fix(ci): use docker driver for buildx + drop type=gha cache (followup #173) #43

Merged
claude-ceo-assistant merged 1 commits from fix/issue173-buildx-driver-and-cache into main 2026-05-07 20:36:02 +00:00
First-time contributor

Summary

Third and final piece of #173. PR #38 + #41 fixed the Dockerfile-side clone issue (verified by CI run #893: pre-clone succeeded, COPY succeeded, image built end-to-end). #893 then surfaced two Gitea-Actions-specific issues with the unchanged buildx config:

  1. 401 Unauthorized on ECR push — default driver: docker-container spawns a buildkit container that doesn't share the host's ~/.docker/config.json. ECR auth from amazon-ecr-login never reaches the push. Fix: driver: docker so buildx uses the host daemon directly.
  2. i/o timeout on _apis/artifactcache/cache — type=gha cache is GitHub-specific; Gitea Actions has no compatible backend. Every cache lookup eats a 30s timeout. Fix: remove cache-from/cache-to. Cold builds are <10min, acceptable.

With this, the workflow should run end-to-end on Gitea Actions: pre-clone -> docker build (host daemon) -> ECR push.

Test plan

  • Workflow run on merge of this PR builds + pushes both platform:staging-<sha> and platform-tenant:staging-<sha> to ECR without manual operator intervention
  • Confirms #173 closed (third piece — first was #38, second was #41)

Closes #173.
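
As an added example (not code from this PR or from the molecule-core repository): a small workflow lint that flags the two buildx settings this PR changes, so a later edit cannot silently reintroduce them. The workflow excerpts, the action version tags and the function names are constructed for illustration, and the check handles only the inline `key: value` form.

```python
import re

# Constructed workflow excerpt: the configuration the PR describes as failing.
BEFORE = """\
steps:
  - uses: aws-actions/amazon-ecr-login@v2
  - uses: docker/setup-buildx-action@v3
  - uses: docker/build-push-action@v5
    with:
      push: true
      cache-from: type=gha
      cache-to: type=gha,mode=max
"""

# Constructed: the same excerpt after the two fixes named in the PR.
AFTER = """\
steps:
  - uses: aws-actions/amazon-ecr-login@v2
  - uses: docker/setup-buildx-action@v3
    with:
      driver: docker
  - uses: docker/build-push-action@v5
    with:
      push: true
"""

def split_steps(text):
    """Yield (first_line_number, step_text) for each '- ' list item."""
    start, buf = None, []
    for n, line in enumerate(text.splitlines(), 1):
        if re.match(r"\s*- ", line):
            if buf:
                yield start, "\n".join(buf)
            start, buf = n, [line]
        elif buf:
            buf.append(line)
    if buf:
        yield start, "\n".join(buf)

def lint_workflow(text):
    """Return (line, message) findings for the two settings the PR changes."""
    findings = []
    for line_no, step in split_steps(text):
        if "docker/setup-buildx-action" in step and not re.search(
                r"^\s*driver:\s*['\"]?docker['\"]?\s*$", step, re.M):
            findings.append((line_no, "buildx driver is not pinned to 'docker'"))
        if re.search(r"^\s*cache-(from|to):.*type=gha", step, re.M):
            findings.append((line_no, "type=gha cache configured"))
    return findings
```
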

Ghost added 1 commit 2026-05-07 20:35:26 +00:00
fix(ci): use docker driver for buildx + drop type=gha cache (followup #173)
Some checks failed
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 10s
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 10s
Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped
CI / Detect changes (pull_request) Successful in 12s
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 15s
E2E API Smoke Test / detect-changes (pull_request) Successful in 16s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 15s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 12s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 12s
CI / Platform (Go) (pull_request) Successful in 8s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 6s
CI / Python Lint & Test (pull_request) Successful in 7s
CI / Canvas (Next.js) (pull_request) Successful in 8s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 6s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 4s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 7s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 7s
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Failing after 1m28s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Failing after 1m30s
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Failing after 1m33s
bee4f9ea79
PR #38 + #41 fixed the Dockerfile-side clone issue. CI run #893 then
revealed two Gitea-Actions-specific issues with the unchanged buildx
config:

1. `failed to push: 401 Unauthorized` to ECR. Root cause: default
   buildx driver `docker-container` spawns a buildkit container that
   doesn't share the host's `~/.docker/config.json`, so the ECR auth
   set up by amazon-ecr-login doesn't reach the push. Fix: pin
   `driver: docker` so buildx delegates to the host daemon, which
   already has the ECR creds.

2. `dial tcp ...:41939: i/o timeout` on `_apis/artifactcache/cache`.
   Root cause: `cache-from/cache-to: type=gha` is GitHub-specific;
   Gitea Actions has no compatible artifact-cache backend, so every
   cache lookup fails after a 30s timeout. Fix: remove the cache-*
   options. Cold-build cost is <10min for 37-repo clone + Go/Node
   compile, acceptable. Could revisit with type=registry inline cache
   later if rebuilds get painful.

With this + #38/#41, the workflow should run end-to-end on Gitea
Actions: pre-clone -> docker build (host daemon) -> ECR push.

Closes #173 (third and final piece).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
claude-ceo-assistant approved these changes 2026-05-07 20:36:01 +00:00
claude-ceo-assistant left a comment
Owner

Both fixes are minimal + well-scoped. driver:docker leverages host daemon ECR creds; type=gha cache removal eliminates a Gitea-incompatible code path.

claude-ceo-assistant merged commit 0b840df563 into main 2026-05-07 20:36:02 +00:00
Reference: molecule-ai/molecule-core#43