From dba05da7d12c532e78c79e5d41dbebc383d1b189 Mon Sep 17 00:00:00 2001
From: Joakim Persson <joakim.persson@icloud.com>
Date: Thu, 14 May 2026 20:53:19 +0200
Subject: [PATCH] validate.yml: use Hub base-latest as variant parent + warn on
 base-input changes

The previous two-step approach (build Dockerfile.base \ then
Dockerfile.variant FROM the local image) doesn't work: each
docker/build-push-action@v7 invocation runs in its own buildx
container context, and an image loaded into the host docker daemon
by step N is not visible to step N+1's buildx invocation.

Variant builds in validate.yml now FROM joakimp/opencode-devbox:base-latest
on Docker Hub, matching the production smokes' parent. Trade-off:
PRs/pushes that change Dockerfile.base, rootfs/, or entrypoint*.sh
are not exercised here \u2014 only release tags rebuild the base via
docker-publish-split.yml.

The new base-change-warning job surfaces a runtime warning when a
commit modifies any base-image input, telling the author to run a
workflow_dispatch test if they want full validation before merging.
---
 .gitea/workflows/validate.yml | 91 ++++++++++++++++++-----------------
 1 file changed, 47 insertions(+), 44 deletions(-)

diff --git a/.gitea/workflows/validate.yml b/.gitea/workflows/validate.yml
index 69d2c90..3666da2 100644
--- a/.gitea/workflows/validate.yml
+++ b/.gitea/workflows/validate.yml
@@ -4,6 +4,22 @@ name: Validate
 # runs the smoke test, and checks image size — without pushing anything
 # to Docker Hub. Tag pushes are handled by docker-publish-split.yml which
 # does the full multi-arch split-base build-and-push.
+#
+# Trade-off: variant builds here use the published `base-latest` image
+# from Docker Hub as their parent, NOT a locally-built base. This is
+# because `docker/build-push-action@v7` runs each invocation in its own
+# buildx container context, so an image loaded into the host docker
+# daemon by step N is not visible to step N+1's buildx invocation.
+# Building base + variant in the same job would require either pushing
+# the base to a registry or sharing a buildx instance across steps — both
+# significantly more complex than just using the published base.
+#
+# Consequence: PRs/pushes that change Dockerfile.base, rootfs/, or
+# entrypoint*.sh are NOT exercised by this workflow. The release path
+# (docker-publish-split.yml on tag push) does build the new base, so
+# release tags are the gate that fully validates base-image changes.
+# The base-change-warning job below surfaces a runtime warning when this
+# blind-spot applies.
 
 on:
   push:
@@ -34,6 +50,33 @@ jobs:
         run: |
           python3 scripts/generate-dockerhub-md.py --check
 
+  base-change-warning:
+    # Surfaces a warning when this commit changes base-image inputs
+    # (Dockerfile.base, rootfs/, entrypoint*.sh). validate.yml uses
+    # Hub's base-latest as the parent for variant builds, so changes to
+    # those files are NOT exercised here — only release tags rebuild the
+    # base via docker-publish-split.yml.
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Detect base-input changes
+        run: |
+          set -e
+          if ! git diff --name-only HEAD~1 HEAD 2>/dev/null \
+              | grep -qE '^(Dockerfile\.base|rootfs/|entrypoint.*\.sh)$'; then
+            echo "No base-image inputs changed in this commit — validate.yml fully exercises the published base-latest."
+            exit 0
+          fi
+          echo "::warning::This commit changes base-image inputs (Dockerfile.base, rootfs/, or entrypoint*.sh). validate.yml uses Hub's base-latest as the parent for variant builds, so the new base is NOT exercised by this workflow. Cut a release tag, or run a workflow_dispatch of docker-publish-split.yml against a test tag (e.g. v0.0.0-base-test, promote_latest=false) for end-to-end validation of the new base."
+          echo "Changed base-input files:"
+          git diff --name-only HEAD~1 HEAD | grep -E '^(Dockerfile\.base|rootfs/|entrypoint.*\.sh)$'
+
   validate-base:
     runs-on: ubuntu-latest
     container:
@@ -79,16 +122,6 @@ jobs:
         with:
           driver-opts: network=host
 
-      - name: Build base layer (amd64, load to local daemon)
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          file: Dockerfile.base
-          platforms: linux/amd64
-          push: false
-          load: true
-          tags: opencode-devbox:validate-base
-
       - name: Build base image (amd64, load to local daemon)
         uses: docker/build-push-action@v7
         with:
@@ -98,7 +131,7 @@ jobs:
           push: false
           load: true
           build-args: |
-            BASE_IMAGE=opencode-devbox:validate-base
+            BASE_IMAGE=joakimp/opencode-devbox:base-latest
           tags: opencode-devbox:ci-base
 
       - name: Smoke test
@@ -146,16 +179,6 @@ jobs:
         with:
           driver-opts: network=host
 
-      - name: Build base layer (amd64, load to local daemon)
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          file: Dockerfile.base
-          platforms: linux/amd64
-          push: false
-          load: true
-          tags: opencode-devbox:validate-base
-
       - name: Build omos image (amd64, load to local daemon)
         uses: docker/build-push-action@v7
         with:
@@ -165,7 +188,7 @@ jobs:
           push: false
           load: true
           build-args: |
-            BASE_IMAGE=opencode-devbox:validate-base
+            BASE_IMAGE=joakimp/opencode-devbox:base-latest
             INSTALL_OMOS=true
           tags: opencode-devbox:ci-omos
 
@@ -214,16 +237,6 @@ jobs:
         with:
           driver-opts: network=host
 
-      - name: Build base layer (amd64, load to local daemon)
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          file: Dockerfile.base
-          platforms: linux/amd64
-          push: false
-          load: true
-          tags: opencode-devbox:validate-base
-
       - name: Build with-pi image (amd64, load to local daemon)
         uses: docker/build-push-action@v7
         with:
@@ -233,7 +246,7 @@ jobs:
           push: false
           load: true
           build-args: |
-            BASE_IMAGE=opencode-devbox:validate-base
+            BASE_IMAGE=joakimp/opencode-devbox:base-latest
             INSTALL_PI=true
           tags: opencode-devbox:ci-with-pi
 
@@ -282,16 +295,6 @@ jobs:
         with:
           driver-opts: network=host
 
-      - name: Build base layer (amd64, load to local daemon)
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          file: Dockerfile.base
-          platforms: linux/amd64
-          push: false
-          load: true
-          tags: opencode-devbox:validate-base
-
       - name: Build omos+with-pi image (amd64, load to local daemon)
         uses: docker/build-push-action@v7
         with:
@@ -301,7 +304,7 @@ jobs:
           push: false
           load: true
           build-args: |
-            BASE_IMAGE=opencode-devbox:validate-base
+            BASE_IMAGE=joakimp/opencode-devbox:base-latest
             INSTALL_OMOS=true
             INSTALL_PI=true
           tags: opencode-devbox:ci-omos-with-pi