From a378c0f91349fb19ffe41ece37051b2e58c05c90 Mon Sep 17 00:00:00 2001
From: DevContainer User
Date: Tue, 3 Mar 2026 16:46:47 +0000
Subject: [PATCH] perf: enable GHA cache for base image layers in Docker builds
Add ARG CACHE_BUST boundary in Dockerfile before curl-latest tool installs. Layers above (base image, apt, Chrome) are cached via GHA cache; layers below are rebuilt every build via CACHE_BUST=$GITHUB_SHA. Replaces the blanket no-cache approach that also prevented caching the expensive base image.
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/build-and-push.yaml | 4 +++-
 .github/workflows/release-unified.yaml | 4 +++-
 Dockerfile | 7 +++++++
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
index 5f8f81c..8a0f3c7 100644
--- a/.github/workflows/build-and-push.yaml
+++ b/.github/workflows/build-and-push.yaml
@@ -56,5 +56,7 @@ jobs:
 push: ${{ github.event_name != 'pull_request' }}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
- no-cache: true
+ build-args: CACHE_BUST=${{ github.sha }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
 platforms: linux/amd64
diff --git a/.github/workflows/release-unified.yaml b/.github/workflows/release-unified.yaml
index 0b4d85f..602129f 100644
--- a/.github/workflows/release-unified.yaml
+++ b/.github/workflows/release-unified.yaml
@@ -96,7 +96,9 @@ jobs:
 with:
 context: .
 push: true
- no-cache: true
+ build-args: CACHE_BUST=${{ github.sha }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
 tags: |
 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version }}
diff --git a/Dockerfile b/Dockerfile
index 1d0f6f2..a4e5632 100644
--- a/Dockerfile
+++ b/Dockerfile
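Review bot: `CACHE_BUST=${{ github.sha }}` only changes when the commit changes, so the layers below the boundary are not rebuilt on a re-run of the same commit, and the release-unified.yaml hunk passes the identical value while neither hunk sets a cache `scope`. A release cut from a commit that build-and-push already built could therefore reuse the cached "latest" tool layers instead of fetching them again, which does not match the commit message's "rebuilt every build". If per-run freshness is the intent, a per-run value such as `build-args: CACHE_BUST=${{ github.run_id }}-${{ github.run_attempt }}` provides it. The step's `uses:` line is outside the hunk, so the input names are assumed to be those of the Docker build action.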
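Review bot: The release build now restores layers from `cache-from: type=gha` with no `scope`, so the published image can contain base, apt and Chrome layers produced by an earlier run of a different workflow rather than by the release job itself. Anything able to write to a cache that the release run is allowed to read then influences what ships; giving the release job its own scope, e.g. `cache-from: type=gha,scope=release` with `cache-to: type=gha,mode=max,scope=release` (scope name illustrative), or keeping `no-cache: true` here and caching only in build-and-push.yaml, keeps that trust boundary narrow. Which refs trigger this workflow is not visible in the hunk, so the set of caches it can actually read should be confirmed.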
@@ -56,6 +56,13 @@ exec /usr/bin/google-chrome-stable \\\n\ "$@"\n' > /usr/local/bin/google-chrome && \ chmod +x /usr/local/bin/google-chrome +# --- Cache boundary --- +# Everything above here is deterministic (apt packages, fixed base image) and +# safe to serve from the Docker layer cache. Everything below fetches "latest" +# releases via curl, so a changing CACHE_BUST arg forces a rebuild from this +# point onward while still reusing the expensive base-image / apt layers. +ARG CACHE_BUST + # Install Claude Code native binary (npm wrapper breaks remote control) RUN curl -fsSL https://claude.ai/install.sh | bash && \ cp /root/.local/bin/claude /usr/local/bin/claude && \
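Review bot: The new comment calls the layers above the boundary deterministic, but an apt install of unpinned packages (and of google-chrome-stable, judging by the wrapper script in the context lines) resolves to whatever the repository serves at build time. With `no-cache: true` removed from both workflows, those layers are reused until the cache entry expires or the instruction text changes, so browser and OS security updates no longer arrive with each build. I would reword the comment to `# Everything above is slow-changing and served from the layer cache; it is refreshed only when BASE_REFRESH changes` and declare a second `ARG BASE_REFRESH` (name illustrative) ahead of the apt step, fed a weekly date from the workflow, or add a scheduled uncached build. The FROM and apt lines are outside this hunk, so whether a digest or package versions are pinned there should be checked first.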