Speed up workspace image builds

chapterjason · claude · chapterjason · commit 6d688face9dc · 2026-04-23T22:08:58.000Z
- Drop linux/arm64 from the publish matrix (no arm64 consumers; QEMU
  emulation roughly doubled build time and cache size).
- Remove docker/setup-qemu-action — no longer needed without arm64.
- Split scripts/ bind mounts in base + cpp Dockerfiles so each installer
  lives in its own RUN with a narrow bind. Bumping one tool (e.g.
  web-shell) no longer invalidates the other installer layers.
- Pass BASE_IMAGE to the stacks job as image@digest from the base job's
  build-push-action output, not the base-&lt;short_sha&gt; tag. Cache hits
  across stack rebuilds when only non-base source changed.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/publish-workspaces.yml b/.github/workflows/publish-workspaces.yml
@@ -18,6 +18,8 @@ jobs:
       packages: write
     outputs:
       short_sha: ${{ steps.sha.outputs.short }}
+      digest: ${{ steps.build.outputs.digest }}
+      image: ${{ steps.img.outputs.name }}
     steps:
       - uses: actions/checkout@v6
 
@@ -29,7 +31,6 @@ jobs:
         id: img
         run: echo "name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/coder-workspace" >> "$GITHUB_OUTPUT"
 
-      - uses: docker/setup-qemu-action@v4
       - uses: docker/setup-buildx-action@v4
 
       - name: Log in to GHCR
@@ -49,11 +50,12 @@ jobs:
             type=sha,format=short,prefix=base-
 
       - name: Build and push
+        id: build
         uses: docker/build-push-action@v7
         with:
           context: .
           file: ./src/base/Dockerfile
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -77,7 +79,6 @@ jobs:
         id: img
         run: echo "name=ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/coder-workspace" >> "$GITHUB_OUTPUT"
 
-      - uses: docker/setup-qemu-action@v4
       - uses: docker/setup-buildx-action@v4
 
       - name: Log in to GHCR
@@ -101,11 +102,11 @@ jobs:
         with:
           context: .
           file: ./src/${{ matrix.stack }}/Dockerfile
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
-            BASE_IMAGE=${{ steps.img.outputs.name }}:base-${{ needs.base.outputs.short_sha }}
+            BASE_IMAGE=${{ needs.base.outputs.image }}@${{ needs.base.outputs.digest }}
           cache-from: type=gha,scope=workspace-${{ matrix.stack }}
           cache-to: type=gha,mode=max,scope=workspace-${{ matrix.stack }}
diff --git a/src/base/Dockerfile b/src/base/Dockerfile
@@ -78,19 +78,27 @@ USER root
 # env var the devcontainer CLI used at feature-install time.
 ENV _REMOTE_USER=${USERNAME}
 
-# System-wide installers run as root.
-RUN --mount=type=bind,source=scripts,target=/scripts \
-    for s in context-mode home-persist jetbrains; do \
-      bash "/scripts/$s/install.sh"; \
-    done
+# Per-tool bind mounts so a change in one installer only busts its own layer.
+# A single mount of scripts/ would hash the whole dir — bumping web-shell
+# would rebuild every tool.
+RUN --mount=type=bind,source=scripts/context-mode,target=/scripts/context-mode \
+    bash /scripts/context-mode/install.sh
+RUN --mount=type=bind,source=scripts/home-persist,target=/scripts/home-persist \
+    bash /scripts/home-persist/install.sh
+RUN --mount=type=bind,source=scripts/jetbrains,target=/scripts/jetbrains \
+    bash /scripts/jetbrains/install.sh
 
 # Per-user installers run as the remote user directly — upstream installers
 # write into $HOME with correct ownership; no root+chown dance.
 USER ${USERNAME}
-RUN --mount=type=bind,source=scripts,target=/scripts \
-    for s in nvm claude-code rtk web-shell; do \
-      bash "/scripts/$s/install.sh"; \
-    done
+RUN --mount=type=bind,source=scripts/nvm,target=/scripts/nvm \
+    bash /scripts/nvm/install.sh
+RUN --mount=type=bind,source=scripts/claude-code,target=/scripts/claude-code \
+    bash /scripts/claude-code/install.sh
+RUN --mount=type=bind,source=scripts/rtk,target=/scripts/rtk \
+    bash /scripts/rtk/install.sh
+RUN --mount=type=bind,source=scripts/web-shell,target=/scripts/web-shell \
+    bash /scripts/web-shell/install.sh
 USER root
 
 # Coder agent: systemd unit runs /etc/coder/agent-init.sh as the workspace
diff --git a/src/cpp/Dockerfile b/src/cpp/Dockerfile
@@ -6,17 +6,17 @@ FROM ${BASE_IMAGE}
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 ENV DEBIAN_FRONTEND=noninteractive
 
-# System-wide installers (root).
-RUN --mount=type=bind,source=scripts,target=/scripts \
-    bash "/scripts/llvm/install.sh"
+# Per-tool bind mounts so a change in one installer only busts its own layer.
+RUN --mount=type=bind,source=scripts/llvm,target=/scripts/llvm \
+    bash /scripts/llvm/install.sh
 
 RUN printf 'export CC=/usr/local/bin/clang\nexport CXX=/usr/local/bin/clang++\n' \
     > /etc/profile.d/llvm-env.sh
 
 # cmake and sccache drop their binaries in $HOME/.local → run as the remote user.
 USER ${_REMOTE_USER}
-RUN --mount=type=bind,source=scripts,target=/scripts \
-    for s in cmake sccache; do \
-      bash "/scripts/$s/install.sh"; \
-    done
+RUN --mount=type=bind,source=scripts/cmake,target=/scripts/cmake \
+    bash /scripts/cmake/install.sh
+RUN --mount=type=bind,source=scripts/sccache,target=/scripts/sccache \
+    bash /scripts/sccache/install.sh
 USER root
