Trying docker bake with single cache

.dockerignore

@@ -1,7 +1,5 @@
 **/node_modules/
 **/target/
 .git/
-**/Dockerfile
-**/docker-compose.yml
 .dockerignore
 .gitignore

.github/workflows/build-and-push-docker-images.yml

@@ -1,4 +1,4 @@
-name: build-and-push-docker-images
+name: build-and-push-docker
 on:
   push:
     branches:
@@ -8,142 +8,42 @@ on:
   pull_request:
   workflow_dispatch:
     inputs:
-      test_mode:
-        description: 'Enable test mode (uses candyland-test registry and draft releases)'
-        required: false
-        type: boolean
-        default: false
       docker_push:
         description: 'Enable docker push'
         required: false
         type: boolean
         default: true
-      release_push:
-        description: 'Enable release push'
-        required: false
-        type: boolean
-        default: true
+
 
 env:
-  # If test_mode is true, or we're on a branch with a test-build- prefix then use a test registry and a draft release
-  TEST_MODE: ${{ github.event.inputs.test_mode == 'true' || startsWith(github.ref, 'refs/heads/test-build-') }}
-  DOCKER_REGISTRY: ${{ (github.event.inputs.test_mode == 'true' || startsWith(github.ref, 'refs/heads/test-build-')) && 'europe-west1-docker.pkg.dev/randamu-prod/candyland-test' || 'europe-west1-docker.pkg.dev/randamu-prod/candyland' }}
+  DOCKER_REGISTRY: 'europe-west1-docker.pkg.dev/randamu-prod/candyland'
+  DOCKER_PUSH: ${{ github.event.inputs.docker_push == 'true' }}
 
   SERVICE_ACCOUNT: github@randamu-prod.iam.gserviceaccount.com
   IMAGE_MAINTAINER: "Randamu"
   IMAGE_VENDOR: "Randamu"
   AUTHOR: "Randu Mohammed"
 
 jobs:
-  build-binaries:
-    uses: ./.github/workflows/build-all-binaries.yml
-    secrets: inherit
-
-  generate-matrix:
-    needs: build-binaries
+  docker-build-and-push:
+    name: "Docker build and push"
     runs-on: ["randamu-self-hosted-default"]
-    outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
-
-      - name: Download binaries metadata
-        uses: actions/download-artifact@v4
-        with:
-          name: binaries-metadata-${{ github.sha }}
-          path: .
-
-      - name: Upload binaries for docker jobs
-        uses: actions/upload-artifact@v4
         with:
-          name: binaries-for-docker-${{ github.sha }}
-          path: target/release/
-          retention-days: 1
-          overwrite: true
-
-      - name: Generate build matrix
-        id: set-matrix
-        run: |
-          CONFIG_FILE=".github/docker-config.json"
-
-          # Load config if exists
-          if [ -f "$CONFIG_FILE" ]; then
-            CONFIG=$(cat "$CONFIG_FILE")
-          else
-            CONFIG='{}'
-          fi
-
-          # Generate matrix from binaries.json (slurp to read all objects into array)
-          MATRIX=$(jq -sc --argjson config "$CONFIG" 'map({
-            binary_name: .name,
-            binary_path: ( .path | sub("/home/runner/_work/dcipher/dcipher/"; "") ),
-            image_name: ($config[.name].image_name // .name),
-            description: ($config[.name].description // "Dcipher service")
-          })' binaries.json)
-
-          echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
-          echo "Generated matrix:"
-          echo "$MATRIX" | jq .
-
-      - name: Upload Docker build context
-        uses: actions/upload-artifact@v4
-        with:
-          name: docker-context-${{ github.sha }}
-          path: |
-            Dockerfile
-            .github/docker-config.json
-            .dockerignore
-          retention-days: 1
-          overwrite: true
-
-  docker:
-    name: "Docker: ${{ matrix.app.image_name }}"
-    needs: generate-matrix
-    runs-on: ["randamu-self-hosted-default"]
-    strategy:
-      fail-fast: false
-      matrix:
-        app: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
-    steps:
-      - name: Download Docker build context
-        uses: actions/download-artifact@v4
-        with:
-          name: docker-context-${{ github.sha }}
-          path: .
-
-      - name: Download pre-built binaries
-        uses: actions/download-artifact@v4
-        with:
-          name: binaries-${{ github.sha }}
-          path: target/release
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.DOCKER_REGISTRY }}/${{ matrix.app.image_name }}
-          labels: |
-            maintainer=${{ env.IMAGE_MAINTAINER }}
-            org.opencontainers.image.vendor=${{ env.IMAGE_VENDOR }}
-            org.opencontainers.image.title=${{ matrix.app.image_name }}
-            org.opencontainers.image.description=${{ matrix.app.description }}
-          flavor: |
-            latest=false
-          tags: |
-            type=sha,prefix=
-            type=ref,event=branch,suffix=-latest,enable=${{ startsWith(github.ref, 'refs/heads/') }}
-            type=semver,pattern={{version}},event=tag,enable=${{ startsWith(github.ref, 'refs/tags/') }}
-            type=raw,value=main-latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
-            type=ref,event=pr
-            type=ref,event=branch
+          submodules: 'recursive'
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           buildkitd-config-inline: |
+            debug = true
             [registry."docker.io"]
               mirrors = ["mirror.gcr.io"]
+            [worker.oci]
+              max-parallelism = 8
           driver-opts: |
             image=mirror.gcr.io/moby/buildkit:buildx-stable-1
             network=host
@@ -155,18 +55,45 @@ jobs:
           username: _json_key
           password: ${{ secrets.GCP_SERVICE_ACCOUNT_TOKEN }}
 
