
ci: Swatinem caching + opt-in mold + build-once release image#26

Merged
geekbrother merged 3 commits into fix/dont_block_on_trivy from ci/swatinem-rust-cache on Jun 19, 2026
Conversation

@geekbrother

Contributor

Folds the Rust CI/CD improvements that pay-core has been consuming via
@ci/swatinem-rust-cache into the canonical fix/dont_block_on_trivy ref, so
consumers can pin to it instead of the floating feature branch.

Clean merge: 3 ahead / 0 behind fix/dont_block_on_trivy.

Changes

  1. ci-check-app.yml → Swatinem/rust-cache (+53/-153)

    • Replaces the hand-rolled actions/cache (restore + "clean target" + save, keyed only on Cargo.lock → immutable/frozen) with Swatinem/rust-cache (pinned v2.9.1) in clippy / tests / tests-suites / udeps.
    • Drops caching from the formatting job (cargo fmt doesn't compile).
    • Removes the no-op sccache steps (no backend was configured; kept the use-sccache input as a deprecated no-op so callers don't break).
  2. Opt-in mold linker for the test jobs (ci.yml + ci-check-app.yml, +5)

    • New use-mold / rust-use-mold input (default false). When enabled, installs mold+clang and sets RUSTFLAGS before the cache step (so it's in the key) on tests + tests-suites only — the jobs that actually link.
    • clippy/fmt excluded (no link → mold doesn't help). Default-off because mold can't read ThinLTO bitcode, so cargo test --release/LTO builds would break.
  3. Build the release image once, push per env (release-app.yml, +107/-11)

    • publish previously ran a parallel matrix over envs, each doing a full Docker compile → the identical image compiled twice.
    • Restructured to build once → tarball artifact → per-env push (same pattern as pay-core's canary): build compiles once on the configurable run-label runner; publish (matrix per env) loads the tarball and tags/pushes to each env's ECR + GHCR on ubuntu-latest. Env config is injected at runtime, so the image is identical across envs.
    • ⚠️ The release image build only runs in the deploy pipeline (no PR-time validation) — validate on a staging deploy before relying on it for prod.

After merge

Consumers (pay-core) revert their @ci/swatinem-rust-cache refs back to @fix/dont_block_on_trivy so everything is on one ref again.

geekbrother and others added 3 commits June 11, 2026 18:46
Replace the per-job hand-rolled actions/cache (restore + "clean target
if Cargo.lock changed" + save), keyed only on Cargo.lock, with
Swatinem/rust-cache in clippy / tests / tests-suites / unused-deps.

- Each job uses a Swatinem shared-key (clippy, tests, tests-suites,
  unused-deps) and maps the existing knobs: prefix-key <-
  rust-cache-prefix, save-if <- rust-cache-save. Swatinem keys on
  rustc + Cargo.lock + workspace and prunes stale workspace artifacts
  before saving, fixing the immutable-cache staleness of a
  Cargo.lock-only key.
- Formatting job no longer caches anything: `cargo fmt -- --check`
  does not compile, so restoring/saving ~/.cargo + target/ was pure
  waste.
- sccache steps removed: no persistent backend was ever configured
  (the object store was not cached), so it gave no cross-run benefit
  and disabled incremental compilation, fighting the target/ cache.
  The `use-sccache` input is kept (deprecated, no-op) so existing
  callers and ci.yml don't break.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mold is a linker, so it only helps jobs that link a binary — tests and
tests-suites, not clippy (check-only) or formatting (no compile). Add a
`use-mold` input (default false) and, when enabled, install mold+clang and set
RUSTFLAGS before the Swatinem cache step (so the linker flags are part of the
cache key) in those two jobs only.

Opt-in by default because this is a shared workflow: mold cannot read ThinLTO
bitcode objects without the LLVM plugin, so `cargo test --release` / LTO test
builds would fail at link time. Plumb the matching `rust-use-mold` input
through ci.yml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

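
The cache and linker changes from items 1 and 2 of the description (and the first two commit messages above) as one reusable workflow. This is an added example, not the project's ci-check-app.yml: the job names, the use-mold / use-sccache / rust-cache-prefix / rust-cache-save inputs and the Swatinem/rust-cache@v2.9.1 pin come from the PR text, while the toolchain action, the apt package names, the exact RUSTFLAGS values and the cargo invocations are assumptions.

```yaml
# Added example (not the project's ci-check-app.yml). Input and job names
# follow the PR; toolchain action, apt packages and RUSTFLAGS are assumptions.
name: ci-check-app

on:
  workflow_call:
    inputs:
      rust-cache-prefix:
        type: string
        default: "v0-rust"
      rust-cache-save:            # maps to Swatinem save-if
        type: boolean
        default: true
      use-mold:                   # opt-in; default off because of the ThinLTO caveat
        type: boolean
        default: false
      use-sccache:                # deprecated no-op, kept so existing callers don't break
        type: boolean
        default: false

jobs:
  formatting:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: rustfmt
      # No cache step: cargo fmt never compiles, so ~/.cargo and target/ are untouched.
      - run: cargo fmt --all -- --check

  clippy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      # Key = rustc version + Cargo.lock + workspace sources (+ RUSTFLAGS-style env);
      # stale workspace crates are pruned before save, unlike a Cargo.lock-only key.
      - uses: Swatinem/rust-cache@v2.9.1
        with:
          shared-key: clippy
          prefix-key: ${{ inputs.rust-cache-prefix }}
          save-if: ${{ inputs.rust-cache-save }}
      # check-only: nothing is linked here, so mold is deliberately not wired in.
      - run: cargo clippy --all-targets --all-features -- -D warnings

  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      # Linker setup comes BEFORE the cache step: rust-cache folds RUSTFLAGS into
      # its key, so mold and non-mold builds never restore each other's target/.
      - name: Install mold (opt-in)
        if: ${{ inputs.use-mold }}
        run: |
          sudo apt-get update
          sudo apt-get install -y --no-install-recommends mold clang
          echo "RUSTFLAGS=-C linker=clang -C link-arg=-fuse-ld=mold" >> "$GITHUB_ENV"
      - uses: Swatinem/rust-cache@v2.9.1
        with:
          shared-key: tests
          prefix-key: ${{ inputs.rust-cache-prefix }}
          save-if: ${{ inputs.rust-cache-save }}
      # Debug profile only: mold cannot consume ThinLTO bitcode without the LLVM
      # plugin, so `cargo test --release` with LTO enabled would fail at link time.
      - run: cargo test --workspace
```

Two things to check before adopting this shape: a caller that enables use-mold must not also pass a release/LTO profile to the test jobs (the link step fails, not the cache), and for supply-chain hygiene the third-party actions should be pinned to a commit SHA rather than the tag shown here (the SHAs are omitted as unknown, not as a recommendation to use tags).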
release-app.yml previously published via a parallel matrix over publish-envs,
with each env (Staging, Prod) running build-publish.yml — a full Docker
compile. Because the legs ran in parallel they couldn't share the gha layer
cache, so the identical image was compiled twice (~2x the slowest build).

Restructure into build-once / push-per-env (same pattern as pay-core's canary
image):
- `build`: compiles the image once on the configurable run-label runner and
  exports it to a tarball artifact (gha layer cache retained).
- `publish` (matrix per env): downloads the tarball, docker load, then tags +
  pushes to that env's ECR (its own role) and GHCR. No compile — runs on
  ubuntu-latest. Env config is injected at runtime in ECS, so the image is
  identical across envs.

build-publish.yml is left in place for any direct callers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
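
The build-once / push-per-env shape from item 3 of the description and the third commit message above. This is an added example, not the project's release-app.yml: the build / publish job split, the tarball artifact, the configurable run-label runner, the matrix over publish-envs and the "own ECR role per env + GHCR" push come from the PR text; the image name, the ECR repository path, the AWS region, the per-environment variable AWS_ROLE_ARN (a GitHub Environment variable) and the lowercase env names are assumptions.

```yaml
# Added example (not the project's release-app.yml). Job layout follows the PR;
# image name, ECR repo, region, env names and vars.AWS_ROLE_ARN are assumptions.
name: release-app

on:
  workflow_call:
    inputs:
      run-label:                  # runner for the single compile
        type: string
        default: ubuntu-latest
      publish-envs:               # JSON list of envs to push to (assumed names)
        type: string
        default: '["staging","prod"]'

permissions:
  contents: read
  id-token: write               # OIDC to assume each env's ECR role
  packages: write               # GHCR push

jobs:
  build:
    runs-on: ${{ inputs.run-label }}
    outputs:
      image-id: ${{ steps.inspect.outputs.id }}
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      # One compile; the gha layer cache still applies because there is one leg.
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: false
          load: true
          tags: app:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # Record the image ID so publish can prove it pushes exactly this build.
      - id: inspect
        run: |
          docker save --output /tmp/app.tar app:${{ github.sha }}
          echo "id=$(docker image inspect --format '{{.Id}}' app:${{ github.sha }})" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: app-image
          path: /tmp/app.tar
          retention-days: 1       # the registries are the system of record, not the artifact

  publish:
    needs: build
    runs-on: ubuntu-latest        # no compile here, so the build runner is not needed
    strategy:
      matrix:
        env: ${{ fromJSON(inputs.publish-envs) }}
    environment: ${{ matrix.env }}   # scopes vars.AWS_ROLE_ARN to this env
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app-image
          path: /tmp
      - run: docker load --input /tmp/app.tar
      # Check: the loaded image is the one build produced (image IDs survive
      # save/load), so every env pushes an identical image by construction.
      - run: |
          test "$(docker image inspect --format '{{.Id}}' app:${{ github.sha }})" = "${{ needs.build.outputs.image-id }}"
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}   # this env's own role only
          aws-region: us-east-1
      - id: ecr
        uses: aws-actions/amazon-ecr-login@v2
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          for ref in "${{ steps.ecr.outputs.registry }}/app:${{ matrix.env }}-${{ github.sha }}" \
                     "ghcr.io/${{ github.repository }}:${{ matrix.env }}-${{ github.sha }}"; do
            docker tag "app:${{ github.sha }}" "$ref"
            docker push "$ref"
          done
```

The image-ID assertion is the practitioner check worth keeping: the artifact store is writable by any job in the same run, so comparing what publish loads against what build recorded turns "identical across envs" from a claim into something the pipeline enforces, and the same ID is what a staging deploy should be compared against before the prod leg is trusted.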
@geekbrother geekbrother self-assigned this Jun 15, 2026
@geekbrother geekbrother requested a review from chris13524 June 15, 2026 09:53
@geekbrother geekbrother merged commit a23093c into fix/dont_block_on_trivy Jun 19, 2026