Skip to content

ci: Create per-platform Dockerfile for proper Docker image layer caching #3747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
alco wants to merge 2 commits into from
+22 −6
Closed

ci: Create per-platform Dockerfile for proper Docker image layer caching #3747

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
73374da
ci: Create temporary per-platform Dockerfile for proper image layer c…
alco Jan 20, 2026
21fc809
TMP use personal Docker Hub for testing
alco Jan 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 22 additions & 6 deletions .github/workflows/sync_service_dockerhub_image.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,8 @@ on:
type: string

env:
DOCKERHUB_REPO: electricsql/electric
DOCKERHUB_CANARY_REPO: electricsql/electric-canary
DOCKERHUB_REPO: alco/electric
DOCKERHUB_CANARY_REPO: alco/electric-canary
Comment on lines +26 to +27
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Revert temporary Docker Hub repositories before merging.

These point to a personal Docker Hub account (alco/*) instead of the official electricsql/* repositories. Per the commit message, this is intentionally temporary for testing. Ensure these are reverted to the production values before merge.

-  DOCKERHUB_REPO: alco/electric
-  DOCKERHUB_CANARY_REPO: alco/electric-canary
+  DOCKERHUB_REPO: electricsql/electric
+  DOCKERHUB_CANARY_REPO: electricsql/electric-canary
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
DOCKERHUB_REPO: alco/electric
DOCKERHUB_CANARY_REPO: alco/electric-canary
DOCKERHUB_REPO: electricsql/electric
DOCKERHUB_CANARY_REPO: electricsql/electric-canary
🤖 Prompt for AI Agents 
In @.github/workflows/sync_service_dockerhub_image.yml around lines 26 - 27, The
DOCKERHUB_REPO and DOCKERHUB_CANARY_REPO environment variables currently point
to a personal account; change them back to the official production repositories
by replacing DOCKERHUB_REPO: alco/electric with DOCKERHUB_REPO:
electricsql/electric and DOCKERHUB_CANARY_REPO: alco/electric-canary with
DOCKERHUB_CANARY_REPO: electricsql/electric-canary (update the values wherever
DOCKERHUB_REPO or DOCKERHUB_CANARY_REPO appear in the workflow file).


jobs:
derive_build_vars:
Expand Down Expand Up @@ -111,14 +111,30 @@ jobs:
- uses: docker/login-action@v3
with:
registry: docker.io
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
username: ${{ secrets.DOCKERHUB_USERNAME_ALCO }}
password: ${{ secrets.DOCKERHUB_TOKEN_ALCO }}
Comment on lines +114 to +115
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Revert temporary credentials before merging.

These use personal secrets (DOCKERHUB_USERNAME_ALCO, DOCKERHUB_TOKEN_ALCO) instead of the production credentials. Revert to the original secrets.

-          username: ${{ secrets.DOCKERHUB_USERNAME_ALCO }}
-          password: ${{ secrets.DOCKERHUB_TOKEN_ALCO }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
username: ${{ secrets.DOCKERHUB_USERNAME_ALCO }}
password: ${{ secrets.DOCKERHUB_TOKEN_ALCO }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
🤖 Prompt for AI Agents 
In @.github/workflows/sync_service_dockerhub_image.yml around lines 114 - 115,
Replace the temporary personal Docker Hub secrets used in the workflow: change
the username and password values that reference DOCKERHUB_USERNAME_ALCO and
DOCKERHUB_TOKEN_ALCO back to the production secrets (restore the original secret
names used for CI/CD). Edit the username/password entries in the
sync_service_dockerhub_image.yml workflow (the lines providing username: and
password:) to reference the correct production secret identifiers instead of
DOCKERHUB_USERNAME_ALCO and DOCKERHUB_TOKEN_ALCO.


- name: Create a temporary per-platform Dockerfile (CI only)
run: |
set -euo pipefail

source_dockerfile="packages/sync-service/Dockerfile"

# Make the Dockerfile path unique per platform so Blacksmith uses separate sticky
# disks for image layer caching.
# Without this, caches produced by builds for different platforms trample each other
# and only the last written cache is persistent for subsequent builds.
dst="/tmp/sync-service.Dockerfile.${{ matrix.platform_id }}"
{ echo "# blacksmith-cache-scope: sync-service/${{ matrix.platform_id }}"; cat "$source_dockerfile"; } > "$dst"

echo "SYNC_SERVICE_DOCKERFILE=$dst" >> "$GITHUB_ENV"

- name: Build and push by digest
id: build
uses: useblacksmith/build-push-action@v2
with:
context: packages/sync-service
file: ${{ env.SYNC_SERVICE_DOCKERFILE }}
build-contexts: |
electric-telemetry=packages/electric-telemetry
build-args: |
Expand Down Expand Up @@ -149,8 +165,8 @@ jobs:
steps:
- uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
username: ${{ secrets.DOCKERHUB_USERNAME_ALCO }}
password: ${{ secrets.DOCKERHUB_TOKEN_ALCO }}
Comment on lines +168 to +169
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Revert temporary credentials before merging.

Same as the build job—revert to production secrets.

-          username: ${{ secrets.DOCKERHUB_USERNAME_ALCO }}
-          password: ${{ secrets.DOCKERHUB_TOKEN_ALCO }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
username: ${{ secrets.DOCKERHUB_USERNAME_ALCO }}
password: ${{ secrets.DOCKERHUB_TOKEN_ALCO }}
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
🤖 Prompt for AI Agents 
In @.github/workflows/sync_service_dockerhub_image.yml around lines 168 - 169,
Replace the temporary Docker Hub credentials used in the workflow (the username
and password fields referencing secrets.DOCKERHUB_USERNAME_ALCO and
DOCKERHUB_TOKEN_ALCO) with the production secrets; update the username and
password entries to point to the canonical production secret names (the same
ones used in the build job) so the workflow uses the proper production
DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets before merging.


- uses: useblacksmith/setup-docker-builder@v1

Expand Down