ci: GHA layer cache + refresh stale container bases (#57)#62
Merged
Conversation
sam-at-luther
force-pushed
the
fix/docker-cache-and-base-image-refresh
branch
from
e4aa72c to
bb04c54
Compare
Wire `--cache-from`/`--cache-to type=gha,mode=max` into the shared `build-docker-images` composite action so the 18-job buildx matrix (9 images x 2 arches) reuses unchanged layers across runs. Cache is scoped per `image-arch` to avoid cross-contamination. `crazy-max/ghaction-github-runtime` (SHA-pinned, dependabot-tracked) exports `ACTIONS_CACHE_URL` / `ACTIONS_RUNTIME_TOKEN` so buildx can talk to the GHA cache backend. The Makefile accepts the flags via a `BUILDX_CACHE_FLAGS` variable that stays empty for local builds.
sam-at-luther
force-pushed
the
fix/docker-cache-and-base-image-refresh
branch
2 times, most recently
from
70a4b1a to
f3c7a01
Compare
Bumps the bases flagged in #57 to currently supported upstream tags. All new bases are confirmed multi-arch (linux/amd64 + linux/arm64). - build-js: ubuntu:22.04 -> ubuntu:24.04 (LTS); node:bullseye -> node:bookworm. Bookworm drops the python2 package, so the node-gyp toolchain install switches to python3/python3-dev (node-gyp >=9 targets python3). - build-java, build-swaggercodegen: maven:3.8.5-openjdk-8 -> maven:3.9-eclipse-temurin-17. openjdk:* on Docker Hub is deprecated; Eclipse Temurin is the recommended successor. JDK 17 (LTS) is the conservative bump from 8. - build-java.static: openjdk:19-jdk-alpine3.16 -> eclipse-temurin:17-jre-jammy. The -jre-alpine variant is amd64-only on Temurin 17, so we use the Ubuntu (jammy) base for arm64 support; the apk-based package install becomes apt with explicit upgrade. - build-godynamic AWS stage: python:3.8-alpine3.20 -> python:3.11-alpine, plus AWSCLI_VER 2.25.5 -> 2.34.53. The bump is required because awscli 2.25.5 pinned ruamel.yaml.clib<=0.2.8, whose C extension fails to compile against the libyaml shipped in newer Alpine (signature mismatch with current yaml_parser_set_input). awscli 2.34.53 allows ruamel.yaml.clib<=0.2.15, which builds cleanly. Staying on Python 3.11 (not 3.12) because awscli's make-exe script still imports distutils.dir_util.copy_tree, removed in 3.12 (PEP 632). - build-js.static: replace the historical `luthersystems/nginx-frontend:v0.0.88` hard-pin with `ARG NGINX_FRONTEND_VERSION` (defaults to `latest`, overridable from build-js.mk). Ties the runtime base to a real buildenv release tag instead of a frozen 2022-era SHA. - build-go.static, build-godynamic.static: align stale ARG ALPINE_VERSION defaults from 3.22 to 3.23 (matches common.config.mk). Out of scope: explicit apt-get upgrade on all Debian/Ubuntu bases (applied for the new java-runtime image only; wider rollout deserves its own evaluation per #57). Alpine 3.23 -> next bump. Bumping the Java toolchain from 17 -> 21.
sam-at-luther
force-pushed
the
fix/docker-cache-and-base-image-refresh
branch
from
7e9e109 to
89cd99d
Compare
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--cache-from/--cache-to type=gha,mode=maxto the sharedbuild-docker-imagesaction so the 18-job buildx matrix reuses layers. Cache scoped per image+arch.maven:3.8.5-openjdk-8→maven:3.9-eclipse-temurin-17for build-java + build-swaggercodegen,openjdk:19-jdk-alpine3.16→eclipse-temurin:17-jre-jammyfor the Java runtime (jammy not alpine — Temurin's17-jre-alpineis amd64-only and would break arm64),python:3.8-alpine3.20→python:3.12-alpinefor the build-godynamic AWS builder stage.luthersystems/nginx-frontend:v0.0.88hard-pin inDockerfile.build-js.staticwith anARG NGINX_FRONTEND_VERSIONdefaulting tolatest, overridable viabuild-js.mk.ARG ALPINE_VERSION=3.22defaults to3.23in the two.staticDockerfiles to matchcommon.config.mk.Multi-arch (amd64 + arm64) confirmed on every new base tag before commit.
Test plan
importing cache manifest from gha)publish.ymlpushes the refreshed images to Docker Hub successfullybuild-go-alpine,service-base-alpine,build-js,build-java,build-java.static,build-godynamicbefore vs afterOut of scope (#57 leftovers)
apt-get upgradeon Debian/Ubuntu bases (the reproducibility-vs-CVE tradeoff Address remaining container base-image debt after Alpine CVE refresh #57 calls out) — applied for the new java-runtime image only; deserves a wider design pass.Review notes
Related