From d0312f3adf72729f8c98b7155b2026607dcd2eca Mon Sep 17 00:00:00 2001 From: Rhodri Morgan Date: Sat, 7 Mar 2026 19:59:56 +0000 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=A7=20fix(build):=20use=20commit?= =?UTF-8?q?=20SHA=20for=20image=20tag=20instead=20of=20git=20ref?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Remove the image-tag input and always derive the tag from GITHUB_SHA, using the first 6 characters. This ensures consistent, unique tagging based on the exact commit being built, rather than relying on git refs which may not always be present or consistent across workflows. Co-Authored-By: Claude --- build/action.yml | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/build/action.yml b/build/action.yml index 425f055..933f9f0 100644 --- a/build/action.yml +++ b/build/action.yml @@ -30,14 +30,9 @@ inputs: description: "Newline-separated list of Docker build secrets (id=value)" required: false default: "" - image-tag: - description: "Image tag override (defaults to tag from git ref)" - required: false - default: "" - outputs: image-tag: - description: "Resolved image tag" + description: "Resolved image tag (first 6 chars of commit SHA)" value: ${{ steps.resolve-tag.outputs.image-tag }} runs: @@ -47,12 +42,7 @@ runs: id: resolve-tag shell: bash run: | - if [[ -n "${{ inputs.image-tag }}" ]]; then - IMAGE_TAG="${{ inputs.image-tag }}" - else - TAG_NAME=${GITHUB_REF##*/} - IMAGE_TAG=$(echo $TAG_NAME | sed 's/^v//') - fi + IMAGE_TAG="${GITHUB_SHA:0:6}" echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV echo "image-tag=$IMAGE_TAG" >> $GITHUB_OUTPUT From c0eff9100cdb974b5c83977cad3212d7a643539a Mon Sep 17 00:00:00 2001 
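Review bot: Dropping the `image-tag` input changes the action's contract for callers that still pass it: as far as I recall a composite action only warns on an unknown `with:` key, so a workflow that used to publish `1.2.3` from a release tag would now push a SHA prefix without failing. The new output description is the only place the contract is stated, so it should say what the tag is not, e.g. `description: "Resolved image tag: first 6 hex chars of GITHUB_SHA (not a release version; registry tags are mutable, pin deployments by digest)"`. The override path is gone from both sides of the hunk, so callers should be grepped for `image-tag:` before this lands.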
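Review bot: `IMAGE_TAG="${GITHUB_SHA:0:6}"` keeps only 24 bits of the commit hash, so two distinct commits in the same repository can produce the same tag and, because registry tags are mutable, the later push silently replaces the earlier image; git's own short form starts at 7 characters and grows as needed, so 12 is a safer floor for a tag that doubles as a deploy identifier. The step also has no guard for an empty variable: if `GITHUB_SHA` were ever unset the step would export an empty tag and the downstream reference would be `repo:`. Two lines cover both: `[[ "$GITHUB_SHA" =~ ^[0-9a-f]{40,64}$ ]] || { echo "::error::GITHUB_SHA missing or malformed" >&2; exit 1; }` followed by `IMAGE_TAG="${GITHUB_SHA:0:12}"`. Whatever length is chosen, the output remains a mutable pointer; consumers that need an immutable reference should pin the pushed image digest, which this step does not emit (the build step is outside this hunk). Note also that on `pull_request` events `GITHUB_SHA` is the synthetic merge commit rather than the PR head, so the tag will not match a head commit the caller may have checked out.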
From: Rhodri Morgan Date: Sat, 7 Mar 2026 21:06:35 +0000 Subject: [PATCH 2/2] =?UTF-8?q?=E2=9C=A8=20feat(build):=20add=20push-cache?= =?UTF-8?q?=20input=20to=20control=20cache=20writes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a push-cache input (default false) so cache is only written to the registry when explicitly enabled. Document in README that push-cache should only be enabled for images intended to be pushed to ECR. Co-Authored-By: Claude --- README.md | 1 + build/action.yml | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8203807..a99dad9 100644 --- a/README.md +++ b/README.md @@ -59,3 +59,4 @@ Before setting up build workflows, note the following: - If your project needs different images for dev and prod (e.g. statically replaced variables, build-time validation that requires environment-specific values), use a [matrix strategy](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow) so dev and prod builds run in parallel. - If you have a **monorepo**, use separate jobs per image so they build concurrently on tag push. - **Validate your Dockerfile layer caching.** Check each layer for cache-busting pitfalls: changing commit SHAs baked into build args, rotating secrets passed as build args instead of `--mount=type=secret`, non-deterministic package installs (missing lockfiles), timestamps in generated files, and `COPY . .` placed before dependency installation layers. +- **Only enable `push-cache` for images you intend to push to ECR.** The build action reads from the registry cache by default, but only writes back to it when `push-cache: "true"` is set. Enable this on builds that will be pushed so the cache stays up to date; leave it off for local-only or throwaway builds to avoid polluting the cache. diff --git a/build/action.yml b/build/action.yml index 933f9f0..e164c6d 100644 
--- a/build/action.yml +++ b/build/action.yml @@ -30,6 +30,10 @@ inputs: description: "Newline-separated list of Docker build secrets (id=value)" required: false default: "" + push-cache: + description: "Push layer cache to registry (set to 'true' to enable)" + required: false + default: "false" outputs: image-tag: description: "Resolved image tag (first 6 chars of commit SHA)" @@ -75,4 +79,4 @@ runs: build-args: ${{ inputs.build-args }} secrets: ${{ inputs.secrets }} cache-from: type=registry,ref=${{ env.IMAGE_REGISTRY }}/${{ inputs.image-repo }}:cache - cache-to: type=registry,ref=${{ env.IMAGE_REGISTRY }}/${{ inputs.image-repo }}:cache,mode=max + cache-to: ${{ inputs.push-cache == 'true' && format('type=registry,ref={0}/{1}:cache,mode=max', env.IMAGE_REGISTRY, inputs.image-repo) || '' }}
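Review bot: The `push-cache` description says "set to 'true' to enable" but does not say that the gate further down is an exact string comparison (`inputs.push-cache == 'true'`), so `True`, `yes` or `1` are silently treated as off; failing closed is the right default for a cache write, but the contract should be explicit. Suggest `description: "Push layer cache to registry. Only the exact string 'true' enables it; any other value is treated as false (fail-closed)."`. A YAML boolean `true` in a caller's `with:` is, as far as I know, stringified to `true` before the expression is evaluated, so that form still works, but it is worth confirming rather than relying on it.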
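Review bot: Gating `cache-to` on `push-cache` controls who writes the `:cache` tag, but `cache-from` on the line above stays unconditional, so every build still trusts whatever layers the registry currently holds under that tag; anyone with push access to `image-repo` (including a misconfigured PR job that sets `push-cache: "true"`) can poison layers that later release builds consume. `mode=max` also exports every intermediate stage, so values passed through `build-args` (visible in this hunk) can end up in the registry cache as well as in the final image; that is worth checking against the Dockerfile. Consider documenting both at the cache lines, e.g. `# cache-from is always trusted: restrict push on this repo to the CI identity that writes the cache` and `# mode=max exports intermediate stages; never pass secrets via build-args (use the secrets input)`, and gate `push-cache` on a trusted event such as a tag push rather than leaving it entirely to callers. Whether an empty `cache-to` string is accepted by the build step is not visible here; the `uses:` line is outside the hunk, and although the build-push-action input is a list where an empty entry is probably dropped, confirm it does not fail the step.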