ci: include base image digest in depends cache key #7274

Merged
PastaPastaPasta merged 1 commit into dashpay:develop from UdjinM6:fix/depends-cache-key-container-digest
Apr 8, 2026

@UdjinM6 UdjinM6 commented Apr 7, 2026

Issue being fixed or feature implemented

The depends cache key previously used only the Dockerfile content hash, which didn't capture upstream base image updates (e.g. ubuntu:noble security patches bumping compiler minor versions). When the container was rebuilt with new toolchain versions, the cache key still matched the old cache, but gen_id computed different build_ids, causing every package to be rebuilt from source in the Rebuild depends prefix step.

See any build-src job e.g. https://github.com/dashpay/dash/actions/runs/24005214781/job/70007740187

What was done?

Add the ubuntu:noble manifest digest (fetched once via Docker Hub registry API in the check-skip job) to the depends cache key. This ensures the cache is properly invalidated when the base image changes. The digest query includes proper token auth and falls back to "unknown" on failure so CI is not blocked by transient registry issues.

How Has This Been Tested?

Breaking Changes

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have made corresponding changes to the documentation
  • I have assigned this pull request to a milestone (for repository code-owners and collaborators only)

The depends cache key previously used only the Dockerfile content hash,
which didn't capture upstream base image updates (e.g. ubuntu:noble
security patches bumping compiler minor versions). When the container
was rebuilt with new toolchain versions, the cache key still matched
the old cache, but gen_id computed different build_ids, causing every
package to be rebuilt from source in the "Rebuild depends prefix" step.

Add the ubuntu:noble manifest digest (fetched once via Docker Hub
registry API in the check-skip job) to the depends cache key. This
ensures the cache is properly invalidated when the base image changes.
The digest query includes proper token auth and falls back to "unknown"
on failure so CI is not blocked by transient registry issues.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@UdjinM6 UdjinM6 added this to the 24 milestone Apr 7, 2026

github-actions Bot commented Apr 7, 2026

⚠️ Potential Merge Conflicts Detected

This PR has potential conflicts with the following open PRs:

Please coordinate with the authors of these PRs to avoid merge conflicts.

thepastaclaw commented Apr 7, 2026

✅ Review complete (commit e41e5ad)

coderabbitai Bot commented Apr 7, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ab023546-afc9-42d9-8cc0-77fce7b9a9a5

📥 Commits

Reviewing files that changed from the base of the PR and between 8e628c4 and e41e5ad.

📒 Files selected for processing (2)
  • .github/workflows/build-depends.yml
  • .github/workflows/build.yml

Walkthrough

The changes modify GitHub Actions workflows to incorporate Docker base image digest information into the dependency cache strategy. In build.yml, a new step fetches the Docker registry manifest list digest for ubuntu:noble and exports it as base-image-digest. This digest is then passed as a new required input base-image-digest to the build-depends.yml reusable workflow across six downstream dependency build jobs. In build-depends.yml, the cache key computation is restructured to use the base-image-digest as part of a new CACHE_KEY_PREFIX, which is exported alongside the updated CACHE_KEY. The cache restore pattern is updated to reference this prefix.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately summarizes the main change: adding base image digest to the depends cache key strategy.
Description check | ✅ Passed | The description clearly explains the problem (cache key not capturing base image updates), the solution (adding manifest digest), and implementation details.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@thepastaclaw thepastaclaw left a comment

Code Review

The base-image digest wiring is correct and the cache-key prefix change fixes the intended stale-cache problem, but the workflow currently keys on the top-level multi-arch ubuntu:noble manifest-list digest, which can trigger unnecessary depends cache rebuilds when only unrelated architectures change.

Reviewed commit: e41e5ad

🟡 1 suggestion(s)

🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

In `.github/workflows/build.yml`:
- [SUGGESTION] lines 76-78: Tag-level manifest-list digest invalidates caches for unrelated architecture changes
  Validated against the new digest lookup: the workflow requests the `application/vnd.docker.distribution.manifest.list.v2+json` representation for `library/ubuntu:noble` and uses the returned `docker-content-digest` header in every depends cache key. That digest is for the top-level multi-arch manifest list, so any update to any platform entry under `ubuntu:noble` changes the cache key, even if the concrete image used by a given runner architecture is unchanged. This can force avoidable depends rebuilds across amd64/arm64 jobs.

Comment thread .github/workflows/build.yml
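
The trade-off raised in the review above, shown as an added example (not code from this PR or the dashpay workflows): keying on the per-platform manifest digest instead of the tag-level manifest-list digest. The manifest lists are constructed sample data with placeholder digests, and the function names and key layout are assumptions.

```python
import hashlib
import json
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def make_manifest_list(digests):
    """Constructed sample manifest list; the digests passed in are placeholders."""
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
        "manifests": [{"digest": d, "platform": {"architecture": a, "os": "linux"}}
                      for a, d in digests.items()],
    })

def list_digest(body):
    """Content digest of the whole manifest list: SHA-256 over the raw body."""
    return "sha256:" + hashlib.sha256(body.encode()).hexdigest()

def platform_digest(body, arch, os_name="linux"):
    """Digest of the manifest for one platform, or "unknown" when the response
    is not usable (bad JSON, platform absent, malformed digest)."""
    try:
        for entry in json.loads(body)["manifests"]:
            plat = entry.get("platform") or {}
            if plat.get("architecture") == arch and plat.get("os") == os_name:
                digest = entry["digest"]
                # Registry output is untrusted and ends up in a cache key: validate it.
                return digest if DIGEST_RE.fullmatch(digest) else "unknown"
    except (ValueError, KeyError, TypeError, AttributeError):
        pass
    return "unknown"

def cache_key_prefix(dockerfile, digest, host):
    """Hypothetical key layout: host triplet, Dockerfile hash, base image digest."""
    docker_hash = hashlib.sha256(dockerfile).hexdigest()[:16]
    base = digest.split(":")[-1][:16]
    return f"depends-{host}-{docker_hash}-{base}"

if __name__ == "__main__":
    old = make_manifest_list({"amd64": "sha256:" + "a" * 64, "arm64": "sha256:" + "b" * 64})
    new = make_manifest_list({"amd64": "sha256:" + "a" * 64, "arm64": "sha256:" + "c" * 64})
    for arch in ("amd64", "arm64"):
        print(arch, "key changes:", platform_digest(old, arch) != platform_digest(new, arch))
    print("tag-level digest changes:", list_digest(old) != list_digest(new))
    print(cache_key_prefix(b"FROM ubuntu:noble\n", platform_digest("<html>", "amd64"),
                           "x86_64-pc-linux-gnu"))
```
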
Member

@PastaPastaPasta PastaPastaPasta left a comment

utACK e41e5ad

@PastaPastaPasta PastaPastaPasta merged commit 9184a0b into dashpay:develop Apr 8, 2026
44 of 48 checks passed