fix(ci): resolve Docker build race condition #46

Merged
cpfarhood merged 1 commits from fix/ci-race-condition into main 2026-02-23 21:18:05 +00:00
cpfarhood commented 2026-02-23 21:06:09 +00:00 (Migrated from github.com)

Summary

Fixes a race condition where release-unified.yaml and build-and-push.yaml would both build and push the Docker image during releases, with the losing build potentially overwriting :latest with a stale image (missing tools like crush and opencode).

Root Cause

When release-unified.yaml runs a release:

  1. It pushes a "chore: release version X.Y.Z" commit to main → triggers build-and-push.yaml
  2. It pushes a v* tag → triggers build-and-push.yaml again
  3. It builds the Docker image itself and pushes :latest

This creates up to 3 concurrent Docker builds racing to push :latest. The build-and-push.yaml builds use GHA layer cache which may serve stale layers from before new Dockerfile changes, overwriting the correct :latest image.

Changes

  • Remove tags: ['v*'] trigger — release-unified.yaml already handles the full release flow (Docker build + Helm chart + GitHub release)
  • Remove duplicate release job — Helm packaging and GitHub release creation are handled by release-unified.yaml
  • Remove semver tag patterns from metadata — not needed without tag trigger
  • Skip builds from github-actions[bot] — prevents the "chore: release version" commit from triggering a racing build

After this fix

| Trigger | Workflow | Action |
|---------|----------|--------|
| Push to main (regular) | build-and-push.yaml | Build + push :latest, :main, :sha-xxx |
| Push to main (release commit) | build-and-push.yaml | Skipped (actor is github-actions[bot]) |
| Tag v* push | build-and-push.yaml | Skipped (trigger removed) |
| PR to main | build-and-push.yaml | Build only (no push) |
| Manual release | release-unified.yaml | Full release: Docker + Helm + GitHub Release |

Test plan

  • Trigger a manual release via release-unified.yaml and verify only one Docker build runs
  • Verify :latest image contains crush and opencode after release
  • Verify regular pushes to main still build and push correctly
  • Verify PRs still build (but don't push)

🤖 Generated with Claude Code
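
The trigger layout described in the table above, as an added sketch of what build-and-push.yaml could look like after the change. This is not the repository's actual workflow: the registry, image name, job name, permissions and action versions are assumptions.

```yaml
# Added sketch, not the repository's file. Registry, image name, job name,
# permissions and action versions below are assumptions.
name: build-and-push
on:
  push:
    branches: [main]   # no `tags: ['v*']` entry, so tag pushes do not start this workflow
  pull_request:
    branches: [main]

jobs:
  build:
    # Skip the "chore: release version X.Y.Z" commit pushed by the release workflow,
    # so release-unified.yaml is the only writer of :latest during a release.
    if: github.actor != 'github-actions[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        if: github.event_name != 'pull_request'   # PR builds never need registry credentials
        with:
          registry: ghcr.io                       # assumed registry
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/example-org/example-image   # placeholder image name
          # Branch and commit tags only; semver patterns are gone with the tag trigger.
          tags: |
            type=ref,event=branch
            type=sha
            type=raw,value=latest,enable={{is_default_branch}}
      - uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}   # PR to main: build only
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
```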
