use registry cache

Author: artyom-morozov

.github/workflows/ci.yaml

@@ -181,7 +181,7 @@ jobs:
         if: fromJSON(needs.prepare-metadata.outputs.docker_push)
         uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
 
-      - name: Determine Image Name
+      - name: Determine Image Name and Cache Configuration
         id: image_name
         run: |
           if [[ "${{ fromJSON(needs.prepare-metadata.outputs.use_ecr) }}" == "true" ]]; then
@@ -193,6 +193,23 @@ jobs:
           fi
           echo "image_name=${image_name}" >> $GITHUB_OUTPUT
 
+          # Configure cache settings
+          cache_ref="${image_name}:buildcache-${{ matrix.platform.tag_suffix }}"
+          echo "cache_ref=${cache_ref}" >> $GITHUB_OUTPUT
+
+          # For PR builds, use gha cache as fallback since we can't push to registry
+          # For push builds, use registry cache for better persistence and sharing
+          if [[ "${{ fromJSON(needs.prepare-metadata.outputs.docker_push) }}" == "true" ]]; then
+            echo "cache_from=type=registry,ref=${cache_ref}" >> $GITHUB_OUTPUT
+            echo "cache_to=type=registry,ref=${cache_ref},mode=max" >> $GITHUB_OUTPUT
+            echo "Using registry cache (can read and write)"
+          else
+            # PR builds: try to read from registry cache, write to gha cache
+            echo "cache_from=type=registry,ref=${cache_ref}" >> $GITHUB_OUTPUT
+            echo "cache_to=type=gha,scope=${{ matrix.platform.tag_suffix }},mode=max" >> $GITHUB_OUTPUT
+            echo "Using registry cache for reading, gha cache for writing (PR build)"
+          fi
+
       - name: Build and Push Platform-Specific Image
         uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
@@ -201,8 +218,8 @@ jobs:
           platforms: ${{ matrix.platform.name }}
           tags: ${{ steps.image_name.outputs.image_name }}:${{ needs.prepare-metadata.outputs.version }}-${{ needs.prepare-metadata.outputs.short_sha }}-${{ matrix.platform.tag_suffix }}
           push: ${{ fromJSON(needs.prepare-metadata.outputs.docker_push) }}
-          cache-from: type=gha,scope=${{ matrix.platform.tag_suffix }}
-          cache-to: type=gha,scope=${{ matrix.platform.tag_suffix }},mode=max
+          cache-from: ${{ steps.image_name.outputs.cache_from }}
+          cache-to: ${{ steps.image_name.outputs.cache_to }}
           provenance: false
           sbom: false
 

Dockerfile

@@ -22,6 +22,12 @@ RUN curl -sL https://deb.nodesource.com/setup_24.x | bash - && \
 # ============================================================
 # UI Build Stages - Run in parallel with separate caches
 # ============================================================
+# These stages use registry cache with mode=max, which means:
+# - Each stage is cached independently in the registry
+# - Only stages with changed dependencies will rebuild
+# - Cache mounts persist across builds for faster npm installs
+# - Changes to docs/ won't invalidate config_portal or webui caches
+# ============================================================
 
 # Build Config Portal UI
 FROM base AS ui-config-portal
@@ -55,6 +61,12 @@ RUN npm run build
 # ============================================================
 # Python Build Stage
 # ============================================================
+# This stage uses registry cache with mode=max for optimal caching:
+# - uv cache mount (/root/.cache/uv) speeds up package downloads
+# - Lock file changes only rebuild dependency installation layer
+# - Source code changes only rebuild the wheel build layer
+# - Independent from UI build stages - Python changes don't rebuild UI
+# ============================================================
 
 # Builder stage for creating wheels and runtime environment
 FROM base AS builder
@@ -130,6 +142,8 @@ RUN playwright install-deps chromium
 
 # Install Playwright browsers with cache (cached layer)
 # This layer stays cached because it doesn't depend on builder stage
+# Registry cache with mode=max ensures this expensive download is cached
+# sharing=locked prevents concurrent builds from corrupting the cache
 RUN --mount=type=cache,target=/var/cache/playwright,sharing=locked \
     PLAYWRIGHT_BROWSERS_PATH=/var/cache/playwright playwright install chromium