feat(ci): build-once-promote pattern to eliminate double Docker build #7770

Merged
h0lybyte merged 1 commit into dev from trunk/axum-build-perf-1772937526
Mar 8, 2026

@h0lybyte h0lybyte commented Mar 8, 2026

Summary

  • Eliminate double Docker build — the pipeline was building the same Docker image twice (~43 min test + ~40 min publish = ~83 min wasted). Now the test job pushes to ghcr.io/<image>:ci-<sha> after e2e passes, and the publish job pulls + retags instead of rebuilding.
  • Skip Playwright in Docker build — add PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 to Dockerfile astro-builder stage. Playwright was downloading ~600MB of browsers that are never used inside the build, and frequently timing out.
  • Fully backward-compatible — if no CI image exists (e.g. for apps that don't pass image), the publish job falls back to full build.

Changes

| File | What |
| --- | --- |
| docker-test-app.yml | New image input, packages: write, push CI image after e2e |
| utils-publish-docker-image.yml | Promote step pulls CI image, gates build steps on promote.found |
| ci-main.yml | Add image to e2e matrix, pass to test workflow, elevate permissions |
| apps/kbve/axum-kbve/Dockerfile | PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 |

Expected impact

  • ~1h 45min → ~1h 05min (publish drops from ~44 min to ~2 min)
  • Playwright skip saves additional ~3-5 min on the test build

Test plan

  • CI test job pushes ghcr.io/kbve/kbve:ci-<sha> after e2e passes
  • Publish job logs "Promoted" instead of running full Nx build
  • Final images on DockerHub + GHCR have correct version tags
  • Playwright download no longer appears in Docker build logs
  • Other Docker apps (discordsh, cryptothrone, etc.) still work with new matrix

The CI pipeline was building the Docker image twice — once for e2e
testing (~43 min) and again for publishing (~40 min) on separate
runners with no shared cache.

Now the test job pushes the built image to GHCR as a ci-<sha> tag
after e2e passes. The publish job pulls and retags it instead of
rebuilding. Falls back to full build if no CI image found.

Also skip Playwright browser download in Dockerfile (unused, ~600MB).
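
The promote-or-fall-back step described in this pull request, sketched as an added shell example. It is not the repository's workflow code; the function names, the `DOCKER` override and the sample refs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the repository's workflow code. Function names, the
# DOCKER override and the sample refs are assumptions made for illustration.

DOCKER="${DOCKER:-docker}"   # overridable so the logic can run without a daemon

# ci_ref <image> <sha>: build ghcr.io/<image>:ci-<sha>, rejecting a sha that
# is not plain lowercase hex so nothing unexpected ends up inside the tag.
ci_ref() {
    case "$2" in
        ''|*[!0-9a-f]*) echo "invalid sha: $2" >&2; return 2 ;;
    esac
    echo "ghcr.io/$1:ci-$2"
}

# promote <ci_ref> <target>...: pull the image that passed e2e and push it
# under each target tag. Prints found=true or found=false on stdout (the
# value later build steps would be gated on); returns 2 on a hard failure.
promote() {
    src="$1"; shift
    if ! "$DOCKER" pull "$src" >&2; then
        echo "found=false"      # no CI image: the caller falls back to a full build
        return 0
    fi
    # Log the registry digest so published tags can be traced to the tested image.
    digest=$("$DOCKER" image inspect --format '{{index .RepoDigests 0}}' "$src") || return 2
    for target in "$@"; do
        "$DOCKER" tag "$src" "$target" >&2 || return 2
        "$DOCKER" push "$target" >&2 || return 2
        echo "Promoted $src ($digest) -> $target" >&2
    done
    echo "found=true"
}

# Stand-alone use: sh promote.sh <image> <sha> <target>...
if [ "$#" -ge 3 ]; then
    image="$1"; sha="$2"; shift 2
    src=$(ci_ref "$image" "$sha") || exit 2
    promote "$src" "$@"
fi
```

In a GitHub Actions step the stdout line would be appended to `$GITHUB_OUTPUT` so that the build steps can be skipped when it reads `found=true`.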
github-actions bot commented Mar 8, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@h0lybyte h0lybyte merged commit ada1b23 into dev Mar 8, 2026
5 checks passed
@h0lybyte h0lybyte deleted the trunk/axum-build-perf-1772937526 branch March 8, 2026 03:43