fix: build-push-docker layer caching (#1484)

erikburt · web-flow · commit 3315e6d28f5f · 2026-03-25T13:15:03.000-07:00
* test: integ test docker cache

* fix

* rework some things, testing

* try mode=min

* test: only create cache on push/schedule events

* chore: prep for PR

* fix: cache defaulting
diff --git a/.changeset/few-lobsters-attend.md b/.changeset/few-lobsters-attend.md
@@ -0,0 +1,6 @@
+---
+"build-push-docker": minor
+---
+
+fix and rework docker caching logic. cache restores are now disabled by default,
+and cache-to/cache-from inputs are no longer post-processed
diff --git a/.changeset/lucky-pianos-exist.md b/.changeset/lucky-pianos-exist.md
@@ -0,0 +1,5 @@
+---
+"ctf-build-image": minor
+---
+
+fix: rework docker caching setup
diff --git a/actions/build-push-docker/action.yml b/actions/build-push-docker/action.yml
@@ -19,7 +19,7 @@ inputs:
       See `--no-cache` flag in:
       https://docs.docker.com/engine/reference/commandline/buildx_build/#cache
     required: false
-    default: "true"
+    default: "false"
   docker-save-cache:
     description: |
       Whether to save the Docker build cache after the build. If set to `false`,
@@ -30,21 +30,13 @@ inputs:
   # See: https://github.com/moby/buildkit#github-actions-cache-experimental
   docker-build-cache-from:
     description: |
-      Source of Docker build cache.
-
-      ",scope=buildkit-<runner arch>" is appended to this input in order to set
-      caching for the specific runner architecture.
+      Source of Docker build cache. Defaulted below.
     required: false
-    default: "type=gha,timeout=10m"
   # See: https://github.com/moby/buildkit#github-actions-cache-experimental
   docker-build-cache-to:
     description: |
-      Destination of Docker build cache.
-
-      ",scope=buildkit-<runner arch>" is appended to this input in order to set
-      caching for the specific runner architecture.
+      Destination of Docker build cache. Defaulted below.
     required: false
-    default: "type=gha,timeout=10m,mode=max,ignore-error=true"
   docker-push:
     description: "Push the docker image. Build only (no push) if: false."
     required: false
@@ -317,29 +309,38 @@ runs:
       env:
         DOCKER_RESTORE_CACHE: ${{ inputs.docker-restore-cache }}
         DOCKER_SAVE_CACHE: ${{ inputs.docker-save-cache }}
-        DOCKER_BUILD_CACHE_FROM: >-
-          ${{
-            format('{0},scope={1}', inputs.docker-build-cache-from, runner.arch)
-          }}
-        DOCKER_BUILD_CACHE_TO: >-
-          ${{
-            format('{0},scope={1}', inputs.docker-build-cache-to, runner.arch)
-          }}
+        DOCKER_BUILD_CACHE_FROM: ${{ inputs.docker-build-cache-from }}
+        DOCKER_BUILD_CACHE_TO: ${{ inputs.docker-build-cache-to }}
+        DEFAULT_DOCKER_BUILD_CACHE_FROM:
+          type=gha,timeout=10m,scope=generic-${{ runner.os }}-${{ runner.arch }}
+        DEFAULT_DOCKER_BUILD_CACHE_TO:
+          type=gha,timeout=10m,mode=min,ignore-error=true,scope=generic-${{
+          runner.os }}-${{ runner.arch }}
       run: |
-        if [[ "${DOCKER_RESTORE_CACHE}" == "true" ]]; then
-          echo "no-cache=false" | tee -a "${GITHUB_OUTPUT}"
-          echo "cache-from=${DOCKER_BUILD_CACHE_FROM}" | tee -a "${GITHUB_OUTPUT}"
-        else
+        CACHE_TO="${DOCKER_BUILD_CACHE_TO}"
+        if [[ "${DOCKER_SAVE_CACHE}" == "true" ]]; then
+          if [[ -z "${CACHE_TO}" ]]; then
+            CACHE_TO="${DEFAULT_DOCKER_BUILD_CACHE_TO}"
+          fi
+          echo "cache-to=${CACHE_TO}" | tee -a "${GITHUB_OUTPUT}"
+        fi
+
+        if [[ "${DOCKER_RESTORE_CACHE}" == "false" ]]; then
           echo "no-cache=true" | tee -a "${GITHUB_OUTPUT}"
+          exit 0
         fi
 
-        if [[ "${DOCKER_SAVE_CACHE}" == "true" ]]; then
-          echo "cache-to=${DOCKER_BUILD_CACHE_TO}" | tee -a "${GITHUB_OUTPUT}"
+        CACHE_FROM="${DOCKER_BUILD_CACHE_FROM}"
+        if [[ -z "${CACHE_FROM}" ]]; then
+          CACHE_FROM="${DEFAULT_DOCKER_BUILD_CACHE_FROM}"
         fi
 
+        echo "no-cache=false" | tee -a "${GITHUB_OUTPUT}"
+        echo "cache-from=${CACHE_FROM}" | tee -a "${GITHUB_OUTPUT}"
+
     - name: Build & push image
       id: build-image
-      uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+      uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
       env:
         DOCKER_BUILD_CHECKS_ANNOTATIONS: true
         DOCKER_BUILD_SUMMARY: true
@@ -359,9 +360,10 @@ runs:
         tags: ${{ steps.docker-meta.outputs.tags }}
         labels: ${{ steps.docker-meta.outputs.labels }}
         platforms: ${{ inputs.platform }}
+        # disables cache when building image
         no-cache: ${{ steps.docker-cache.outputs.no-cache }}
-        cache-from: ${{ steps.docker-cache.outputs.docker-cache-from }}
-        cache-to: ${{ steps.docker-cache.outputs.docker-cache-to }}
+        cache-from: ${{ steps.docker-cache.outputs.cache-from }}
+        cache-to: ${{ steps.docker-cache.outputs.cache-to }}
         secrets: |
           GIT_AUTH_TOKEN=${{ inputs.github-token || ''}}
 
diff --git a/actions/ctf-build-image/action.yml b/actions/ctf-build-image/action.yml
@@ -181,11 +181,19 @@ runs:
         docker-attestations: "false"
         docker-registry-url: ${{ inputs.docker-registry-url }}
         docker-repository-name: ${{ inputs.docker-repository-name }}
-
+        # only save on events which are expected to be from the default branch
+        docker-save-cache:
+          ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
+        # dont use cache on events which are expected to be from the default branch
+        # this is to create a fresh cache/snapshot unpolluted by previous cache entries
         docker-restore-cache:
-          ${{ github.event_name == 'pull_request' || github.event_name ==
-          'merge_group' }}
-        docker-save-cache: ${{ github.event_name == 'push' }}
+          ${{ github.event_name != 'schedule' && github.event_name != 'push' }}
+        docker-build-cache-to:
+          "type=gha,timeout=10m,mode=min,ignore-error=true,scope=ctf-build-image-${{
+          runner.os }}-${{ runner.arch }}"
+        docker-build-cache-from:
+          "type=gha,timeout=10m,scope=ctf-build-image-${{ runner.os }}-${{
+          runner.arch }}"
 
         tags: type=raw,value=${{ inputs.image-tag }}
         aws-account-number: ${{ inputs.aws-account-number }}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"ctf-build-image": minor
 +---
++
 +fix: rework docker caching setup