Run any Skill in Manus with one click

docker-buildx-stale-rust-binary

Fix deployed Rust binaries not reflecting code changes when using docker buildx. Use when: (1) Code changes are verified locally (tests pass) but production behavior doesn't change after deploy, (2) Docker image has a new tag but contains old compiled binary, (3) Dockerfile uses multi-stage build with dependency pre-compilation layer and source copy layer. Docker buildx layer caching can serve stale compilation output even when source files change, especially with cross-compilation (--platform linux/amd64).

Run Skill in Manus

Stars254

Forks50

UpdatedMay 5, 2026 at 02:08

Source

divinevideo

divinevideo/divine-mobile

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Software DevelopersComputer and Mathematical Occupations15-1252L4

SKILL.md

readonly

name	docker-buildx-stale-rust-binary
description	Fix deployed Rust binaries not reflecting code changes when using docker buildx. Use when: (1) Code changes are verified locally (tests pass) but production behavior doesn't change after deploy, (2) Docker image has a new tag but contains old compiled binary, (3) Dockerfile uses multi-stage build with dependency pre-compilation layer and source copy layer. Docker buildx layer caching can serve stale compilation output even when source files change, especially with cross-compilation (--platform linux/amd64).
author	Claude Code
version	1.0.0
date	"2026-03-31T00:00:00.000Z"

Docker Buildx Stale Rust Binary Cache

Problem

Docker buildx may serve stale compiled Rust binaries from layer cache even when source files have changed. The image gets a new tag and pushes successfully, but contains the old compiled binary. This is especially common with cross-platform builds (--platform linux/amd64 on ARM Macs).

Context / Trigger Conditions

Dockerfile uses multi-stage pattern: copy Cargo.toml → build deps → copy source → build
Using docker buildx build --push with --platform linux/amd64
Code changes verified locally (tests pass) but production shows old behavior
Image digest from cached build differs from --no-cache build
Adding a simple response header in code and it doesn't appear in production

Solution

Always use --no-cache when deploying code changes:

# WRONG — may use cached compilation layer with old code
docker buildx build --platform linux/amd64 --target api \
  -t registry/image:tag --push .

# CORRECT — forces full recompilation
docker buildx build --platform linux/amd64 --target api \
  --no-cache -t registry/image:tag --push .

Verification

Compare image digests between cached and no-cache builds:

# Build with cache
docker buildx build --platform linux/amd64 --target api \
  -t registry/image:cached --push . 2>&1 | grep "pushing manifest"
# Note the sha256 digest

# Build without cache  
docker buildx build --platform linux/amd64 --target api \
  --no-cache -t registry/image:nocache --push . 2>&1 | grep "pushing manifest"
# Note the sha256 digest

# If digests differ, the cached build had stale code

Example

Typical Dockerfile pattern vulnerable to this:

# Layer 1: Copy manifests (cached if Cargo.toml unchanged)
COPY Cargo.toml Cargo.lock ./
COPY crates/*/Cargo.toml crates/

# Layer 2: Build dependencies (cached — this is the good cache)
RUN cargo build --release && rm -rf src crates

# Layer 3: Copy actual source (SHOULD invalidate on source change)
COPY crates crates
COPY bin bin

# Layer 4: Rebuild with actual source
RUN touch crates/*/src/lib.rs && cargo build --release

The issue: buildx's content-addressable cache may match Layer 4's output from a previous build if the intermediate representations happen to collide, especially during cross-compilation where the build environment state is more complex.

Notes

This primarily affects --platform cross-compilation builds (ARM → x86)
Native-platform builds are less likely to hit this issue
The --no-cache flag adds ~5-10 minutes to Rust builds but guarantees fresh compilation
Alternative: use --cache-from with explicit cache scoping to avoid stale layers
Consider adding a build-time env var (like commit hash) that forces layer invalidation:
```
ARG BUILD_HASH
RUN echo $BUILD_HASH && cargo build --release
```

More from this repository

same repository

e2e-test

divinevideo/divine-mobile

Run and debug Flutter E2E integration tests that exercise the real app against a local Docker backend (no mocks). Use when running E2E tests, debugging failures, or working on the local harness.

2026-05-27254

review-before-commit

divinevideo/divine-mobile

Review all uncommitted changes before pushing. Checks for dead code, stale comments, CLAUDE.md rule violations, unused imports, and inconsistencies introduced during the current session. Invoke with /review-before-commit.

