chore: upgrades dc.sh to use buildkit to store cache on gha

[stalniy]

Why

To speed up env setup by storing docker cache in gha

Summary by CodeRabbit

• Chores
  • CI: PR-gated static analysis added; test flow now auto-detects tests, conditionally prepares/tears down environments, normalizes branches, and only runs/uploads results when tests exist; removed Node/version printouts.
  • Docker & build: unified "up" command, BuildKit-backed bake path with cache-backed installs for faster builds, option to skip DB; updated local scripts and quick-start docs to reflect the unified workflow and removed the old production up line.

[coderabbitai]

Walkthrough

Adds test-detection and gated test/setup/teardown steps to the reusable GitHub Actions workflow; consolidates docker CLI into a Buildx/Bake-enabled script with BuildKit caching and unified up command; updates Dockerfiles to use BuildKit cache mounts for npm installs; adjusts npm scripts and app CI setup commands to call dc up.

Changes

Cohort / File(s)	Summary
Reusable workflow /.github/workflows/reusable-validate-app.yml	Replace Node/version step with PR-gated static analysis; add tests_details step emitting has_tests and requires_env_setup; conditionally run docker/setup-buildx-action, branch normalization, Prepare tests environment, gated Run tests and always-run Teardown tests environment; update upload steps and all references to steps.tests_details.outputs.has_tests.
Docker CLI script packages/docker/script/dc.sh	Add Buildx/Bake support and builder helpers (ensure_builder, docker_buildx_bake, bake_cached), array helper (remove_array_item_by_value), and docker_compose() wrapper; consolidate up flow, support --no-db by excluding DB compose file at runtime, and route builds via BuildKit when enabled.
Next.js Dockerfile packages/docker/Dockerfile.nextjs	Replace inline npm run safe-install && npm cache clean with BuildKit cache-mounted install RUN --mount=type=cache,id=npm-cache,target=/root/.npm npm run safe-install.
Node Dockerfile packages/docker/Dockerfile.node	Replace npm run safe-install invocations in dev/prod stages with BuildKit cache-mounted variants to enable npm cache mounting during installs.
App CI scripts & root package.json apps/api/package.json, apps/notifications/package.json, package.json	Update CI setup scripts and npm scripts to use unified dc up forms (e.g., dc up -d db, dc up), remove dc:up:prod, and change former up:dev/up:db script invocations to the single up style.
Docs README.md, packages/docker/README.md	Remove references to separate up:db/up:dev/up:prod commands; document unified up command and --no-db option; minor whitespace tidy.

Sequence Diagram(s)

sequenceDiagram
    rect rgb(242,248,255)
    participant WF as GitHub Workflow
    participant Detect as tests_details (package.json)
    participant Buildx as docker/setup-buildx-action
    participant Prep as Prepare tests env
    participant Test as Run tests
    participant Teardown as Teardown tests env
    participant Codecov as Coverage upload
    end

    WF->>Detect: read package.json -> outputs has_tests, requires_env_setup
    Detect-->>WF: outputs(has_tests, requires_env_setup)
    alt requires_env_setup == true
        WF->>Buildx: setup buildx / ensure builder
        Buildx-->>WF: builder ready
        WF->>Prep: run test:ci-setup
        Prep-->>WF: env ready
    end
    alt has_tests == true
        WF->>Test: run test:ci (coverage)
        Test-->>WF: results
        WF->>Codecov: upload results & coverage
        Codecov-->>WF: done
    end
    alt requires_env_setup == true
        WF->>Teardown: run test:ci-teardown (always)
        Teardown-->>WF: cleanup complete
    end

Loading

sequenceDiagram
    rect rgb(255,248,242)
    participant User
    participant DC as dc.sh
    participant Parser as Flag/Compose Parser
    participant Builder as ensure_builder
    participant Bake as docker_buildx_bake / bake_cached
    participant Compose as docker_compose
    participant Docker as Docker Engine
    end

    User->>DC: ./dc.sh up [--no-db] [USE_DOCKER_BUILDKIT=1]
    DC->>Parser: parse flags -> COMPOSE_FILES, REQUESTED_SERVICES
    Parser-->>DC: parsed values
    alt USE_DOCKER_BUILDKIT == 1
        DC->>Builder: ensure_builder()
        Builder->>Docker: create/verify builder
        Builder-->>DC: ready
        DC->>Bake: docker_buildx_bake / bake_cached (with cache)
        Bake->>Docker: build images (BuildKit)
        Bake-->>DC: images built
    else
        DC->>Docker: docker compose build (requested services)
    end
    DC->>Compose: docker_compose up (COMPOSE_FILES, services)
    Compose->>Docker: start containers
    Compose-->>DC: services running
    DC-->>User: done

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Extra attention:
  • packages/docker/script/dc.sh: builder lifecycle, Bake usage, cache semantics, and --no-db compose-file exclusion logic.
  • /.github/workflows/reusable-validate-app.yml: correctness of tests_details outputs, conditional expressions, gating order, and always() teardown behavior.
  • Dockerfile changes: BuildKit cache mount syntax and build arg propagation.
  • Cross-file consistency: npm script names and updated CI setup commands in package.json files.

Possibly related PRs

• chore: adds CI workflow summary #1579 — Modifies reusable workflow test execution logic and inputs; closely related to gating and test-step structure.
• feat: adds safe node packages installation #1726 — Alters Docker build logic and safe-install usage; overlaps with Dockerfile BuildKit/cache changes.
• feat: enables sentry sourcemaps in deploy-web #1800 — Touches the Next.js Dockerfile; may conflict with BuildKit/npm-install edits.

