joakimp/opencode-devbox
Public Access
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

validate.yml: use Hub base-latest as variant parent + warn on base-input changes
Validate / docs-check (push) Successful in 9s
Details
Validate / base-change-warning (push) Successful in 11s
Details
Validate / validate-base (push) Failing after 21s
Details
Validate / validate-omos (push) Failing after 1m49s
Details
Validate / validate-with-pi (push) Failing after 1m46s
Details
Validate / validate-omos-with-pi (push) Failing after 13m9s
Details

Browse Source 
The previous two-step approach (build Dockerfile.base \ then
Dockerfile.variant FROM the local image) doesn't work: each
docker/build-push-action@v7 invocation runs in its own buildx
container context, and an image loaded into the host docker daemon
by step N is not visible to step N+1's buildx invocation.

Variant builds in validate.yml now FROM joakimp/opencode-devbox:base-latest
on Docker Hub, matching the production smokes' parent. Trade-off:
PRs/pushes that change Dockerfile.base, rootfs/, or entrypoint*.sh
are not exercised here \u2014 only release tags rebuild the base via
docker-publish-split.yml.

The new base-change-warning job surfaces a runtime warning when a
commit modifies any base-image input, telling the author to run a
workflow_dispatch test if they want full validation before merging.
This commit is contained in:
Joakim Persson
2026-05-14 20:53:19 +02:00
parent 8359fef949
commit dba05da7d1
1 changed files with 47 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/validate.yml
+47 -44
View File
@@ -4,6 +4,22 @@ name: Validate
# runs the smoke test, and checks image size — without pushing anything # runs the smoke test, and checks image size — without pushing anything
# to Docker Hub. Tag pushes are handled by docker-publish-split.yml which # to Docker Hub. Tag pushes are handled by docker-publish-split.yml which
# does the full multi-arch split-base build-and-push. # does the full multi-arch split-base build-and-push.
#
# Trade-off: variant builds here use the published `base-latest` image
# from Docker Hub as their parent, NOT a locally-built base. This is
# because `docker/build-push-action@v7` runs each invocation in its own
# buildx container context, so an image loaded into the host docker
# daemon by step N is not visible to step N+1's buildx invocation.
# Building base + variant in the same job would require either pushing
# the base to a registry or sharing a buildx instance across steps — both
# significantly more complex than just using the published base.
#
# Consequence: PRs/pushes that change Dockerfile.base, rootfs/, or
# entrypoint*.sh are NOT exercised by this workflow. The release path
# (docker-publish-split.yml on tag push) does build the new base, so
# release tags are the gate that fully validates base-image changes.
# The base-change-warning job below surfaces a runtime warning when this
# blind-spot applies.
on: on:
push: push:
@@ -34,6 +50,33 @@ jobs:
run: | run: |
python3 scripts/generate-dockerhub-md.py --check python3 scripts/generate-dockerhub-md.py --check
base-change-warning:
# Surfaces a warning when this commit changes base-image inputs
# (Dockerfile.base, rootfs/, entrypoint*.sh). validate.yml uses
# Hub's base-latest as the parent for variant builds, so changes to
# those files are NOT exercised here — only release tags rebuild the
# base via docker-publish-split.yml.
runs-on: ubuntu-latest
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 2
- name: Detect base-input changes
run: |
set -e
if ! git diff --name-only HEAD~1 HEAD 2>/dev/null \
| grep -qE '^(Dockerfile\.base|rootfs/|entrypoint.*\.sh)$'; then
echo "No base-image inputs changed in this commit — validate.yml fully exercises the published base-latest."
exit 0
fi
