chore(engine): publish engine bases in ci

.github/actions/docker-setup/action.yaml

@@ -1,5 +1,5 @@
 name: 'Docker Setup'
-description: 'Set up Docker Buildx and log in to Docker Hub'
+description: 'Set up Docker Buildx and log in to Docker Hub and GHCR'
 inputs:
   docker_username:
     description: 'Docker Hub username'
@@ -22,11 +22,17 @@ runs:
         username: ${{ inputs.docker_username }}
         password: ${{ inputs.docker_password }}
 
+    - name: Log in to ghcr.io
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.github_token }}
+
     # This will be used as a secret to authenticate with Git repo pulls
     - name: Create .netrc file
       run: |
         echo "machine github.com" > ${{ runner.temp }}/netrc
         echo "login x-access-token" >> ${{ runner.temp }}/netrc
         echo "password ${{ inputs.github_token }}" >> ${{ runner.temp }}/netrc
       shell: bash
-

.github/workflows/publish.yaml

@@ -236,11 +236,43 @@ jobs:
           path: artifacts/${{ matrix.artifact }}
           if-no-files-found: error
 
+  # ---------------------------------------------------------------------------
+  # engine-base-images — publish engine-specific GHCR bases for this commit SHA
+  # ---------------------------------------------------------------------------
+  engine-base-images:
+    needs: [context]
+    name: "Engine Base ${{ matrix.base }}"
+    if: needs.context.outputs.is_fork != 'true'
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - base: engine-builder
+          - base: engine-runtime-full
+          - base: engine-runtime-slim
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build & Push Engine Base
+        run: |
+          TAG_OVERRIDE=${{ needs.context.outputs.sha }} \
+            ./scripts/docker-builder-base/build-push.sh ${{ matrix.base }} --push
+
   # ---------------------------------------------------------------------------
   # docker-images — per-arch runtime images pushed to Docker Hub
   # ---------------------------------------------------------------------------
   docker-images:
-    needs: [context]
+    needs: [context, engine-base-images]
     name: "Docker ${{ matrix.arch_suffix }}"
     if: needs.context.outputs.is_fork != 'true'
     strategy:
@@ -283,6 +315,7 @@ jobs:
           target: engine-full
           platforms: ${{ matrix.platform }}
           build-args: |
+            ENGINE_BASE_TAG=${{ needs.context.outputs.sha }}
             BUILD_FRONTEND=${{ steps.mode.outputs.build_frontend }}
             CARGO_BUILD_MODE=${{ steps.mode.outputs.cargo_build_mode }}
       - name: Build & Push (rivetdev/engine:slim)
@@ -295,6 +328,7 @@ jobs:
           target: engine-slim
           platforms: ${{ matrix.platform }}
           build-args: |
+            ENGINE_BASE_TAG=${{ needs.context.outputs.sha }}
             BUILD_FRONTEND=${{ steps.mode.outputs.build_frontend }}
             CARGO_BUILD_MODE=${{ steps.mode.outputs.cargo_build_mode }}
 
@@ -401,7 +435,7 @@ jobs:
 
       # ---- build TypeScript packages (turbo dep graph picks up native) ----
       - name: Build TypeScript packages
-        run: pnpm build -F rivetkit -F '@rivetkit/*' -F '!@rivetkit/shared-data' -F '!@rivetkit/engine-frontend' -F '!@rivetkit/mcp-hub' -F '!@rivetkit/sqlite-native' -F '!@rivetkit/rivetkit-native'
+        run: pnpm build -F rivetkit -F '@rivetkit/*' -F '!@rivetkit/shared-data' -F '!@rivetkit/engine-frontend' -F '!@rivetkit/mcp-hub' -F '!@rivetkit/sqlite-native' -F '!@rivetkit/sqlite-wasm' -F '!@rivetkit/rivetkit-native'
 
       - name: Pack inspector
         run: npx turbo build:pack-inspector -F rivetkit

CLAUDE.md

@@ -73,6 +73,8 @@ cd self-host/compose/dev
 docker-compose up -d
 ```
 
+- Rebuild publish base images with `scripts/docker-builder-base/build-push.sh <base-name|all> --push`; update `BASE_TAG` when rebuilding shared builder bases, while engine bases are published per commit in `publish.yaml`.
+
 ### Git Commands
 ```bash
 # Use conventional commits with a single-line commit message, no co-author

docker/builder-base/engine-builder.Dockerfile

@@ -0,0 +1,42 @@
+# syntax=docker/dockerfile:1.10.0
+# Base image for Linux engine container builds.
+# Pre-bakes Rust, Node.js 22, corepack, build dependencies, and the
+# FoundationDB client library for each target architecture.
+#
+# Build & push: scripts/docker-builder-base/build-push.sh engine-builder --push
+FROM mcr.microsoft.com/devcontainers/rust:1-1-bookworm
+
+ARG TARGETARCH
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    cmake \
+    curl \
+    g++ \
+    git \
+    gpg \
+    libclang-dev \
+    libpq-dev \
+    libssl-dev \
+    make \
+    openssl \
+    pkg-config \
+    wget && \
+    rustup toolchain install 1.91.0 && \
+    rustup default 1.91.0 && \
+    curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
+    apt-get install -y --no-install-recommends nodejs && \
+    corepack enable && \
+    rm -rf /var/lib/apt/lists/* && \
+    if [ "$TARGETARCH" = "arm64" ]; then \
+        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.aarch64.so"; \
+    else \
+        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.x86_64.so"; \
+    fi
+
+ENV CARGO_NET_GIT_FETCH_WITH_CLI=true \
+    COREPACK_ENABLE_DOWNLOAD_PROMPT=0
+
+WORKDIR /app

