From 9efb6092624cfbb419282b91133a386202561fb0 Mon Sep 17 00:00:00 2001
From: Joe Lencioni
Date: Mon, 11 May 2026 12:11:22 +0200
Subject: [PATCH 1/2] CI: add BuildKit registry cache for Docker builds

Replaces CircleCI DLC with BuildKit registry cache (enduire/happo-docs:buildcache, mode=max) so layer reuse works across cold runners. Both the test and publish jobs now authenticate to Docker Hub, use --cache-from/--cache-to, and set docker_layer_caching: false. The test job also gets the docker context so DOCKERHUB_USERNAME/DOCKERHUB_PASS are available on every branch build.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 .circleci/config.yml | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index a71dbca..77faf74 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -6,18 +6,27 @@ jobs:
       - image: cimg/base:current
     environment:
-      DOCKER_BUILDKIT: 1
+      CACHE_REF: enduire/happo-docs:buildcache
     steps:
       - checkout
       - setup_remote_docker:
-          docker_layer_caching: true
+          docker_layer_caching: false
+
+      - run:
+          name: Log in to Docker Hub
+          command: echo "$DOCKERHUB_PASS" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
       - run:
           name: Build Docker image
           command: |
-            docker build \
+            docker buildx create --use --name happo-builder --driver docker-container
+            docker buildx build \
               --progress=plain \
+              --pull \
+              --cache-from "type=registry,ref=${CACHE_REF}" \
+              --cache-to "type=registry,ref=${CACHE_REF},mode=max" \
+              --load \
               --tag happo-test-docs \
               -f Dockerfile .
@@ -115,10 +124,14 @@ jobs:
   publish-docker:
     docker:
       - image: cimg/base:current
+
+    environment:
+      CACHE_REF: enduire/happo-docs:buildcache
+
     steps:
       - checkout
       - setup_remote_docker:
-          docker_layer_caching: true
+          docker_layer_caching: false
       - run:
           name: Publish Docker image
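Review bot: `--cache-to "type=registry,ref=${CACHE_REF},mode=max"` exports every layer of every build stage, not only the final image, to a ref that is read back without credentials, so the cache contents are effectively public; the same flag is added to the publish job in the hunk at @@ -128,6. The Dockerfile is not on this page, so this is conditional: if any stage materialises a token through `ARG`, `ENV` or `COPY`, that layer is now published next to the image. Build-time credentials should instead go through `--secret id=<name>,env=<VAR>` with a matching `RUN --mount=type=secret` in the Dockerfile, which keeps them out of exported layers, and the constraint should be recorded above the flag, e.g. `# mode=max exports all intermediate layers to a readable ref: never bake secrets into any stage`. The enclosing test_docker_image job starts before this hunk.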
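Review bot: `CACHE_REF: enduire/happo-docs:buildcache` is now declared separately in publish-docker and in test_docker_image (hunk @@ -6,18); if one copy is edited without the other, the test job silently stops hitting the cache the release job writes and nothing in the logs says so. Since both jobs read the value from the job-level `environment` mapping, a single anchor keeps them in step: `environment: &cache_env` on the first definition and `environment: *cache_env` on this one. The publish-docker job continues past the end of this hunk.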
@@ -128,6 +141,9 @@ jobs:
             docker buildx create --use --name happo-builder --driver docker-container
             docker buildx build \
               --progress=plain \
+              --pull \
+              --cache-from "type=registry,ref=${CACHE_REF}" \
+              --cache-to "type=registry,ref=${CACHE_REF},mode=max" \
               -t enduire/happo-docs:$IMAGE_TAG \
               --attest type=sbom \
               --attest type=provenance,mode=max \
@@ -137,7 +153,8 @@ workflows:
   version: 2.1
   run_all:
     jobs:
-      - test_docker_image
+      - test_docker_image:
+          context: docker
   release:
     jobs:
       - publish-docker:

From ddcc4203b2254a71c2af7ccbba9ba332889a7fef Mon Sep 17 00:00:00 2001
From: Joe Lencioni
Date: Mon, 11 May 2026 13:46:06 +0200
Subject: [PATCH 2/2] CI: address PR review feedback on registry cache security and --pull

Remove docker context and Hub credentials from test_docker_image: branch builds now only read from the public cache ref (no --cache-to), so Docker Hub secrets are never exposed outside release builds.

Remove --pull from both jobs: without a digest-pinned base image in the Dockerfile, --pull fetches whatever is latest for the tag and reduces cross-build consistency rather than improving it.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 .circleci/config.yml | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 77faf74..37feb15 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -13,19 +13,13 @@ jobs:
       - setup_remote_docker:
           docker_layer_caching: false
 
-      - run:
-          name: Log in to Docker Hub
-          command: echo "$DOCKERHUB_PASS" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
-
       - run:
           name: Build Docker image
           command: |
             docker buildx create --use --name happo-builder --driver docker-container
             docker buildx build \
               --progress=plain \
-              --pull \
               --cache-from "type=registry,ref=${CACHE_REF}" \
-              --cache-to "type=registry,ref=${CACHE_REF},mode=max" \
               --load \
               --tag happo-test-docs \
               -f Dockerfile .
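Review bot: The branch build now imports layers from `--cache-from "type=registry,ref=${CACHE_REF}"` with no login step, which makes the cache ref the same trust boundary as the release image: whoever can push to enduire/happo-docs decides which cached layers every branch test build starts from, so the read-only role of this job deserves a comment next to the flag, e.g. `# Read-only cache: branch builds pull the public ref unauthenticated; only publish-docker writes it`. Two operational caveats are not visible from the config and should be confirmed: the unauthenticated pull is presumably subject to Docker Hub's anonymous rate limits, and as far as I know BuildKit reports a missing or unreachable cache import as a warning rather than a failure, so a run that silently got no cache still passes and a slow build should not be mistaken for a regression. The enclosing test_docker_image job starts before this hunk.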
@@ -141,7 +135,6 @@ jobs:
             docker buildx create --use --name happo-builder --driver docker-container
             docker buildx build \
               --progress=plain \
-              --pull \
               --cache-from "type=registry,ref=${CACHE_REF}" \
               --cache-to "type=registry,ref=${CACHE_REF},mode=max" \
               -t enduire/happo-docs:$IMAGE_TAG \
@@ -153,8 +146,7 @@ workflows:
   version: 2.1
   run_all:
     jobs:
-      - test_docker_image:
-          context: docker
+      - test_docker_image
   release:
     jobs:
       - publish-docker:
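Review bot: Dropping `--pull` does not by itself deliver the cross-build consistency the commit message describes: the builder is created fresh by `docker buildx create` on the line above, so as far as I can tell it holds no local base image and still resolves the Dockerfile's `FROM` tag from the registry at build time, just without forcing a re-check. Consistency comes from pinning the base by digest in the Dockerfile (`FROM <image>:<tag>@sha256:<digest>`, not on this page), after which `--pull` is harmless either way; with a floating tag, layers imported via `--cache-from` may have been built from a different base than a fresh resolve returns, and the build log will not show that. Since this job already emits `--attest type=provenance,mode=max`, the resolved base digest should appear in the provenance attestation, which is worth noting in a comment so reviewers know where to verify it. The same removal appears in the test job hunk at @@ -13,19, and the enclosing run step begins before this hunk.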