Replaces CircleCI DLC with BuildKit registry cache (enduire/happo-docs:buildcache, mode=max) so layer reuse works across cold runners. Both the test and publish jobs now authenticate to Docker Hub, use --cache-from/--cache-to, and set docker_layer_caching: false. The test job also gets the docker context so DOCKERHUB_USERNAME/DOCKERHUB_PASS are available on every branch build. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Updates CircleCI Docker build strategy to use BuildKit’s registry-backed cache and adds image attestations on release builds, aiming to speed up builds across cold runners and improve supply-chain metadata.
Changes:
- Switches Docker layer reuse from CircleCI DLC to BuildKit registry cache (`--cache-from`/`--cache-to`, `mode=max`) for both test and publish jobs.
- Updates `publish-docker` to use `docker buildx build` with SBOM and provenance attestations.
- Adds Docker Hub auth and a `docker` context to ensure cache access, and adds `--pull` to builds.
| - test_docker_image: | ||
| context: docker |
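Review bot: Giving `test_docker_image` the `docker` context injects DOCKERHUB_USERNAME/DOCKERHUB_PASS into every branch build, which is a wider secret exposure than the cache needs. Reading a public cache ref with `--cache-from` requires no login, so drop the context and the Hub login step from the test job and leave `--cache-to` (the only operation that needs push credentials) to the release job, whose context is already restricted to tag builds.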
Good catch. Fixed in ddcc420 — removed the docker context from test_docker_image in run_all, dropped the Hub login step, and removed --cache-to from that job. Branch builds now only read from the public cache ref (no credentials needed for a public Docker Hub repo). Cache writes stay scoped to the release job only, which already had the context restricted to tag builds.
| --progress=plain \ | ||
| --pull \ | ||
| --cache-from "type=registry,ref=${CACHE_REF}" \ |
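Review bot: `--pull` on this line does not give a reproducible base image; it re-resolves whatever the tag currently points to, so two builds of the same commit can pick up different bases and the `--cache-from` layers above it are more likely to miss. If the goal is consistency, pin the `FROM` reference to a digest in the Dockerfile and drop `--pull` here and in the test job.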
Fair point — the framing in the PR description was wrong. --pull ensures the latest tag, not a reproducible build. Removed --pull from both jobs in ddcc420. If we want actual reproducibility in the future, the right move is pinning the base image to a digest in the Dockerfile.
Remove docker context and Hub credentials from test_docker_image: branch builds now only read from the public cache ref (no --cache-to), so Docker Hub secrets are never exposed outside release builds. Remove --pull from both jobs: without a digest-pinned base image in the Dockerfile, --pull fetches whatever is latest for the tag and reduces cross-build consistency rather than improving it. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Summary
- (…`enduire/happo-docs:buildcache`, `mode=max`) so layers are reused across cold runners without paying for DLC
- `test_docker_image` and `publish-docker` jobs now authenticate to Docker Hub and use `--cache-from`/`--cache-to` with the same cache ref; `docker_layer_caching: false` on both
- `test_docker_image` gains the `docker` context so `DOCKERHUB_USERNAME`/`DOCKERHUB_PASS` are injected on every branch build (previously only the release job had credentials)
- `publish-docker` upgraded to `docker buildx build` with SBOM and provenance attestations (`--attest type=sbom`, `--attest type=provenance,mode=max`)
- `--pull` to both builds for reproducible base images

Test plan
- `--cache-from` will warn that `:buildcache` doesn't exist yet and proceed cold; `--cache-to` seeds the tag at the end of that run
- …`pnpm install` and `pnpm build` layers
- `publish-docker` pushes the versioned image and updates `:buildcache`; verify SBOM/provenance attestations are present via `docker buildx imagetools inspect enduire/happo-docs:<tag>`

🤖 Generated with Claude Code
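The thread settles on three rules: branch builds read the public cache ref without Docker Hub credentials; only the release job logs in, writes `--cache-to` and attaches attestations; and base-image consistency comes from digest-pinned `FROM` lines rather than `--pull`. The script below is an added example written for this page, not the happo-docs project's CI config. The cache ref, image name, `DOCKERHUB_*` variables and build flags follow the PR; the function names, the `ci` builder name, the `:test` tag and the `check_from_pinned` Dockerfile lint are this example's own assumptions. Only the lint runs without Docker.

```shell
#!/usr/bin/env sh
# Added example for this PR thread, not the happo-docs project's own CI script.
# Assumed: CACHE_REF/IMAGE follow the PR; function names, the "ci" builder
# name, the ":test" tag and the lint helper are this example's conventions.
set -eu

CACHE_REF="${CACHE_REF:-enduire/happo-docs:buildcache}"
IMAGE="${IMAGE:-enduire/happo-docs}"

# Registry cache export needs a docker-container builder (the default docker
# driver cannot export type=registry cache); idempotent across reruns.
setup_builder() {
  docker buildx inspect ci >/dev/null 2>&1 ||
    docker buildx create --name ci --driver docker-container --use
  docker buildx use ci
}

# Branch builds (test_docker_image): read-only cache from the public ref.
# No --cache-to and no docker login, so Hub secrets never reach branch builds.
build_branch() {
  setup_builder
  docker buildx build --progress=plain \
    --cache-from "type=registry,ref=${CACHE_REF}" \
    --load -t "${IMAGE}:test" .
}

# Release builds (publish-docker, tag-filtered): log in, read and write the
# cache, attach SBOM + provenance attestations, push the versioned image.
build_release() {
  tag="$1"
  setup_builder
  printf '%s' "$DOCKERHUB_PASS" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
  docker buildx build --progress=plain \
    --cache-from "type=registry,ref=${CACHE_REF}" \
    --cache-to "type=registry,ref=${CACHE_REF},mode=max" \
    --attest type=sbom \
    --attest type=provenance,mode=max \
    --push -t "${IMAGE}:${tag}" .
}

# Test-plan step: print the SBOM and provenance attached to a pushed tag.
verify_attestations() {
  docker buildx imagetools inspect "${IMAGE}:$1" \
    --format '{{ json .SBOM }}{{ "\n" }}{{ json .Provenance }}'
}

# Reproducibility check from the review: --pull only refetches whatever the
# tag points to today; a stable base means every FROM is pinned to a digest.
# Returns 0 when all FROM lines are digest-pinned, scratch, or earlier build
# stages (FROM x AS name); returns 1 and lists offenders on stderr otherwise.
check_from_pinned() {
  awk '
    BEGIN { bad = 0 }
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++           # skip --platform=... flags
      ref = $i
      for (j = i + 1; j <= NF; j++)
        if (toupper($j) == "AS") stages[$(j + 1)] = 1
      if (ref == "scratch" || (ref in stages) || ref ~ /@sha256:[0-9a-f]+$/) next
      print "unpinned base image: " $0 > "/dev/stderr"
      bad = 1
    }
    END { exit bad }
  ' "$1"
}

case "${1:-}" in
  lint)    check_from_pinned "${2:-Dockerfile}" ;;
  branch)  build_branch ;;
  release) build_release "$2" && verify_attestations "$2" ;;
esac
```

Run `sh ci-build.sh lint Dockerfile` on any branch, `branch` in the test job and `release <tag>` in the tag-filtered job. `--cache-to type=registry` is refused by the default docker driver unless the containerd image store is enabled, which is why `setup_builder` creates a docker-container builder first; `--attest` needs a BuildKit recent enough to emit SBOM and provenance, so check `docker buildx version` on the CircleCI machine image before relying on the inspect step.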