Screenly · vpetersson · Apr 30, 2026 · Apr 29, 2026 · Apr 29, 2026 · Apr 29, 2026
@@ -29,10 +29,10 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - name: Set up Python 3.11
+      - name: Set up Python 3.13
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
-          python-version: '3.11'
+          python-version: '3.13'
 
       - name: Install uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0

@@ -37,7 +37,7 @@ jobs:
   balena-build-images:
     strategy:
       matrix:
-        board: ['pi1', 'pi2', 'pi3', 'pi4', 'pi5']
+        board: ['pi2', 'pi3', 'pi4-64', 'pi5']
     runs-on: ubuntu-24.04
     permissions:
       contents: write
@@ -67,13 +67,11 @@ jobs:
 
       - name: Get base board
         run: |
-          if [ "${{ matrix.board }}" == 'pi1' ]; then
-            echo "BALENA_IMAGE=raspberry-pi" >> "$GITHUB_ENV"
-          elif [ "${{ matrix.board }}" == 'pi2' ]; then
+          if [ "${{ matrix.board }}" == 'pi2' ]; then
             echo "BALENA_IMAGE=raspberry-pi2" >> "$GITHUB_ENV"
           elif [ "${{ matrix.board }}" == 'pi3' ]; then
             echo "BALENA_IMAGE=raspberrypi3" >> "$GITHUB_ENV"
-          elif [ "${{ matrix.board }}" == 'pi4' ]; then
+          elif [ "${{ matrix.board }}" == 'pi4-64' ]; then
             echo "BALENA_IMAGE=raspberrypi4-64" >> "$GITHUB_ENV"
           elif [ "${{ matrix.board }}" == 'pi5' ]; then
             echo "BALENA_IMAGE=raspberrypi5" >> "$GITHUB_ENV"

@@ -19,9 +19,18 @@ on:
       - '!webview/README.md'
 
 jobs:
-  build-docker-image:
-    name: Build Docker Images (Pi 1-4)
+  compile-webview-part-1:
+    name: Compile Webview (Pi 2-3 / Qt 5)
+    strategy:
+      matrix:
+        board: ['pi2', 'pi3']
     runs-on: ubuntu-24.04
+    # `packages: write` so the build step's --cache-to can push the
+    # buildcache tag to GHCR on push events. Fork PRs auto-downgrade
+    # to read-only regardless of declared permissions.
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -33,53 +42,43 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
-      - name: Login to Docker Hub
+      - name: Login to GitHub Container Registry
         if: success() && github.event_name != 'pull_request'
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Set buildx arguments
-        if: github.event_name != 'pull_request'
-        id: prepare
-        run: |
-          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
-
-          {
-            echo "buildx_args=--cache-from \"screenly/ose-qt-builder:latest\" \
-            --output \"type=image,push=true\" \
-            --build-arg \"BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\" \
-            --build-arg \"GIT_HASH=$GIT_SHORT_HASH\" \
-            --build-arg \"GIT_SHORT_HASH=$GIT_SHORT_HASH\" \
-            --build-arg \"GIT_BRANCH=$GITHUB_REF_NAME\""
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Building container
-        if: github.event_name != 'pull_request'
+      - name: Build Qt 5 builder image
+        env:
+          # Build the Qt 5 cross-compile builder inline rather than as a
+          # separate publish job. The image is a CI-internal artifact —
+          # only ever consumed by the next step in this same job — so
+          # there is no need to push it anywhere. Cache layers are still
+          # registry-backed (mirrors docker-build.yaml): `cache-from`
+          # always reads, `cache-to` writes only on push events because
+          # fork-PR GITHUB_TOKENs are read-only and would 401 on cache
+          # write. --load makes the resulting image available to the
+          # local Docker daemon for the `docker run` step below.
+          CACHE_REF: ghcr.io/screenly/anthias-webview-qt5-builder:buildcache
         run: |
           cd webview
+          set_args=( --cache-from "type=registry,ref=${CACHE_REF}" )
+          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
+            set_args+=( --cache-to "type=registry,ref=${CACHE_REF},mode=max,image-manifest=true" )
+          fi
+          GIT_HASH=$(git rev-parse HEAD)
+          GIT_SHORT_HASH=$(git rev-parse --short HEAD)
           docker buildx build \
-            ${{ steps.prepare.outputs.buildx_args }} \
-            -t screenly/ose-qt-builder:latest .
-
-  compile-webview-part-1:
-    name: Compile Webview (Pi 1-4 / Qt 5)
-    needs: build-docker-image
-    strategy:
-      matrix:
-        board: ['pi1', 'pi2', 'pi3', 'pi4']
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+            "${set_args[@]}" \
+            --load \
+            --build-arg "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
+            --build-arg "GIT_HASH=${GIT_HASH}" \
+            --build-arg "GIT_SHORT_HASH=${GIT_SHORT_HASH}" \
+            --build-arg "GIT_BRANCH=${GITHUB_REF_NAME}" \
+            -t webview-qt5-builder:latest \
+            .
 
