refactor(ci): build only the binary, no OCI image push #15

Merged
David merged 1 commit from refactor/binary-only-workflow into main 2026-05-14 02:20:48 +02:00
Owner

The release pipeline only consumes the static musl binary that ships through Generic Packages and Dufs - nothing downstream pulls the runtime OCI image we were pushing to dev.a8n.run/pandoras-box/monkey. Building and pushing that image on every push to main added several minutes of build time plus a registry round-trip for no consumer.

This change strips the workflow down to "build the binary, publish it":

  • Removed the Set up buildx builder (docker-container driver), Log in to container registry, and Build and push monkey image steps.
  • Removed the IMAGE_REGISTRY env var that only existed to compute OCI tag arguments.
  • Renamed Extract binary from build to Build binary and removed the duplicated build_args setup that fell out when the OCI step disappeared.
  • Kept the existing ^docker buildx build --target binary --output type=local,dest=./output -f oci-build/Dockerfile . invocation, which exports only the scratch binary stage of the Dockerfile. The runtime alpine stage in oci-build/Dockerfile is no longer reached from CI but stays in the repo so just docker-build still produces a runtime image locally.
  • Renamed the file to .forgejo/workflows/build-binary.yml and updated the workflow name, job id, job name, and path filters to match. Updated the one stale build-oci-image.yml reference in docs/superpowers/specs/2026-04-16-video-conversion-design.md.

The Generic Package + Dufs publish steps are unchanged. They authenticate against the Forgejo API with secrets.FORGEJO_PAT (HTTP basic auth on the package upload URL, not docker login), so the secret stays in env: for those steps.

Test plan

  • Confirm the new Build binary workflow runs on this branch, the Build binary step completes, and the binary lands in Generic Packages at https://dev.a8n.run/api/packages/pandoras-box/generic/monkey/<tag>/monkey-linux-x86_64.
  • Confirm no OCI image is pushed to dev.a8n.run/pandoras-box/monkey for this run.
  • On the next v* tag, confirm the Dufs upload step still fires and uploads to https://<DUFS_DOMAIN>/public/linux/x86_64/monkey/<version>/monkey.
refactor(ci): build only the binary, no OCI image push
All checks were successful
Check / fmt + clippy + build + tests (pull_request) Successful in 17s
Create release / Create release from merged PR (pull_request) Has been skipped
186820a4f1
The release pipeline only needs the static musl binary that ships through Generic Packages and Dufs. Building and pushing a runtime OCI image on every push to main added several minutes of build time and a registry round-trip with no consumer downstream.

Drop the OCI build entirely: remove the buildx container-driver setup, the `docker login` step, the `Build and push monkey image` step, and the `IMAGE_REGISTRY` env var that fed its tag arguments. The remaining `Build binary` step keeps the previous `--target binary --output type=local` invocation, which exports the scratch stage of `oci-build/Dockerfile` containing only the compiled binary; the runtime alpine stage of that Dockerfile is no longer reached from CI but stays in the repo so `just docker-build` still works locally.

Rename the workflow file to `build-binary.yml` and update the name, job id, and step names so the workflow does what it says on the tin, and update the one stale path reference in the video-conversion design doc.
David merged commit d2ed188095 into main 2026-05-14 02:20:48 +02:00
David deleted branch refactor/binary-only-workflow 2026-05-14 02:20:48 +02:00
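
The two properties the description relies on (no step still logs in to or pushes to a container registry, and `secrets.FORGEJO_PAT` is exposed only to the publish steps) can be checked mechanically. The sketch below is an added example, not the project's workflow or code: the workflow text, the publish step name, `publish.sh` and the `audit_workflow` helper are constructed for illustration, and it assumes steps are indented under their `steps:` key.

```python
import re

# Constructed workflow text, not the project's real build-binary.yml; the
# publish step name and publish.sh are assumptions for illustration.
AFTER = """\
jobs:
  build-binary:
    steps:
      - uses: actions/checkout@v4
      - name: Build binary
        run: |
          docker buildx build --target binary \\
            --output type=local,dest=./output -f oci-build/Dockerfile .
      - name: Publish to Generic Packages
        env:
          FORGEJO_PAT: ${{ secrets.FORGEJO_PAT }}
        run: ./publish.sh ./output/monkey
"""
# Constructed weak variant: secret exposed workflow-wide plus a registry login step.
WEAK = ("env:\n  FORGEJO_PAT: ${{ secrets.FORGEJO_PAT }}\n" + AFTER
        + "      - name: Log in to container registry\n        run: docker login dev.a8n.run\n")

SECRET_RE = re.compile(r"secrets\.(\w+)")
REGISTRY_RE = re.compile(r"docker login|--push\b|type=(?:image|registry)\b")

def audit_workflow(text):
    """Map each secret to the steps that reference it ('<global>' = outside any
    step) and list steps that still log in or push to a container registry."""
    scopes, registry_steps = {}, []
    steps_indent, step_indent, step = None, None, "<global>"
    for line in text.splitlines():
        body = line.lstrip()
        if not body:
            continue
        indent = len(line) - len(body)
        if steps_indent is not None and indent <= steps_indent:  # left steps:
            steps_indent, step_indent, step = None, None, "<global>"
        if body == "steps:":
            steps_indent = indent
        elif steps_indent is not None and body.startswith("- ") and (
                step_indent is None or indent == step_indent):
            step_indent, step = indent, body[2:].removeprefix("name:").strip()
        for name in SECRET_RE.findall(line):
            scopes.setdefault(name, set()).add(step)
        if REGISTRY_RE.search(line) and step not in registry_steps:
            registry_steps.append(step)
    return scopes, registry_steps
```

`audit_workflow(AFTER)` scopes the secret to the publish step alone and reports no registry steps; `audit_workflow(WEAK)` additionally reports the secret under `<global>` and flags the login step.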
Reference
pandoras-box/monkey!15