Split UI from Docker: UI never touches Docker, all ops via workers

Remove orchestrator import and Docker SDK from UI. All container
operations now go through workers via REST API. No standalone mode.
Workers must have Docker socket by design.

- Remove orchestrator usage from main.py (17 call sites)
- Remove docker SDK from requirements.txt
- Add _get_all_worker_containers() for heartbeat-based status
- Add _proxy_worker_deploy() for forwarding deploys to workers
- All container management routes require worker_id
- Update docker-compose files for UI + Worker architecture
- Independent CI builds: only affected image gets rebuilt
- Update AGENTS.md for new architecture

Author: GeiserX

.github/workflows/build.yml

@@ -4,12 +4,66 @@ on:
   push:
     tags: ["v*"]
   workflow_dispatch:
+    inputs:
+      build_ui:
+        description: 'Build UI image'
+        type: boolean
+        default: true
+      build_worker:
+        description: 'Build Worker image'
+        type: boolean
+        default: true
 
 concurrency:
   group: build-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  detect:
+    runs-on: ubuntu-latest
+    outputs:
+      build_ui: ${{ steps.check.outputs.ui }}
+      build_worker: ${{ steps.check.outputs.worker }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Detect what to build
+        id: check
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "ui=${{ inputs.build_ui }}" >> "$GITHUB_OUTPUT"
+            echo "worker=${{ inputs.build_worker }}" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || echo "all")
+          BUILD_UI=false
+          BUILD_WORKER=false
+
+          if echo "$CHANGED" | grep -qE '^(Dockerfile|requirements\.txt|app/(main|database|catalog|auth|compose_generator|exchange_rates|collectors|templates|static)|services/)'; then
+            BUILD_UI=true
+          fi
+          if echo "$CHANGED" | grep -qE '^(Dockerfile\.worker|requirements-worker\.txt|app/(worker_api|orchestrator)\.py)'; then
+            BUILD_WORKER=true
+          fi
+          if echo "$CHANGED" | grep -qE '^app/__init__\.py'; then
+            BUILD_UI=true
+            BUILD_WORKER=true
+          fi
+
+          # Default: if no specific detection, build both (safety net)
+          if [ "$BUILD_UI" = "false" ] && [ "$BUILD_WORKER" = "false" ]; then
+            BUILD_UI=true
+            BUILD_WORKER=true
+          fi
+
+          echo "ui=$BUILD_UI" >> "$GITHUB_OUTPUT"
+          echo "worker=$BUILD_WORKER" >> "$GITHUB_OUTPUT"
+          echo "Build UI: $BUILD_UI, Build Worker: $BUILD_WORKER"
+
   lint:
     runs-on: ubuntu-latest
     steps:
@@ -27,20 +81,58 @@ jobs:
       - name: Lint and format check
         run: ruff check app/ && ruff format --check app/
 
-  build:
-    needs: lint
+  build-ui:
+    needs: [lint, detect]
+    if: needs.detect.outputs.build_ui == 'true'
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
-    strategy:
-      matrix:
-        include:
-          - image: drumsergio/cashpilot
-            dockerfile: Dockerfile
-          - image: drumsergio/cashpilot-worker
-            dockerfile: Dockerfile.worker
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: drumsergio/cashpilot
+          tags: |
+            type=raw,value=latest
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
 
+      - name: Build and push UI image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=cashpilot-ui
+          cache-to: type=gha,mode=max,scope=cashpilot-ui
+
+  build-worker:
+    needs: [lint, detect]
+    if: needs.detect.outputs.build_worker == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -57,24 +149,24 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Extract metadata (tags, labels)
+      - name: Extract metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ matrix.image }}
+          images: drumsergio/cashpilot-worker
           tags: |
             type=raw,value=latest
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
-      - name: Build and push
+      - name: Build and push Worker image
         uses: docker/build-push-action@v6
         with:
           context: .
-          file: ${{ matrix.dockerfile }}
+          file: Dockerfile.worker
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha,scope=${{ matrix.image }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.image }}
+          cache-from: type=gha,scope=cashpilot-worker
+          cache-to: type=gha,mode=max,scope=cashpilot-worker

.github/workflows/release.yml

@@ -10,6 +10,7 @@ on:
       - 'requirements-worker.txt'
       - 'app/**'
       - 'services/**'
+      - 'docker-compose*.yml'
   workflow_dispatch:
 
 permissions:
@@ -19,25 +20,61 @@ jobs:
   release:
     name: Bump version and release
     runs-on: ubuntu-latest
-    # Skip releases triggered by the release workflow itself
     if: "!contains(github.event.head_commit.message, '[skip ci]')"
+    outputs:
+      new_tag: ${{ steps.version.outputs.new_tag }}
+      build_ui: ${{ steps.changes.outputs.ui }}
+      build_worker: ${{ steps.changes.outputs.worker }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Detect what changed
+        id: changes
+        run: |
+          # Compare against the previous commit
+          CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || echo "")
+          echo "Changed files: $CHANGED"
+
+          BUILD_UI=false
+          BUILD_WORKER=false
+
+          # UI changes: main.py, templates, static, collectors, Dockerfile, requirements.txt
+          if echo "$CHANGED" | grep -qE '^(Dockerfile|requirements\.txt|app/(main|database|catalog|auth|compose_generator|exchange_rates|collectors|templates|static))'  ; then
+            BUILD_UI=true
+          fi
+          # Also trigger UI on services/ changes (catalog data)
+          if echo "$CHANGED" | grep -qE '^services/'; then
+            BUILD_UI=true
+          fi
+
+          # Worker changes: worker_api.py, orchestrator.py, Dockerfile.worker, requirements-worker.txt
+          if echo "$CHANGED" | grep -qE '^(Dockerfile\.worker|requirements-worker\.txt|app/(worker_api|orchestrator)\.py)'; then
+            BUILD_WORKER=true
+          fi
+
+          # If both Dockerfiles or shared files changed, build both
+          if echo "$CHANGED" | grep -qE '^app/__init__\.py'; then
+            BUILD_UI=true
+            BUILD_WORKER=true
+          fi
+
+          echo "ui=$BUILD_UI" >> "$GITHUB_OUTPUT"
+          echo "worker=$BUILD_WORKER" >> "$GITHUB_OUTPUT"
+          echo "Build UI: $BUILD_UI, Build Worker: $BUILD_WORKER"
+
       - name: Get latest version tag
         id: version
+        if: steps.changes.outputs.ui == 'true' || steps.changes.outputs.worker == 'true'
         run: |
-          # Get the latest semver tag, default to v0.0.0 if none
           LATEST=$(git tag -l 'v*.*.*' --sort=-v:refname | head -1)
           if [ -z "$LATEST" ]; then
             LATEST="v0.0.0"
           fi
           echo "latest=$LATEST" >> "$GITHUB_OUTPUT"
 
-          # Increment patch version
           VERSION="${LATEST#v}"
           MAJOR=$(echo "$VERSION" | cut -d. -f1)
           MINOR=$(echo "$VERSION" | cut -d. -f2)
@@ -48,13 +85,15 @@ jobs:
           echo "Bumping $LATEST -> $NEW_TAG"
 
       - name: Create and push tag
+        if: steps.version.outputs.new_tag
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git tag -a "${{ steps.version.outputs.new_tag }}" -m "Release ${{ steps.version.outputs.new_tag }}"
           git push origin "${{ steps.version.outputs.new_tag }}"
 
       - name: Create GitHub Release
+        if: steps.version.outputs.new_tag
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ steps.version.outputs.new_tag }}