2026-05-11254

argocd-externalsecret-namespace-permission

divinevideo/divine-mobile

Fix ArgoCD ExternalSecret deployment failing with "namespace X is not permitted in project Y". Use when: (1) ExternalSecret shows OutOfSync in ArgoCD but won't sync, (2) ArgoCD application status shows "namespace X is not permitted in project 'infrastructure'", (3) ExternalSecret targets a namespace managed by a different ArgoCD project, (4) Using apps-of-apps pattern with separate infrastructure and application projects.

2026-05-05254

art-direct

divinevideo/divine-mobile

Art direction for any content — reads text, PDF, Word, HTML, PPT, then proposes 2-3 creative directions with photography style, mood, and visual language. After selection, generates AI image prompts and visual briefs section-by-section. Use when the user shares content and needs visual direction, image sourcing, or creative direction for any material.

2026-05-05254

async-await-null-race-condition

divinevideo/divine-mobile

Fix "Null check operator used on a null value" errors when an object is set to null during an async await. Use when: (1) Object reference is nullified while awaiting, (2) Code accesses object with ! after await returns, (3) Cancel/dispose operations run concurrently with async operations on same object. Solution: capture local reference before await.

2026-05-05254

aws-v4-signing-custom-headers-gcs

divinevideo/divine-mobile

Add custom metadata headers (x-amz-meta-*) to AWS v4 signed requests for GCS S3-compatible API. Use when: (1) Adding custom metadata to GCS uploads via S3 API, (2) Getting signature mismatch errors after adding new headers, (3) x-amz-meta-* headers being ignored or causing 403 errors. Custom headers MUST be included in canonical headers and signed headers list.

2026-05-05254

name	docker-buildx-stale-rust-binary
description	Fix deployed Rust binaries not reflecting code changes when using docker buildx. Use when: (1) Code changes are verified locally (tests pass) but production behavior doesn't change after deploy, (2) Docker image has a new tag but contains old compiled binary, (3) Dockerfile uses multi-stage build with dependency pre-compilation layer and source copy layer. Docker buildx layer caching can serve stale compilation output even when source files change, especially with cross-compilation (--platform linux/amd64).
author	Claude Code
version	1.0.0
date	"2026-03-31T00:00:00.000Z"

Docker Buildx Stale Rust Binary Cache

Problem

Context / Trigger Conditions

Dockerfile uses multi-stage pattern: copy Cargo.toml → build deps → copy source → build
Using docker buildx build --push with --platform linux/amd64
Code changes verified locally (tests pass) but production shows old behavior
Image digest from cached build differs from --no-cache build
Adding a simple response header in code and it doesn't appear in production

Solution

Always use --no-cache when deploying code changes:

# WRONG — may use cached compilation layer with old code
docker buildx build --platform linux/amd64 --target api \
  -t registry/image:tag --push .

# CORRECT — forces full recompilation
docker buildx build --platform linux/amd64 --target api \
  --no-cache -t registry/image:tag --push .

Verification

Compare image digests between cached and no-cache builds:

# Build with cache
docker buildx build --platform linux/amd64 --target api \
  -t registry/image:cached --push . 2>&1 | grep "pushing manifest"
# Note the sha256 digest

# Build without cache  
docker buildx build --platform linux/amd64 --target api \
  --no-cache -t registry/image:nocache --push . 2>&1 | grep "pushing manifest"
# Note the sha256 digest

# If digests differ, the cached build had stale code

Example

Typical Dockerfile pattern vulnerable to this:

# Layer 1: Copy manifests (cached if Cargo.toml unchanged)
COPY Cargo.toml Cargo.lock ./
COPY crates/*/Cargo.toml crates/

# Layer 2: Build dependencies (cached — this is the good cache)
RUN cargo build --release && rm -rf src crates

# Layer 3: Copy actual source (SHOULD invalidate on source change)
COPY crates crates
COPY bin bin

# Layer 4: Rebuild with actual source
RUN touch crates/*/src/lib.rs && cargo build --release

Notes

This primarily affects --platform cross-compilation builds (ARM → x86)
Native-platform builds are less likely to hit this issue
The --no-cache flag adds ~5-10 minutes to Rust builds but guarantees fresh compilation
Alternative: use --cache-from with explicit cache scoping to avoid stale layers
Consider adding a build-time env var (like commit hash) that forces layer invalidation:
```
ARG BUILD_HASH
RUN echo $BUILD_HASH && cargo build --release
```