Suggested reviewers

• baktun14
• ygrishajev

Poem

🐇 I hopped through builds and whispered "bake",

I sniffed for tests and set the stake,
I warmed the lab, ran checks with care,
Cached the crumbs and cleared the air,
A rabbit grins — CI wakes to bake.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 16.67% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: upgrading dc.sh to use BuildKit for caching in GitHub Actions, which aligns with the primary objectives and the substantial changes to Docker build configuration across multiple files.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/api-build

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1611f78 and 794af59.

📒 Files selected for processing (9)

• .github/workflows/reusable-validate-app.yml (2 hunks)
• README.md (1 hunks)
• apps/api/package.json (1 hunks)
• apps/notifications/package.json (1 hunks)
• package.json (1 hunks)
• packages/docker/Dockerfile.nextjs (1 hunks)
• packages/docker/Dockerfile.node (2 hunks)
• packages/docker/README.md (1 hunks)
• packages/docker/script/dc.sh (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• packages/docker/README.md

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/docker/Dockerfile.nextjs
• apps/notifications/package.json

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.

📚 Learning: 2025-06-10T14:19:14.122Z

Learnt from: ygrishajev
Repo: akash-network/console PR: 1461
File: apps/notifications/src/modules/alert/services/deployment-alert/deployment-alert.service.ts:194-197
Timestamp: 2025-06-10T14:19:14.122Z
Learning: The alert.CONSOLE_WEB_URL environment variable in the notifications app is controlled and configured by the Akash team, reducing XSS concerns for HTML link generation in alert messages.

Applied to files:

• README.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: Validate local packages

🔇 Additional comments (16)

README.md (1)

42-43: Documentation aligns with updated npm scripts.

The Quick Start continues to reference npm run dc:up:dev, which now maps to the unified dc up command per the package.json changes. This maintains backward compatibility for users.

packages/docker/Dockerfile.node (1)

29-29: BuildKit cache mounts properly optimize npm install operations.

Both the development (line 29) and production (line 53) stages correctly utilize BuildKit's --mount=type=cache directive for persistent npm package cache. The consistent cache ID (npm-cache) enables sharing across stages, and removing explicit npm cache clean --force is appropriate since BuildKit manages cache eviction.

Also applies to: 53-53

apps/api/package.json (2)

27-28: Unified dc up command correctly applied to test setup.

Line 27 properly migrates from the old dc up:dev command to the new unified dc up command, aligning with the consolidated docker CLI workflow.

---

33-33: Verify backward compatibility: test:oauth2-server still uses deprecated command.

Line 33 continues to reference dc up:dev, which is not in the scope of this change. Please verify whether dc.sh maintains backward compatibility for the up:dev alias or if this line should also be updated to dc up.

package.json (1)

15-16: Unified dc commands correctly mapped via npm scripts.

Lines 15-16 properly consolidate the docker compose invocations to use the new unified dc up command. The npm script names (dc:up:db, dc:up:dev) maintain backward compatibility while the underlying commands now delegate to the single dc up command with appropriate service arguments.

.github/workflows/reusable-validate-app.yml (4)

33-39: Robust test and environment setup detection improves CI flexibility.

The new "Check whether app has tests" step (lines 33-39) intelligently gates subsequent steps by detecting test:cov (indicates tests exist) and test:ci-setup (indicates environment setup required). This allows the workflow to adapt to app-specific needs without manual configuration.

---

44-66: Structured setup/test/teardown sequence with proper gating is well-designed.

Lines 44-66 implement a clean three-phase flow:

• Normalize branch name for BuildKit cache scope (cached per branch for PR-based fallback)
• Prepare environment with BuildKit flags only when needed (requires_env_setup)
• Execute tests only when they exist (has_tests)
• Always tear down if setup was performed (via always())

This structure prevents resource leaks and improves test isolation.

---

50-58: BuildKit environment variables correctly passed to test setup.

Lines 50-58 properly configure BuildKit cache scopes:

• DOCKER_BUILDKIT_CACHE_SCOPE: Primary scope (workflow-app combination)
• DOCKER_BUILDKIT_CACHE_FALLBACK_SCOPE: Fallback scope (includes branch name for PR differentiation)

This allows cache reuse while protecting branch-specific builds.

---

64-66: Teardown properly gates on both always() and requires_env_setup.

The teardown step correctly uses if: ${{ always() && steps.tests_details.outputs.requires_env_setup == 'true' }} to ensure cleanup runs even on failure, but only if setup was actually performed.

packages/docker/script/dc.sh (7)

26-37: New utility function properly handles array manipulation via nameref.

The remove_array_item_by_value() function correctly uses bash nameref (local -n arr="$1") to modify the caller's array in place, enabling clean removal of compose files when --no-db is specified.

---

39-46: ensure_builder() validates buildx and creates builder with appropriate error handling.

The function correctly checks for docker buildx availability and either reuses or creates the ci-builder context. The use of silent redirections (>/dev/null 2>&1) for availability checks is appropriate, though explicit error messages on failure improve debugging.

---

48-71: docker_buildx_bake() implements intelligent target filtering and cache scope management.

Lines 48-71 correctly:

• Query buildable targets from docker compose files
• Filter REQUESTED_SERVICES to only include buildable targets (lines 56-60)
• Apply both primary and fallback cache scopes (lines 66-67)
• Use --load to make images available locally

The fallback scope strategy (branch-specific for PRs) improves cache hit rates.

