feat(workflows): validate latest source branches#22
Conversation
- add an optional registry cache backend to the reusable image workflow - share the Hubble build cache across latest and release publishes - preserve the existing GHA cache path for all other components - expose image, platform, and cache parameters in the workflow summary
- update the reusable image workflow to actions/checkout v7 - use the latest stable major for every shared workflow consumer - keep the Docker action chain on its current stable major aliases
- use a dedicated registry cache tag for latest builds - use a separate registry cache tag for release builds - prevent release cache exports from replacing the master cache index
- keep registry cache selection optional for shared callers - preserve GHA cache fallback when the matrix key is absent - make the reusable workflow contract explicit
- move PD, Store, and Server caches to Docker Hub registry - seed durable caches during strict integration prechecks - isolate caches by image and publish channel - share BUILDPLATFORM cache with read-only arm64 jobs - upgrade checkout steps and expose cache strategy
- allow manual latest builds to select a source branch - run non-master validation without registry or image writes - force strict prechecks and bypass the production hash gate - preserve scheduled master and release publishing behavior
|
Note Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported. |
|
Warning Review limit reached
Next review available in: 53 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Walkthrough新增 latest 源分支选择和只读验证模式。复用工作流根据验证状态控制镜像推送、缓存导出、manifest 创建及 hash 更新,并补充 latest/release 构建缓存配置与相关文档。 Changes镜像发布与缓存控制
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant LatestWrapper
participant ReusableWorkflow
participant BuildJobs
participant Registry
LatestWrapper->>ReusableWorkflow: 传递源分支与 validation_only
ReusableWorkflow->>BuildJobs: 输出发布与缓存策略
BuildJobs->>Registry: 读取构建缓存
BuildJobs->>Registry: 发布模式下推送镜像并导出缓存
Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR extends the “latest” publishing workflows to support validating non-master source branches (primarily for PD/Store/Server) without overwriting production artifacts, while also introducing registry-backed BuildKit cache support in the shared image publishing reusable workflow.
Changes:
- Add a
latest_source_branchworkflow-dispatch input for the PD/Store/Server latest workflow and adjust strict/hash-gate behavior based on selected branch. - Update the PD/Store/Server reusable workflow to derive branch-based validation tags, enforce “no publish/no hash update” behavior for non-
master, and shift caching to Docker Hub registry-backed caches. - Enhance the generic image reusable workflow to support an optional
registry_cache_image, and configure hubble latest/release wrappers to use it.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/publish_release_hubble_image.yml | Adds a Docker Hub registry cache tag for release hubble builds. |
| .github/workflows/publish_latest_pd_store_server_image.yml | Adds branch selection input and updates strict/hash gating based on branch mode. |
| .github/workflows/publish_latest_hubble_image.yml | Adds a Docker Hub registry cache tag for latest hubble builds. |
| .github/workflows/_publish_pd_store_server_reusable.yml | Implements branch-aware “publish vs validate” behavior and switches build cache backend to registry refs. |
| .github/workflows/_publish_image_reusable.yml | Adds optional registry-backed cache support and surfaces cache configuration in step summaries. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- allow manual latest builds to select a source branch - run non-master validation without registry or image writes - force strict prechecks and bypass the production hash gate - preserve scheduled master and release publishing behavior
- describe non-master runs as read-only validation - normalize empty branch inputs to master semantics - report registry cache writers only when exports are enabled
- retain the reviewed branch-validation implementation - connect the prior PR branch history without rewriting remote commits - keep the PR diff based on the merged cache workflow
- allow manual Hubble builds to select a source branch - run non-master multi-platform builds without image or cache writes - skip latest hash updates during read-only validation - preserve existing generic workflow callers
- add isolated latest and release caches for Loader, Vermeer, and AI - support read-only validation from non-default source branches - document BUILDPLATFORM performance and native artifact boundaries - record measured arm64 build improvements
- add measured Server, Hubble, Loader, and Vermeer timings - distinguish QEMU removal gains from cache improvements - keep the optimization boundary tied to portable artifacts
- remove dated performance measurements from the README - retain the stable QEMU and cache design guidance - keep measured timings in PR and CI evidence instead
Summary
Measured validation
Validation runs:
Upstream changes
Safety
Default-branch and release builds retain image pushes, registry cache exports, manifests, and hash updates. Non-default validation imports caches read-only and never changes Docker Hub state.
AI RAG retains target-platform builds because its copied Python venv contains architecture-specific native wheels; only its cache and validation policy change.
Verification