From 3563f1b1296011fa1d8ed80786d671f5e26e55e0 Mon Sep 17 00:00:00 2001
From: Julian Goldstein <julian.goldstein0@gmail.com>
Date: Fri, 19 Jun 2026 13:16:42 -0500
Subject: [PATCH] ci: ignore Dockerfile comments/blanks when fingerprinting
 [bump:patch]

The change-detection fingerprint hashed the whole Dockerfile, so a comment- or
whitespace-only edit forced a full from-source rebuild (e.g. a one-word doc
tweak to Dockerfile.qemu would rebuild qemu on both arches). Normalise the
Dockerfile first: drop blank lines and line-leading comments, but keep parser
directives (# syntax=, # escape=) which do affect the build. Inline '#' is left
intact since it is not a Dockerfile comment. Real instruction changes still
rebuild.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .github/workflows/vendor.yml | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/vendor.yml b/.github/workflows/vendor.yml
index 20f6794..22fb1ae 100644
--- a/.github/workflows/vendor.yml
+++ b/.github/workflows/vendor.yml
@@ -84,10 +84,23 @@ jobs:
           read_src() {  # ref path
             if [ "$1" = WORK ]; then cat "$2"; else git show "$1:$2" 2>/dev/null || true; fi
           }
+          # Normalise a Dockerfile for fingerprinting: drop blank lines and
+          # full-line comments (in a Dockerfile only a line-leading '#' is a
+          # comment; inline '#' is part of the instruction) so doc-only edits
+          # don't force a rebuild. Parser directives (# syntax=, # escape=) are
+          # build-significant, so keep them.
+          norm_df() {
+            awk '{ low = tolower($0) }
+                 low ~ /^[[:space:]]*#[[:space:]]*(syntax|escape)=/ { print; next }
+                 /^[[:space:]]*#/                                   { next }
+                 /^[[:space:]]*$/                                   { next }
+                 { print }'
+          }
           # Fingerprint a from-source tool's build inputs: exactly what the Docker
-          # build consumes — its Dockerfile plus the version vars passed as
-          # build-args. We hash only those keys (not the whole versions.env), so
-          # CI's own checksum/version edits never masquerade as a real change.
+          # build consumes — its Dockerfile (sans comments/blanks) plus the
+          # version vars passed as build-args. We hash only those keys (not the
+          # whole versions.env), so CI's own checksum/version edits never
+          # masquerade as a real change.
           fingerprint() {  # ref tool
             case "$2" in
               clang) df=build/Dockerfile.clang; keys="LLVM_VERSION ALPINE_TAG" ;;
@@ -96,7 +109,7 @@ jobs:
               qemu)  df=build/Dockerfile.qemu;  keys="QEMU_VERSION LIBSLIRP_VERSION ALPINE_TAG" ;;
             esac
             env="$(read_src "$1" build/versions.env)"
-            { read_src "$1" "$df"
+            { read_src "$1" "$df" | norm_df
               for k in $keys; do printf '%s\n' "$env" | grep "^$k=" || true; done
             } | sha256sum | awk '{print $1}'
           }