---

100-105: Cache scope normalization correctly handles branch names with special characters.

Lines 101-105 properly normalize cache scopes by replacing spaces with hyphens (// /-), enabling valid use of branch names and workflow identifiers in GHA cache scopes.

---

119-132: Service filtering logic properly validates against known services.

Lines 119-132 correctly distinguish between docker compose services and docker-compose arguments:

• --no-db triggers array modification to exclude the DB compose file
• Known services are added to REQUESTED_SERVICES for targeted builds/ups
• Other arguments pass through via PASSTHRU_ARGS

This allows dc up db api to start only the db and api services.

---

134-152: Command dispatch logic maintains backward compatibility while supporting BuildKit.

Lines 134-152 correctly:

• Support both up:dev and up commands (line 147) for compatibility
• Conditionally use BuildKit when USE_BUILDKIT=1 (line 148)
• Build before starting services in up mode (lines 148-150)
• Pass through requested services to docker compose (line 151)

This allows gradual BuildKit adoption via environment variables.

---

114-114: The review comment incorrectly describes the current state of line 114.

The actual line 114 in packages/docker/script/dc.sh contains no 2> /dev/null redirection:

KNOWN_SERVICES=$(docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services | tr '\n' ' ')

The review claims this line "redirects docker compose stderr to /dev/null," but no such redirection exists in the current code. The provided diff attempts to remove a 2> /dev/null that is not present. While error handling for the docker compose config command could be improved as a general practice, the specific concern raised about existing stderr suppression is factually inaccurate.

Likely an incorrect or invalid review comment.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

❌ 3 Tests Failed:

Tests completed	Failed	Passed	Skipped
1632	3	1629	0

View the top 3 failed test(s) by shortest run time

Managed Wallet API Deployment Flow should maintain read-only operations during blockchain node outages

Stack Traces | 33s run time

Error: expect(received).toMatchObject(expected)

Matcher error: received value must be a non-null object

Received has value: undefined
    at Object.<anonymous> (.../test/functional/managed-api-deployment-flow.spec.ts:201:21)
    at processTicksAndRejections (node:internal/process/task_queues:103:5)

Managed Wallet API Deployment Flow should execute a full deployment cycle with provider JWT auth

Stack Traces | 33.5s run time

Error: expect(received).toMatchObject(expected)

Matcher error: received value must be a non-null object

Received has value: undefined
    at .../test/functional/managed-api-deployment-flow.spec.ts:82:21
    at processTicksAndRejections (node:internal/process/task_queues:103:5)

Managed Wallet API Deployment Flow should execute a full deployment cycle with provider mTLS auth

Stack Traces | 39.9s run time

Error: expect(received).toMatchObject(expected)

Matcher error: received value must be a non-null object

Received has value: undefined
    at .../test/functional/managed-api-deployment-flow.spec.ts:82:21
    at processTicksAndRejections (node:internal/process/task_queues:103:5)

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

packages/docker/script/dc.sh (3)

64-66: Directory context change is correct but path should be quoted.

The subshell pattern (cd $DC_FILES_DIR && ...) correctly isolates the directory context. However, $DC_FILES_DIR should be quoted to handle paths with spaces: (cd "$DC_FILES_DIR" && ...).

Apply this diff:

 bake_cached() {
-  (cd $DC_FILES_DIR && docker_buildx_bake)
+  (cd "$DC_FILES_DIR" && docker_buildx_bake)
 }

---

68-71: Centralized compose helper is good, but apply it consistently across all commands.

The docker_compose helper correctly manages file paths and passthrough args. However, the down command (line 131–132) bypasses this helper and directly calls docker compose, while build and up use it. This inconsistency creates maintenance risk if compose invocation logic needs to change.

Refactor the down command to use the docker_compose helper for consistency:

   down)
-    echo "Running: docker compose -p console down $*"
-    docker compose -p console down "$@" || { echo "Docker down failed"; exit 1; }
+    docker_compose -p console down || { echo "Docker down failed"; exit 1; }
     ;;

This ensures all commands follow the same invocation pattern.

---

3-24: Help text examples are clear but could clarify the up/up:dev equivalence.

The help examples correctly show USE_DOCKER_BUILDKIT=1 usage. However, lines 23 shows only up:dev in the BuildKit example. Since lines 134 treats up and up:dev as equivalent, clarify in the help that both work or simplify to just up.

Update line 23 to show both forms:

-  echo "  USE_DOCKER_BUILDKIT=1 $COMMAND_PREFIX up:dev <docker compose args> # Builds Docker images using buildkit and start them"
+  echo "  USE_DOCKER_BUILDKIT=1 $COMMAND_PREFIX up <docker compose args>      # Build images using buildkit and start services"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fef0945 and 8b4d626.

📒 Files selected for processing (2)

• .github/workflows/reusable-validate-app.yml (2 hunks)
• packages/docker/script/dc.sh (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: Validate local packages

🔇 Additional comments (6)

.github/workflows/reusable-validate-app.yml (3)

38-44: Verify test detection robustness.

The preflight check detects test:cov for test presence, but consider documenting whether apps must use exactly this script name or if there's flexibility for other test runners. If standardization is required across apps, ensure it's enforced elsewhere.

---

49-55: Environment variable naming and cache scope design look sound.

