fix(ci): align gha cache scopes so Integration reuses build caches

[Yambr]

Problem

The Integration — real MCP + Docker job rebuilds the ~8GB sandbox image from scratch on every run (no cache), making it by far the slowest job.

Root cause

gha cache scope mismatch:

Image	cache-to (writer)	Integration cache-from	Hit?
sandbox	build-sandbox → default (unscoped)	scope=sandbox	❌ miss
server	build-server → default; smoke → scope=server-smoke	scope=server-smoke	⚠️ only via smoke

type=gha keys cache by scope; the default scope is per-job, so Integration's scope=sandbox read never matched build-sandbox's default-scope write → 100% miss → full rebuild (Playwright, Chromium, npm, Python).

Fix

• build-sandbox: write + read scope=sandbox.
• build-server: write + read scope=server-smoke (shared with smoke + Integration).
• Integration: drop cache-to on both inline builds — they are pure consumers of caches owned by the build jobs that run first via needs:; re-exporting the 8GB layer cache only wasted upload time.

build-sandbox runs before Integration (needs:), so the hit lands on the same run, not just the next one.

CI-only; no image-content change.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Optimized GitHub Actions Docker build caching configuration for improved CI/CD pipeline efficiency across sandbox and server image builds.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 408b2d0d-0f48-4cc2-abb2-0015b92f9b89

📥 Commits

Reviewing files that changed from the base of the PR and between 0a80231 and 434f99a.

📒 Files selected for processing (1)

• .github/workflows/build.yml

---

📝 Walkthrough

Walkthrough

GitHub Actions workflow updated to use scoped Docker layer caching. Primary build jobs (build-sandbox, build-server) now use scope-specific caches with read/write permissions. Integration job consumes these scoped caches in read-only mode, avoiding re-export of cached layers.

Changes

Docker build cache scoping

Layer / File(s)	Summary
Sandbox and server build cache scoping .github/workflows/build.yml	build-sandbox job switches to scope=sandbox cache; build-server job switches to scope=server-smoke cache. Both jobs configured for read and write to their respective scoped caches.
Integration job cache consumption .github/workflows/build.yml	Integration job's workspace and server image builds switch to read-only scoped cache pulls (scope=sandbox and scope=server-smoke), removing cache-to entries to skip re-exporting large layers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

A rabbit hops through cache so bright,
Sandbox and server, now organized right,
Scoped like a warren, divided with care,
Building and sharing, no layers laid bare! 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: fixing GitHub Actions cache scope alignment so the Integration job can reuse build caches instead of rebuilding images.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch worktree-ci-cache-scope-fix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}