Speed up deploy builds: Blacksmith + layer cache

[simonsmallchua]

Summary

Cuts Fly Deploy build time (and removes the recurring builder flake) by building images on the Blacksmith runner with a sticky layer cache, instead of shipping the build to Fly's shared remote builder.

• Drop Fly's remote builder. Both build jobs now use useblacksmith/build-push-action@v1 (auth via flyctl auth docker, push to registry.fly.io) rather than flyctl deploy --build-only --push. This removes the error releasing builder: deadline_exceeded / graceful_stop failures that have flaked the deploy repeatedly.
• Add BuildKit cache mounts for the Go module cache (/go/pkg/mod) and build cache (/root/.cache/go-build) in Dockerfile and Dockerfile.analysis. Blacksmith's sticky disk persists these across runs, so dependency compiles are incremental instead of cold every deploy. For the analysis image the Chromium/Lighthouse layers also cache.

Release/reconcile/autoscaler jobs are unchanged — they still consume needs.build-*.outputs.image, which now points at the Blacksmith-pushed tag.

Expected impact

• Incremental deploys (small code/config change): ~12 min → ~3-4 min.
• Cold builds (after a dependency bump): roughly halved via the module cache.
• Eliminates the remote-builder flake that required manual re-runs.

Test plan

• CI build-shared + build-analysis jobs go green on this PR (validates flyctl auth docker + Blacksmith push wiring).
• Confirm pushed image tags resolve and release jobs deploy them.
• Compare build duration on a second run (warm cache) vs the first (cold cache) to confirm the speedup.
• Sanity-check both images run (API/worker entrypoints; analysis Chromium/Lighthouse present).

---

^{Need help on this PR? Tag @codesmith with what you need. Autofix is disabled.}

Summary by CodeRabbit

• Chores

  • CI now pre-builds and publishes container images via the new runner and exposes image references for downstream jobs.
  • Build steps use BuildKit cache mounts for Go module and build caches, reducing incremental build times and flakiness.

• Documentation

  • CHANGELOG updated to describe the CI build workflow change and observed build-time and reliability improvements.

[supabase]

Updates to Preview Branch (feature/speed-up-deploy-builds) ↗︎

Deployments	Status	Updated
Database	✅	Wed, 27 May 2026 10:07:20 UTC
Services	✅	Wed, 27 May 2026 10:07:20 UTC
APIs	✅	Wed, 27 May 2026 10:07:20 UTC

Tasks are run on every commit but only new migration files are pushed.
Close and reopen this PR if you want to apply changes from existing seed or migration files.

Tasks	Status	Updated
Configurations	✅	Wed, 27 May 2026 10:07:24 UTC
Migrations	✅	Wed, 27 May 2026 10:07:27 UTC
Seeding	✅	Wed, 27 May 2026 10:07:34 UTC
Edge Functions	✅	Wed, 27 May 2026 10:07:34 UTC

---

View logs for this Workflow Run ↗︎.
Learn more about Supabase for Git ↗︎.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 075bd24c-7306-49f8-aaf2-d81f87bf0d44

📥 Commits

Reviewing files that changed from the base of the PR and between bf28a3c and 5b97359.

📒 Files selected for processing (2)

• .github/workflows/fly-deploy.yml
• .github/workflows/review-apps.yml

🚧 Files skipped from review as they are similar to previous changes (2)

• .github/workflows/review-apps.yml
• .github/workflows/fly-deploy.yml

---

📝 Walkthrough

Walkthrough

This PR refactors the build pipeline to replace flyctl-based image creation with useblacksmith/build-push-action and optimizes Go build caching using Docker BuildKit cache mounts. Both Dockerfiles now persist module and build caches across builds, and the CI workflow jobs wire authentication and image labels through the new build action.

