ci: enable Docker layer caching for cspell spellcheck job

[SuyashJain17]

Proposed change

Resolves #3269

This PR optimizes the Docker-based spellcheck job by enabling Docker Buildx with GitHub Actions cache for the cspell image.

Previously, the spellcheck job rebuilt the Docker image from scratch on every CI run (~26s on recent main runs). With this change, the first run populates the cache and subsequent runs can reuse Docker layers, avoiding repeated cold builds.

Summary of changes

• Enable Docker Buildx and GitHub Actions cache in the spellcheck job
• Update the Makefile to reuse the cached cspell:ci image when available
• Preserve existing Docker-based spellcheck behavior with no functional changes

Notes

• The first CI run will still be a cold build (expected)
• Subsequent runs should show reduced build time due to Docker layer reuse

Checklist

• Required: I read and followed the contributing guidelines
• Required: I ran make check-test locally and all tests passed
  (Not applicable — this change only affects CI configuration and Docker build caching)
• I used AI for code, documentation, or tests in this PR

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Optimized CI/CD pipeline with improved Docker image caching for spell-checking and build processes.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

Adds Docker Buildx and GitHub Actions layer caching to the spellcheck CI job by building a cached cspell:ci image before running cspell, and updates the cspell Makefile to prefer tagging a local cspell:ci as cspell or build cspell if absent.

Changes

Cohort / File(s)	Summary
CI workflow caching setup .github/workflows/run-ci-cd.yaml	Adds docker/setup-buildx-action and a docker/build-push-action step to build a cspell:ci image with cache-from/cache-to (type=gha) and load, placed before the existing Run cspell step.
Makefile image build logic cspell Makefile cspell/Makefile	Modifies cspell-install to tag a local cspell:ci image as cspell if present; otherwise build a cspell image from the cspell directory. Removes explicit BuildKit/cache flags and unconditional build call.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: enabling Docker layer caching for the cspell spellcheck job, which aligns with the primary objective of the PR.
Description check	✅ Passed	The description provides detailed context on the problem, proposed solution, and implementation details, directly relating to the changeset and addressing the objectives from issue #3269.
Linked Issues check	✅ Passed	The PR implements the first proposed solution from #3269 by enabling Docker Buildx with GitHub Actions cache (cache-from/cache-to with type=gha), enabling layer reuse across runs and reducing repeated cold builds.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to enabling Docker caching for the spellcheck job as specified in #3269; no unrelated modifications are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.github/workflows/run-ci-cd.yaml:
- Around line 110-118: The workflow step using the docker/build-push-action is
pinned to the version tag "@v5", which is a supply-chain risk; update that step
(the action reference in the "Build cspell image with cache" job) to use the
same commit SHA used elsewhere (e.g. "263435318d21b8e681c14492fe198d362a7d2c83")
instead of "@v5" so the uses: value matches the pinned SHA form used in other
occurrences of docker/build-push-action in this file.
- Around line 107-108: The "Set up Docker buildx" step currently uses the
floating tag docker/setup-buildx-action@v3; replace it with the pinned commit
SHA docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f to match
the other occurrences and prevent supply-chain risks, i.e., update the uses
entry in the "Set up Docker buildx" job to reference that exact SHA.

🧹 Nitpick comments (1)

.github/workflows/run-ci-cd.yaml (1)

110-118: Consider adding cache compression and registry fallback.

Other Docker build jobs in this workflow (e.g., lines 184-188) use compression=zstd for cache-to and include a registry fallback for cache-from. These optimizations could reduce cache storage/transfer time and provide redundancy.

⚡ Optional optimization

       - name: Build cspell image with cache
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
         with:
           context: cspell
           file: cspell/Dockerfile
           tags: cspell:ci
           load: true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: |
+            type=gha
+            type=registry,ref=owasp/nest:cspell-ci-cache
+          cache-to: |
+            type=gha,compression=zstd,mode=max

Note: This assumes you have push access to the registry and want to maintain a registry cache. If not needed, you can just add compression:

-          cache-to: type=gha,mode=max
+          cache-to: type=gha,compression=zstd,mode=max

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6471c8b and 0c9e1f3.

📒 Files selected for processing (2)

• .github/workflows/run-ci-cd.yaml
• cspell/Makefile

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-12-21T19:03:59.068Z

Learnt from: ahmedxgouda
Repo: OWASP/Nest PR: 1139
File: .github/workflows/setup-backend-environment/action.yaml:16-27
Timestamp: 2025-12-21T19:03:59.068Z
Learning: Composite actions (runs: using: composite) execute as steps within the calling job's context and can access the job context, including job.services.* properties (e.g., job.services.<service_id>.id, job.services.<service_id>.ports). Service containers must be defined at the job level, but a composite action's steps can reference them via the job context.

Applied to files:

• .github/workflows/run-ci-cd.yaml

🔇 Additional comments (1)

cspell/Makefile (1)

3-6: LGTM! Conditional logic correctly implements cache reuse.

The new conditional logic properly checks for a pre-built cspell:ci image and tags it as cspell, falling back to building a fresh image if unavailable. This efficiently reuses the cached image from CI while preserving local development workflow. The removal of DOCKER_BUILDKIT=1 and --cache-from is appropriate given the new CI-based caching approach.

[arkid15r]

What's goal of these changes?

[SuyashJain17]

The goal is to avoid rebuilding the cspell Docker image from scratch on every CI run.

The workflow now builds the image once using Buildx with the GitHub Actions cache and tags it as cspell:ci.
The Makefile change simply reuses that image when it’s already available and falls back to a local build otherwise, so CI benefits from caching without changing local behavior.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[arkid15r]

LGTM

// it didn't make any visible changes for this CI/CD step in terms of duration.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

cspell/Makefile (1)

6-8: Optional: Consider splitting the shell command for readability.

The one-liner with && and || operators is functionally correct but could be more readable if split into separate Makefile recipe lines or wrapped in a small shell script block.

♻️ Alternative with explicit conditional structure

-	@docker image inspect cspell:ci >/dev/null 2>&1 && \
-	docker tag cspell:ci cspell || \
-	docker build -t cspell cspell
+	@if docker image inspect cspell:ci >/dev/null 2>&1; then \
+		docker tag cspell:ci cspell; \
+	else \
+		docker build -t cspell cspell; \
+	fi

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8a46db0 and 516482b.

📒 Files selected for processing (2)

• .github/workflows/run-ci-cd.yaml
• cspell/Makefile

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/run-ci-cd.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Run frontend e2e tests

🔇 Additional comments (1)

cspell/Makefile (1)

4-8: LGTM! Caching approach is sound.

The conditional logic correctly handles both CI (reusing cspell:ci via tag) and local development (building from scratch). The fallback to docker build ensures the target always produces a usable cspell image.