ci: optimize e2e tests with docker caching

[jy-tan]

Summary

Cache the E2E test base Docker image in GitHub Container Registry (GHCR) to reduce redundant builds across matrix jobs and improve CI reproducibility.

Changes

• Add new build-base job that builds and pushes the base image to GHCR with BuildKit layer caching
• Use content-hashed image tags (Dockerfile hash + Tusk CLI version) for reproducibility and to avoid race conditions with concurrent workflow runs
• Add fork PR detection and fallback to local builds (forks cannot push to GHCR)
• Update all 11 library Dockerfiles to accept BASE_IMAGE as a build arg with local fallback default
• Update all 11 docker-compose.yml files to pass BASE_IMAGE from environment
• Add packages: write permission for GHCR push

Notes

• Local development is unaffected - Dockerfiles default to python-e2e-base:latest which can be built locally
• Fork PRs will build the base image locally in each matrix job (same as before)
• The base image is still built on every CI run, but BuildKit caching makes unchanged layers fast

No significant gains (e2e tests still take ~1 min each), not worth the effort and cache maintenance, shelving for now.

[cubic-dev-ai]

1 issue found across 23 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name=".github/workflows/e2e.yml">

<violation number="1" location=".github/workflows/e2e.yml:187">
P2: Use the content-hashed image tag from `build-base` instead of the mutable `latest` tag so the E2E job uses the exact base image built in this workflow run.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}