The USE_DOCKER_BUILDKIT=1 and DOCKER_BUILDKIT_CACHE_SCOPE pattern with per-app scoping (${{ github.workflow }}-${{ inputs.app }}) correctly isolates caches and avoids conflicts between parallel builds of different apps.

---

61-63: Teardown lifecycle design is correct.

Using always() ensures cleanup runs even if earlier steps fail, which is the right approach for environment teardown. However, verify that if "Prepare tests environment" fails, leaving a partially-initialized state, test:ci-teardown can safely handle and clean it up.

packages/docker/script/dc.sh (3)

26-37: Array helper function is well-implemented.

The remove_array_item_by_value function correctly uses bash namerefs to mutate the original array in place. Implementation is solid and safely removes the composed file when --no-db is specified.

---

39-46: BuildKit availability check is appropriate.

The ensure_builder function correctly verifies docker buildx availability and either creates or switches to ci-builder. The error exit on missing buildx is the right approach to fail fast with a clear message.

---

121-139: Command dispatch logic correctly gates BuildKit usage but verify service ordering.

The conditional BuildKit execution in build and up cases correctly checks USE_BUILDKIT before calling bake_cached. Ensure that docker compose correctly handles service names placed after options in line 138. The order docker compose -f ... up --renew-anon-volumes service1 service2 should be valid, but verify with docker compose --help if this deviates from your testing.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

packages/docker/script/dc.sh (1)

48-62: ** GHA cache configuration is environment-specific but lacks context detection.**

This replicates the prior concern: the hardcoded type=gha cache (lines 58–59) only works within GitHub Actions. The function will fail or produce errors when invoked locally or in non-GHA CI systems. The past review requested either context detection or clear fallback behavior.

To resolve, detect the GITHUB_ACTIONS environment variable and conditionally apply cache settings:

 docker_buildx_bake() {
   ensure_builder
   # Build only requested services if any; otherwise build all targets from compose
   local targets=()
   if [[ ${#REQUESTED_SERVICES[@]} -gt 0 ]]; then
     targets=("${REQUESTED_SERVICES[@]}")
   fi

   docker buildx bake \
     $(printf -- " --file %q" "${COMPOSE_FILES[@]}") \
+    $([ "$GITHUB_ACTIONS" = "true" ] && printf -- " --set *.cache-from=type=gha,scope=%s --set *.cache-to=type=gha,mode=max,scope=%s" "$BUILDKIT_CACHE_SCOPE" "$BUILDKIT_CACHE_SCOPE") \
     --load \
     "${targets[@]}"
 }

Alternatively, use a local buildkit cache backend when outside GHA and document the limitation.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8b4d626 and f73389a.

📒 Files selected for processing (2)

• .github/workflows/reusable-validate-app.yml (2 hunks)
• packages/docker/script/dc.sh (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/reusable-validate-app.yml

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: Validate local packages

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

packages/docker/script/dc.sh (2)

73-73: Unquoted variable path breaks on spaces or special characters — issue persists from past review.

This was flagged previously and marked as addressed, but the unquoted $DC_FILES_DIR in the subshell remains. If the path contains spaces or special characters, the command will fail.

 bake_cached() {
-  (cd $DC_FILES_DIR && docker_buildx_bake)
+  (cd "$DC_FILES_DIR" && docker_buildx_bake)
 }

---

109-109: KNOWN_SERVICES extraction silently fails on invalid compose files — issue persists from past review.

This issue was flagged in the previous review and remains unresolved. The stderr redirection to /dev/null masks failures from missing or malformed compose files. If docker compose config fails, KNOWN_SERVICES becomes empty, causing the service matching logic (lines 119–122) to silently skip all requested services, and downstream builds/ups proceed without the specified services.

Additionally, COMPOSE_FILES paths are never validated before use, making this scenario realistic.

The fix requires validating compose files before use and not discarding docker compose errors. Use set -o pipefail or capture the docker exit code explicitly:

+# Validate compose files exist
+for f in "${COMPOSE_FILES[@]}"; do
+  if [[ ! -f "$f" ]]; then
+    echo "Error: Compose file not found: $f" >&2
+    exit 1
+  fi
+done
+
+# Enable pipefail to catch docker compose failures
+set -o pipefail
+
-KNOWN_SERVICES=$(docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services 2> /dev/null | tr '\n' ' ')
+KNOWN_SERVICES=$(docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services | tr '\n' ' ') || { echo "Error: Failed to retrieve services from Docker Compose" >&2; exit 1; }

🧹 Nitpick comments (6)

.github/workflows/reusable-validate-app.yml (1)

44-50: Consider adding explicit error handling for test:ci-setup.

The "Prepare tests environment" step uses --if-present, so it gracefully skips if the script doesn't exist. However, when requires_env_setup is true, the expectation is that the script will exist. If it's missing, the step silently succeeds, which could mask configuration errors. Consider adding a validation check or at least a clear error message if the script is expected but missing.

packages/docker/script/dc.sh (5)

63-69: Debug output echo doesn't match executed command due to variable transformation.

Line 63 echoes the command with unmodified BUILDKIT_CACHE_SCOPE, but the actual execution (lines 66–67) replaces spaces with dashes (${BUILDKIT_CACHE_SCOPE// /-}). This makes the debug output misleading—developers see a different command than what actually ran, complicating troubleshooting.

Either update the echo to reflect the transformation or remove it if not needed for debugging.

