DockerBuild: tie Claude DayStamp mixing to Dockerfile content, not -Claude flag

PostSharpAgent · claude · PostSharpAgent · commit a213a9b53097 · 2026-04-14T16:14:59.000+02:00
The daily cache-busting DayStamp added in 1ced9ca was mixed into the image hash only when -Claude was on the command line. That breaks the two-step TeamCity pattern that shares a Claude Dockerfile between PrepareImage (-BuildImage, no -Claude) and a main runner step (-NoBuildImage -Claude): the two invocations compute different content hashes, so docker run in the main step tries to pull a tag that was never built or pushed and fails with an ACR "unauthorized" HEAD. Observed on Metalama_Metalama20261_MetalamaConsolidated_Claude #643 — Step 3 built build-396451cf73a3fde5, Step 4 looked for build-dcaec122766f2bab. Pre-1ced9ca builds of the same config produced identical hashes across both steps. Key the DayStamp decision off the Dockerfile body instead: if the file contains "update.timestamp" (i.e. it uses the daily-invalidation layer emitted by TimestampComponent), rotate the hash; otherwise don't. Both steps read the same Dockerfile, so they now agree on the tag. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/DockerBuild.ps1 b/DockerBuild.ps1
@@ -760,9 +760,16 @@ try
         }
 
         # Generate content-based hash for image tag.
-        # In Claude mode, mix in $script:DayStamp so the tag rotates daily
-        # and picks up fresh @latest npm installs.
-        $hashDayStamp = if ($Claude) { $script:DayStamp } else { $null }
+        # Mix $script:DayStamp in whenever the Dockerfile bakes in the
+        # update.timestamp cache-invalidation layer (which itself rotates
+        # daily). Keying this off the Dockerfile content — not the -Claude
+        # runtime flag — keeps PrepareImage (-BuildImage, typically no
+        # -Claude) and the main step (-NoBuildImage -Claude) in sync when
+        # they share a Dockerfile; otherwise the two steps compute
+        # different tags and docker run tries to pull a tag that was never
+        # built or pushed.
+        $dockerfileBody = Get-Content $dockerfileFullPath -Raw -ErrorAction SilentlyContinue
+        $hashDayStamp = if ($dockerfileBody -and $dockerfileBody -match 'update\.timestamp') { $script:DayStamp } else { $null }
         $contentHash = Get-ContentHash `
                 -DockerfilePath $dockerfileFullPath `
                 -ContextDirectory $dockerContextDirectory `
diff --git a/src/PostSharp.Engineering.BuildTools/Resources/DockerBuild.ps1 b/src/PostSharp.Engineering.BuildTools/Resources/DockerBuild.ps1
@@ -760,9 +760,16 @@ try
         }
 
         # Generate content-based hash for image tag.
-        # In Claude mode, mix in $script:DayStamp so the tag rotates daily
-        # and picks up fresh @latest npm installs.
-        $hashDayStamp = if ($Claude) { $script:DayStamp } else { $null }
+        # Mix $script:DayStamp in whenever the Dockerfile bakes in the
+        # update.timestamp cache-invalidation layer (which itself rotates
+        # daily). Keying this off the Dockerfile content — not the -Claude
+        # runtime flag — keeps PrepareImage (-BuildImage, typically no
+        # -Claude) and the main step (-NoBuildImage -Claude) in sync when
+        # they share a Dockerfile; otherwise the two steps compute
+        # different tags and docker run tries to pull a tag that was never
+        # built or pushed.
+        $dockerfileBody = Get-Content $dockerfileFullPath -Raw -ErrorAction SilentlyContinue
+        $hashDayStamp = if ($dockerfileBody -and $dockerfileBody -match 'update\.timestamp') { $script:DayStamp } else { $null }
         $contentHash = Get-ContentHash `
                 -DockerfilePath $dockerfileFullPath `
                 -ContextDirectory $dockerContextDirectory `
