rivet-dev · NathanFlurry · Apr 14, 2026
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -37,9 +37,6 @@ on:
         default: true
 
 env:
-  # Base image tag pinned here. Update after rebuilding base images with
-  # scripts/docker-builder-base/build-push.sh all --push.
-  BASE_TAG: 0e33ceb98
   # Depot project ID (rivet-dev/rivet-engine).
   DEPOT_PROJECT_ID: 1rcpv5rn8n
 
@@ -216,7 +213,6 @@ jobs:
           depot build \
             --project ${{ env.DEPOT_PROJECT_ID }} \
             --secret id=DEPOT_TOKEN,env=DEPOT_TOKEN \
-            --build-arg BASE_TAG=${{ env.BASE_TAG }} \
             --build-arg BUILD_TARGET=${{ matrix.build_target }} \
             --build-arg BUILD_MODE=${{ steps.mode.outputs.build_mode }} \
             --build-arg BUILD_FRONTEND=false \
@@ -236,43 +232,11 @@ jobs:
           path: artifacts/${{ matrix.artifact }}
           if-no-files-found: error
 
-  # ---------------------------------------------------------------------------
-  # engine-base-images — publish engine-specific GHCR bases for this commit SHA
-  # ---------------------------------------------------------------------------
-  engine-base-images:
-    needs: [context]
-    name: "Engine Base ${{ matrix.base }}"
-    if: needs.context.outputs.is_fork != 'true'
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - base: engine-builder
-          - base: engine-runtime-full
-          - base: engine-runtime-slim
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-buildx-action@v3
-      - name: Log in to ghcr.io
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build & Push Engine Base
-        run: |
-          TAG_OVERRIDE=${{ needs.context.outputs.sha }} \
-            ./scripts/docker-builder-base/build-push.sh ${{ matrix.base }} --push
-
   # ---------------------------------------------------------------------------
   # docker-images — per-arch runtime images pushed to Docker Hub
   # ---------------------------------------------------------------------------
   docker-images:
-    needs: [context, engine-base-images]
+    needs: [context]
     name: "Docker ${{ matrix.arch_suffix }}"
     if: needs.context.outputs.is_fork != 'true'
     strategy:
@@ -315,7 +279,6 @@ jobs:
           target: engine-full
           platforms: ${{ matrix.platform }}
           build-args: |
-            ENGINE_BASE_TAG=${{ needs.context.outputs.sha }}
             BUILD_FRONTEND=${{ steps.mode.outputs.build_frontend }}
             CARGO_BUILD_MODE=${{ steps.mode.outputs.cargo_build_mode }}
       - name: Build & Push (rivetdev/engine:slim)
@@ -328,7 +291,6 @@ jobs:
           target: engine-slim
           platforms: ${{ matrix.platform }}
           build-args: |
-            ENGINE_BASE_TAG=${{ needs.context.outputs.sha }}
             BUILD_FRONTEND=${{ steps.mode.outputs.build_frontend }}
             CARGO_BUILD_MODE=${{ steps.mode.outputs.cargo_build_mode }}
 

diff --git a/docker/build/darwin-arm64.Dockerfile b/docker/build/darwin-arm64.Dockerfile
@@ -3,8 +3,7 @@
 # See linux-x64-gnu.Dockerfile for build arg documentation.
 #
 # Base image: docker/builder-base/osxcross.Dockerfile
-ARG BASE_TAG=latest
-FROM ghcr.io/rivet-dev/rivet/builder-base-osxcross:${BASE_TAG}
+FROM ghcr.io/rivet-dev/rivet/builder-base-osxcross:0e33ceb98
 
 ARG BUILD_TARGET=engine
 ARG BUILD_MODE=release

diff --git a/docker/build/darwin-x64.Dockerfile b/docker/build/darwin-x64.Dockerfile
@@ -3,8 +3,7 @@
 # See linux-x64-gnu.Dockerfile for build arg documentation.
 #
 # Base image: docker/builder-base/osxcross.Dockerfile
-ARG BASE_TAG=latest
-FROM ghcr.io/rivet-dev/rivet/builder-base-osxcross:${BASE_TAG}
+FROM ghcr.io/rivet-dev/rivet/builder-base-osxcross:0e33ceb98
 
 ARG BUILD_TARGET=engine
 ARG BUILD_MODE=release

diff --git a/docker/build/linux-arm64-gnu.Dockerfile b/docker/build/linux-arm64-gnu.Dockerfile
@@ -3,8 +3,7 @@
 # See linux-x64-gnu.Dockerfile for build arg documentation.
 #
 # Base image: docker/builder-base/linux-gnu.Dockerfile
-ARG BASE_TAG=latest
-FROM ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:${BASE_TAG}
+FROM ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:0e33ceb98
 
