build: migrate to docker/github-builder reusable workflows #206

Open
Soner (shyim) wants to merge 6 commits into main from feat/github-builder-reusable-workflows

@shyim
Member

Summary

  • Replace custom build-bake-publish composite action with docker/github-builder/.github/workflows/bake.yml@v1 reusable workflow
  • Consolidate changed-files detection into a single changes job instead of duplicating in every build job
  • Remove Namespace Labs cloud builder dependency in favor of GitHub-hosted runners
  • Gain SLSA provenance attestations and Cosign signing for all images

Changes

  • Deleted .github/action/build-bake-publish/action.yml
  • Rewritten .github/workflows/build.yml to use reusable workflow calls
  • Registry auth now uses registry-auths YAML secret format
  • imageSuffix/tagPrefix passed via bake vars input
  • Simplified conditional logic in check and dev-check jobs

Test plan

  • Verify PR build triggers and skips correctly based on changed files
  • Confirm images are pushed to GHCR with -ci-test suffix for PRs
  • Validate job dependency chain: fpm → webserver → dev
  • Check that dev-check and check jobs pass against built images
  • Verify main branch push builds and pushes to both Docker Hub and GHCR

Replace custom build-bake-publish composite action with
docker/github-builder bake.yml reusable workflow. This brings
SLSA provenance attestations, Cosign signing, and standardized
Docker-maintained build infrastructure.

- Consolidate changed-files detection into a single job
- Remove Namespace Labs cloud builder dependency
- Use registry-auths secret for Docker Hub and GHCR auth
- Pass imageSuffix/tagPrefix via bake vars input
- Simplify conditional logic in check/dev-check jobs

The github-builder bake workflow resolves targets by name, but
matrix-expanded targets (e.g. fpm) only produce individual targets
like fpm-8-2, fpm-8-3, etc. Add explicit group blocks so the
original target names resolve to all their matrix variants.

github-builder enforces exactly one concrete target per workflow
call. Move PHP version matrix to the workflow level and pass
individual target names (e.g. fpm-8-3) instead of group names.
Remove now-unnecessary group blocks from docker-bake.hcl.

With distribute: false, github-builder runs on a single amd64
runner and ignores platform definitions. Setting distribute: true
creates a matrix entry per platform, building arm64 on native
arm runners.