-  echo "docker buildx bake $(printf -- " --file %q" "${COMPOSE_FILES[@]}") --set *.cache-from="type=gha,scope=${BUILDKIT_CACHE_SCOPE}" --set *.cache-to="type=gha,mode=max,scope=${BUILDKIT_CACHE_SCOPE}" --load ${targets[@]}"
+  echo "docker buildx bake $(printf -- " --file %q" "${COMPOSE_FILES[@]}") --set *.cache-from=\"type=gha,scope=${BUILDKIT_CACHE_SCOPE// /-}\" --set *.cache-to=\"type=gha,mode=max,scope=${BUILDKIT_CACHE_SCOPE// /-}\" --load ${targets[@]}"

---

90-94: COMMAND_PREFIX depends on undefined npm_command variable.

The npm_command variable is never defined in this script; it's implicitly expected to be set by npm when the script runs as an npm script. This is fragile—if npm_command is unset, COMMAND_PREFIX silently defaults to "./dc.sh", which may not be the intended behavior. Consider making this more explicit or adding a comment documenting this dependency.

+# npm_command is set by npm when this script is invoked as an npm script
 if [ "$npm_command" = "run-script" ]; then
   COMMAND_PREFIX="npm run dc --"
 else
   COMMAND_PREFIX="./dc.sh"
 fi

---

111-125: Argument parsing and shifting logic is correct but could be clearer.

The loop correctly processes --no-db, removes the DB service file, matches known services, and shifts them out of $@, leaving only docker compose flags for downstream use. However, the pattern of calling shift during loop iteration over $@ is not immediately obvious. Consider adding a brief comment to clarify the intent.

 for arg in "$@"; do
   case $arg in
     --no-db)
+      # Remove DB service and shift it out of $@
       remove_array_item_by_value COMPOSE_FILES "${DC_FILES_DIR}docker-compose.prod-with-db.yml"
       shift
       echo "Excluding DB services from Docker Compose."
       ;;
     *)
       if [[ " $KNOWN_SERVICES " == *" $arg "* ]]; then
+        # Known service: add to REQUESTED_SERVICES and shift out of $@
         REQUESTED_SERVICES+=("$arg")
         shift
       fi
       ;;
   esac
 done

---

136-139: Inconsistent command handling: down doesn't use docker_compose wrapper or COMPOSE_FILES.

The down command runs docker compose directly without using the docker_compose wrapper function and without referencing COMPOSE_FILES. This is inconsistent with the build and up commands, which both use the wrapper and compose files. For correctness and consistency, down should also use the wrapper and the same compose files so docker knows exactly what to remove.

   down)
-    echo "Running: docker compose -p console down $*"
-    docker compose -p console down $@ || { echo "Docker down failed"; exit 1; }
+    docker_compose down $@ || { echo "Docker down failed"; exit 1; }

Note: Update the docker_compose function to handle the -p console flag, or pass it explicitly here if the function doesn't add it automatically.

---

40-40: Consider improving error messaging in ensure_builder function.

When Docker Buildx is not available, the error message is printed but the exit is not explicit about the error context. The message goes to stdout instead of stderr. For better debugging, consider redirecting the error message to stderr.

 ensure_builder() {
-  docker buildx version >/dev/null 2>&1 || { echo "Docker Buildx not available"; exit 1; }
+  docker buildx version >/dev/null 2>&1 || { echo "Docker Buildx not available" >&2; exit 1; }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f73389a and 75fa85d.

📒 Files selected for processing (2)

• .github/workflows/reusable-validate-app.yml (2 hunks)
• packages/docker/script/dc.sh (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: Validate local packages

🔇 Additional comments (8)

.github/workflows/reusable-validate-app.yml (5)

26-31: Clarify intent of gating static analysis to pull_request events only.

The static code analysis step is now conditionally run only on pull_request events. This differs from the prior behavior where it may have run on all events. Confirm this is intentional—it could mean push-to-main no longer validates linting, which might allow issues to slip through.

---

33-39: Verify test detection logic accounts for all edge cases.

The workflow detects has_tests by checking for the presence of a test:cov script in package.json. However, line 54 runs npm run test:cov unconditionally without --if-present, so if the detection fails or package.json changes between detection and execution, the step will fail. Consider using --if-present as a defensive measure, or verify that the detection logic is bulletproof.

Additionally, confirm that requires_env_setup detection via the test:ci-setup script is consistent across all apps that require Docker setup.

---

41-50: Confirm BuildKit cache scope isolation strategy.

The cache scope is set to ${{ github.workflow }}-${{ inputs.app }}, which should provide adequate isolation for multi-app repos. However, verify that:

1. The cache scope is compatible with the dc.sh helper script's BuildKit configuration.
2. The cache doesn't create stale/orphaned entries across different branches or workflow runs.

Also note that BuildKit environment variable setup (lines 47–48) assumes downstream scripts (like dc.sh) will consume these variables. Verify the integration with the docker helper script that this workflow triggers.

---

56-58: LGTM: Teardown properly uses always() for guaranteed cleanup.

The use of always() ensures the teardown step runs even if prior steps fail, which is the correct pattern for resource cleanup. The additional gating on requires_env_setup prevents unnecessary cleanup steps when no setup was performed.

---

60-67: Verify codecov integration still works with dynamic test detection.

Both codecov steps now depend on steps.tests_details.outputs.has_tests instead of a run output. Confirm that:

1. Codecov gracefully handles the case where no test artifacts (junit.xml or coverage files) exist.
2. Apps without tests don't trigger false negatives in the CI/CD pipeline.