 ARG BUILD_TARGET=engine
 ARG BUILD_MODE=release

diff --git a/docker/build/linux-arm64-musl.Dockerfile b/docker/build/linux-arm64-musl.Dockerfile
@@ -3,8 +3,7 @@
 # See linux-x64-gnu.Dockerfile for build arg documentation.
 #
 # Base image: docker/builder-base/linux-musl.Dockerfile
-ARG BASE_TAG=latest
-FROM ghcr.io/rivet-dev/rivet/builder-base-linux-musl:${BASE_TAG}
+FROM ghcr.io/rivet-dev/rivet/builder-base-linux-musl:0e33ceb98
 
 ARG BUILD_TARGET=engine
 ARG BUILD_MODE=release

diff --git a/docker/build/linux-x64-gnu.Dockerfile b/docker/build/linux-x64-gnu.Dockerfile
@@ -3,15 +3,13 @@
 # Builds either rivet-engine or rivetkit-native based on BUILD_TARGET.
 #
 # Build args:
-#   BASE_TAG        - base image tag (set by build-push script)
 #   BUILD_TARGET    - "engine" or "rivetkit-native"
 #   BUILD_MODE      - "debug" (fast) or "release" (optimized)
 #   BUILD_FRONTEND  - "true" or "false" (engine only)
 #
 # Base image: docker/builder-base/linux-gnu.Dockerfile
 # Rebuild base: scripts/docker-builder-base/build-push.sh linux-gnu --push
-ARG BASE_TAG=latest
-FROM ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:${BASE_TAG}
+FROM ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:0e33ceb98
 
 ARG BUILD_TARGET=engine
 ARG BUILD_MODE=release

diff --git a/docker/build/linux-x64-musl.Dockerfile b/docker/build/linux-x64-musl.Dockerfile
@@ -3,8 +3,7 @@
 # See linux-x64-gnu.Dockerfile for build arg documentation.
 #
 # Base image: docker/builder-base/linux-musl.Dockerfile
-ARG BASE_TAG=latest
-FROM ghcr.io/rivet-dev/rivet/builder-base-linux-musl:${BASE_TAG}
+FROM ghcr.io/rivet-dev/rivet/builder-base-linux-musl:0e33ceb98
 
 ARG BUILD_TARGET=engine
 ARG BUILD_MODE=release

diff --git a/docker/build/windows-x64.Dockerfile b/docker/build/windows-x64.Dockerfile
@@ -9,8 +9,7 @@
 # into MSVC Node.js in practice as long as we statically link libgcc/libstdc++.
 #
 # Base image: docker/builder-base/windows-mingw.Dockerfile
-ARG BASE_TAG=latest
-FROM ghcr.io/rivet-dev/rivet/builder-base-windows-mingw:${BASE_TAG}
+FROM ghcr.io/rivet-dev/rivet/builder-base-windows-mingw:0e33ceb98
 
 ARG BUILD_TARGET=engine
 ARG BUILD_MODE=release

diff --git a/docker/engine/Dockerfile b/docker/engine/Dockerfile
@@ -1,10 +1,8 @@
 # syntax=docker/dockerfile:1.10.0
 
-ARG ENGINE_BASE_TAG=latest
-
 # MARK: Builder
 # TODO(RVT-4168): Compile libfdb from scratch for ARM
-FROM ghcr.io/rivet-dev/rivet/engine-base-builder:${ENGINE_BASE_TAG} AS builder
+FROM ghcr.io/rivet-dev/rivet/engine-base-builder:a36b881 AS builder
 
 # Docker automatically provides TARGETARCH
 ARG TARGETARCH
@@ -54,7 +52,7 @@ RUN \
     cp target/$CARGO_BUILD_MODE/rivet-engine /app/dist/
 
 # MARK: Engine (full, base)
-FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-full:${ENGINE_BASE_TAG} AS engine-full-base
+FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-full:a36b881 AS engine-full-base
 
 # MARK: Engine (Full)
 FROM engine-full-base AS engine-full
@@ -67,7 +65,7 @@ ENTRYPOINT ["/usr/bin/rivet-engine"]
 CMD ["start"]
 
 # MARK: Engine (Slim)
-FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-slim:${ENGINE_BASE_TAG} AS engine-slim
+FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-slim:a36b881 AS engine-slim
 