echo "::warning::This commit changes base-image inputs (Dockerfile.base, rootfs/, or entrypoint*.sh). validate.yml uses Hub's base-latest as the parent for variant builds, so the new base is NOT exercised by this workflow. Cut a release tag, or run a workflow_dispatch of docker-publish-split.yml against a test tag (e.g. v0.0.0-base-test, promote_latest=false) for end-to-end validation of the new base."
echo "Changed base-input files:"
git diff --name-only HEAD~1 HEAD | grep -E '^(Dockerfile\.base|rootfs/|entrypoint.*\.sh)$'
validate-base: validate-base:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: container:
@@ -79,16 +122,6 @@ jobs:
with: with:
driver-opts: network=host driver-opts: network=host
- name: Build base layer (amd64, load to local daemon)
uses: docker/build-push-action@v7
with:
context: .
file: Dockerfile.base
platforms: linux/amd64
push: false
load: true
tags: opencode-devbox:validate-base
- name: Build base image (amd64, load to local daemon) - name: Build base image (amd64, load to local daemon)
uses: docker/build-push-action@v7 uses: docker/build-push-action@v7
with: with:
@@ -98,7 +131,7 @@ jobs:
push: false push: false
load: true load: true
build-args: | build-args: |
BASE_IMAGE=opencode-devbox:validate-base BASE_IMAGE=joakimp/opencode-devbox:base-latest
tags: opencode-devbox:ci-base tags: opencode-devbox:ci-base
- name: Smoke test - name: Smoke test
@@ -146,16 +179,6 @@ jobs:
with: with:
driver-opts: network=host driver-opts: network=host
- name: Build base layer (amd64, load to local daemon)
uses: docker/build-push-action@v7
with:
context: .
file: Dockerfile.base
platforms: linux/amd64
push: false
load: true
tags: opencode-devbox:validate-base
- name: Build omos image (amd64, load to local daemon) - name: Build omos image (amd64, load to local daemon)
uses: docker/build-push-action@v7 uses: docker/build-push-action@v7
with: with:
@@ -165,7 +188,7 @@ jobs:
push: false push: false
load: true load: true
build-args: | build-args: |
BASE_IMAGE=opencode-devbox:validate-base BASE_IMAGE=joakimp/opencode-devbox:base-latest
INSTALL_OMOS=true INSTALL_OMOS=true
tags: opencode-devbox:ci-omos tags: opencode-devbox:ci-omos
@@ -214,16 +237,6 @@ jobs:
with: with:
driver-opts: network=host driver-opts: network=host
- name: Build base layer (amd64, load to local daemon)
uses: docker/build-push-action@v7
with:
context: .
file: Dockerfile.base
platforms: linux/amd64
push: false
load: true
tags: opencode-devbox:validate-base
- name: Build with-pi image (amd64, load to local daemon) - name: Build with-pi image (amd64, load to local daemon)
uses: docker/build-push-action@v7 uses: docker/build-push-action@v7
with: with:
@@ -233,7 +246,7 @@ jobs:
push: false push: false
load: true load: true
build-args: | build-args: |
BASE_IMAGE=opencode-devbox:validate-base BASE_IMAGE=joakimp/opencode-devbox:base-latest
INSTALL_PI=true INSTALL_PI=true
tags: opencode-devbox:ci-with-pi tags: opencode-devbox:ci-with-pi
@@ -282,16 +295,6 @@ jobs:
with: with:
driver-opts: network=host driver-opts: network=host
- name: Build base layer (amd64, load to local daemon)
uses: docker/build-push-action@v7
with:
context: .
file: Dockerfile.base
platforms: linux/amd64
push: false
load: true
tags: opencode-devbox:validate-base
- name: Build omos+with-pi image (amd64, load to local daemon) - name: Build omos+with-pi image (amd64, load to local daemon)
uses: docker/build-push-action@v7 uses: docker/build-push-action@v7
with: with:
@@ -301,7 +304,7 @@ jobs:
push: false push: false
load: true load: true
build-args: | build-args: |
BASE_IMAGE=opencode-devbox:validate-base BASE_IMAGE=joakimp/opencode-devbox:base-latest
INSTALL_OMOS=true INSTALL_OMOS=true
INSTALL_PI=true INSTALL_PI=true
tags: opencode-devbox:ci-omos-with-pi tags: opencode-devbox:ci-omos-with-pi