add three-tier ci-base rebuild (dev/stage) to CI workflows

2026-05-07 15:51:24 -05:00
parent a3732a1e9a
commit 81a1a624f1
2 changed files with 94 additions and 0 deletions
@@ -252,4 +252,51 @@ jobs:
            --source=el-compiler/runtime/el_runtime.js

          echo "Published El SDK version=${VERSION} to foundation-dev"
+          # Keep key alive for the ci-base rebuild step below
+          # (deleted in that step after docker push)
+
+      - name: Rebuild ci-base with fresh El SDK (dev)
+        # Patches ci-base:dev in-place: pulls the existing image (which has all
+        # system deps — Node, Go, gcloud, Docker CLI, etc.) and overlays the freshly
+        # built El SDK on top. Keeps the full ci-base rebuild fast and incremental.
+        if: github.event_name == 'push'
+        env:
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+        run: |
+          set -euo pipefail
+          CI_BASE="us-central1-docker.pkg.dev/neuron-785695/neuron-ci/ci-base"
+          SHA="${GITHUB_SHA:0:8}"
+
+          echo "${GCP_SA_KEY}" > /tmp/gcp-key.json
+          gcloud auth activate-service-account --key-file=/tmp/gcp-key.json
+          gcloud config set project neuron-785695
+          gcloud auth configure-docker us-central1-docker.pkg.dev --quiet
+
+          # Pull existing ci-base:dev (system deps stay cached in the base layer)
+          docker pull "${CI_BASE}:dev" || docker pull "${CI_BASE}:latest"
+
+          # Inline Dockerfile — only replaces the El SDK layer
+          cat > /tmp/Dockerfile.ci-base-patch << 'EOF'
+          ARG BASE
+          FROM ${BASE}
+          COPY dist/platform/elc                 /opt/el/dist/platform/elc
+          COPY dist/bin/elb                       /opt/el/dist/bin/elb
+          COPY el-compiler/runtime/el_runtime.c  /opt/el/el-compiler/runtime/el_runtime.c
+          COPY el-compiler/runtime/el_runtime.h  /opt/el/el-compiler/runtime/el_runtime.h
+          COPY el-compiler/runtime/el_runtime.js /opt/el/el-compiler/runtime/el_runtime.js
+          RUN chmod +x /opt/el/dist/platform/elc /opt/el/dist/bin/elb
+          EOF
+
+          docker build \
+            --build-arg BASE="${CI_BASE}:dev" \
+            --build-arg BUILDKIT_INLINE_CACHE=1 \
+            -f /tmp/Dockerfile.ci-base-patch \
+            -t "${CI_BASE}:dev" \
+            -t "${CI_BASE}:dev-${SHA}" \
+            .
+
+          docker push "${CI_BASE}:dev"
+          docker push "${CI_BASE}:dev-${SHA}"
+
+          echo "ci-base rebuilt: ${CI_BASE}:dev (${SHA})"
          rm -f /tmp/gcp-key.json
@@ -246,4 +246,51 @@ jobs:
            --source=el-compiler/runtime/el_runtime.h

          echo "Published El SDK version=${VERSION} to foundation-stage"
+          # Keep key alive for the ci-base rebuild step below
+          # (deleted in that step after docker push)
+
+      - name: Rebuild ci-base with fresh El SDK (stage)
+        # Patches ci-base:stage in-place: pulls the existing image (which has all
+        # system deps — Node, Go, gcloud, Docker CLI, etc.) and overlays the freshly
+        # built El SDK on top. Keeps the full ci-base rebuild fast and incremental.
+        if: github.event_name == 'push'
+        env:
+          GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
+        run: |
+          set -euo pipefail
+          CI_BASE="us-central1-docker.pkg.dev/neuron-785695/neuron-ci/ci-base"
+          SHA="${GITHUB_SHA:0:8}"
+
+          echo "${GCP_SA_KEY}" > /tmp/gcp-key.json
+          gcloud auth activate-service-account --key-file=/tmp/gcp-key.json
+          gcloud config set project neuron-785695
+          gcloud auth configure-docker us-central1-docker.pkg.dev --quiet
+
+          # Pull existing ci-base:stage (system deps stay cached in the base layer)
+          docker pull "${CI_BASE}:stage" || docker pull "${CI_BASE}:latest"
+
+          # Inline Dockerfile — only replaces the El SDK layer
+          cat > /tmp/Dockerfile.ci-base-patch << 'EOF'
+          ARG BASE
+          FROM ${BASE}
+          COPY dist/platform/elc                 /opt/el/dist/platform/elc
+          COPY dist/bin/elb                       /opt/el/dist/bin/elb
+          COPY el-compiler/runtime/el_runtime.c  /opt/el/el-compiler/runtime/el_runtime.c
+          COPY el-compiler/runtime/el_runtime.h  /opt/el/el-compiler/runtime/el_runtime.h
+          COPY el-compiler/runtime/el_runtime.js /opt/el/el-compiler/runtime/el_runtime.js
+          RUN chmod +x /opt/el/dist/platform/elc /opt/el/dist/bin/elb
+          EOF
+
+          docker build \
+            --build-arg BASE="${CI_BASE}:stage" \
+            --build-arg BUILDKIT_INLINE_CACHE=1 \
+            -f /tmp/Dockerfile.ci-base-patch \
+            -t "${CI_BASE}:stage" \
+            -t "${CI_BASE}:stage-${SHA}" \
+            .
+
+          docker push "${CI_BASE}:stage"
+          docker push "${CI_BASE}:stage-${SHA}"
+
+          echo "ci-base rebuilt: ${CI_BASE}:stage (${SHA})"
          rm -f /tmp/gcp-key.json