Skip to content

feat(workflows): validate latest source branches#22

Merged
imbajin merged 13 commits into
masterfrom
cx-hubble-build-cache-perf
Jul 12, 2026
Merged

feat(workflows): validate latest source branches#22
imbajin merged 13 commits into
masterfrom
cx-hubble-build-cache-perf

Conversation

@imbajin

@imbajin imbajin commented Jul 12, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • allow every regular latest image workflow to validate an upstream source branch without writes
  • add durable, channel-isolated registry caches for Hubble, Loader, Vermeer, RAG, RAG Bin, PD, Store, and Server
  • run non-default branches with push=false, no cache exports, no manifests, and no hash updates
  • document BUILDPLATFORM/TARGETPLATFORM, QEMU avoidance, native artifact boundaries, and measured results

Measured validation

Image flow Before After
PD/Store/Server arm64 jobs 42-44 min 6.2-6.8 min
Hubble multi-platform 147.5 min 8.8 min
Loader multi-platform 30-40 min 2.9 min
Vermeer multi-platform 13.3 min 1.9 min

Validation runs:

Upstream changes

Safety

Default-branch and release builds retain image pushes, registry cache exports, manifests, and hash updates. Non-default validation imports caches read-only and never changes Docker Hub state.

AI RAG retains target-platform builds because its copied Python venv contains architecture-specific native wheels; only its cache and validation policy change.

Verification

  • actionlint passed for all changed workflows
  • YAML and matrix JSON assertions passed
  • all review comments addressed and resolved
  • real read-only amd64/arm64 validations passed for Server, Hubble, Loader, and Vermeer
  • git diff --check passed
  • independent cross-repository reviews passed

imbajin added 6 commits July 12, 2026 16:41
- add an optional registry cache backend to the reusable image workflow
- share the Hubble build cache across latest and release publishes
- preserve the existing GHA cache path for all other components
- expose image, platform, and cache parameters in the workflow summary
- update the reusable image workflow to actions/checkout v7
- use the latest stable major for every shared workflow consumer
- keep the Docker action chain on its current stable major aliases
- use a dedicated registry cache tag for latest builds
- use a separate registry cache tag for release builds
- prevent release cache exports from replacing the master cache index
- keep registry cache selection optional for shared callers
- preserve GHA cache fallback when the matrix key is absent
- make the reusable workflow contract explicit
- move PD, Store, and Server caches to Docker Hub registry

- seed durable caches during strict integration prechecks

- isolate caches by image and publish channel

- share BUILDPLATFORM cache with read-only arm64 jobs

- upgrade checkout steps and expose cache strategy
- allow manual latest builds to select a source branch
- run non-master validation without registry or image writes
- force strict prechecks and bypass the production hash gate
- preserve scheduled master and release publishing behavior
Copilot AI review requested due to automatic review settings July 12, 2026 09:15
@gemini-code-assist

Copy link
Copy Markdown

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@dosubot dosubot Bot added size:XS This PR changes 0-9 lines, ignoring generated files. enhancement New feature or request labels Jul 12, 2026
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@imbajin, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 53 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ffe7b809-b370-4e7e-a972-77a913d9d781

📥 Commits

Reviewing files that changed from the base of the PR and between 247ab67 and e1ba1c4.

📒 Files selected for processing (1)
  • README.md

Walkthrough

新增 latest 源分支选择和只读验证模式。复用工作流根据验证状态控制镜像推送、缓存导出、manifest 创建及 hash 更新,并补充 latest/release 构建缓存配置与相关文档。

Changes

镜像发布与缓存控制

Layer / File(s) Summary
通用镜像发布控制
.github/workflows/_publish_image_reusable.yml
新增 validation_onlypublish_images,并据此控制缓存写入、镜像推送及 hash 更新。
PD Store Server 缓存与发布控制
.github/workflows/_publish_pd_store_server_reusable.yml
新增 cache_channelpublish_images 输出,控制多平台构建缓存、镜像推送、manifest 和 hash 更新。
Latest 工作流分支路由
.github/workflows/publish_latest_*_image.yml
新增 latest_source_branch,非默认分支启用只读验证,并动态设置分支和 hash gate。
Release 缓存配置与策略文档
.github/workflows/publish_release_*_image.yml, README.md
补充 release 构建缓存镜像,并记录多平台构建与只读分支验证策略。