Changes

Build performance and mechanism optimization

Layer / File(s)	Summary
Docker build optimization with BuildKit caches Dockerfile, Dockerfile.analysis	Both Dockerfiles add BuildKit RUN --mount=type=cache directives for /go/pkg/mod (module cache) and /root/.cache/go-build (Go build cache), replacing previous non-cached go mod download and go build steps with cached equivalents.
CI workflow refactor to build-push-action .github/workflows/fly-deploy.yml, .github/workflows/review-apps.yml, CHANGELOG.md	build-shared and build-analysis jobs now authenticate Docker to Fly, set IMAGE_LABEL via job env, build and push images using useblacksmith/build-push-action from the respective Dockerfiles, and expose the pushed image references via a step id: image; CHANGELOG.md updated to document the pipeline change.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Good-Native/hover#361: Modifies the same workflow build/release flow and image wiring; likely related to CI build behavior and image prebuilds.

Poem

🐰 I cached the hops where Go modules go,

Blacksmith hammers images nice and slow,
flyctl retired, new steps hum bright,
Builds skip the flake and dance through the night,
🥕✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Speed up deploy builds: Blacksmith + layer cache' clearly and concisely summarizes the main changes: adopting Blacksmith for builds and implementing BuildKit layer caching to improve deployment build performance.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/speed-up-deploy-builds

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[github-actions]

🐝 Review App Deployed

Homepage: https://hover-pr-392.fly.dev
Dashboard: https://hover-pr-392.fly.dev/dashboard

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/fly-deploy.yml:
- Around line 69-75: In the Fly deploy workflow replace the floating action refs
and tighten checkout credentials: pin useblacksmith/build-push-action@v1 to a
specific immutable commit SHA in both occurrences (the steps that currently read
"uses: useblacksmith/build-push-action@v1" in the build-shared and
build-analysis jobs) and update the actions/checkout@v6 steps in those same jobs
to include persist-credentials: false so credentials are not persisted to the
workspace. Ensure both places are updated consistently.
- Line 54: Replace every occurrence of "uses: actions/checkout@v6" in the
workflow with a pinned commit SHA and explicitly disable credential persistence;
specifically update each checkout step (the ones currently using
actions/checkout@v6) to use "uses: actions/checkout@<COMMIT_SHA>" and add a
"with: persist-credentials: false" block for that step so the checkout is pinned
and tokens are not persisted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 84ed12b4-a982-4e53-b174-7e454c1855c2

📥 Commits

Reviewing files that changed from the base of the PR and between 4a8dae5 and 16c212b.

📒 Files selected for processing (3)

• .github/workflows/fly-deploy.yml
• Dockerfile
• Dockerfile.analysis

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/review-apps.yml:
- Line 471: Replace tag-based actions with pinned commit SHAs and disable
credential persistence: update each usage of actions/checkout@v6 to a specific
commit SHA (instead of the tag) and add with: persist-credentials: false to
those steps; similarly replace useblacksmith/build-push-action@v1 with its
corresponding pinned commit SHA. Locate the occurrences by the action
identifiers actions/checkout@v6 and useblacksmith/build-push-action@v1 in the
workflow and update both instances so checkout sets persist-credentials: false
and both actions reference exact SHAs.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e36bdfd2-74ed-4df4-bfae-15645f610b90

📥 Commits

Reviewing files that changed from the base of the PR and between 16c212b and 54db04d.

📒 Files selected for processing (1)

• .github/workflows/review-apps.yml

[github-actions]

🐝 Review App Deployed

Homepage: https://hover-pr-392.fly.dev
Dashboard: https://hover-pr-392.fly.dev/dashboard

[github-actions]

Release Versions

App patch: v0.34.17 → v0.34.18

Changelog

Changed

• Deploy and review-app images now build on the Blacksmith CI runner via
  useblacksmith/build-push-action, with BuildKit cache mounts for the Go
  module and build caches, instead of Fly's shared remote builder. This removes
  the recurring error releasing builder: deadline_exceeded flake and makes
  dependency compiles incremental across runs, cutting build time substantially.

[github-actions]

🐝 Review App Deployed

Homepage: https://hover-pr-392.fly.dev
Dashboard: https://hover-pr-392.fly.dev/dashboard