chore: migrate Docker builds to docker buildx bake

Replace 5 sequential build-push-action steps with a single docker/bake-action call backed by docker-bake.hcl. BuildKit now builds all images in parallel: backend/runner/pocketbase share one Go builder stage (compiled once), while caddy and ui build concurrently alongside the Go targets. Workflow YAML goes from ~130 lines of build steps to ~35. Adding a new image now only requires a new target block in docker-bake.hcl. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 19:09:27 +05:00
parent fc73756308
commit cb9598a786
2 changed files with 154 additions and 99 deletions
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -147,10 +147,14 @@ jobs:
  #         SENTRY_ORG: libnovel
  #         SENTRY_PROJECT: ui

-  # ── docker: all images in one job (single login) ──────────────────────────────
-  # backend, runner, ui, and caddy are built sequentially in one job so Docker
-  # Hub only needs to be authenticated once. This also eliminates 3 redundant
-  # checkout + setup-buildx + scheduler round-trips compared to separate jobs.
+  # ── docker: build + push all images via docker bake ──────────────────────────
+  # docker-bake.hcl defines all five targets. BuildKit builds them with maximum
+  # parallelism: backend/runner/pocketbase share the Go builder stage (compiled
+  # once), while caddy and ui build concurrently alongside the Go targets.
+  #
+  # Metadata (tags + labels) is generated per-image by docker/metadata-action
+  # (bake-target mode), then merged into a single bake call via the bake-action
+  # targets input — one Docker Hub login, one buildx invocation.
  docker:
    name: Docker
    runs-on: ubuntu-latest
@@ -160,65 +164,13 @@ jobs:

      - uses: docker/setup-buildx-action@v3

-      # Single login — credential is written to ~/.docker/config.json and
-      # reused by all subsequent build-push-action steps in this job.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

-      # ── backend ──────────────────────────────────────────────────────────────
-      - name: Docker meta / backend
-        id: meta-backend
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ secrets.DOCKER_USER }}/libnovel-backend
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=latest
-
-      - name: Build and push / backend
-        uses: docker/build-push-action@v6
-        with:
-          context: backend
-          target: backend
-          push: true
-          tags: ${{ steps.meta-backend.outputs.tags }}
-          labels: ${{ steps.meta-backend.outputs.labels }}
-          build-args: |
-            VERSION=${{ steps.meta-backend.outputs.version }}
-            COMMIT=${{ gitea.sha }}
-          cache-from: type=registry,ref=${{ secrets.DOCKER_USER }}/libnovel-backend:latest
-          cache-to: type=inline
-
-      # ── runner ───────────────────────────────────────────────────────────────
-      - name: Docker meta / runner
-        id: meta-runner
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ secrets.DOCKER_USER }}/libnovel-runner
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=latest
-
-      - name: Build and push / runner
-        uses: docker/build-push-action@v6
-        with:
-          context: backend
-          target: runner
-          push: true
-          tags: ${{ steps.meta-runner.outputs.tags }}
-          labels: ${{ steps.meta-runner.outputs.labels }}
-          build-args: |
-            VERSION=${{ steps.meta-runner.outputs.version }}
-            COMMIT=${{ gitea.sha }}
-          cache-from: type=registry,ref=${{ secrets.DOCKER_USER }}/libnovel-runner:latest
-          cache-to: type=inline
-
-      # ── ui ───────────────────────────────────────────────────────────────────
+      # ── Prepare ui build artifact ─────────────────────────────────────────────
      - name: Download ui build artifacts
        uses: actions/download-artifact@v3
        with:
@@ -230,73 +182,80 @@ jobs:
          grep -v '^build$' ui/.dockerignore > ui/.dockerignore.tmp
          mv ui/.dockerignore.tmp ui/.dockerignore

-      - name: Docker meta / ui
-        id: meta-ui
+      # ── Generate per-image tags + labels (bake-target mode) ───────────────────
+      - name: Docker meta / backend
+        id: meta-backend
        uses: docker/metadata-action@v5
        with:
-          images: ${{ secrets.DOCKER_USER }}/libnovel-ui
+          images: ${{ secrets.DOCKER_USER }}/libnovel-backend
+          bake-target: backend
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest

-      - name: Build and push / ui
-        uses: docker/build-push-action@v6
-        with:
-          context: ui
-          push: true
-          tags: ${{ steps.meta-ui.outputs.tags }}
-          labels: ${{ steps.meta-ui.outputs.labels }}
-          build-args: |
-            BUILD_VERSION=${{ steps.meta-ui.outputs.version }}
-            BUILD_COMMIT=${{ gitea.sha }}
-            BUILD_TIME=${{ gitea.event.head_commit.timestamp }}
-            PREBUILT=1
-          cache-from: type=registry,ref=${{ secrets.DOCKER_USER }}/libnovel-ui:latest
-          cache-to: type=inline
-
-      # ── caddy ────────────────────────────────────────────────────────────────
-      - name: Docker meta / caddy
-        id: meta-caddy
+      - name: Docker meta / runner
+        id: meta-runner
        uses: docker/metadata-action@v5
        with:
-          images: ${{ secrets.DOCKER_USER }}/libnovel-caddy
+          images: ${{ secrets.DOCKER_USER }}/libnovel-runner
+          bake-target: runner
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest

-      - name: Build and push / caddy
-        uses: docker/build-push-action@v6
-        with:
-          context: caddy
-          push: true
-          tags: ${{ steps.meta-caddy.outputs.tags }}
-          labels: ${{ steps.meta-caddy.outputs.labels }}
-          cache-from: type=registry,ref=${{ secrets.DOCKER_USER }}/libnovel-caddy:latest
-          cache-to: type=inline
-
-      # ── pocketbase ───────────────────────────────────────────────────────────
      - name: Docker meta / pocketbase
        id: meta-pocketbase
        uses: docker/metadata-action@v5
        with:
          images: ${{ secrets.DOCKER_USER }}/libnovel-pocketbase
+          bake-target: pocketbase
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=latest