-      - name: Build and push
-        uses: docker/build-push-action@v6
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push docker images
+        uses: docker/bake-action@v6
+        env:
+          TAG: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref_name }}
+          SHA: ${{ github.sha }}
+          REGISTRY: ${{ env.DOCKER_REGISTRY }}
         with:
-          context: .
-          file: ./Dockerfile
-          push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || env.TEST_MODE == 'true' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            BINARY_PATH=${{ matrix.app.binary_path }}
-            BINARY_NAME=${{ matrix.app.binary_name }}
-          cache-from: |
-            type=registry,ref=${{ env.DOCKER_REGISTRY }}/${{ matrix.app.image_name }}-cache:${{ steps.meta.outputs.version }}
-            type=registry,ref=${{ env.DOCKER_REGISTRY }}/${{ matrix.app.image_name }}-cache:main
-          cache-to: type=registry,ref=${{ env.DOCKER_REGISTRY }}/${{ matrix.app.image_name }}-cache:${{ steps.meta.outputs.version }},mode=max
+          files: docker-bake.hcl
+          source: .
+          push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') || env.DOCKER_PUSH == 'true' }}
+          set: |
+            rust-binary-common.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:base-external
+            rust-binary-common.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:base-external,mode=max
+            rust-base-internal.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:base-external
+            rust-base-internal.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:base-internal
+            rust-base-internal.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:base-internal,mode=max
+            *.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:base-internal
+            adkg-cli.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:adkg-cli
+            adkg-cli.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:adkg-cli,mode=max
+            blocklock-agent.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:blocklock-agent
+            blocklock-agent.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:blocklock-agent,mode=max
+            monitoring.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:monitoring
+            monitoring.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:monitoring,mode=max
+            onlyswaps-smoketest.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:onlyswaps-smoketest
+            onlyswaps-smoketest.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:onlyswaps-smoketest,mode=max
+            onlyswaps-solver.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:onlyswaps-solver
+            onlyswaps-solver.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:onlyswaps-solver,mode=max
+            onlyswaps-state-api.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:onlyswaps-state-api
+            onlyswaps-state-api.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:onlyswaps-state-api,mode=max
+            onlyswaps-verifier.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:onlyswaps-verifier
+            onlyswaps-verifier.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:onlyswaps-verifier,mode=max
+            randomness-agent.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:randomness-agent
+            randomness-agent.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:randomness-agent,mode=max
+            dsigner-legacy-http.cache-from=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:dsigner-legacy-http
+            dsigner-legacy-http.cache-to=type=registry,ref=${{ env.DOCKER_REGISTRY }}/buildkit-cache:dsigner-legacy-http,mode=max

bin/Dockerfile.base

@@ -0,0 +1,55 @@
+FROM lukemathwalker/cargo-chef:latest-rust-1.92 AS chef
+RUN apt-get update \
+ && apt-get install -y protobuf-compiler \
+ && rm -rf /var/lib/apt/lists/*
+WORKDIR /app
+
+RUN cargo install cargo-chef sccache --locked
+
+ENV RUSTC_WRAPPER=sccache \
+    SCCACHE_DIR=/sccache
+
+FROM chef AS external-planner
+# Copy workspace root files
+COPY Cargo.toml Cargo.lock ./
+
+# Copy all workspace member Cargo.toml files (cache only busts when deps change)
+# bin/*
+COPY bin/adkg-cli/Cargo.toml bin/adkg-cli/Cargo.toml
+COPY bin/blocklock-agent/Cargo.toml bin/blocklock-agent/Cargo.toml
+COPY bin/dsigner/Cargo.toml bin/dsigner/Cargo.toml
+COPY bin/gen-keys/Cargo.toml bin/gen-keys/Cargo.toml
+COPY bin/monitoring/Cargo.toml bin/monitoring/Cargo.toml
+COPY bin/onlyswaps-smoketest/Cargo.toml bin/onlyswaps-smoketest/Cargo.toml
+COPY bin/onlyswaps-solver/Cargo.toml bin/onlyswaps-solver/Cargo.toml
+COPY bin/onlyswaps-state-api/Cargo.toml bin/onlyswaps-state-api/Cargo.toml
+COPY bin/onlyswaps-verifier/Cargo.toml bin/onlyswaps-verifier/Cargo.toml
+COPY bin/randomness-agent/Cargo.toml bin/randomness-agent/Cargo.toml
+# crates/*
+COPY crates/adkg/Cargo.toml crates/adkg/Cargo.toml
+COPY crates/agent-utils/Cargo.toml crates/agent-utils/Cargo.toml
+COPY crates/config/Cargo.toml crates/config/Cargo.toml
+COPY crates/dcipher-agents/Cargo.toml crates/dcipher-agents/Cargo.toml
+COPY crates/generated/Cargo.toml crates/generated/Cargo.toml
+COPY crates/network/Cargo.toml crates/network/Cargo.toml
+COPY crates/omnievent/Cargo.toml crates/omnievent/Cargo.toml
+COPY crates/onlyswaps-client/Cargo.toml crates/onlyswaps-client/Cargo.toml
+COPY crates/signer/Cargo.toml crates/signer/Cargo.toml
+COPY crates/superalloy/Cargo.toml crates/superalloy/Cargo.toml
+COPY crates/utils/Cargo.toml crates/utils/Cargo.toml
+
+# Create stub source files for each workspace member so cargo metadata works
+RUN find bin crates -name Cargo.toml -execdir sh -c 'mkdir -p src && echo "fn main() {}" > src/main.rs && touch src/lib.rs' \;
+
+RUN mkdir -p bin/dsigner/examples/dsigner_legacy_http && echo "fn main() {}" > bin/dsigner/examples/dsigner_legacy_http/main.rs
+RUN mkdir -p bin/dsigner/examples/dsigner_grpc && echo "fn main() {}" > bin/dsigner/examples/dsigner_grpc/main.rs
+
+RUN cargo chef prepare --recipe-path external.json
+
+FROM chef AS rust-base-internal
+COPY --from=external-planner /app/external.json external.json
+# Caches all external crates.io deps
+RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
+    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
+    cargo chef cook --release --recipe-path external.json

