perf(ci): use stage aliasing to skip Rust recompilation in build-agents

.github/workflows/build-images.yml

@@ -121,7 +121,7 @@ jobs:
         with:
           context: .
           file: Dockerfile.unified
-          target: builder
+          target: local_builder
           platforms: ${{ matrix.platform.os }}
           push: true
           tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/builder:${{ needs.matrix.outputs.tag }}-${{ matrix.platform.arch }}
@@ -168,9 +168,6 @@ jobs:
           build-args: |
             BUILDER_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/builder:${{ needs.matrix.outputs.tag }}-${{ matrix.platform.arch }}
           outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
-          cache-from: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/builder:${{ needs.matrix.outputs.tag }}-${{ matrix.platform.arch }}
-            type=gha,scope=builder-${{ matrix.platform.arch }}
 
       - name: Export digest
         run: |

.github/workflows/build-operator.yml

@@ -107,7 +107,7 @@ jobs:
         with:
           context: .
           file: Dockerfile.unified
-          target: builder
+          target: local_builder
           platforms: ${{ matrix.platform.os }}
           # Always push builder — it's an internal image needed by build-agents.
           # dry_run only gates the final agent image push + manifest creation.
@@ -154,10 +154,7 @@ jobs:
             BUILDER_IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/builder:${{ needs.resolve-tag.outputs.chart_version }}-${{ matrix.platform.arch }}
           outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ inputs.dry_run != true }}
           no-cache: ${{ inputs.no_cache == true }}
-          cache-from: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/builder:${{ needs.resolve-tag.outputs.chart_version }}-${{ matrix.platform.arch }}
-            ${{ inputs.no_cache != true && format('type=gha,scope=unified-builder-{0}', matrix.platform.arch) || '' }}
-            ${{ inputs.no_cache != true && format('type=gha,scope=unified-agent-{0}-{1}', matrix.agent, matrix.platform.arch) || '' }}
+          cache-from: ${{ inputs.no_cache != true && format('type=gha,scope=unified-agent-{0}-{1}', matrix.agent, matrix.platform.arch) || '' }}
           cache-to: ${{ inputs.no_cache != true && format('type=gha,scope=unified-agent-{0}-{1},mode=max', matrix.agent, matrix.platform.arch) || '' }}
 
       - name: Export digest

.github/workflows/docker-smoke-test-unified.yml

@@ -30,7 +30,7 @@ jobs:
         with:
           context: .
           file: Dockerfile.unified
-          target: builder
+          target: local_builder
           load: true
           tags: openab-builder:local
           cache-to: type=gha,scope=unified-smoke-builder,mode=max

Dockerfile.unified

@@ -1,14 +1,23 @@
 # Dockerfile.unified — Single multi-target Dockerfile for all OpenAB agent variants.
 # Usage: docker build --target <agent> -t ghcr.io/openabdev/openab:<tag>-<agent> .
 #
-# The shared builder compiles the openab binary once (unified mode, superset).
-# Each agent target is a thin runtime layer that installs only the agent CLI.
+# Architecture:
+#   local_builder — compiles the openab binary (only runs locally or in build-core CI job)
+#   builder       — alias that resolves to local_builder (default) or a prebuilt registry
+#                   image (when BUILDER_IMAGE is overridden in CI). BuildKit prunes
+#                   local_builder when it's not needed.
+#   <agent>       — thin runtime layer that installs only the agent CLI + copies binary
+#                   from builder stage.
+
+# Global ARG — must be declared before first FROM for use in FROM instructions
+ARG BUILDER_IMAGE=local_builder
 
 # =============================================================================
-# Stage: builder — compile openab binary (unified mode)
+# Stage: local_builder — compile openab binary (unified mode)
+# Only executed during build-core or local dev. When BUILDER_IMAGE is overridden
+# (CI build-agents), BuildKit prunes this stage entirely via dependency analysis.
 # =============================================================================
-ARG BUILDER_IMAGE=rust:1-bookworm
-FROM ${BUILDER_IMAGE} AS builder
+FROM rust:1-bookworm AS local_builder
 WORKDIR /build
 COPY Cargo.toml Cargo.lock ./
 COPY crates/openab-core/Cargo.toml crates/openab-core/Cargo.toml
@@ -30,6 +39,14 @@
 COPY agy-acp/ agy-acp/
 RUN cd agy-acp && printf '\n[workspace]\n' >> Cargo.toml && cargo build --release
 
+# =============================================================================
+# Stage: builder — resolves to either local_builder or prebuilt registry image
+# =============================================================================
+FROM ${BUILDER_IMAGE} AS builder
+RUN test -x /build/target/release/openab \
+    && test -x /build/openab-agent/target/release/openab-agent \
+    && test -x /build/agy-acp/target/release/agy-acp
+
 # =============================================================================
 # Stage: base-debian — shared runtime base for debian-based agents
 # =============================================================================
@@ -81,7 +98,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="kiro-cli acp --trust-all-tools"
 ENV OPENAB_AGENT_AUTH_COMMAND="kiro-cli login --use-device-flow"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -101,7 +118,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="claude"
 ENV OPENAB_AGENT_AUTH_COMMAND="claude auth login"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -120,7 +137,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="codex-acp"
 ENV OPENAB_AGENT_AUTH_COMMAND="codex login --device-auth"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -138,7 +155,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="copilot --acp --stdio"
 ENV OPENAB_AGENT_AUTH_COMMAND="copilot login"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -163,7 +180,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="cursor-agent acp"
 ENV OPENAB_AGENT_AUTH_COMMAND="cursor-agent login"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -181,7 +198,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="gemini --acp"
 ENV OPENAB_AGENT_AUTH_COMMAND="gemini auth"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -212,7 +229,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="grok agent stdio"
 ENV OPENAB_AGENT_AUTH_COMMAND="grok login --device-auth"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -247,7 +264,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="hermes-acp"
 ENV OPENAB_AGENT_AUTH_COMMAND="hermes auth add"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -265,7 +282,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="mimo acp"
 ENV OPENAB_AGENT_AUTH_COMMAND="mimo auth login --provider mimo --method \"MiMo Auto (free)\""
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -283,7 +300,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="opencode acp"
 ENV OPENAB_AGENT_AUTH_COMMAND="opencode auth login"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -311,7 +328,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="agy-acp"
 ENV OPENAB_AGENT_AUTH_COMMAND="agy auth"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -330,7 +347,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="openab-agent"
 ENV OPENAB_AGENT_AUTH_COMMAND="pi /login"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]
 
@@ -347,7 +364,7 @@
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
   CMD pgrep -x openab || exit 1
 ENV OPENAB_AGENT_COMMAND="openab-agent"
 ENV OPENAB_AGENT_AUTH_COMMAND="openab-agent auth codex-oauth --no-browser"
 ENTRYPOINT ["tini", "--"]
 CMD ["openab", "run", "-c", "/etc/openab/config.toml"]