ci(webview): build Qt 5 builder inline, drop the publish job

a9b9522d migrated the Qt 5 builder image from screenly/ose-qt-builder:latest (Docker Hub) to ghcr.io/screenly/anthias-webview-qt5-builder:latest (GHCR), but the publish step (`build-docker-image`) is gated to push events. On PR runs the GHCR image therefore never exists, and the consumer (compile-webview-part-1) blew up trying to `docker pull` it: Error response from daemon: Head ...manifests/latest: denied The image is a CI-internal build artifact — only consumed by the next step in the same workflow, never deployed, never pulled by any external user. Publishing it as a registry artifact is just inventory the workflow has to manage. So instead: * Delete the `build-docker-image` job entirely. * Move the build into compile-webview-part-1 as a step that runs on every event (PR + push), produces the image with `--load`, and tags it locally as `webview-qt5-builder:latest` for the subsequent `docker run` to consume. * Keep the registry-cache backend on ghcr.io/screenly/anthias-webview-qt5-builder:buildcache so cold builds remain fast: `cache-from` always, `cache-to` only on push events (fork PRs have a read-only GITHUB_TOKEN and would 401 on cache write — same gating as docker-build.yaml). Side benefits: * Removes the chicken-and-egg of "PR can't run because GHCR image doesn't exist; GHCR image only gets pushed on master". * Drops the cross-job artifact handoff (and the auth dance to read the published image), so fork PRs work without any GHCR public-flip step. * Two matrix runners (pi2, pi3) build in parallel from the same registry cache — second-onward runs hit cache for everything once the first push to master warms it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-10 09:08:09 -04:00 · 2026-04-30 05:56:52 +00:00
parent 8d46890306
commit 3dc0a04ae4
1 changed files with 27 additions and 51 deletions
--- a/.github/workflows/build-webview.yaml
+++ b/.github/workflows/build-webview.yaml
@@ -19,11 +19,15 @@ on:
      - '!webview/README.md'

 jobs:
-  build-docker-image:
-    name: Build Docker Images (Pi 1-4)
+  compile-webview-part-1:
+    name: Compile Webview (Pi 2-3 / Qt 5)
+    strategy:
+      matrix:
+        board: ['pi2', 'pi3']
    runs-on: ubuntu-24.04
-    # `packages: write` so `docker login ghcr.io` with GITHUB_TOKEN can push
-    # the buildcache tag below. Mirrors docker-build.yaml's `buildx` job.
+    # `packages: write` so the build step's --cache-to can push the
+    # buildcache tag to GHCR on push events. Fork PRs auto-downgrade
+    # to read-only regardless of declared permissions.
    permissions:
      contents: read
      packages: write
@@ -46,62 +50,34 @@ jobs:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Building container
-        if: github.event_name != 'pull_request'
+      - name: Build Qt 5 builder image
        env:
-          # Image and cache live at the same GHCR repo:
-          #   ghcr.io/screenly/anthias-webview-qt5-builder:latest      (image)
-          #   ghcr.io/screenly/anthias-webview-qt5-builder:buildcache  (cache)
-          # Replaces the old screenly/ose-qt-builder:latest on Docker Hub
-          # — same image, new home. Mirrors the anthias-* GHCR namespace
-          # so auth, public-flip, and registry-cache mode=max all share
-          # the same operational pattern as docker-build.yaml.
-          IMAGE_REF: ghcr.io/screenly/anthias-webview-qt5-builder:latest
+          # Build the Qt 5 cross-compile builder inline rather than as a
+          # separate publish job. The image is a CI-internal artifact —
+          # only ever consumed by the next step in this same job — so
+          # there is no need to push it anywhere. Cache layers are still
+          # registry-backed (mirrors docker-build.yaml): `cache-from`
+          # always reads, `cache-to` writes only on push events because
+          # fork-PR GITHUB_TOKENs are read-only and would 401 on cache
+          # write. --load makes the resulting image available to the
+          # local Docker daemon for the `docker run` step below.
          CACHE_REF: ghcr.io/screenly/anthias-webview-qt5-builder:buildcache
        run: |
          cd webview
+          set_args=( --cache-from "type=registry,ref=${CACHE_REF}" )
+          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
+            set_args+=( --cache-to "type=registry,ref=${CACHE_REF},mode=max,image-manifest=true" )
+          fi
          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
          docker buildx build \
-            --cache-from "type=registry,ref=${CACHE_REF}" \
-            --cache-to "type=registry,ref=${CACHE_REF},mode=max,image-manifest=true" \
-            --output "type=image,push=true" \
+            "${set_args[@]}" \
+            --load \
            --build-arg "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
            --build-arg "GIT_HASH=${GIT_SHORT_HASH}" \
            --build-arg "GIT_SHORT_HASH=${GIT_SHORT_HASH}" \
            --build-arg "GIT_BRANCH=${GITHUB_REF_NAME}" \
-            -t "${IMAGE_REF}" .
-
-  compile-webview-part-1:
-    name: Compile Webview (Pi 2-3 / Qt 5)
-    needs: build-docker-image
-    strategy:
-      matrix:
-        board: ['pi2', 'pi3']
-    runs-on: ubuntu-24.04
-    # `packages: read` so the GHCR login below can pull the Qt 5 builder
-    # image. Read is the GITHUB_TOKEN default; declared explicitly to
-    # match the per-job permission scoping convention.
-    permissions:
-      contents: read
-      packages: read
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
-
-      - name: Login to GitHub Container Registry
-        if: success() && github.event_name != 'pull_request'
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+            -t webview-qt5-builder:latest \
+            .

      - name: Cache build layers
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
@@ -143,7 +119,7 @@ jobs:
            -v $(pwd):/webview:ro \
            -e TARGET=${{ matrix.board }} \
            -e WEBVIEW_VERSION="$WEBVIEW_VERSION" \
-            ghcr.io/screenly/anthias-webview-qt5-builder:latest
+            webview-qt5-builder:latest
          docker exec -it qt-builder /webview/build_webview_with_qt5.sh
          docker rm -f qt-builder