
Add service image build performance improvements#647

Merged
forstmeier merged 2 commits into master from image-build-improvements
Dec 26, 2025

Conversation

@forstmeier
Collaborator

@forstmeier forstmeier commented Dec 26, 2025

Overview

Changes

  • remove "no cache" flags from Python image definitions
  • add caching logic to Rust image definition
  • add several build performance improvements to launch infrastructure GitHub workflow

Comments

These were all generated by Claude and seem reasonable.

Summary by CodeRabbit

  • Chores

    • CI/CD now performs targeted builds and deployments only when relevant services change, reducing unnecessary runs and speeding feedback.
    • Docker build caching and registry caching improved to accelerate image builds and pushes.
    • Deployment flow updated to ensure environment initialization before deploys and to tag images consistently for reproducible releases.
  • Bug Fixes / Reliability

    • Improved SSL certificate handling in service images for more reliable secure connections.
    • Added entrypoint and runtime adjustments to ensure services start predictably.


@coderabbitai
Contributor

coderabbitai Bot commented Dec 26, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The CI workflow was refactored to an include-based matrix that maps services to paths and detects path changes to gate execution. AWS credentials, ECR login, Docker Buildx, Flox installation, artifact download, and the unified docker/build-push-action are conditionally executed only when a service changed or on scheduled runs. The build step now fetches the AWS account ID for ECR tagging and uses registry caching. Pulumi deployment now includes an explicit stack initialization step. Dockerfiles were updated to add build cache mounts, SSL handling for datamanager, and removed explicit cache-busting flags for Python/Rust package syncs.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Path as Path Change Detector
    participant AWS as AWS (STS/ECR)
    participant Buildx as Docker Buildx
    participant Registry as ECR Registry
    participant Flox as Flox Installer
    participant Artifact as Artifact Storage
    participant Pulumi as Pulumi

    GH->>Path: determine changed services / global changes
    alt service_changed or schedule
        Path-->>GH: service list (e.g., equitypricemodel)
        GH->>AWS: Configure AWS credentials
        AWS-->>GH: creds set
        GH->>AWS: Get AWS Account ID
        AWS-->>GH: account id (for ECR path)
        GH->>Buildx: Setup Docker Buildx (conditional)
        GH->>Flox: Install Flox (conditional)
        alt artifact needed (equitypricemodel)
            GH->>Artifact: Download artifact
            Artifact-->>GH: artifact files
        end
        GH->>Buildx: Build and push via docker/build-push-action
        Buildx->>Registry: Push images (tags: latest, ECR path) with cache
        Registry-->>Buildx: push result
        GH->>Pulumi: pulumi stack init
        Pulumi-->>GH: stack ready
        GH->>Pulumi: pulumi up (deploy)
        Pulumi-->>GH: deployment result
    else no_relevant_changes
        Path-->>GH: no service changed
        GH-->>GH: skip AWS/Docker/Pulumi/Flox steps
    end


📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5b9b8d1 and c436298.

📒 Files selected for processing (1)
  • .github/workflows/launch_infrastructure.yaml
🧰 Additional context used

🧠 Learnings (3), all learnt from CR (repo pocketsizefund/pocketsizefund, file CLAUDE.md, 2025-12-23T16:45:01.573Z) and applied to .github/workflows/launch_infrastructure.yaml:

  • Place Pulumi infrastructure as code in the `infrastructure/` folder
  • Use Flox to manage project environment and packages
  • Applies to infrastructure/**/*.py : Use Pulumi with the Python SDK to manage cloud infrastructure
🔇 Additional comments (7)
.github/workflows/launch_infrastructure.yaml (7)

22-28: LGTM! Include-based matrix enables path filtering.

The refactor from a simple service list to an include-based matrix mapping services to their application paths is well-structured and enables the conditional execution logic introduced later in the workflow.


32-43: LGTM! Path filter correctly includes service and shared dependencies.

The path-change detection comprehensively covers both service-specific paths and shared dependencies (Python libraries, Cargo files, and Python project files), ensuring builds trigger appropriately.


44-56: LGTM! Conditional execution properly gates AWS operations.

The conditional logic correctly gates AWS credentials, ECR login, and Docker Buildx setup behind service-change detection or scheduled runs, reducing unnecessary resource consumption while preserving scheduled deployment behavior.


57-59: LGTM! Flox installation properly gated.

The conditional execution for Flox installation is consistent with other infrastructure steps and appropriately skips installation when no service changes are detected.


60-66: LGTM! Artifact download correctly scoped to equitypricemodel.

The combined condition appropriately limits artifact downloads to the equitypricemodel service only when that service has changes or during scheduled runs.


67-70: LGTM! AWS Account ID retrieval enables dynamic ECR URL construction.

The step correctly fetches the AWS account ID and stores it for use in ECR registry URLs, enabling dynamic construction of registry paths.


103-108: LGTM! Pulumi stack initialization ensures deployment readiness.

The explicit stack initialization step before deployment is a good practice that ensures the Pulumi stack exists and is selected before attempting deployment operations. The --create flag provides idempotency.

Based on learnings, the cd infrastructure command correctly targets the Pulumi infrastructure code location.




Copilot AI left a comment


Pull request overview

This PR focuses on optimizing Docker build performance for service images and the CI/CD pipeline. The changes remove unnecessary cache-disabling flags from Python builds and implement proper build caching for Rust builds, while also adding smart change detection to the GitHub workflow to avoid unnecessary builds.

Key Changes:

  • Removed --no-cache flags from Python dependency installation to enable package caching
  • Implemented Docker BuildKit mount caching for Rust builds to cache dependencies and build artifacts
  • Added path-based change detection to skip builds when services haven't changed

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Files reviewed:

  • applications/portfoliomanager/Dockerfile: Removed --no-cache flag from uv sync to enable Python package caching
  • applications/equitypricemodel/Dockerfile: Removed --no-cache flag from uv sync to enable Python package caching
  • applications/datamanager/Dockerfile: Added BuildKit cache mounts for Cargo registry and build artifacts, with intermediate binary copy
  • .github/workflows/launch_infrastructure.yaml: Added path filtering for conditional builds, replaced custom mask commands with native Docker build-push action, and integrated registry-based layer caching



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 020398c and 5b9b8d1.

📒 Files selected for processing (4)
  • .github/workflows/launch_infrastructure.yaml
  • applications/datamanager/Dockerfile
  • applications/equitypricemodel/Dockerfile
  • applications/portfoliomanager/Dockerfile
🔇 Additional comments (8)
applications/portfoliomanager/Dockerfile (1)

13-13: LGTM! Caching enabled for improved build performance.

Removing the --no-cache flag allows uv to cache downloaded packages, which should significantly improve build times on subsequent builds while maintaining correctness through Docker's layer caching mechanism.

applications/datamanager/Dockerfile (3)

29-38: Excellent cache mount implementation for Rust builds.

The BuildKit cache mounts for both the Cargo registry and target directory will significantly improve build times. The binary is correctly copied to /tmp within the same RUN command (line 38) before the cache mount is detached, ensuring it persists to the next stage.


53-57: LGTM! Binary copy and entrypoint are correctly configured.

The binary copy from /tmp/datamanager (staged during the build phase) and the explicit entrypoint are properly aligned with the cache mount strategy implemented in the builder stage.


42-49: SSL certificate setup is necessary for the datamanager service.

The datamanager service uses the reqwest HTTP client library to communicate with HTTPS endpoints, specifically the Massive API at https://api.massive.io. The CA certificates and SSL environment variables (SSL_CERT_FILE and SSL_CERT_DIR) are required for TLS certificate verification during these HTTPS requests.

applications/equitypricemodel/Dockerfile (1)

13-13: LGTM! Caching enabled for improved build performance.

Removing the --no-cache flag allows uv to cache downloaded packages, consistent with the optimization applied to portfoliomanager. This should improve build times while maintaining correctness.

.github/workflows/launch_infrastructure.yaml (3)

22-28: Excellent matrix restructure for maintainability.

The include-based matrix clearly ties each service to its path, making the configuration more maintainable and easier to extend with additional services.


32-43: Good path-based change detection implementation.

The path filter correctly identifies changes to service-specific paths, shared Python libraries, and dependency lock files. The filter appropriately triggers builds when any of these dependencies change.


71-84: Strong improvement with Docker Buildx and registry caching.

The migration to docker/build-push-action@v5 with ECR-based registry caching should significantly improve build times. The mode=max cache setting ensures maximum layer reuse.
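To show the cache-mount pattern the datamanager review comments above describe (a Cargo registry cache and a target cache, the binary staged to /tmp inside the same RUN so it survives the mounts detaching, and CA certificates plus SSL_CERT_FILE/SSL_CERT_DIR in the runtime stage), here is an added example Dockerfile; it is not the project's own file, and the base image tags, the crate name datamanager, the runtime paths and the unprivileged user are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. Assumes the crate builds a
# binary named "datamanager" and that rust:1-bookworm / debian:bookworm-slim
# are acceptable base images.
FROM rust:1-bookworm AS builder
WORKDIR /app
COPY . .
# Cache mounts persist across builds on the builder host, but they are NOT
# written into the image layer. Anything the next stage needs must therefore
# be copied out of the mount inside this same RUN instruction.
# --locked makes the build fail if Cargo.lock does not match Cargo.toml,
# so a stale or tampered lock file is caught rather than silently resolved.
RUN --mount=type=cache,target=/usr/local/cargo/registry \
    --mount=type=cache,target=/app/target \
    cargo build --release --locked \
    && cp target/release/datamanager /tmp/datamanager

FROM debian:bookworm-slim
# A slim image ships no trust store; reqwest (via OpenSSL) needs one to verify
# HTTPS endpoints. SSL_CERT_FILE / SSL_CERT_DIR point OpenSSL at it explicitly.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
    SSL_CERT_DIR=/etc/ssl/certs
# Copy from the staged path, not from target/, which only existed as a mount.
COPY --from=builder /tmp/datamanager /usr/local/bin/datamanager
# Run unprivileged; the binary needs no root capabilities at runtime.
USER nobody
ENTRYPOINT ["/usr/local/bin/datamanager"]
```

A quick check that the copy-out worked is `docker run --rm --entrypoint ls <image> -l /usr/local/bin/datamanager`; if the `cp` is moved out of the RUN that holds the mounts, that path is missing because the target directory never became part of a layer.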