       - name: Cache build layers
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
@@ -121,7 +120,7 @@ jobs:
             -v $(pwd):/webview:ro \
             -e TARGET=${{ matrix.board }} \
             -e WEBVIEW_VERSION="$WEBVIEW_VERSION" \
-            screenly/ose-qt-builder:latest
+            webview-qt5-builder:latest
           docker exec -it qt-builder /webview/build_webview_with_qt5.sh
           docker rm -f qt-builder
 
@@ -145,6 +144,14 @@ jobs:
     strategy:
       matrix:
         board: ['pi5', 'pi4-64', 'x86']
+    # `packages: write` so the build step below can push the buildcache
+    # tag to GHCR on push events. PRs from forks won't have this scope
+    # in practice (GITHUB_TOKEN is read-only on fork PRs), which is why
+    # `cache-to` is gated to non-PR events; cache-from still works
+    # because the published cache package is public.
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -155,6 +162,14 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
+      - name: Login to GitHub Container Registry
+        if: success() && github.event_name != 'pull_request'
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set environment variables
         run: |
           # WebView-v2026.04.0 → 2026.04.0 on tag pushes; date-stamped
@@ -172,9 +187,31 @@ jobs:
           } >> "$GITHUB_ENV"
 
       - name: Build Docker Image
+        env:
+          # Mirrors docker-build.yaml's registry-cache pattern, scoped per
+          # board because each Qt 6 board uses a distinct Dockerfile
+          # (Dockerfile.{pi4,pi5,x86}) and shares almost nothing across
+          # boards. cache-to is push-only: PRs from forks have a read-only
+          # GITHUB_TOKEN and would auth-fail on the registry write.
+          CACHE_REF: ghcr.io/screenly/anthias-webview-qt6-builder:buildcache-${{ matrix.board }}
+          BAKE_TARGET: builder-${{ matrix.board }}
         run: |
           cd webview
-          docker compose build
+          # `docker buildx bake` reads the compose file, then --set lets us
+          # inject cache-from / cache-to per target without modifying the
+          # YAML (which has to stay PR-fork-safe). --load makes the
+          # resulting image available to the local Docker daemon so the
+          # subsequent `docker compose run` step finds it via the
+          # explicit `image:` tag in docker-compose.yml.
+          set_args=( --set "${BAKE_TARGET}.cache-from=type=registry,ref=${CACHE_REF}" )
+          if [[ "${{ github.event_name }}" != "pull_request" ]]; then
+            set_args+=( --set "${BAKE_TARGET}.cache-to=type=registry,ref=${CACHE_REF},mode=max,image-manifest=true" )
+          fi
+          docker buildx bake \
+            -f docker-compose.yml \
+            --load \
+            "${set_args[@]}" \
+            "${BAKE_TARGET}"
 
       - name: Prepare bind-mount target for non-root builder user
         run: |
@@ -214,7 +251,7 @@ jobs:
       - compile-webview-part-2
     strategy:
       matrix:
-        board: ['pi1', 'pi2', 'pi3', 'pi4', 'pi4-64', 'pi5', 'x86']
+        board: ['pi2', 'pi3', 'pi4-64', 'pi5', 'x86']
     runs-on: ubuntu-24.04
     permissions:
       contents: write

@@ -68,8 +68,8 @@ jobs:
       # dedup at the registry level. See refactor: drop celery image.
       fail-fast: false
       matrix:
-        board: ['pi1', 'pi2', 'pi3', 'pi4', 'pi4-64', 'pi5', 'x86']
-        python-version: ["3.11"]
+        board: ['pi2', 'pi3', 'pi4-64', 'pi5', 'x86']
+        python-version: ["3.13"]
     runs-on: ubuntu-24.04
 
     steps:
@@ -208,7 +208,7 @@ jobs:
         run: |
           set -euo pipefail
           GIT_SHORT_HASH=$(git rev-parse --short=7 HEAD)
-          BOARDS=(pi1 pi2 pi3 pi4 pi4-64 pi5 x86)
+          BOARDS=(pi2 pi3 pi4-64 pi5 x86)
           SERVICES=(server redis viewer)
           # GHCR first so the canonical primary is current even if the
           # Docker Hub mirror later in the loop flakes.
@@ -266,23 +266,19 @@ jobs:
     needs: buildx
     strategy:
       matrix:
-        board: ['pi1', 'pi2', 'pi3', 'pi4', 'pi5']
+        board: ['pi2', 'pi3', 'pi4-64', 'pi5']
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set Docker tag
         run: |
-          echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)" >> "$GITHUB_ENV"
-
-          if [ "${{ matrix.board }}" == "pi4" ]; then
-            echo "BOARD=${{ matrix.board }}-64" >> "$GITHUB_ENV"
-          else
-            echo "BOARD=${{ matrix.board }}" >> "$GITHUB_ENV"
-          fi
-
-          echo "SHM_SIZE=256mb" >> "$GITHUB_ENV"
+          {
+            echo "GIT_SHORT_HASH=$(git rev-parse --short HEAD)"
+            echo "BOARD=${{ matrix.board }}"
+            echo "SHM_SIZE=256mb"
+          } >> "$GITHUB_ENV"
 
       - name: Prepare Balena file
         run: |

@@ -42,10 +42,10 @@ jobs:
     uses: ./.github/workflows/test-runner.yml
     with:
       test-type: 'typescript'
-      python-version: '3.11'
+      python-version: '3.13'
 
   run-python-tests:
     uses: ./.github/workflows/test-runner.yml
     with:
       test-type: 'python'
-      python-version: '3.11'
+      python-version: '3.13'
@@ -58,10 +58,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-      - name: Set up Python 3.11
+      - name: Set up Python 3.13
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
-          python-version: "3.11"
+          python-version: "3.13"
 
       - name: Install uv
         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        python-version: ["3.11"]
+        python-version: ["3.13"]
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        python-version: ["3.11"]
+        python-version: ["3.13"]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 

@@ -10,7 +10,7 @@ on:
       python-version:
         description: 'Python version to use'
         required: false
-        default: '3.11'
+        default: '3.13'
         type: string
 
 jobs:

@@ -1,5 +1,6 @@
 *.py[co]
 .idea/
+.qt5-toolchain-build/
 
 # Packages
 *.egg

@@ -1 +1 @@
-3.11
+3.13
@@ -16,11 +16,11 @@
           - anthias_user | length > 0
           - anthias_branch | length > 0
           - device_type | length > 0
-          - device_type in ['pi1', 'pi2', 'pi3', 'pi4', 'pi5', 'x86']
+          - device_type in ['pi2', 'pi3', 'pi4-64', 'pi5', 'x86']
         fail_msg: >-
           Required environment variables missing or invalid.
           USER must be set; DEVICE_TYPE must be one of
-          pi1, pi2, pi3, pi4, pi5, x86.
+          pi2, pi3, pi4-64, pi5, x86.
 
   roles:
     - system

@@ -6,7 +6,7 @@ print_help() {
     echo "Usage: deploy_to_balena.sh [options]"
     echo "Options:"
     echo "  -h, --help            show this help message and exit"
-    echo "  -b, --board BOARD     specify the board to build for (pi1, pi2, pi3, pi4, pi5)"
+    echo "  -b, --board BOARD     specify the board to build for (pi2, pi3, pi4-64, pi5)"
     echo "  -f, --fleet FLEET     specify the fleet name to deploy to"
     echo "  -s, --short-hash HASH specify the short hash to use for the image tag"
     echo "  -d, --dev             run in dev mode"
@@ -23,7 +23,7 @@ while [[ $# -gt 0 ]]; do
         -b|--board)
             export BOARD="$2"
 
-            if [[ $BOARD =~ ^(pi1|pi2|pi3|pi4|pi5)$ ]]; then
+            if [[ $BOARD =~ ^(pi2|pi3|pi4-64|pi5)$ ]]; then
                 echo "Building for $BOARD"
             else
                 echo "Invalid board $BOARD"
@@ -82,10 +82,6 @@ if [[ -z "${SHM_SIZE+x}" ]]; then
 fi
 
 function prepare_balena_file() {
-    if [[ "$BOARD" == "pi4" ]]; then
-        export BOARD="pi4-64"
-    fi
-
     mkdir -p balena-deploy
     cp balena.yml balena-deploy/
     cat docker-compose.balena.yml.tmpl | \