fix: add --no-cache to docker build commands in CI workflows

[Mossaka]

Summary

• Add --no-cache flag to all docker build commands in CI workflow files to prevent stale apt package index errors (e.g., libexpat1 404 Not Found)
• When Ubuntu publishes new package versions and removes old .deb files from mirrors, Docker's build cache can reuse a stale apt-get update layer that references the now-removed packages, causing apt-get install to fail with 404 errors
• The --no-cache flag forces Docker to rebuild every layer from scratch, ensuring apt-get update always fetches the latest package indexes

Affected workflows

• test-chroot.yml (4 jobs, 8 docker build commands)
• container-scan.yml (2 jobs, 2 docker build commands)
• smoke-chroot.md + smoke-chroot.lock.yml (1 job, 2 docker build commands each)

Why not modify Dockerfiles?

The Dockerfiles already follow best practice of combining apt-get update && apt-get install in a single RUN command. The issue is Docker's build layer caching, not the Dockerfile structure. Adding --no-cache at the build command level in CI is the most targeted fix that avoids impacting local development or GHCR release builds.

Test plan

• Verify test-chroot.yml passes on CI (the workflow that was failing)
• Verify container-scan.yml passes on CI
• Verify smoke-chroot workflow passes on CI

🤖 Generated with Claude Code

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.18%	82.18%	➡️ +0.00%
Statements	82.24%	82.24%	➡️ +0.00%
Functions	81.95%	81.95%	➡️ +0.00%
Branches	74.54%	74.54%	➡️ +0.00%

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR updates CI workflows to build container images without using Docker’s layer cache, reducing failures caused by stale apt-get update layers referencing removed Ubuntu packages.

Changes:

• Add --no-cache to all docker build commands in the chroot integration test workflow.
• Add --no-cache to container image builds in the container security scan workflow.
• Add --no-cache to container builds in the smoke chroot workflow definitions.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
.github/workflows/test-chroot.yml	Forces fresh container rebuilds across all chroot test jobs to avoid stale apt index layers.
.github/workflows/container-scan.yml	Ensures scanned images are built from scratch to prevent cached-layer related build failures.
.github/workflows/smoke-chroot.md	Updates smoke chroot container builds to avoid Docker cache reuse.
.github/workflows/smoke-chroot.lock.yml	Keeps the locked smoke chroot workflow in sync by applying the same no-cache builds.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• fix: update testPathPattern to testPathPatterns for Jest 30
• fix: use lowercase discussion categories to restore create_discussion tool

Test Results:

• ✅ GitHub MCP: Retrieved PR list
• ✅ Playwright: Navigated to GitHub, title verified
• ✅ File Write: Created test file successfully
• ✅ Bash Tool: Read file back successfully

Overall Status: PASS

AI generated by Smoke Claude

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• fix: update testPathPattern to testPathPatterns for Jest 30 #648: fix: update testPathPattern to testPathPatterns for Jest 30
• fix: use lowercase discussion categories to restore create_discussion tool #637: fix: use lowercase discussion categories to restore create_discussion tool

Test Results:

• ✅ GitHub MCP: Retrieved PR data
• ✅ Playwright: Verified page title contains "GitHub"
• ✅ File Write: Created test file
• ✅ Bash: Verified file contents

Overall: PASS

cc @Mossaka

AI generated by Smoke Copilot

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS ✅

All .NET projects successfully restored, built, and ran.

AI generated by Build Test .NET

[github-actions]

Bun Build Test Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS ✅

All Bun projects built and tested successfully.

AI generated by Build Test Bun

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects built and tested successfully.

AI generated by Build Test Go

[github-actions]

Node.js Build Test Results

All Node.js projects tested successfully! ✅

Project	Install	Tests	Status
clsx	✅	PASS	✅ PASS
execa	✅	PASS	✅ PASS
p-limit	✅	PASS	✅ PASS

Overall: ✅ PASS

All projects installed dependencies and passed their test suites without errors.

