From fdae51613436a29b00118131a8d17b61281a1b3b Mon Sep 17 00:00:00 2001 From: BigSimmo <87357024+BigSimmo@users.noreply.github.com> Date: Wed, 8 Jul 2026 16:43:10 +0800 Subject: [PATCH 1/2] ci: build production app + worker Docker images from main MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a non-blocking "Docker image build" workflow that runs the exact npm ci + next build the Fly.io / Cloud Run deploy runs, on a GitHub runner with enough memory for the build's 8 GiB heap (local Docker Desktop OOMs on it). Fulfils the deploy contract in docs/deployment-architecture.md ("Images are built from main"): every main/release push now proves the tree produces a deployable image before a real deploy. Nothing is pushed to a registry — the build just succeeds or fails. Gated to main/release/dispatch/schedule to bound CI cost; run on a branch on demand via "Run workflow". Co-Authored-By: Claude Opus 4.8 --- .github/workflows/docker-image.yml | 71 ++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/docker-image.yml diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml new file mode 100644 index 000000000..15d2a135a --- /dev/null +++ b/.github/workflows/docker-image.yml @@ -0,0 +1,71 @@ +name: Docker image build + +# Validates that the production app and worker images build cleanly from the +# tree — the deploy contract in docs/deployment-architecture.md ("Images are +# built from main"). Runs the exact `npm ci` + `next build` the Fly.io / Cloud +# Run deploy runs, on a runner with enough memory for the build's 8 GiB heap +# (local Docker Desktop OOMs on this build; GitHub runners have ~16 GiB). +# +# Non-blocking: this is a standalone workflow, not part of the required `verify` +# check. Nothing is pushed to a registry — the build either succeeds or fails. +# Gated to main / release / dispatch / schedule (not every PR) to bound CI cost; +# run it on a branch on demand via the "Run workflow" button. + +on: + push: + branches: [main, "release/**"] + workflow_dispatch: + schedule: + - cron: "0 18 * * 0" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + app-image: + runs-on: ubuntu-latest + timeout-minutes: 30 + steps: + - name: Checkout + uses: actions/checkout@v7 + with: + persist-credentials: false + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build app image (no push) + uses: docker/build-push-action@v6 + with: + context: . + file: Dockerfile + push: false + # The publishable key is public-by-design and only inlines into the + # client bundle, so the CI placeholder is enough to validate the build. + # Real production images are built with the real key at deploy time. + build-args: | + NEXT_PUBLIC_SUPABASE_URL=https://sjrfecxgysukkwxsowpy.supabase.co + NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY=placeholder-ci-publishable-key + + worker-image: + runs-on: ubuntu-latest + timeout-minutes: 30 + steps: + - name: Checkout + uses: actions/checkout@v7 + with: + persist-credentials: false + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build worker image (no push) + uses: docker/build-push-action@v6 + with: + context: . + file: Dockerfile.worker + push: false From fda54d194f849c1e3844e64ffcf595e80cb89496 Mon Sep 17 00:00:00 2001 From: BigSimmo <87357024+BigSimmo@users.noreply.github.com> Date: Wed, 8 Jul 2026 16:46:24 +0800 Subject: [PATCH 2/2] ci: also validate images on container-affecting PRs Adds a paths-scoped pull_request trigger (Dockerfiles, deps, engine/build guards, the workflow itself) so containerization is validated before merge when it can actually break, without rebuilding on every src-only PR (verify already runs next build for those). Co-Authored-By: Claude Opus 4.8 --- .github/workflows/docker-image.yml | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 15d2a135a..296b83f7f 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -8,12 +8,32 @@ name: Docker image build # # Non-blocking: this is a standalone workflow, not part of the required `verify` # check. Nothing is pushed to a registry — the build either succeeds or fails. -# Gated to main / release / dispatch / schedule (not every PR) to bound CI cost; -# run it on a branch on demand via the "Run workflow" button. +# Runs on main/release pushes, the weekly schedule, manual dispatch, and PRs that +# touch container-affecting files (Dockerfiles, deps, engine/build guards) — not +# every src-only PR, since `verify` already runs `next build` for those. on: push: branches: [main, "release/**"] + # PRs only rebuild the images when a container-affecting file changes — the + # `verify` job already runs `next build` for src changes, so this stays focused + # on containerization (Dockerfiles, dependency install, engine guard, OCR deps) + # and does not rebuild on every src-only PR. + pull_request: + branches: [main, "release/**"] + paths: + - "Dockerfile" + - "Dockerfile.worker" + - ".dockerignore" + - "package.json" + - "package-lock.json" + - ".npmrc" + - ".nvmrc" + - "next.config.ts" + - "worker/python/requirements.txt" + - "scripts/check-node-engine.cjs" + - "scripts/guard-next-build.mjs" + - ".github/workflows/docker-image.yml" workflow_dispatch: schedule: - cron: "0 18 * * 0"