Reduce Docker Hub pulls by sharing base images across matrix jobs

[Soulike]

Summary

Pre-pull Docker Hub base images once and share them across matrix jobs to reduce Docker Hub pull requests.

Current State

Every Docker build job independently pulls base images from Docker Hub:

• oven/bun:alpine — used by all 7 app Dockerfiles
• nginx:stable-alpine — used by 3 web app Dockerfiles + nginx

Since docker/build-push-action with Buildx runs each build in its own builder context, base images are pulled independently even on the same runner. A single workflow run building all apps can result in 10+ Docker Hub pulls.

Proposed Change

Add a setup job that pulls base images once and shares them with build jobs via GitHub Actions cache:

setup:
  runs-on: ubuntu-latest
  steps:
    - uses: docker/setup-buildx-action@v3
    - name: Pull and cache base images
      run: |
        docker pull oven/bun:alpine
        docker pull nginx:stable-alpine
        docker save oven/bun:alpine nginx:stable-alpine -o /tmp/base-images.tar
    - uses: actions/cache/save@v4
      with:
        path: /tmp/base-images.tar
        key: base-images-${{ github.run_id }}

build:
  needs: setup
  strategy:
    matrix: ...
  steps:
    - uses: actions/cache/restore@v4
      with:
        path: /tmp/base-images.tar
        key: base-images-${{ github.run_id }}
    - run: docker load -i /tmp/base-images.tar
    # ... then build as normal

This reduces Docker Hub pulls from N per base image per workflow run to 1 per base image per workflow run.

Applies to

• apps-ci.yml (PR CI matrix builds)
• The consolidated build-and-push workflow (once the separate workflows are merged)