docker/builder-base/engine-runtime-full.Dockerfile

@@ -0,0 +1,23 @@
+# syntax=docker/dockerfile:1.10.0
+# Base image for the full Linux engine runtime image.
+#
+# Build & push: scripts/docker-builder-base/build-push.sh engine-runtime-full --push
+FROM mcr.microsoft.com/devcontainers/base:debian
+
+ARG TARGETARCH
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    dirmngr \
+    gpg \
+    openssl && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    if [ "$TARGETARCH" = "arm64" ]; then \
+        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.aarch64.so"; \
+    else \
+        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.x86_64.so"; \
+    fi

docker/builder-base/engine-runtime-slim.Dockerfile

@@ -0,0 +1,21 @@
+# syntax=docker/dockerfile:1.10.0
+# Base image for the slim Linux engine runtime image.
+#
+# Build & push: scripts/docker-builder-base/build-push.sh engine-runtime-slim --push
+FROM mcr.microsoft.com/devcontainers/base:debian
+
+ARG TARGETARCH
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update -y && \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    openssl && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    if [ "$TARGETARCH" = "arm64" ]; then \
+        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.aarch64.so"; \
+    else \
+        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.x86_64.so"; \
+    fi

docker/engine/Dockerfile

@@ -1,8 +1,10 @@
 # syntax=docker/dockerfile:1.10.0
 
+ARG ENGINE_BASE_TAG=latest
+
 # MARK: Builder
 # TODO(RVT-4168): Compile libfdb from scratch for ARM
-FROM rust:1.91.0-trixie AS builder
+FROM ghcr.io/rivet-dev/rivet/engine-base-builder:${ENGINE_BASE_TAG} AS builder
 
 # Docker automatically provides TARGETARCH
 ARG TARGETARCH
@@ -12,37 +14,6 @@ ARG CARGO_BUILD_MODE=debug
 ARG VITE_APP_API_URL=__SAME__
 ARG OVERRIDE_GIT_SHA
 
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update -y && \
-    apt-get install -y \
-    curl \
-    g++ \
-    git \
-    libclang-dev \
-    libpq-dev \
-    libssl-dev \
-    pkg-config \
-    ca-certificates \
-    gpg \
-    openssl \
-    wget \
-    cmake \
-    make && \
-    curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
-    apt-get install -y nodejs && \
-    corepack enable && \
-    if [ "$TARGETARCH" = "arm64" ]; then \
-        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.aarch64.so"; \
-    else \
-        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.x86_64.so"; \
-    fi
-
-# Disable interactive prompt
-ENV COREPACK_ENABLE_DOWNLOAD_PROMPT=0
-
-# Pull via Git CLI to improve reliability in CI
-ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
-
 WORKDIR /app
 
 COPY . .
@@ -83,27 +54,7 @@ RUN \
     cp target/$CARGO_BUILD_MODE/rivet-engine /app/dist/
 
 # MARK: Engine (full, base)
-FROM debian:13.1-slim AS engine-full-base
-
-# Docker automatically provides TARGETARCH
-ARG TARGETARCH
-
-ENV DEBIAN_FRONTEND=noninteractive
-# - Install curl for health checks
-RUN apt-get update -y && \
-    apt-get install -y \
-    ca-certificates \
-    openssl \
-    curl \
-    gpg \
-    dirmngr && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    if [ "$TARGETARCH" = "arm64" ]; then \
-        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.aarch64.so"; \
-    else \
-        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.x86_64.so"; \
-    fi
+FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-full:${ENGINE_BASE_TAG} AS engine-full-base
 
 # MARK: Engine (Full)
 FROM engine-full-base AS engine-full
@@ -116,26 +67,11 @@ ENTRYPOINT ["/usr/bin/rivet-engine"]
 CMD ["start"]
 
 # MARK: Engine (Slim)
-FROM debian:13.1-slim AS engine-slim
+FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-slim:${ENGINE_BASE_TAG} AS engine-slim
 
 LABEL org.opencontainers.image.source=https://github.com/rivet-dev/rivet
 
-# Docker automatically provides TARGETARCH
-ARG TARGETARCH
-
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update -y && \
-    apt-get install -y ca-certificates openssl curl && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    if [ "$TARGETARCH" = "arm64" ]; then \
-        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.aarch64.so"; \
-    else \
-        curl -Lf -o /lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/7.3.68/libfdb_c.x86_64.so"; \
-    fi
-
 COPY --from=builder /app/dist/rivet-engine /usr/bin/rivet-engine
 
 ENTRYPOINT ["/usr/bin/rivet-engine"]
 CMD ["start"]
-