AI generated by Build Test Node.js

[github-actions]

GitHub MCP (merged PR titles): ✅ fix: update testPathPattern to testPathPatterns for Jest 30; fix: use lowercase discussion categories to restore create_discussion tool
safeinputs-gh PR list (titles): ✅ ci: dummy PR to test CI pipeline status; fix: add --no-cache to docker build commands in CI workflows
Playwright github.com title: ✅
Tavily search: ❌ (tool unavailable)
File write: ✅
Bash cat verify: ✅
Discussion comment: ✅
Build (npm ci && npm run build): ✅
Overall: FAIL

AI generated by Smoke Codex

[github-actions]

Chroot Version Comparison Test Results

Runtime	Host Version	Chroot Version	Match?
Python	3.12.12	3.12.3	❌ NO
Node.js	v24.13.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Status: ❌ Tests Failed

Not all runtime versions match between host and chroot environments. Only Go versions match correctly.

AI generated by Smoke Chroot

[github-actions]

Java Build Test Results

All Java build tests PASSED ✅

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS

Both projects compiled successfully and all tests passed through the AWF firewall with Maven proxy configuration.

AI generated by Build Test Java

[github-actions]

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

Smoke Test Results for Claude Engine (Run #21886284615)

Last 2 merged PRs:

• fix: update testPathPattern to testPathPatterns for Jest 30
• fix: use lowercase discussion categories to restore create_discussion tool

✅ GitHub MCP: PASS
✅ Playwright: PASS (GitHub page title verified)
✅ File Writing: PASS
✅ Bash Tool: PASS

Overall Status: PASS

AI generated by Smoke Claude

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS

All C++ projects built successfully.

AI generated by Build Test C++

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS ✅

All Go projects successfully downloaded dependencies and passed their test suites.

AI generated by Build Test Go

[github-actions]

Smoke Test Results

✅ GitHub MCP: Retrieved last 2 merged PRs

• fix: update testPathPattern to testPathPatterns for Jest 30 #648: fix: update testPathPattern to testPathPatterns for Jest 30
• fix: use lowercase discussion categories to restore create_discussion tool #637: fix: use lowercase discussion categories to restore create_discussion tool

✅ Playwright: Navigated to github.com, title verified
✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-21886284625.txt
✅ Bash Tool: File verified via cat

Status: PASS ✅

cc @Mossaka

AI generated by Smoke Copilot

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

• Deno version: 2.6.9
• Test execution time: < 5ms per project

AI generated by Build Test Deno

[github-actions]

Build Test: Bun - Results

All tests completed successfully! ✅

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS

Both projects installed dependencies and ran tests successfully using Bun v1.3.9.

AI generated by Build Test Bun

[github-actions]

Build Test: Node.js - Results

Project	Install	Tests	Status
clsx	✅	All passed	PASS
execa	✅	All passed	PASS
p-limit	✅	All passed	PASS

Overall: PASS ✅

All Node.js projects built and tested successfully.

AI generated by Build Test Node.js

[github-actions]

Build Test: Rust - ❌ FAILED

Error: Missing Rust toolchain (rustc/cargo) in GitHub Actions runner environment.

Test Results

Project	Build	Tests	Status
fd	❌	-	FAILED
zoxide	❌	-	FAILED

Overall: ❌ FAIL

Error Details

bash: cargo: command not found

Resolution

The workflow needs to install Rust before running tests. Add this step to the workflow:

- name: Setup Rust
  uses: actions-rust-lang/setup-rust-toolchain@v1

Or manually install via rustup:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source $HOME/.cargo/env

AI generated by Build Test Rust

[github-actions]

Chroot Runtime Version Test Results

Runtime	Host Version	Chroot Version	Match?
Python	3.12.12	3.12.3	❌ NO
Node.js	v24.13.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Result: ❌ FAILED - Not all runtime versions match between host and chroot environment.

Analysis

• Python: Minor version mismatch (3.12.12 vs 3.12.3)
• Node.js: Major version mismatch (v24 vs v20)
• Go: Versions match ✓

The chroot mode successfully accesses host binaries, but version mismatches indicate the container's bundled runtimes are being used instead of the host's for Python and Node.js.

AI generated by Smoke Chroot

[github-actions]

fix: update testPathPattern to testPathPatterns for Jest 30
fix: use lowercase discussion categories to restore create_discussion tool
GitHub MCP review last 2 merged PRs: ✅
safeinputs-gh pr list: ✅
Playwright title check: ✅
Tavily search: ❌
File write + cat: ✅
Discussion comment: ✅
Build (npm ci && npm run build): ✅
Overall status: FAIL

AI generated by Smoke Codex

[github-actions]

Build Test: Java - Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS ✅

All Java projects compiled successfully and all tests passed through the AWF firewall.

AI generated by Build Test Java