Added foundation of a new Docker CI workflow (#24745)

This commit adds a new `.github/workflows/ci-docker.yml` workflow,
including an initial job to build the Ghost development docker image and
push it to Github's container registry with appropriate tags. It also
includes a reusable action to pull the image in downstream jobs for
running tests.

It also includes a few changes to the Dockerfile to speed up the builds:
- Removes playwright and dependencies. This means the `e2e-browser` test
suite will no longer be able to be run in Docker (without extra steps).
The trade-off is that it removes ~2.5 GB from the final image size,
which reduces the time to push/pull the image, and currently very few if
any people are using the Docker image for this purpose.
- Adds a cache mount to the yarn install step, which also reduces the
final image size significantly, even in the case of a cache miss at this
step.

Author: cmraible

.docker/Dockerfile

@@ -12,40 +12,19 @@ RUN apt-get update && \
     libjemalloc2 \
     python3 \
     tar  \
-    git && \
-    rm -rf /var/lib/apt/lists/* && \
-    apt clean
-
-# --------------------
-# Playwright Version
-# --------------------
-# Cache Optimization: Extract the playwright version from package.json
-FROM base AS playwright-version
-WORKDIR /tmp
-COPY ghost/core/package.json ./
-RUN jq -r '.devDependencies."@playwright/test"' ./package.json > playwright-version.txt
-
-# --------------------
-# Playwright
-# --------------------
-# Cache Optimization: Playwright install is slow. Copy the version from the previous stage.
-# This way we only bust build cache when the playwright version changes.
-FROM base AS playwright
-RUN curl -s https://packages.stripe.dev/api/security/keypair/stripe-cli-gpg/public | gpg --dearmor | tee /usr/share/keyrings/stripe.gpg && \
+    git &&  \
+    curl -s https://packages.stripe.dev/api/security/keypair/stripe-cli-gpg/public | gpg --dearmor | tee /usr/share/keyrings/stripe.gpg && \
     echo "deb [signed-by=/usr/share/keyrings/stripe.gpg] https://packages.stripe.dev/stripe-cli-debian-local stable main" | tee -a /etc/apt/sources.list.d/stripe.list && \
-    apt update && \
-    apt install -y \
+    apt-get update && \
+    apt-get install -y \
     stripe && \
     rm -rf /var/lib/apt/lists/* && \
     apt clean
-WORKDIR /home/ghost
-COPY --from=playwright-version tmp/playwright-version.txt /tmp/playwright-version.txt
-RUN npx playwright@$(cat /tmp/playwright-version.txt) install --with-deps
 
 # --------------------
 # Development Base
 # --------------------
-FROM playwright AS development-base
+FROM base AS development-base
 WORKDIR /home/ghost
 
 COPY package.json yarn.lock ./
@@ -78,7 +57,8 @@ COPY ghost/i18n/package.json ghost/i18n/package.json
 # Copy patches directory so patch-package can apply patches during yarn install
 COPY patches patches
 
-RUN yarn install --frozen-lockfile --prefer-offline
+RUN --mount=type=cache,target=/usr/local/share/.cache/yarn,id=yarn-cache \
+    yarn install --frozen-lockfile --prefer-offline
 
 # --------------------
 # Shade Builder
@@ -152,6 +132,7 @@ RUN cd apps/admin-x-settings && yarn build
 FROM development-base AS admin-x-activitypub-builder
 WORKDIR /home/ghost
 COPY apps/admin-x-activitypub apps/admin-x-activitypub
+COPY ghost/core/core/frontend/src/cards ghost/core/core/frontend/src/cards
 COPY --from=shade-builder /home/ghost/apps/shade apps/shade
 COPY --from=admin-x-design-system-builder /home/ghost/apps/admin-x-design-system/es apps/admin-x-design-system/es
 COPY --from=admin-x-design-system-builder /home/ghost/apps/admin-x-design-system/types apps/admin-x-design-system/types
@@ -165,12 +146,14 @@ RUN cd apps/admin-x-activitypub && yarn build
 FROM development-base AS admin-ember-builder
 WORKDIR /home/ghost
 COPY ghost/admin ghost/admin
-COPY ghost/core ghost/core
+# Admin's asset-delivery pipeline needs the ghost module to resolve
+COPY ghost/core/package.json ghost/core/package.json
+COPY ghost/core/index.js ghost/core/index.js
 COPY --from=stats-builder /home/ghost/apps/stats/dist apps/stats/dist
 COPY --from=posts-builder /home/ghost/apps/posts/dist apps/posts/dist
 COPY --from=admin-x-settings-builder /home/ghost/apps/admin-x-settings/dist apps/admin-x-settings/dist
 COPY --from=admin-x-activitypub-builder /home/ghost/apps/admin-x-activitypub/dist apps/admin-x-activitypub/dist
-RUN cd ghost/admin && yarn build
+RUN mkdir -p ghost/core/core/built/admin && cd ghost/admin && yarn build
 