Also note that the "Upload test results" step uses !cancelled() while "Upload Test Coverage" only uses the has_tests condition. Confirm this asymmetry is intentional.

Also applies to: 69-76

packages/docker/script/dc.sh (3)

76-79: The docker_compose wrapper function is well-designed.

This function correctly echoes the command for debugging and passes through arguments flexibly. The -p console flag is handled by callers (lines 138, 144), which provides good separation of concerns.

---

26-37: Helper function remove_array_item_by_value is well-implemented.

The use of nameref (local -n) for array reference passing is the correct bash idiom for modifying arrays in-place. The filter logic is straightforward and effective.

---

3-24: Help text is clear and well-maintained.

The updated examples properly document the new USE_DOCKER_BUILDKIT usage and the up:dev command. Good alignment with the actual implementation.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (3)

packages/docker/script/dc.sh (3)

48-70: ⚠️ CRITICAL: Unquoted array expansion in loop will break on service names with spaces.

Line 56 uses for target in $REQUESTED_SERVICES; do which splits on whitespace. If a service name contains spaces, it will be incorrectly split into multiple targets.

This issue was flagged in past review but still appears in the current code. Fix by using proper array expansion:

-    for target in $REQUESTED_SERVICES; do
+    for target in "${REQUESTED_SERVICES[@]}"; do

Ensure REQUESTED_SERVICES is populated as a bash array (which it is on line 101 and line 120), so element preservation works correctly.

---

72-74: ⚠️ CRITICAL: Unquoted variable path will break on directories with spaces or special characters.

Line 73 uses cd $DC_FILES_DIR without quotes in a subshell. If DC_FILES_DIR contains spaces or special characters, the command will fail silently or misbehave. The function was recently introduced in commit adfa989 with this vulnerability already present.

Apply this fix:

-  (cd $DC_FILES_DIR && docker_buildx_bake)
+  (cd "$DC_FILES_DIR" && docker_buildx_bake)

---

99-109: MAJOR: Silent failure in KNOWN_SERVICES extraction masks configuration errors — CONFIRMED.

Verification confirms the issue persists in line 109. The stderr redirection (2> /dev/null) hides failures from docker compose config, and the absence of set -o pipefail means the pipeline exit status is lost—only tr's exit code is checked. If docker compose fails, KNOWN_SERVICES becomes an empty string, causing silent service matching failures at line 119 with no user-facing error.

All four referenced compose files exist at correct paths, but there is no validation before use. Configuration errors remain invisible to users.

Suggested fix:

• Validate each COMPOSE_FILES path exists before invoking docker compose
• Do not discard docker compose stderr; let errors surface
• Enable set -o pipefail or capture docker's exit code explicitly to fail fast

-KNOWN_SERVICES=$(docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services 2> /dev/null | tr '\n' ' ')
+for file in "${COMPOSE_FILES[@]}"; do
+  [[ -f "$file" ]] || { echo "Error: Compose file not found: $file"; exit 1; }
+done
+KNOWN_SERVICES=$(docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services | tr '\n' ' ') || { echo "Error: Failed to retrieve services from docker compose"; exit 1; }

Alternatively, add set -o pipefail at line 2 (after shebang) to auto-fail pipelines on docker compose errors.

🧹 Nitpick comments (1)

packages/docker/script/dc.sh (1)

111-125: Service targeting and --no-db handling looks sound, but service name matching is string-based.

The argument parsing correctly identifies --no-db, removes the DB compose file, and matches requested services against KNOWN_SERVICES. The user-facing feedback is helpful.

One minor consideration: Line 119 uses string matching (" $KNOWN_SERVICES " == *" $arg "*) which assumes service names don't contain spaces. If a service name could contain spaces, this approach would fail. However, service names in Docker Compose typically don't include spaces, so this is unlikely to be an issue in practice.

If robustness against edge-case service names is needed, consider parsing KNOWN_SERVICES into an array instead of a space-separated string to enable reliable matching of names with embedded spaces.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b2b4eb0 and adfa989.

📒 Files selected for processing (2)

• .github/workflows/reusable-validate-app.yml (2 hunks)
• packages/docker/script/dc.sh (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)

• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: Validate local packages

🔇 Additional comments (7)

.github/workflows/reusable-validate-app.yml (4)

33-39: Test detection via package.json scripts is clean, but verify edge cases.

The step correctly checks for test:cov and test:ci-setup scripts in the app's package.json. Ensure that:

1. Apps without either script still proceed (both variables default to 'false')
2. The node -p syntax is resilient to missing/malformed package.json files

Consider adding error handling to fail fast if package.json is invalid.

---

44-50: Environment variables passed to test:ci-setup—ensure downstream scripts consume them correctly.

The workflow sets USE_DOCKER_BUILDKIT=1 and DOCKER_BUILDKIT_CACHE_SCOPE and passes them to npm run test:ci-setup. Verify that:

1. The npm script (or any Docker commands it invokes) correctly reads these environment variables
2. DOCKER_BUILDKIT_CACHE_SCOPE follows Docker naming conventions (alphanumeric, hyphens only; spaces converted to hyphens per the dc.sh implementation)

Spot-check by tracing the flow: workflow → npm script → dc.sh (line 100).

---

52-54: Approve test and upload logic—conditions are correctly aligned.

The test execution and Codecov uploads are properly gated on steps.tests_details.outputs.has_tests. The teardown step correctly uses always() to ensure environment cleanup even if tests fail, while the upload steps use !cancelled() and conditional checks to avoid running on skip/cancellation.

