ci(linux): containerize cargo check and release build with cargo-chef

Replace bare-metal apt-get + toolchain setup with multi-stage Docker
build using cargo-chef for dependency caching. Blacksmith's Docker
layer caching (sticky disks) persists all layers across CI runs.

Dockerfile stages:
- deps: system packages, Rust nightly, Node.js, cargo-chef, tauri-cli
- planner: cargo-chef prepare (recipe.json from manifests)
- cook: cargo-chef cook for dev + release profiles
- check: cargo check --workspace (test workflow target)
- build: cargo tauri build + bundle (release workflow target)
- artifacts: extract .deb and binary

test.yml Linux build uses --target check via useblacksmith actions.
release.yml Linux build uses --target artifacts with local output.
macOS/Windows paths unchanged.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: pythoninthegrass

.github/workflows/release.yml

@@ -128,24 +128,26 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - name: Setup Tauri build environment
-        uses: ./.github/actions/setup-tauri-build
+      - name: Setup Docker builder
+        uses: useblacksmith/setup-docker-builder@v1
 
-      - name: Build binary
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          LASTFM_API_KEY: ${{ secrets.LASTFM_API_KEY }}
-          LASTFM_API_SECRET: ${{ secrets.LASTFM_API_SECRET }}
-        run: task ci:build TARGET=x86_64-unknown-linux-gnu
-
-      - name: Bundle
-        run: task ci:bundle TARGET=x86_64-unknown-linux-gnu BUNDLES=deb
+      - name: Build and bundle via Docker
+        uses: useblacksmith/build-push-action@v2
+        with:
+          context: .
+          file: docker/Dockerfile.linux-amd64
+          target: artifacts
+          push: false
+          outputs: type=local,dest=dist
+          build-args: |
+            LASTFM_API_KEY=${{ secrets.LASTFM_API_KEY }}
+            LASTFM_API_SECRET=${{ secrets.LASTFM_API_SECRET }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v7
         with:
           name: linux-amd64
-          path: target/x86_64-unknown-linux-gnu/release/bundle/deb/*.deb
+          path: dist/*.deb
           retention-days: 7
 
       - name: Upload release assets
@@ -154,7 +156,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh release upload "${{ github.event.release.tag_name }}" \
-            target/x86_64-unknown-linux-gnu/release/bundle/deb/*.deb
+            dist/*.deb
 
   build-windows:
     name: Build Windows (x64)

.github/workflows/test.yml

@@ -139,15 +139,24 @@ jobs:
 
       - uses: actions/checkout@v6
 
-      - name: Setup Tauri build environment
-        uses: ./.github/actions/setup-tauri-build
+      # Linux: containerized cargo check with Blacksmith Docker layer caching
+      - name: Setup Docker builder (Linux)
+        if: runner.os == 'Linux'
+        uses: useblacksmith/setup-docker-builder@v1
 
       - name: Cargo check (Linux)
         if: runner.os == 'Linux'
-        shell: bash
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        run: task ci:check TARGET=${{ matrix.target }}
+        uses: useblacksmith/build-push-action@v2
+        with:
+          context: .
+          file: docker/Dockerfile.linux-amd64
+          target: check
+          push: false
+
+      # macOS/Windows: bare-metal setup + cargo check
+      - name: Setup Tauri build environment
+        if: runner.os != 'Linux'
+        uses: ./.github/actions/setup-tauri-build
 
       - name: Cargo check (macOS)
         if: runner.os == 'macOS'

docker/Dockerfile.linux-amd64

@@ -1,7 +1,23 @@
 # syntax=docker/dockerfile:1.17.1
 # check=skip=all
 
-FROM debian:trixie-slim AS builder
+FROM debian:trixie-slim AS deps
+
+RUN true <<'DOCKERFILE'
+Multi-stage Dockerfile for Linux CI builds.
+
+Stages:
+  deps      - system packages, Rust nightly, Node.js, cargo-chef, tauri-cli
+  planner   - cargo-chef prepare (generates recipe.json from lock/manifests)
+  cook      - cargo-chef cook (compiles all dependencies, cached by Blacksmith)
+  check     - cargo check --workspace (test workflow target)
+  build     - cargo tauri build --no-bundle + cargo tauri bundle (release target)
+  artifacts - extract .deb and binary
+
+Usage:
+  test.yml:    docker build --target check .
+  release.yml: docker build --target artifacts --output type=local,dest=dist .
+DOCKERFILE
 
