chore: build base image when the file changes in commit or release #41583

Open
wyattwalter wants to merge 2 commits into release from ww-base-dockerfile-build-dependency
@wyattwalter wyattwalter commented Feb 27, 2026

Description

The existing base Docker image build job was completely independent of the final image build, and they run in parallel. That means that in practice, often we were seeing the image on the release branch be built with the older base image which makes rollout of changes with dependencies between the two tricky.

This removes the direct push trigger on the base Docker image build, and shifts it to the places where we build the image. It calls the base image job which checks whether it needs to be re-built for this commit. If not, it skips the build step. But if it does, it halts the build of the downstream image until the base is updated.

Fixes #Issue Number
or
Fixes Issue URL

Warning

If no issue exists, please create an issue first, and check with the maintainers if the issue is valid.

Automation

/ok-to-test tags=""

🔍 Cypress test results

Warning

Tests have not run on the HEAD 9a82393 yet


Fri, 27 Feb 2026 23:07:59 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Chores
    • Enhanced CI/CD workflows to support invoking the base-image build with an optional tag and conditional execution only when the base definition changes.
    • Added a reusable base-image build job and integrated it into release and test pipelines so the base image is built before packaging and Docker image builds.
    • Enabled nightly tagging for automated base-image builds.

@github-actions github-actions bot added the skip-changelog label (Adding this label to a PR prevents it from being listed in the changelog) Feb 27, 2026

coderabbitai bot commented Feb 27, 2026

Walkthrough

Refactors Docker base-image build into a reusable workflow-callable workflow with an optional tag input, adds fetch-depth: 0, computes whether deploy/docker/base.dockerfile changed across the commit range when invoked, and conditions the build/push on that flag. Two other workflows invoke this job and add it as a dependency.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Base Image Workflow (`.github/workflows/docker-base-image.yml`) | Replaces push trigger with workflow_call accepting optional tag; sets fetch-depth: 0; adds a conditional step that diffs deploy/docker/base.dockerfile over the commit range to set a changed flag; only runs build-and-push when flag is true (when invoked via workflow_call). |
| Release Workflow (`.github/workflows/github-release.yml`) | Adds a build-base-image job that reuses ./.github/workflows/docker-base-image.yml with tag: nightly and inherited secrets; updates package job needs to include build-base-image. |
| Test Build Workflow (`.github/workflows/test-build-docker-image.yml`) | Adds deploy/docker/base.dockerfile to push path filters; introduces a build-base-image job that uses the reusable workflow and inherits secrets; makes build-docker-image depend on build-base-image and passes pr: 0 when invoking the referenced workflow. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐳 A base file watched across the lane,
Calls now reuse, and tag names reign,
Diffing changes, builds run light,
Nightly whispers wake the night. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description covers the motivation and context, but lacks a linked issue reference despite the template warning about creating issues first. | Link the relevant issue number in the 'Fixes' section or confirm with maintainers if this change is valid without an issue reference. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately summarizes the main change: making the base Docker image build conditional on file changes rather than a direct push trigger. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/docker-base-image.yml (1)

42-65: Consider gating prep steps behind the same change condition.

When changed=false, Lines 42/48/61 still run. You can apply the same condition there to reduce unnecessary secret usage and runtime.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-base-image.yml around lines 42 - 65, The workflow
runs preparatory steps even when no relevant changes exist; add the same guard
used on the Build step (if: steps.check.outputs.changed != 'false') to the
"Login to DockerHub", "Get tag" (id: tag), and "Set up Depot CLI" steps so those
steps are skipped when steps.check.outputs.changed == 'false'; update the three
steps to include that identical if condition to avoid consuming secrets and
runtime unnecessarily.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/docker-base-image.yml:
- Around line 29-40: The check step (id: check) only diffs HEAD~1..HEAD which
misses changes in multi-commit pushes and is paired with fetch-depth: 2; update
the workflow to fetch full history (set fetch-depth: 0) or at least ensure the
pushed range is present, then replace the git diff invocation to compare the
push range using github.event.before and github.sha (e.g., git diff --name-only
"${{ github.event.before }}" "${{ github.sha }}" | grep -q
"deploy/docker/base.dockerfile") so any change to deploy/docker/base.dockerfile
in the entire push is detected and the base image rebuild is triggered.


ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 04121e4 and 0e8df54.

📒 Files selected for processing (3)
  • .github/workflows/docker-base-image.yml
  • .github/workflows/github-release.yml
  • .github/workflows/test-build-docker-image.yml

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/docker-base-image.yml:
- Around line 36-40: The current if-block sets range based only on whether
github.event.before is non-empty, but that value can be the null SHA
"0000000000000000000000000000000000000000" on first-time branch pushes which
causes git diff to fail; update the conditional to treat the null SHA as
equivalent to empty by checking github.event.before is not empty AND not equal
to the null SHA (e.g., compare against the 40-zero string or test prefix), and
only then set range="${{ github.event.before }}..${{ github.sha }}"; otherwise
set range="HEAD~1..HEAD" so new-branch pushes use a valid diff range.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0e8df54 and 9a82393.

📒 Files selected for processing (1)
  • .github/workflows/docker-base-image.yml
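
The range selection and change check discussed in the two reviews above, as an added example that is not part of the PR or the project's workflow. The function names, the `NULL_SHA` variable and the throwaway repository built in `demo` are assumptions made for illustration; a pathspec is used in place of the `grep -q` match.

```shell
# Added example: constructed scenario, not the project's workflow step.
NULL_SHA=0000000000000000000000000000000000000000

# Print the diff range for a push. $1 = "before" SHA from the push event
# (empty, or all zeros on the first push of a branch), $2 = pushed head SHA.
select_range() {
  if [ -n "$1" ] && [ "$1" != "$NULL_SHA" ]; then
    printf '%s..%s\n' "$1" "$2"
  else
    printf 'HEAD~1..HEAD\n'
  fi
}

# Print true/false: did path $2 change anywhere in range $1?
# The pathspec restricts the diff to that exact file, so no grep is needed.
file_changed() {
  if [ -n "$(git diff --name-only "$1" -- "$2")" ]; then
    echo true
  else
    echo false
  fi
}

# Constructed three-commit history; only the middle commit of the simulated
# two-commit push touches the base Dockerfile.
demo() {
  repo=$(mktemp -d) || return 1
  (
    f=deploy/docker/base.dockerfile
    cd "$repo" && git init -q . &&
    git config user.email demo@example.invalid && git config user.name demo &&
    git config commit.gpgsign false &&
    mkdir -p deploy/docker && echo 'FROM scratch' > "$f" &&
    echo a > app.txt && git add . && git commit -q -m init &&
    before=$(git rev-parse HEAD) &&
    echo '# change' >> "$f" && git commit -q -am base &&
    echo b > app.txt && git commit -q -am app &&
    head=$(git rev-parse HEAD) &&
    echo "push-range=$(file_changed "$(select_range "$before" "$head")" "$f")" &&
    echo "last-commit=$(file_changed HEAD~1..HEAD "$f")" &&
    echo "new-branch=$(file_changed "$(select_range "$NULL_SHA" "$head")" "$f")"
  )
  rm -rf "$repo"
}

demo
```

The `new-branch` line shows that the `HEAD~1..HEAD` fallback inspects only the last commit, so a first push of a branch whose earlier commits changed the file reports no change.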