-      - name: Build and push / pocketbase
-        uses: docker/build-push-action@v6
+      - name: Docker meta / ui
+        id: meta-ui
+        uses: docker/metadata-action@v5
        with:
-          context: backend
-          target: pocketbase
-          push: true
-          tags: ${{ steps.meta-pocketbase.outputs.tags }}
-          labels: ${{ steps.meta-pocketbase.outputs.labels }}
-          cache-from: type=registry,ref=${{ secrets.DOCKER_USER }}/libnovel-pocketbase:latest
-          cache-to: type=inline
+          images: ${{ secrets.DOCKER_USER }}/libnovel-ui
+          bake-target: ui
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
+
+      - name: Docker meta / caddy
+        id: meta-caddy
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKER_USER }}/libnovel-caddy
+          bake-target: caddy
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
+
+      # ── Build + push all images in parallel ───────────────────────────────────
+      - name: Build and push all images
+        uses: docker/bake-action@v6
+        with:
+          files: |
+            docker-bake.hcl
+            ${{ steps.meta-backend.outputs.bake-file }}
+            ${{ steps.meta-runner.outputs.bake-file }}
+            ${{ steps.meta-pocketbase.outputs.bake-file }}
+            ${{ steps.meta-ui.outputs.bake-file }}
+            ${{ steps.meta-caddy.outputs.bake-file }}
+          set: |
+            backend.args.VERSION=${{ steps.meta-backend.outputs.version }}
+            backend.args.COMMIT=${{ gitea.sha }}
+            runner.args.VERSION=${{ steps.meta-runner.outputs.version }}
+            runner.args.COMMIT=${{ gitea.sha }}
+            ui.args.BUILD_TIME=${{ gitea.event.head_commit.timestamp }}
+            *.output=type=image,push=true

  # ── deploy: sync docker-compose.yml + restart prod ───────────────────────────
  # Runs after all images are pushed to Docker Hub.
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -0,0 +1,96 @@
+# docker-bake.hcl — defines all five production images.
+#
+# Used by CI (docker/bake-action) to build and push all images in one call,
+# with shared BuildKit cache and maximum parallelism:
+#   - backend, runner, pocketbase share the Go builder stage (built once)
+#   - caddy and ui build independently in parallel alongside the Go targets
+#
+# Local build (no push):
+#   docker buildx bake
+#
+# CI sets per-target tags and labels via --set overrides in docker/bake-action.
+
+# ── Variables injected by CI via --set ───────────────────────────────────────
+
+variable "DOCKER_USER" { default = "kalekber" }
+
+variable "VERSION"    { default = "dev" }
+variable "COMMIT"     { default = "unknown" }
+variable "BUILD_TIME" { default = "" }
+
+# ── Shared defaults ───────────────────────────────────────────────────────────
+
+# All targets inherit these.  CI overrides tags/labels per-target via --set.
+target "_defaults" {
+  pull   = true
+  output = ["type=image,push=false"]
+}
+
+# Registry cache shared across all targets in a run.
+target "_cache" {
+  cache-to = ["type=inline"]
+}
+
+# ── Go targets (share the backend/ build context + builder stage) ─────────────
+
+target "backend" {
+  inherits  = ["_defaults", "_cache"]
+  context   = "backend"
+  target    = "backend"
+  tags      = ["${DOCKER_USER}/libnovel-backend:latest"]
+  cache-from = ["type=registry,ref=${DOCKER_USER}/libnovel-backend:latest"]
+  args = {
+    VERSION = VERSION
+    COMMIT  = COMMIT
+  }
+}
+
+target "runner" {
+  inherits  = ["_defaults", "_cache"]
+  context   = "backend"
+  target    = "runner"
+  tags      = ["${DOCKER_USER}/libnovel-runner:latest"]
+  cache-from = ["type=registry,ref=${DOCKER_USER}/libnovel-runner:latest"]
+  args = {
+    VERSION = VERSION
+    COMMIT  = COMMIT
+  }
+}
+
+target "pocketbase" {
+  inherits  = ["_defaults", "_cache"]
+  context   = "backend"
+  target    = "pocketbase"
+  tags      = ["${DOCKER_USER}/libnovel-pocketbase:latest"]
+  cache-from = ["type=registry,ref=${DOCKER_USER}/libnovel-pocketbase:latest"]
+}
+
+# ── UI (SvelteKit — separate context) ────────────────────────────────────────
+
+target "ui" {
+  inherits  = ["_defaults", "_cache"]
+  context   = "ui"
+  tags      = ["${DOCKER_USER}/libnovel-ui:latest"]
+  cache-from = ["type=registry,ref=${DOCKER_USER}/libnovel-ui:latest"]
+  args = {
+    BUILD_VERSION = VERSION
+    BUILD_COMMIT  = COMMIT
+    BUILD_TIME    = BUILD_TIME
+    PREBUILT      = "1"
+  }
+}
+
+# ── Caddy (custom plugins — separate context) ─────────────────────────────────
+
+target "caddy" {
+  inherits  = ["_defaults", "_cache"]
+  context   = "caddy"
+  tags      = ["${DOCKER_USER}/libnovel-caddy:latest"]
+  cache-from = ["type=registry,ref=${DOCKER_USER}/libnovel-caddy:latest"]
+}
+
+# ── Default group: all five images ────────────────────────────────────────────
+
+group "default" {
+  targets = ["backend", "runner", "pocketbase", "ui", "caddy"]
+}