From e89d878e06fb35f6ee75d56b270a4edb69cfa173 Mon Sep 17 00:00:00 2001
From: OG T <ogt@WOOOMacMiniM4.local>
Date: Sun, 12 Apr 2026 18:51:15 +0800
Subject: [PATCH] =?UTF-8?q?fix(cd):=20=E9=82=84=E5=8E=9F=20Web=20build=20-?=
 =?UTF-8?q?-no-cache=EF=BC=8C=E7=A7=BB=E9=99=A4=E4=B8=8D=E7=9B=B8=E5=AE=B9?=
 =?UTF-8?q?=E7=9A=84=20buildx=20registry=20cache?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

buildx --cache-to type=registry + --output type=docker 在 docker driver 不支援
Web bundle 禁止快取（ADR-045/feedback_docker_buildkit_cache_poisoning）
快取毒化風險遠高於速度損失

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/cd.yaml | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index b45f2b46..42349331 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -193,23 +193,15 @@ jobs:
 
       # 2026-03-31 ogt: 移除中間通知，減少訊息雜訊
 
-      # ── Web 鏡像建置（精準快取失效）──────────────────────────────
+      # ── Web 鏡像建置（強制重建，禁止快取）──────────────────────────────
       # 2026-03-30 ogt: NEXT_PUBLIC_* 必須用公網域名 (build-time 寫死)
-      # 2026-04-01 Claude Code: 改用 CACHE_BUST=git_sha 取代 --no-cache
-      # - deps 層 (pnpm install) 仍可 cache → 節省 ~2-3 min
-      # - COPY . . 以下由 CACHE_BUST 強制失效 → CSRF fix 等代碼變更正確進入 bundle
-      # 2026-04-12 Claude Code: 切換 buildx + registry cache (mode=max)
-      # - deps/runner 層存入 Harbor web-cache:buildcache，比 inline cache 更可靠
-      # - Dockerfile 補 turbo cache mount，Turborepo task hash 跨 build 生效
-      # - 預期節省 1-2 min（deps 層 + turbo 增量）
+      # 2026-04-12 ogt: 還原 --no-cache（ADR-045 / feedback_docker_buildkit_cache_poisoning）
+      #   buildx registry cache-to + --output type=docker 不相容（docker driver 限制）
+      #   Web bundle 禁用快取：快取毒化會讓舊 bundle 進生產，風險遠高於速度損失
       - name: Build and Push Web
         run: |
-          docker buildx build -f apps/web/Dockerfile \
+          docker build --no-cache -f apps/web/Dockerfile \
             --build-arg NEXT_PUBLIC_API_URL=https://awoooi.wooo.work \
-            --build-arg CACHE_BUST=${{ github.sha }} \
-            --cache-from type=registry,ref=${{ env.HARBOR }}/awoooi/web-cache:buildcache \
-            --cache-to   type=registry,ref=${{ env.HARBOR }}/awoooi/web-cache:buildcache,mode=max \
-            --output type=docker \
             -t ${{ env.HARBOR }}/awoooi/web:${{ github.sha }} \
             -t ${{ env.HARBOR }}/awoooi/web:latest \
             .