifacts TARGET_DIR=$@ NETWORK=tilt-devnet
+
+_artifacts:
+	solana-verify build -- --no-default-features --features $(NETWORK) --target-dir $(TARGET_DIR)
 
 idl: anchor-build
 	@echo "IDL Version: $(VERSION)"
@@ -86,4 +95,4 @@ anchor-lint:
 	bash scripts/anchor-lint.sh
 
 fix-lint:
-	cargo fmt --all --manifest-path Cargo.toml
+	cargo fmt --all --manifest-path Cargo.toml

solana/README.md

@@ -144,6 +144,25 @@ Run the following command to install necessary dependencies and to build the pro
 make build
 ```
 
+#### Verifiable Builds
+
+For building verifiably, make sure [`solana-verify`](https://crates.io/crates/solana-verify) is installed and Docker is installed and running.
+
+Run the following command to build the program binaries deterministically for `mainnet`:
+
+```sh
+make artifacts-mainnet
+```
+
+> This will produce the generated artifacts in the `artifacts-mainnet` directory.
+
+For Solana devnet builds, or local testing builds, use the following commands:
+
+```sh
+make artifacts-solana-devnet
+make artifacts-tilt-devnet
+```
+
 ### Test
 
 Run the following command to generate the IDL and run the full Solana test-suite: