
ci: enable Docker layer caching for cspell spellcheck job #3278

Merged
arkid15r merged 6 commits into OWASP:main from SuyashJain17:ci-cspell-buildx-cache
Jan 10, 2026

@SuyashJain17
Contributor

Proposed change

Resolves #3269

This PR optimizes the Docker-based spellcheck job by enabling Docker Buildx with GitHub Actions cache for the cspell image.

Previously, the spellcheck job rebuilt the Docker image from scratch on every CI run (~26s on recent main runs). With this change, the first run populates the cache and subsequent runs can reuse Docker layers, avoiding repeated cold builds.

Summary of changes

  • Enable Docker Buildx and GitHub Actions cache in the spellcheck job
  • Update the Makefile to reuse the cached cspell:ci image when available
  • Preserve existing Docker-based spellcheck behavior with no functional changes

Notes

  • The first CI run will still be a cold build (expected)
  • Subsequent runs should show reduced build time due to Docker layer reuse

Checklist

  • Required: I read and followed the contributing guidelines
  • Required: I ran make check-test locally and all tests passed
    (Not applicable — this change only affects CI configuration and Docker build caching)
  • I used AI for code, documentation, or tests in this PR

@coderabbitai
Contributor

coderabbitai bot commented Jan 10, 2026

Summary by CodeRabbit

  • Chores
    • Optimized CI/CD pipeline with improved Docker image caching for spell-checking and build processes.


Walkthrough

Adds Docker Buildx and GitHub Actions layer caching to the spellcheck CI job by building a cached cspell:ci image before running cspell, and updates the cspell Makefile to prefer tagging a local cspell:ci as cspell or build cspell if absent.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI workflow caching setup: .github/workflows/run-ci-cd.yaml | Adds docker/setup-buildx-action and a docker/build-push-action step to build a cspell:ci image with cache-from/cache-to (type=gha) and load, placed before the existing Run cspell step. |
| Makefile image build logic, cspell Makefile: cspell/Makefile | Modifies cspell-install to tag a local cspell:ci image as cspell if present; otherwise build a cspell image from the cspell directory. Removes explicit BuildKit/cache flags and unconditional build call. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main change: enabling Docker layer caching for the cspell spellcheck job, which aligns with the primary objective of the PR. |
| Description check | ✅ Passed | The description provides detailed context on the problem, proposed solution, and implementation details, directly relating to the changeset and addressing the objectives from issue #3269. |
| Linked Issues check | ✅ Passed | The PR implements the first proposed solution from #3269 by enabling Docker Buildx with GitHub Actions cache (cache-from/cache-to with type=gha), enabling layer reuse across runs and reducing repeated cold builds. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to enabling Docker caching for the spellcheck job as specified in #3269; no unrelated modifications are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.github/workflows/run-ci-cd.yaml:
- Around line 110-118: The workflow step using the docker/build-push-action is
pinned to the version tag "@v5", which is a supply-chain risk; update that step
(the action reference in the "Build cspell image with cache" job) to use the
same commit SHA used elsewhere (e.g. "263435318d21b8e681c14492fe198d362a7d2c83")
instead of "@v5" so the uses: value matches the pinned SHA form used in other
occurrences of docker/build-push-action in this file.
- Around line 107-108: The "Set up Docker buildx" step currently uses the
floating tag docker/setup-buildx-action@v3; replace it with the pinned commit
SHA docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f to match
the other occurrences and prevent supply-chain risks, i.e., update the uses
entry in the "Set up Docker buildx" job to reference that exact SHA.
🧹 Nitpick comments (1)
.github/workflows/run-ci-cd.yaml (1)

110-118: Consider adding cache compression and registry fallback.

Other Docker build jobs in this workflow (e.g., lines 184-188) use compression=zstd for cache-to and include a registry fallback for cache-from. These optimizations could reduce cache storage/transfer time and provide redundancy.

⚡ Optional optimization
       - name: Build cspell image with cache
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
         with:
           context: cspell
           file: cspell/Dockerfile
           tags: cspell:ci
           load: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: |
+            type=gha
+            type=registry,ref=owasp/nest:cspell-ci-cache
+          cache-to: |
+            type=gha,compression=zstd,mode=max

Note: This assumes you have push access to the registry and want to maintain a registry cache. If not needed, you can just add compression:

-          cache-to: type=gha,mode=max
+          cache-to: type=gha,compression=zstd,mode=max
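Review bot: The cache-to line still carries no scope=, so the export lands in the default GHA cache scope. If the other Docker build jobs in this workflow (lines 184-188 are mentioned above) also export to type=gha without a scope, the builds overwrite each other's cache entries. Suggest adding a dedicated scope to both cache-from and cache-to, for example scope=cspell (the scope name is a placeholder).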
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6471c8b and 0c9e1f3.

📒 Files selected for processing (2)
  • .github/workflows/run-ci-cd.yaml
  • cspell/Makefile
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-21T19:03:59.068Z
Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

  • .github/workflows/run-ci-cd.yaml
🔇 Additional comments (1)
cspell/Makefile (1)

3-6: LGTM! Conditional logic correctly implements cache reuse.

The new conditional logic properly checks for a pre-built cspell:ci image and tags it as cspell, falling back to building a fresh image if unavailable. This efficiently reuses the cached image from CI while preserving local development workflow. The removal of DOCKER_BUILDKIT=1 and --cache-from is appropriate given the new CI-based caching approach.

coderabbitai[bot]
coderabbitai bot previously approved these changes Jan 10, 2026
--cache-from cspell \
cspell \
-t cspell
@docker image inspect cspell:ci >/dev/null 2>&1 && \
Collaborator

What's the goal of these changes?

Contributor Author

The goal is to avoid rebuilding the cspell Docker image from scratch on every CI run.

The workflow now builds the image once using Buildx with the GitHub Actions cache and tags it as cspell:ci.
The Makefile change simply reuses that image when it’s already available and falls back to a local build otherwise, so CI benefits from caching without changing local behavior.

@arkid15r arkid15r enabled auto-merge January 10, 2026 19:08
Collaborator

@arkid15r arkid15r left a comment

LGTM

// it didn't make any visible changes for this CI/CD step in terms of duration.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
cspell/Makefile (1)

6-8: Optional: Consider splitting the shell command for readability.

The one-liner with && and || operators is functionally correct but could be more readable if split into separate Makefile recipe lines or wrapped in a small shell script block.

♻️ Alternative with explicit conditional structure
-	@docker image inspect cspell:ci >/dev/null 2>&1 && \
-	docker tag cspell:ci cspell || \
-	docker build -t cspell cspell
+	@if docker image inspect cspell:ci >/dev/null 2>&1; then \
+		docker tag cspell:ci cspell; \
+	else \
+		docker build -t cspell cspell; \
+	fi
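Review bot: The if/else form on the + lines is not equivalent to the && / || chain on the - lines. In the chain, a failing docker tag cspell:ci cspell also falls through to docker build -t cspell cspell, while in the if/else version a failing tag fails the recipe and no build is attempted. State which behaviour is intended; if the fallback build on tag failure matters, keep it explicit inside the then-branch, e.g. docker tag cspell:ci cspell || docker build -t cspell cspell.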
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 8a46db0 and 516482b.

📒 Files selected for processing (2)
  • .github/workflows/run-ci-cd.yaml
  • cspell/Makefile
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/run-ci-cd.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Run frontend e2e tests
🔇 Additional comments (1)
cspell/Makefile (1)

4-8: LGTM! Caching approach is sound.

The conditional logic correctly handles both CI (reusing cspell:ci via tag) and local development (building from scratch). The fallback to docker build ensures the target always produces a usable cspell image.

@arkid15r arkid15r added this pull request to the merge queue Jan 10, 2026
Merged via the queue into OWASP:main with commit 92d9898 Jan 10, 2026
27 checks passed
hussainjamal760 pushed a commit to hussainjamal760/Nest that referenced this pull request Jan 14, 2026
* ci: enable Docker layer caching for cspell spellcheck job

* ci: pin Docker GitHub Actions to commit SHAs

* ci: scope GHA cache for cspell Docker build

* Update code

---------

Co-authored-by: Arkadii Yakovets <arkadii.yakovets@owasp.org>
Co-authored-by: Arkadii Yakovets <2201626+arkid15r@users.noreply.github.com>
Development

Successfully merging this pull request may close these issues.

CI: Spellcheck job does not benefit from Docker layer caching