 # --------------------
 # Development

.github/actions/load-docker-image/action.yml

@@ -0,0 +1,66 @@
+name: 'Load Docker Image'
+description: 'Load Docker image from registry or artifact based on build source'
+inputs:
+  is-fork:
+    description: 'Whether this is a fork PR build'
+    required: true
+  image-tags:
+    description: 'Docker image tags (multi-line string)'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Download image artifact (fork PR)
+      if: inputs.is-fork == 'true'
+      uses: actions/download-artifact@v4
+      with:
+        name: docker-image
+
+    - name: Load image from artifact (fork PR)
+      if: inputs.is-fork == 'true'
+      shell: bash
+      run: |
+        echo "Loading Docker image from artifact..."
+        gunzip -c docker-image.tar.gz | docker load
+        echo "Available images after load:"
+        docker images
+
+    - name: Log in to GitHub Container Registry
+      if: inputs.is-fork == 'false'
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
+
+    - name: Pull image from registry (main repo/branch)
+      if: inputs.is-fork == 'false'
+      shell: bash
+      run: |
+        IMAGE_TAG=$(echo "${{ inputs.image-tags }}" | head -n1)
+        echo "Pulling image from registry: $IMAGE_TAG"
+        docker pull "$IMAGE_TAG"
+
+    - name: Verify image is available
+      id: verify
+      shell: bash
+      run: |
+        IMAGE_TAG=$(echo "${{ inputs.image-tags }}" | head -n1)
+        echo "Checking for image: $IMAGE_TAG"
+        echo "image-tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+        if docker inspect "$IMAGE_TAG" > /dev/null 2>&1; then
+          echo "✅ Image $IMAGE_TAG is available"
+        else
+          echo "❌ Image $IMAGE_TAG is not available"
+          echo "Available images:"
+          docker images
+          exit 1
+        fi
+
+
+outputs:
+  image-tag:
+    description: 'The Docker image tag to use'
+    value: ${{ steps.verify.outputs.image-tag }}