Also applies to: 60-70

---

26-31: No issues found—ESLint --quiet flag syntax and support verified.

The --quiet flag is documented in ESLint CLI as a standard way to suppress warnings and report only errors, and the syntax on line 31 is correct. The -- separator properly isolates the eslint flag from npm arguments, which is the standard approach for passing flags to npm scripts.

packages/docker/script/dc.sh (3)

127-135: Build command routing is sound with proper error handling.

The build command correctly isolates to the build compose file, conditionally uses BuildKit when USE_BUILDKIT=1, and falls back to standard docker compose build. Service targeting via REQUESTED_SERVICES is preserved and passed through correctly. Error messages are clear.

---

136-139: Down command doesn't respect COMPOSE_FILES or --no-db option.

The down command hardcodes docker compose -p console down without using the COMPOSE_FILES array or the docker_compose wrapper. This means --no-db is processed during argument parsing (removing the DB compose file from COMPOSE_FILES) but then ignored by the down command.

Depending on intent, consider whether down should:

1. Respect the same COMPOSE_FILES as up (i.e., exclude DB when --no-db is used)
2. Or intentionally always bring down all services regardless of --no-db

If the former, apply this fix:

-    echo "Running: docker compose -p console down $*"
-    docker compose -p console down $@ || { echo "Docker down failed"; exit 1; }
+    docker_compose -p console down $@ || { echo "Docker down failed"; exit 1; }

Verify the intended behavior: should --no-db affect the down operation or only up/build?

---

140-145: Up command correctly routes through BuildKit when enabled and respects service targeting.

The up command properly handles the BuildKit flow (build then run), uses the docker_compose wrapper to respect COMPOSE_FILES and --no-db options, and preserves REQUESTED_SERVICES. The --renew-anon-volumes flag is a good dev-time default. Error handling is consistent with other commands.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

packages/docker/script/dc.sh (2)

76-77: Unquoted variable in subshell will break on paths with spaces.

Line 76 uses unquoted $DC_FILES_DIR in a subshell. If the path contains spaces or special characters, the cd command will fail.

 bake_cached() {
-  (cd $DC_FILES_DIR && docker_buildx_bake)
+  (cd "$DC_FILES_DIR" && docker_buildx_bake)
 }

---

112-112: KNOWN_SERVICES extraction needs error handling.

Line 112 extracts services without validating that docker compose config succeeded. If any compose file is missing or malformed, KNOWN_SERVICES becomes empty, causing service matching at line 122 to silently skip, and builds proceed without user-requested services.

Validate compose files exist before extraction and fail fast if docker compose config returns an error:

+# Validate compose files exist
+for file in "${COMPOSE_FILES[@]}"; do
+  if [[ ! -f "$file" ]]; then
+    echo "Error: Compose file not found: $file" >&2
+    exit 1
+  fi
+done
+
-KNOWN_SERVICES=$(docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services | tr '\n' ' ')
+KNOWN_SERVICES=$(docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services) || { echo "Error: Failed to retrieve services from Docker Compose"; exit 1; }
+KNOWN_SERVICES=$(echo "$KNOWN_SERVICES" | tr '\n' ' ')

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between adfa989 and 6f21d4b.

📒 Files selected for processing (2)

• .github/workflows/reusable-validate-app.yml (2 hunks)
• packages/docker/script/dc.sh (2 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.

🪛 GitHub Actions: GitHub Actions Linting

.github/workflows/reusable-validate-app.yml

[error] 49-49: YAML syntax error in reusable workflow: could not parse as YAML at line 49 ('BUILDX_BAKE_ENTITLEMENTS_FS=0'). Expected ':' after key.

🪛 YAMLlint (1.37.1)

.github/workflows/reusable-validate-app.yml

[error] 50-50: syntax error: could not find expected ':'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Validate local packages

🔇 Additional comments (2)

.github/workflows/reusable-validate-app.yml (1)

33-60: Workflow structure looks sound after syntax fix.

The refactored test detection, environment preparation, and conditional teardown logic is well-designed. Test detection derives has_tests and requires_env_setup from package.json, and the subsequent steps properly gate BuildKit setup, environment prep, test execution, and teardown based on these outputs. The transition from run_tests.has_tests to tests_details.has_tests is consistently applied.

packages/docker/script/dc.sh (1)

57-62: Array expansion for REQUESTED_SERVICES is correct.

The loop correctly uses "${REQUESTED_SERVICES[@]}" to preserve service names with spaces, fixing the past issue flagged at this location.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

packages/docker/script/dc.sh (2)

73-75: CRITICAL: Unquoted variable path breaks with spaces.

Line 74 uses an unquoted $DC_FILES_DIR variable in the subshell, which will fail if the directory path contains spaces or special characters. This issue was previously flagged but remains unresolved in the current code.

Apply this diff to quote the variable:

 bake_cached() {
-  (cd $DC_FILES_DIR && docker_buildx_bake)
+  (cd "$DC_FILES_DIR" && docker_buildx_bake)
 }

---

108-114: Validate COMPOSE_FILES paths before use to catch configuration errors early.

The script hardcodes COMPOSE_FILES paths but does not validate their existence before invoking docker compose config --services at line 114. If any file is missing or malformed, KNOWN_SERVICES will silently become empty, causing subsequent service matching to skip without warning. Later, service selection logic at line 124 will not add any requested services.