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant LatestWrapper
  participant ReusableWorkflow
  participant BuildJobs
  participant Registry
  LatestWrapper->>ReusableWorkflow: 传递源分支与 validation_only
  ReusableWorkflow->>BuildJobs: 输出发布与缓存策略
  BuildJobs->>Registry: 读取构建缓存
  BuildJobs->>Registry: 发布模式下推送镜像并导出缓存
Loading

Possibly related PRs

Poem

小兔蹦进构建仓,
只读分支不乱忙。
缓存读取轻轻跑,
镜像推送按旗号。
多平台构建月牙亮。

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed 标题简洁且准确概括了此次变更:为 latest 源分支增加校验支持。
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cx-hubble-build-cache-perf

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR extends the “latest” publishing workflows to support validating non-master source branches (primarily for PD/Store/Server) without overwriting production artifacts, while also introducing registry-backed BuildKit cache support in the shared image publishing reusable workflow.

Changes:

  • Add a latest_source_branch workflow-dispatch input for the PD/Store/Server latest workflow and adjust strict/hash-gate behavior based on selected branch.
  • Update the PD/Store/Server reusable workflow to derive branch-based validation tags, enforce “no publish/no hash update” behavior for non-master, and shift caching to Docker Hub registry-backed caches.
  • Enhance the generic image reusable workflow to support an optional registry_cache_image, and configure hubble latest/release wrappers to use it.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
.github/workflows/publish_release_hubble_image.yml Adds a Docker Hub registry cache tag for release hubble builds.
.github/workflows/publish_latest_pd_store_server_image.yml Adds branch selection input and updates strict/hash gating based on branch mode.
.github/workflows/publish_latest_hubble_image.yml Adds a Docker Hub registry cache tag for latest hubble builds.
.github/workflows/_publish_pd_store_server_reusable.yml Implements branch-aware “publish vs validate” behavior and switches build cache backend to registry refs.
.github/workflows/_publish_image_reusable.yml Adds optional registry-backed cache support and surfaces cache configuration in step summaries.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/publish_latest_pd_store_server_image.yml Outdated
Comment thread .github/workflows/publish_latest_pd_store_server_image.yml Outdated
Comment thread .github/workflows/_publish_pd_store_server_reusable.yml
imbajin added 5 commits July 12, 2026 17:32
- allow manual latest builds to select a source branch
- run non-master validation without registry or image writes
- force strict prechecks and bypass the production hash gate
- preserve scheduled master and release publishing behavior
- describe non-master runs as read-only validation
- normalize empty branch inputs to master semantics
- report registry cache writers only when exports are enabled
- retain the reviewed branch-validation implementation
- connect the prior PR branch history without rewriting remote commits
- keep the PR diff based on the merged cache workflow
- allow manual Hubble builds to select a source branch
- run non-master multi-platform builds without image or cache writes
- skip latest hash updates during read-only validation
- preserve existing generic workflow callers
- add isolated latest and release caches for Loader, Vermeer, and AI
- support read-only validation from non-default source branches
- document BUILDPLATFORM performance and native artifact boundaries
- record measured arm64 build improvements
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels Jul 12, 2026
- add measured Server, Hubble, Loader, and Vermeer timings
- distinguish QEMU removal gains from cache improvements
- keep the optimization boundary tied to portable artifacts
- remove dated performance measurements from the README
- retain the stable QEMU and cache design guidance
- keep measured timings in PR and CI evidence instead
@imbajin imbajin merged commit d1403a9 into master Jul 12, 2026
1 check passed
@imbajin imbajin deleted the cx-hubble-build-cache-perf branch July 12, 2026 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request size:M This PR changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants