fix(ci): drop ARM64 QEMU build, add GHA layer cache, fix credential ordering

Madan Shah · Madan Shah · commit 46ada3c2b291 · 2026-04-20T11:40:48.000+05:45
- Switch DOCKER_PLATFORMS from linux/amd64,linux/arm64 to linux/amd64 only;
  mosaic node group uses c6id.2xlarge (Intel x86_64), ARM64 via QEMU was
  causing OOM/timeout after 73 minutes
- Add --cache-from/--cache-to type=gha to the buildx build step so Rust
  compile layers are reused across runs
- Split build into two steps: build+push to private ECR first (with private
  credentials active), then configure public ECR credentials and re-tag via
  imagetools create -- fixes credential overwrite bug
- Fix concurrency group key (was hardcoded SHA, now uses github.ref)
diff --git a/.github/workflows/docker-publish-ecr.yml b/.github/workflows/docker-publish-ecr.yml
@@ -24,13 +24,13 @@ env:
   PUBLIC_ECR_REPOSITORY: mosaic
   PUBLIC_ECR_REGION: us-east-1
   DEFAULT_BUILD_REF: bae62a54b7137e811653d5dd89975e10f0e71676
-  DOCKER_PLATFORMS: linux/amd64,linux/arm64
+  DOCKER_PLATFORMS: linux/amd64
 
 permissions:
   contents: read
 
 concurrency:
-  group: docker-publish-ecr-${{ inputs.ref || 'bae62a54b7137e811653d5dd89975e10f0e71676' }}
+  group: docker-publish-ecr-${{ inputs.ref || github.ref }}
   cancel-in-progress: false
 
 jobs:
@@ -132,6 +132,18 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
+      - name: Build and push Mosaic image to private ECR
+        run: |
+          set -euo pipefail
+          docker buildx build \
+            --platform "${DOCKER_PLATFORMS}" \
+            --file docker/Dockerfile \
+            --cache-from "type=gha,scope=mosaic" \
+            --cache-to "type=gha,scope=mosaic,mode=max" \
+            --tag "${IMAGE_REF}" \
+            --push \
+            .
+
       - name: Configure public ECR credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
@@ -143,16 +155,12 @@ jobs:
           aws ecr-public get-login-password --region "${PUBLIC_ECR_REGION}" \
             | docker login --username AWS --password-stdin "${PUBLIC_ECR_REGISTRY}"
 
-      - name: Build and push Mosaic images
+      - name: Push Mosaic image to public ECR
         run: |
           set -euo pipefail
-          docker buildx build \
-            --platform "${DOCKER_PLATFORMS}" \
-            --file docker/Dockerfile \
-            --tag "${IMAGE_REF}" \
+          docker buildx imagetools create \
             --tag "${PUBLIC_IMAGE_REF}" \
-            --push \
-            .
+            "${IMAGE_REF}"
 
       - name: Reconfigure private AWS credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