 LABEL org.opencontainers.image.source=https://github.com/rivet-dev/rivet
 

diff --git a/scripts/docker-builder-base/build-push.sh b/scripts/docker-builder-base/build-push.sh
@@ -17,8 +17,8 @@ set -e
 #   ghcr.io/rivet-dev/rivet/builder-base-osxcross:<sha>
 #   ghcr.io/rivet-dev/rivet/engine-base-builder:<sha>
 #
-# After pushing shared builder bases, update BASE_TAG in
-# .github/workflows/publish.yaml to reference the new tag.
+# After pushing all bases, this script updates the pinned GHCR tags in the
+# consumer Dockerfiles.
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 REPO_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
@@ -68,6 +68,69 @@ ensure_multiarch_builder() {
     docker buildx inspect "$MULTIARCH_BUILDER" --bootstrap >/dev/null
 }
 
+update_from_line() {
+    local file="$1"
+    local pattern="$2"
+    local replacement="$3"
+
+    if ! grep -Eq "^FROM ${pattern}\$" "$file"; then
+        echo "ERROR: Failed to find pinned base image reference in $file"
+        return 1
+    fi
+
+    perl -0pi -e "s#^FROM ${pattern}\$#FROM ${replacement}#m" "$file"
+
+    if ! grep -Fqx "FROM ${replacement}" "$file"; then
+        echo "ERROR: Failed to update pinned base image reference in $file"
+        return 1
+    fi
+}
+
+pin_consumer_dockerfiles() {
+    echo "==> Updating pinned base image references to tag: $TAG"
+
+    update_from_line \
+        "$REPO_ROOT/docker/build/linux-x64-gnu.Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/builder-base-linux-gnu:[^[:space:]]+' \
+        "ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:${TAG}"
+    update_from_line \
+        "$REPO_ROOT/docker/build/linux-arm64-gnu.Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/builder-base-linux-gnu:[^[:space:]]+' \
+        "ghcr.io/rivet-dev/rivet/builder-base-linux-gnu:${TAG}"
+    update_from_line \
+        "$REPO_ROOT/docker/build/linux-x64-musl.Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/builder-base-linux-musl:[^[:space:]]+' \
+        "ghcr.io/rivet-dev/rivet/builder-base-linux-musl:${TAG}"
+    update_from_line \
+        "$REPO_ROOT/docker/build/linux-arm64-musl.Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/builder-base-linux-musl:[^[:space:]]+' \
+        "ghcr.io/rivet-dev/rivet/builder-base-linux-musl:${TAG}"
+    update_from_line \
+        "$REPO_ROOT/docker/build/darwin-x64.Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/builder-base-osxcross:[^[:space:]]+' \
+        "ghcr.io/rivet-dev/rivet/builder-base-osxcross:${TAG}"
+    update_from_line \
+        "$REPO_ROOT/docker/build/darwin-arm64.Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/builder-base-osxcross:[^[:space:]]+' \
+        "ghcr.io/rivet-dev/rivet/builder-base-osxcross:${TAG}"
+    update_from_line \
+        "$REPO_ROOT/docker/build/windows-x64.Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/builder-base-windows-mingw:[^[:space:]]+' \
+        "ghcr.io/rivet-dev/rivet/builder-base-windows-mingw:${TAG}"
+    update_from_line \
+        "$REPO_ROOT/docker/engine/Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/engine-base-builder:[^[:space:]]+ AS builder' \
+        "ghcr.io/rivet-dev/rivet/engine-base-builder:${TAG} AS builder"
+    update_from_line \
+        "$REPO_ROOT/docker/engine/Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/engine-base-runtime-full:[^[:space:]]+ AS engine-full-base' \
+        "ghcr.io/rivet-dev/rivet/engine-base-runtime-full:${TAG} AS engine-full-base"
+    update_from_line \
+        "$REPO_ROOT/docker/engine/Dockerfile" \
+        'ghcr\\.io/rivet-dev/rivet/engine-base-runtime-slim:[^[:space:]]+' \
+        "ghcr.io/rivet-dev/rivet/engine-base-runtime-slim:${TAG}"
+}
+
 build_one() {
     local name="$1"
     local dockerfile="$DOCKERFILE_DIR/${name}.Dockerfile"
@@ -158,6 +221,7 @@ if [ "$BASE_NAME" = "all" ]; then
         for base in $BASES; do
             push_one "$base"
         done
+        pin_consumer_dockerfiles
     fi
 else
     build_one "$BASE_NAME"
@@ -169,4 +233,8 @@ fi
 echo ""
 echo "Done. Tag: $TAG"
 echo ""
-echo "Update BASE_TAG to use tag: $TAG if you rebuilt shared builder bases"
+if [ "$BASE_NAME" = "all" ] && [ "$PUSH" = "true" ]; then
+    echo "Pinned consumer Dockerfiles to tag: $TAG"
+else
+    echo "Consumer Dockerfiles were not updated. Run ./scripts/docker-builder-base/build-push.sh all --push to pin them to this tag."
+fi