Add path validation before line 114:

 COMPOSE_FILES=(
   "${DC_FILES_DIR}docker-compose.build.yml"
   "${DC_FILES_DIR}docker-compose.prod.yml"
   "${DC_FILES_DIR}docker-compose.prod-with-db.yml"
   "${DC_FILES_DIR}docker-compose.dev.yml"
 )
+
+# Validate that all compose files exist
+for file in "${COMPOSE_FILES[@]}"; do
+  if [[ ! -f "$file" ]]; then
+    echo "Error: Required Docker Compose file not found: $file" >&2
+    exit 1
+  fi
+done
+
 KNOWN_SERVICES=$(docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services | tr '\n' ' ')

Additionally, capture docker's exit status to fail early if docker compose config fails:

+docker compose $(printf -- " -f %q" "${COMPOSE_FILES[@]}") config --services > /tmp/dc_services.txt || {
+  echo "Error: Failed to retrieve available services from Docker Compose" >&2
+  exit 1
+}
+KNOWN_SERVICES=$(cat /tmp/dc_services.txt | tr '\n' ' ')

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ae6608b and 1611f78.

📒 Files selected for processing (6)

• .github/workflows/reusable-validate-app.yml (2 hunks)
• apps/api/package.json (1 hunks)
• apps/notifications/package.json (1 hunks)
• packages/docker/Dockerfile.nextjs (1 hunks)
• packages/docker/Dockerfile.node (2 hunks)
• packages/docker/script/dc.sh (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/docker/Dockerfile.node

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: baktun14
Repo: akash-network/console PR: 1725
File: apps/api/src/utils/constants.ts:5-5
Timestamp: 2025-07-24T17:00:52.361Z
Learning: In the Akash Network Console project, when cross-cutting concerns or broader refactoring issues are identified during PR review, the preferred approach is to create a separate GitHub issue to track the work rather than expanding the scope of the current PR. This maintains focus and allows for proper planning of architectural improvements.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: validate (apps/stats-web) / validate-unsafe
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: validate / validate-app
• GitHub Check: test-build
• GitHub Check: test-build
• GitHub Check: Validate local packages

🔇 Additional comments (8)

packages/docker/Dockerfile.nextjs (1)

43-43: BuildKit cache mount syntax is correct.

The addition of --mount=type=cache for npm dependencies and removal of npm cache clean --force aligns with BuildKit caching best practices. The cache mount point (/root/.npm) is appropriate for npm operations.

packages/docker/script/dc.sh (1)

26-46: Helper functions follow good practices with proper quoting.

The new helper functions (remove_array_item_by_value, ensure_builder) demonstrate proper bash practices with quoted array handling and defensive existence checks. The ensure_builder function correctly uses conditional logic to create or select the ci-builder buildx instance.

apps/api/package.json (1)

27-27: Verify that dc up (without :dev) starts the same services as dc up:dev did.

Line 27 changes the test:ci-setup script from dc up:dev -d db mock-oauth2-server provider-proxy to dc up -d db mock-oauth2-server provider-proxy. While dc.sh maps both up:dev and up to the same handler (line 147), confirm that removing the :dev suffix does not alter which Docker Compose files are loaded or service startup behavior in CI.

Verify the following in your local environment or CI logs:

• Run dc up -d db and confirm all expected services start
• Run dc up:dev -d db and confirm the output is identical
• Check that the service filtering at line 124–126 of dc.sh correctly identifies and starts only the requested services

Alternatively, you can inspect the dc.sh implementation to confirm both commands follow the same code path.

apps/notifications/package.json (1)

29-29: Fix: Changes broken dc up:db command to standard dc up -d db.

The previous test:ci-setup script used dc up:db, which is not a recognized dc.sh command (line 154 of dc.sh would treat it as unknown). This change to dc up -d db fixes the command to use the supported up command with explicit service specification and detached mode, aligning with the pattern introduced in apps/api/package.json.

.github/workflows/reusable-validate-app.yml (4)

33-39: Introspection-based test gating is well-implemented.

The workflow correctly derives whether an app has tests and requires environment setup by inspecting the package.json scripts. The step outputs (has_tests and requires_env_setup) are properly set and used to gate subsequent Docker setup and test execution steps, reducing unnecessary CI overhead for apps without tests.

---

60-62: Gated test execution ensures tests only run when present.

The "Run tests" step properly gates on has_tests and uses the correct command. This avoids unnecessary CI failures in apps without test suites.

---

64-66: Proper teardown guarantees cleanup even when tests fail.

The "Teardown tests environment" step uses always() condition combined with the requires_env_setup gate, ensuring Docker services are cleaned up even if tests fail, while avoiding unnecessary cleanup if no environment was set up. This is a best practice for CI workflows.

---

50-58: Verification complete: env vars correctly align with dc.sh expectations.

All concerns have been verified:

1. ✓ Env vars passed correctly: The workflow "Prepare tests environment" step passes DOCKER_BUILDKIT_CACHE_SCOPE and DOCKER_BUILDKIT_CACHE_FALLBACK_SCOPE to npm run test:ci-setup.

2. ✓ dc.sh reads variables at lines 100–105:

   • Line 101: reads DOCKER_BUILDKIT_CACHE_SCOPE
   • Line 104: reads DOCKER_BUILDKIT_CACHE_FALLBACK_SCOPE

3. ✓ Cache scopes properly normalized: Lines 102 and 105 replace spaces with hyphens, confirmed working correctly with test values.

No issues found. The implementation correctly handles the BuildKit cache scope environment variables as intended.