perf: enable GHA cache for base image layers in Docker builds

Add ARG CACHE_BUST boundary in Dockerfile before curl-latest tool
installs. Layers above (base image, apt, Chrome) are cached via GHA
cache; layers below are rebuilt every build via CACHE_BUST=$GITHUB_SHA.
Replaces the blanket no-cache approach that also prevented caching the
expensive base image.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/build-and-push.yaml

@@ -56,5 +56,7 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          no-cache: true
+          build-args: CACHE_BUST=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           platforms: linux/amd64

.github/workflows/release-unified.yaml

@@ -96,7 +96,9 @@ jobs:
         with:
           context: .
           push: true
-          no-cache: true
+          build-args: CACHE_BUST=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
           tags: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}

Dockerfile

@@ -56,6 +56,13 @@ exec /usr/bin/google-chrome-stable \\\n\
   "$@"\n' > /usr/local/bin/google-chrome && \
     chmod +x /usr/local/bin/google-chrome
 
+# --- Cache boundary ---
+# Everything above here is deterministic (apt packages, fixed base image) and
+# safe to serve from the Docker layer cache.  Everything below fetches "latest"
+# releases via curl, so a changing CACHE_BUST arg forces a rebuild from this
+# point onward while still reusing the expensive base-image / apt layers.
+ARG CACHE_BUST
+
 # Install Claude Code native binary (npm wrapper breaks remote control)
 RUN curl -fsSL https://claude.ai/install.sh | bash && \
     cp /root/.local/bin/claude /usr/local/bin/claude && \