bin/adkg-cli/Dockerfile

@@ -0,0 +1,43 @@
+# This ARG is overridden by Bake contexts to 'target:rust-base-internal'
+# If built via 'docker build', it defaults to the slow but working chef image.
+ARG base_stage_alias=lukemathwalker/cargo-chef:latest-rust-1.92
+FROM ${base_stage_alias} AS builder
+RUN apt-get update \
+ && apt-get install -y protobuf-compiler \
+ && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y protobuf-compiler
+
+RUN cargo install cargo-chef sccache --locked
+
+ENV RUSTC_WRAPPER=sccache \
+    SCCACHE_DIR=/sccache
+
+WORKDIR /app
+
+COPY Cargo.toml Cargo.lock ./
+COPY crates/adkg ./crates/adkg
+COPY crates/config ./crates/config
+COPY crates/network ./crates/network
+COPY crates/utils ./crates/utils
+COPY crates/omnievent ./crates/omnievent
+COPY crates/superalloy ./crates/superalloy
+COPY modules/dcipher-proto ./modules/dcipher-proto
+COPY bin/adkg-cli ./bin/adkg-cli
+
+RUN cargo chef prepare --recipe-path internal.json --bin adkg-cli
+RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
+    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
+    cargo chef cook --release --recipe-path internal.json --bin adkg-cli
+
+# Build application
+RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
+    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
+    cargo build --release -p adkg-cli --bin adkg-cli
+
+# We do not need the Rust toolchain to run the binary!
+FROM debian:bookworm-slim AS runtime
+WORKDIR /app
+COPY --from=builder /app/target/release/adkg-cli /usr/local/bin/adkg-cli
+CMD ["adkg-cli"]

bin/blocklock-agent/Dockerfile

@@ -0,0 +1,40 @@
+# This ARG is overridden by Bake contexts to 'target:rust-base-internal'
+# If built via 'docker build', it defaults to the slow but working chef image.
+ARG base_stage_alias=lukemathwalker/cargo-chef:latest-rust-1.92
+FROM ${base_stage_alias} AS builder
+RUN apt-get update \
+ && apt-get install -y protobuf-compiler \
+ && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y protobuf-compiler
+
+RUN cargo install cargo-chef sccache --locked
+
+ENV RUSTC_WRAPPER=sccache \
+    SCCACHE_DIR=/sccache
+
+WORKDIR /app
+
+COPY Cargo.toml Cargo.lock ./
+COPY bin/blocklock-agent/ ./bin/blocklock-agent
+COPY crates/dcipher-agents ./crates/dcipher-agents
+COPY crates/generated ./crates/generated
+COPY crates/utils ./crates/utils
+COPY crates/config ./crates/config
+COPY crates/omnievent ./crates/omnievent
+COPY crates/network ./crates/network
+COPY crates/signer ./crates/signer
+COPY crates/superalloy ./crates/superalloy
+COPY modules/dcipher-proto ./modules/dcipher-proto
+
+
+RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
+    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
+    cargo build --release -p blocklock-agent --example blocklock
+
+# We do not need the Rust toolchain to run the binary!
+FROM debian:bookworm-slim AS runtime
+RUN apt-get update && apt-get install -y libssl3 dnsutils
+WORKDIR /app
+COPY --from=builder /app/target/release/examples/blocklock /usr/local/bin
+ENTRYPOINT ["/usr/local/bin/blocklock"]