 ENV DEBIAN_FRONTEND=noninteractive
 
@@ -36,7 +52,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     librsvg2-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# -- Rust (nightly) --
 ENV RUSTUP_HOME=/usr/local/rustup \
     CARGO_HOME=/usr/local/cargo \
     PATH="/usr/local/cargo/bin:${PATH}"
@@ -45,65 +60,71 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
     | sh -s -- -y --default-toolchain nightly --profile minimal \
     && rustup target add x86_64-unknown-linux-gnu
 
-# -- Node.js --
+RUN cargo install cargo-chef --locked \
+    && cargo install cargo-binstall --locked \
+    && cargo binstall tauri-cli --locked --no-confirm
+
 ARG NODE_MAJOR=24
 RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_MAJOR}.x | bash - \
     && apt-get install -y --no-install-recommends nodejs \
     && rm -rf /var/lib/apt/lists/*
 
-# -- Deno --
-RUN curl -fsSL -L https://github.com/denoland/deno/releases/latest/download/deno-x86_64-unknown-linux-gnu.zip \
-    -o /tmp/deno.zip \
-    && unzip -o /tmp/deno.zip -d /usr/local/bin \
-    && chmod +x /usr/local/bin/deno \
-    && rm /tmp/deno.zip
-
-# -- Last.fm API keys (embedded at compile time via build.rs) --
-ARG LASTFM_API_KEY
-ARG LASTFM_API_SECRET
-ENV LASTFM_API_KEY=${LASTFM_API_KEY}
-ENV LASTFM_API_SECRET=${LASTFM_API_SECRET}
-
-# -- Build environment --
 ENV RUSTUP_TOOLCHAIN=nightly \
     RUSTFLAGS="-Zthreads=16"
 
 WORKDIR /build
 
-# -- Layer: dependency files (cached unless deps change) --
+FROM deps AS planner
+
 COPY Cargo.toml Cargo.lock ./
-COPY crates/mt-tauri/Cargo.toml crates/mt-tauri/
+COPY crates/ crates/
+
+RUN cargo chef prepare --recipe-path recipe.json
+
+FROM deps AS cook
+
+COPY --from=planner /build/recipe.json recipe.json
 COPY crates/mt-tauri/.cargo crates/mt-tauri/.cargo/
 
-# Stub source files for cargo fetch
-RUN mkdir -p crates/mt-tauri/src && echo "fn main() {}" > crates/mt-tauri/src/main.rs \
-    && echo "" > crates/mt-tauri/src/lib.rs
+RUN cargo chef cook --recipe-path recipe.json \
+    --target x86_64-unknown-linux-gnu
 
-RUN cargo fetch --target x86_64-unknown-linux-gnu
+RUN cargo chef cook --release --recipe-path recipe.json \
+    --target x86_64-unknown-linux-gnu
 
-# Frontend deps
-COPY deno.jsonc deno.lock ./
 COPY app/frontend/package.json app/frontend/package-lock.json app/frontend/
+RUN cd app/frontend && npm ci
+
+FROM cook AS check
+
+COPY Cargo.toml Cargo.lock ./
+COPY crates/ crates/
 
-RUN deno install --node-modules-dir=auto
+RUN cargo check --workspace --target x86_64-unknown-linux-gnu
 
-# -- Layer: full source --
-RUN rm -rf crates/mt-tauri/src
+FROM cook AS build
 
+ARG LASTFM_API_KEY
+ARG LASTFM_API_SECRET
+ENV LASTFM_API_KEY=${LASTFM_API_KEY} \
+    LASTFM_API_SECRET=${LASTFM_API_SECRET}
+
+COPY Cargo.toml Cargo.lock ./
 COPY crates/ crates/
 COPY app/ app/
-COPY scripts/ scripts/
 COPY static/ static/
 
-# -- Build frontend --
 RUN cd app/frontend && npm run build
 
-# -- Build Tauri app --
-RUN deno run -A npm:@tauri-apps/cli build \
+RUN cargo tauri build --no-bundle \
+    --target x86_64-unknown-linux-gnu \
+    --config '{"build":{"beforeBuildCommand":""}}'
+
+RUN cargo tauri bundle \
     --target x86_64-unknown-linux-gnu \
     --bundles deb
 
 FROM scratch AS artifacts
 
-COPY --from=builder /build/target/x86_64-unknown-linux-gnu/release/bundle/deb/*.deb /
-COPY --from=builder /build/target/x86_64-unknown-linux-gnu/release/mt-tauri /mt-tauri
+COPY --from=build /build/target/x86_64-unknown-linux-gnu/release/bundle/deb/*.deb /
+COPY --from=build /build/target/x86_64-unknown-linux-gnu/release/mt-tauri /mt-tauri