From 009816f4ce3255d2ab681a941666adc422bf766b Mon Sep 17 00:00:00 2001
From: Zanie Blue <contact@zanie.dev>
Date: Thu, 15 Jan 2026 12:48:47 -0600
Subject: [PATCH] Update Docker build workflow to use CI plan step (#17490)

Matching the rest of our CI to consolidating planning

Co-authored-by: Claude <noreply@anthropic.com>
---
 .github/workflows/build-docker.yml | 23 ++++++-----------------
 .github/workflows/ci.yml           | 17 +++++++++++++++++
 2 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 41f9b275d..2a5ff3706 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -4,7 +4,9 @@
 # is just the binary in a scratch image, and a set of extra, common images with
 # the uv binary installed.
 #
-# Images are built on all runs.
+# On pull requests, triggered via CI workflow when Docker-related files change
+# (e.g., Dockerfile, Cargo.toml, rust-toolchain.toml). Images are built but not
+# pushed, to verify the build still works.
 #
 # On release, assumed to run as a subworkflow of .github/workflows/release.yml;
 # specifically, as a local artifacts job within `cargo-dist`. In this case,
@@ -19,22 +21,9 @@ on:
   workflow_call:
     inputs:
       plan:
-        required: true
+        required: false
         type: string
-  pull_request:
-    paths:
-      # We want to ensure that the maturin builds still work when we change
-      # Project metadata
-      - pyproject.toml
-      - Cargo.toml
-      - .cargo/config.toml
-      # Toolchain or dependency versions
-      - Cargo.lock
-      - rust-toolchain.toml
-      # The Dockerfile itself
-      - Dockerfile
-      # And the workflow itself
-      - .github/workflows/build-docker.yml
+        default: ""
 
 env:
   UV_GHCR_IMAGE: ghcr.io/${{ github.repository_owner }}/uv
@@ -73,7 +62,6 @@ jobs:
           fi
 
   docker-publish-base:
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'build:docker') || (!contains(github.event.pull_request.labels.*.name, 'build:skip') && !contains(github.event.pull_request.labels.*.name, 'build:skip-docker')) }}
     name: ${{ needs.docker-plan.outputs.action }} uv
     needs:
       - docker-plan
@@ -105,6 +93,7 @@ jobs:
           password: ${{ needs.docker-plan.outputs.push == 'true' && secrets.DOCKERHUB_TOKEN_RW || secrets.DOCKERHUB_TOKEN_RO }}
 
       - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        if: ${{ needs.docker-plan.outputs.push == 'true' }}
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ae8a540cd..7e58ce2f8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,6 +28,7 @@ jobs:
       test-ecosystem: ${{ steps.plan.outputs.test_ecosystem }}
       test-integration: ${{ steps.plan.outputs.test_integration }}
       test-system: ${{ steps.plan.outputs.test_system }}
+      build-docker: ${{ steps.plan.outputs.build_docker }}
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
@@ -71,6 +72,8 @@ jobs:
             [[ "$file" =~ ^crates/uv-publish/ || "$file" =~ ^scripts/publish/ ]] && publish_code_changed=1
             [[ "$file" =~ ^crates/uv-trampoline/ || "$file" =~ ^crates/uv-trampoline-builder/ ]] && trampoline_changed=1
             [[ "$file" =~ ^crates/uv-build/ ]] && uv_build_changed=1
+            [[ "$file" == "Dockerfile" ]] && dockerfile_changed=1
+            [[ "$file" == ".github/workflows/build-docker.yml" ]] && docker_workflow_changed=1
             [[ "$file" =~ ^docs/ || "$file" =~ ^mkdocs.*\.yml$ || "$file" =~ \.md$ || "$file" =~ ^bin/ || "$file" =~ ^assets/ ]] && continue
             any_code_changed=1
           done <<< "$(git diff --name-only "${BASE_SHA:-origin/main}...HEAD")"
@@ -80,6 +83,7 @@ jobs:
           [[ $python_config_changed || $rust_deps_changed || $rust_config_changed || $uv_build_changed || $release_workflow_changed ]] && release_build_changed=1
           [[ $publish_code_changed || $ci_workflow_changed ]] && publish_changed=1
           [[ $rust_deps_changed || $rust_config_changed || $workflow_changed ]] && cache_relevant_changed=1
+          [[ $python_config_changed || $rust_deps_changed || $rust_config_changed || $dockerfile_changed || $docker_workflow_changed ]] && docker_build_changed=1
 
           # Decisions
           [[ ! $has_skip_label && ($any_code_changed || $on_main_branch) ]] && test_code=1
@@ -94,6 +98,7 @@ jobs:
           [[ ! $has_skip_label ]] && test_ecosystem=1
           [[ $has_integration_label || $has_extended_label || $on_main_branch ]] && test_integration=1
           [[ $has_system_label || $has_extended_label || $on_main_branch ]] && test_system=1
+          [[ ! $has_skip_label && $docker_build_changed ]] && build_docker=1
 
           # Output (convert 1/empty to true/false for GHA)
           out() { [[ "$2" ]] && echo "$1=true" || echo "$1=false"; }
@@ -110,6 +115,7 @@ jobs:
             out test_ecosystem          "$test_ecosystem"
             out test_integration        "$test_integration"
             out test_system             "$test_system"
+            out build_docker            "$build_docker"
           } >> "$GITHUB_OUTPUT"
 
   check-fmt:
@@ -218,6 +224,17 @@ jobs:
     uses: ./.github/workflows/build-release-binaries.yml
     secrets: inherit
 
+  build-docker:
+    needs: plan
+    if: ${{ needs.plan.outputs.build-docker == 'true' }}
+    uses: ./.github/workflows/build-docker.yml
+    secrets: inherit
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+      attestations: write
+
   bench:
     needs: plan
     if: ${{ needs.plan.outputs.run-bench == 'true' }}