.github/workflows/ci-docker.yml

@@ -0,0 +1,186 @@
+name: CI (Docker)
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize, reopened, labeled, unlabeled]
+  push:
+    # Ref: GHA Filter pattern syntax: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#filter-pattern-cheat-sheet
+    # Run on pushes to main, release branches, and previous/future major version branches
+    branches:
+      - main
+      - 'v[0-9]+.*' # Matches any release branch, e.g. v6.0.3, v12.1.0
+      - '[0-9]+.x' # Matches any major version branch, e.g. 5.x, 23.x
+
+jobs:
+  build:
+    name: Build & Push
+    runs-on: ubuntu-latest-16-cores
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+        # We can't access secrets from forks, so we can't push to the registry
+        # Instead, we upload the image as an artifact, and download it in downstream jobs
+      - name: Determine build strategy
+        id: strategy
+        run: |
+          IS_FORK_PR="false"
+          if [ "${{ github.event_name }}" = "pull_request" ] && [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
+            IS_FORK_PR="true"
+          fi
+          IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/ghost-development"
+          if [ "$IS_FORK_PR" = "true" ]; then
+            IMAGE_NAME="ghcr.io/${{ github.event.pull_request.head.repo.owner.login }}/ghost-development"
+          fi
+          CACHE_KEY=$(echo $IMAGE_NAME | tr '[:upper:]' '[:lower:]')
+          echo "is-fork-pr=$IS_FORK_PR" >> $GITHUB_OUTPUT
+          echo "should-push=$( [ "$IS_FORK_PR" = "false" ] && echo "true" || echo "false" )" >> $GITHUB_OUTPUT
+          echo "should-load=$( [ "$IS_FORK_PR" = "true" ] && echo "true" || echo "false" )" >> $GITHUB_OUTPUT
+          echo "image-name=$IMAGE_NAME" >> $GITHUB_OUTPUT
+          echo "cache-key=$CACHE_KEY" >> $GITHUB_OUTPUT
+          echo "Build Strategy: "
+          echo "  Is fork PR: $IS_FORK_PR"
+          echo "  Should push: $( [ "$IS_FORK_PR" = "false" ] && echo "true" || echo "false" )"
+          echo "  Should load: $( [ "$IS_FORK_PR" = "true" ] && echo "true" || echo "false" )"
+          echo "  Image name: $IMAGE_NAME"
+          echo "  Cache key: $CACHE_KEY"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ steps.strategy.outputs.image-name }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
+            type=raw,value=latest,enable={{is_default_branch}}
+          labels: |
+            org.opencontainers.image.title=Ghost Development
+            org.opencontainers.image.description=Ghost development build
+            org.opencontainers.image.vendor=TryGhost
+            maintainer=TryGhost
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          context: .
+          file: .docker/Dockerfile
+          push: ${{ steps.strategy.outputs.should-push }}
+          load: ${{ steps.strategy.outputs.should-load }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          # On PRs: use both main cache and PR-specific cache
+          # On main: only use main cache
+          cache-from: |
+            type=registry,ref=${{ steps.strategy.outputs.cache-key }}:cache-main
+            ${{ github.event_name == 'pull_request' && format('type=registry,ref={0}:cache-pr-{1}', steps.strategy.outputs.cache-key, github.event.pull_request.number) || '' }}
+          # Only export cache if we can push (not on fork PRs)
+          cache-to: ${{ steps.strategy.outputs.should-push == 'true' && format('type=registry,ref={0}:cache-{1},mode=max', steps.strategy.outputs.cache-key, github.event_name == 'pull_request' && format('pr-{0}', github.event.pull_request.number) || 'main') || '' }}
+
+      - name: Save image as artifact (fork PR)
+        if: steps.strategy.outputs.is-fork-pr == 'true'
+        run: |
+          # Get the first tag from the multi-line tags output
+          IMAGE_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
+          echo "Saving image: $IMAGE_TAG"
+          docker save "$IMAGE_TAG" | gzip > docker-image.tar.gz
+          echo "Image saved as docker-image.tar.gz"
+          ls -lh docker-image.tar.gz
+
+      - name: Upload image artifact (fork PR)
+        if: steps.strategy.outputs.is-fork-pr == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-image
+          path: docker-image.tar.gz
+          retention-days: 1
+
+    outputs:
+      image-tags: ${{ steps.meta.outputs.tags }}
+      image-digest: ${{ steps.build.outputs.digest }}
+      is-fork: ${{ steps.strategy.outputs.is-fork-pr }}
+
+  inspect_image:
+    name: Inspect Docker Image
+    needs: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            .github/actions/load-docker-image
+
+      - name: Load Docker Image
+        id: load
+        uses: ./.github/actions/load-docker-image
+        with:
+          is-fork: ${{ needs.build.outputs.is-fork }}
+          image-tags: ${{ needs.build.outputs.image-tags }}
+
+      - name: Inspect image size and layers
+        shell: bash
+        run: |
+          IMAGE_TAG="${{ steps.load.outputs.image-tag }}"
+          echo "Analyzing Docker image: $IMAGE_TAG"
+
+          # Get the image size in bytes
+          IMAGE_SIZE_BYTES=$(docker inspect "$IMAGE_TAG" --format='{{.Size}}')
+
+          # Convert to human readable format
+          IMAGE_SIZE_MB=$(( IMAGE_SIZE_BYTES / 1024 / 1024 ))
+          IMAGE_SIZE_GB=$(echo "scale=2; $IMAGE_SIZE_BYTES / 1024 / 1024 / 1024" | bc)
+
+          # Format size display based on magnitude
+          if [ $IMAGE_SIZE_MB -ge 1024 ]; then
+            IMAGE_SIZE_DISPLAY="${IMAGE_SIZE_GB} GB"
+          else
+            IMAGE_SIZE_DISPLAY="${IMAGE_SIZE_MB} MB"
+          fi
+
+          echo "Image size: ${IMAGE_SIZE_DISPLAY}"
+
+          # Write to GitHub Step Summary
+          {
+            echo "# Docker Image Analysis"
+            echo ""
+            echo "**Image:** \`$IMAGE_TAG\`"
+            echo ""
+            echo "**Total Size:** ${IMAGE_SIZE_DISPLAY}"
+            echo ""
+            echo "## Image Layers"
+            echo ""
+            echo "| Size | Layer |"
+            echo "|------|-------|"
+
+            # Get all layers (including 0B ones)
+            docker history "$IMAGE_TAG" --format "{{.Size}}@@@{{.CreatedBy}}" --no-trunc | \
+            while IFS='@@@' read -r size cmd; do
+              # Clean up the command for display
+              cmd_clean=$(echo "$cmd" | sed 's/^\/bin\/sh -c //' | sed 's/^#(nop) //' | sed 's/^@@//' | sed 's/|/\\|/g' | cut -c1-80)
+              if [ ${#cmd} -gt 80 ]; then
+                cmd_clean="${cmd_clean}..."
+              fi
+              echo "| $size | \`${cmd_clean}\` |"
+            done
+
+          } >> $GITHUB_STEP_SUMMARY