feat: migrate test-tools to pre-built GHCR image (closes #106)#119
Merged
Conversation
v0.9.12's load:true fix turned out not to share images between buildx steps (docker/build-push-action#581). The real fix is to publish the test-tools image to GHCR and have downstream Dockerfiles pull it over the wire via a parameterized ARG. Changes: .github/workflows/release-test-tools.yaml (new) On `push: tags: ['v*']` (and manual workflow_dispatch) builds multi-arch (linux/amd64 + linux/arm64) Dockerfile.test-tools and pushes ghcr.io/ycpss91255-docker/test-tools:<tag> + :latest. Uses GITHUB_TOKEN with packages:write. First-run bootstrap: workflow_dispatch → :latest is published; subsequent tag releases auto-publish versioned tags. .github/workflows/build-worker.yaml Removes the in-job "Build test-tools image" step entirely (no more local-build races). Adds a version-resolution step that parses GITHUB_WORKFLOW_REF to derive the template tag that the downstream main.yaml pinned, then passes TEST_TOOLS_IMAGE=ghcr.io/ycpss91255-docker/test-tools:<tag> as a build-arg to the test stage. buildx auto-pulls the image on COPY --from; public GHCR package keeps auth out of the picture. dockerfile/Dockerfile.example Top-level `ARG TEST_TOOLS_IMAGE="test-tools:local"`. New `FROM ${TEST_TOOLS_IMAGE} AS test-tools-stage` alias before the test stage. All four `COPY --from=test-tools:local` call sites switched to `--from=test-tools-stage`. Local ./build.sh users are unaffected because the default ARG matches the tag their local `docker build -t test-tools:local` produces. Tests (template_spec.bats) +9 tests, -1 test (the v0.9.12 load:true assertion no longer applies). Regression guards: - no "Build test-tools image" step left behind - GITHUB_WORKFLOW_REF parsing present - TEST_TOOLS_IMAGE build-arg passed to test stage - Dockerfile.example ARG default + named stage + 4 COPY --from= test-tools-stage occurrences + 0 legacy test-tools:local COPY - release-test-tools.yaml: ghcr.io path, packages:write scope, multi-arch platforms Docs CHANGELOG [Unreleased] flags BREAKING for downstream repos pinning @v0.9.13+ (they must add the ARG + named stage pattern). README (en, zh-TW, zh-CN, ja) Dockerfile.test-tools section rewritten to document the dual local/CI paths. TEST.md 655 → 663 (template_spec 106 → 114).
This was referenced Apr 24, 2026
Merged
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
v0.9.12 tried to fix
test-tools:localCI resolution withload: true, but that turned out not to share images between buildx steps (docker/build-push-action#581). First caught whenros1_bridgePR #25 became the first downstream repo to actually consumetest-tools:local— CI died atpull access denied, repository does not existtrying to fall back to Docker Hub.This PR ships the D plan: publish test-tools to GHCR per tag, and parameterize the downstream Dockerfile with
ARG TEST_TOOLS_IMAGEso buildx pulls the arch-correct pre-built image directly.Changes
New workflow:
release-test-tools.yamlTriggers on
push: tags: ['v*']+workflow_dispatch. Multi-arch (amd64 + arm64) build ofDockerfile.test-tools, pushed toghcr.io/ycpss91255-docker/test-tools:<tag>+:latest. UsesGITHUB_TOKENwithpackages: write.build-worker.yamlBuild test-tools imagestep (eliminates cross-step buildx image-store race).GITHUB_WORKFLOW_REFto derive the template tag the downstream pinned (e.g.v0.9.13), then passesTEST_TOOLS_IMAGE=ghcr.io/ycpss91255-docker/test-tools:v0.9.13as a build-arg.Dockerfile.exampleARG TEST_TOOLS_IMAGE="test-tools:local"default keeps local./build.shflow unchanged.FROM ${TEST_TOOLS_IMAGE} AS test-tools-stagealias before the test stage.COPY --from=test-tools:localcall sites switched to--from=test-tools-stage.Tests (+9 / -1)
load: trueassertion (no longer applies; the step is gone).GITHUB_WORKFLOW_REFparsing present,TEST_TOOLS_IMAGEbuild-arg wired, Dockerfile.exampleARG+ named stage + 4--from=test-tools-stage+ 0 legacy--from=test-tools:local, release-test-tools.yaml publishes to correct GHCR path withpackages:write+ multi-arch.Docs
[Unreleased]flags BREAKING for downstream repos pinning@v0.9.13+(they must adopt the ARG + named stage pattern).Dockerfile.test-toolsparagraph rewritten to document the dual local/CI paths.Bootstrap sequence (post-merge)
release-test-tools.yamlviaworkflow_dispatch→ publishesghcr.io/ycpss91255-docker/test-tools:latest. Set GHCR package visibility to public so anonymous pulls work..version+ CHANGELOG cut).v0.9.13→release-test-tools.yamlauto-publishes:v0.9.13.ros1_bridgePR fix: switch to codecov-action@v5 tokenless upload #25: DockerfileARG TEST_TOOLS_IMAGE+ named stage pattern,main.yamlbumps@v0.9.12→@v0.9.13, CI validates the end-to-end flow for the first time.Test plan
make -f Makefile.ci testlocal — 663/663 passCloses #106.