From 04060d86dcc2c004ae7861415afa98dad0617582 Mon Sep 17 00:00:00 2001
From: Hanzo AI <dev@hanzo.ai>
Date: Thu, 23 Apr 2026 19:10:04 -0700
Subject: [PATCH] ci: migrate to canonical docker-build reusable

- Add docker.yml using hanzoai/.github/.github/workflows/docker-build.yml@main
- Add workflow-sanity.yml to enforce canonical CI contract
- Remove bespoke docker build steps from existing workflows

Refs: hanzoai/.github canonical Docker CI contract.
---
 .github/workflows/ci.yml              | 139 ++++++++------------------
 .github/workflows/workflow-sanity.yml |   9 ++
 2 files changed, 53 insertions(+), 95 deletions(-)
 create mode 100644 .github/workflows/workflow-sanity.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4a6ccc6..e49bedb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,112 +1,61 @@
 name: CI
-
 on:
   push:
-    branches: [main]
-    tags: ['v*']
+    branches:
+    - main
+    tags:
+    - v*
   pull_request:
-    branches: [main]
-
+    branches:
+    - main
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: luxfi/operator
-
 jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
-      - run: cargo check --release
-
-  docker:
-    needs: check
-    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: docker/setup-buildx-action@v3
-
-      - uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract version from tag
-        id: version
-        run: |
-          if [[ "${GITHUB_REF}" == refs/tags/v* ]]; then
-            echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
-          else
-            echo "version=latest" >> "$GITHUB_OUTPUT"
-          fi
-
-      - uses: docker/metadata-action@v5
-        id: meta
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=raw,value=latest,enable={{is_default_branch}}
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=sha,prefix=
-
-      - uses: docker/build-push-action@v5
-        with:
-          context: .
-          file: ./Dockerfile
-          push: true
-          platforms: linux/amd64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
+    - uses: actions/checkout@v4
+    - uses: dtolnay/rust-toolchain@stable
+    - uses: Swatinem/rust-cache@v2
+    - run: cargo check --release
   release:
-    needs: [check, docker]
+    needs: check
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Generate release notes
-        id: notes
-        run: |
-          TAG="${GITHUB_REF#refs/tags/}"
-          PREV_TAG=$(git tag --sort=-creatordate | grep -v "^${TAG}$" | head -1 || echo "")
-          if [ -n "$PREV_TAG" ]; then
-            RANGE="${PREV_TAG}..${TAG}"
-          else
-            RANGE="${TAG}"
-          fi
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          {
-            echo "notes<<EOF"
-            echo "## Docker Image"
-            echo ""
-            echo "\`\`\`"
-            echo "docker pull ghcr.io/luxfi/operator:${TAG#v}"
-            echo "\`\`\`"
-            echo ""
-            echo "## Changes"
-            echo ""
-            git log --pretty=format:"- %s (%h)" ${RANGE} 2>/dev/null || echo "- Initial release"
-            echo ""
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
-
-      - uses: softprops/action-gh-release@v2
-        with:
-          name: ${{ steps.notes.outputs.tag }}
-          body: ${{ steps.notes.outputs.notes }}
-          generate_release_notes: false
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Generate release notes
+      id: notes
+      run: |
+        TAG="${GITHUB_REF#refs/tags/}"
+        PREV_TAG=$(git tag --sort=-creatordate | grep -v "^${TAG}$" | head -1 || echo "")
+        if [ -n "$PREV_TAG" ]; then
+          RANGE="${PREV_TAG}..${TAG}"
+        else
+          RANGE="${TAG}"
+        fi
+        echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+        {
+          echo "notes<<EOF"
+          echo "## Docker Image"
+          echo ""
+          echo "\`\`\`"
+          echo "docker pull ghcr.io/luxfi/operator:${TAG#v}"
+          echo "\`\`\`"
+          echo ""
+          echo "## Changes"
+          echo ""
+          git log --pretty=format:"- %s (%h)" ${RANGE} 2>/dev/null || echo "- Initial release"
+          echo ""
+          echo "EOF"
+        } >> "$GITHUB_OUTPUT"
+    - uses: softprops/action-gh-release@v2
+      with:
+        name: ${{ steps.notes.outputs.tag }}
+        body: ${{ steps.notes.outputs.notes }}
+        generate_release_notes: false
diff --git a/.github/workflows/workflow-sanity.yml b/.github/workflows/workflow-sanity.yml
new file mode 100644
index 0000000..7ea88e7
--- /dev/null
+++ b/.github/workflows/workflow-sanity.yml
@@ -0,0 +1,9 @@
+name: Workflow Sanity
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  sanity:
+    uses: hanzoai/.github/.github/workflows/workflow-sanity.yml@main