fix(frontend): allow optional Turbo remote cache in web Docker builds

[mmabrouk]

Summary

This PR adds optional Vercel Turbo Remote Cache support to the web Docker builds in agenta.

The recent CI cache work in agenta_cloud fixed Docker layer caching for image builds. That helped a lot with repeated image builds, but web builds still spent most of their time inside the pnpm turbo run build step. The Docker cache can only reuse that layer when the source tree is unchanged. Small frontend changes still invalidate the layer and force Turbo to rebuild the package graph and Next.js apps from scratch.

This PR makes the web Dockerfiles able to consume Turbo remote cache credentials when they are provided by CI. When those credentials are not present, the build keeps the existing behavior and uses the local BuildKit cache mounts only.

What changed

Shared helper

• Added web/docker/run-turbo-build.sh
• The helper checks whether /run/secrets/turbo_team and /run/secrets/turbo_token are present and non-empty
• If both exist, it exports TURBO_TEAM and TURBO_TOKEN before running pnpm turbo run build
• If either secret is missing, it prints a short fallback message and runs the same Turbo command without remote cache credentials

OSS web Dockerfile

• Updated web/oss/docker/Dockerfile.gh
• Copies the shared helper into the builder image
• Uses BuildKit secret mounts for turbo_team and turbo_token on the Turbo build step
• Keeps the existing local cache mounts for .turbo and .next/cache

EE web Dockerfile

• Updated web/ee/docker/Dockerfile.gh
• Uses the same helper and the same optional BuildKit secret mounts
• Keeps the current local cache mounts intact

Why this is safe

The main requirement here is not breaking local builds or environments that do not have Vercel cache credentials.

This implementation keeps that contract:

• The secret mounts are marked required=false
• If CI does not pass the secrets, Docker still builds successfully
• If a developer runs the Docker build locally without any secrets, the helper falls back to the existing local Turbo cache behavior
• No secret values are printed to logs

Flow with secrets

1. CI passes TURBO_TEAM and TURBO_TOKEN into the Docker build as BuildKit secrets
2. The Dockerfile mounts those secrets only for the Turbo build step
3. run-turbo-build.sh exports the values and runs pnpm turbo run build
4. Turbo can reuse Vercel remote cache artifacts across CI runs

Flow without secrets

1. No Turbo secrets are passed
2. The Dockerfile still builds because the mounts are optional
3. run-turbo-build.sh detects that the secrets are missing
4. The same Turbo command runs with the current local cache mounts only

Why this PR is separate from agenta_cloud

The agenta_cloud workflow checks out this repo and uses the Dockerfiles from here. That means agenta_cloud cannot activate Turbo remote caching by itself. It also needs these Dockerfiles to understand the BuildKit secrets.

This PR is paired with an agenta_cloud PR that passes the optional secrets into the web image build.

Validation

• sh -n web/docker/run-turbo-build.sh
• git diff --check
• Reviewed the secret path end to end to confirm the fallback path remains unchanged when secrets are absent

Companion PR

• agenta_cloud: wires TURBO_TEAM and TURBO_TOKEN into the web image build as BuildKit secrets

---

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agenta-documentation	Ready	Preview, Comment	Mar 11, 2026 9:59pm

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[github-actions]

Railway Preview Environment

Preview URL	https://gateway-production-48ce.up.railway.app/w
Project	agenta-oss-pr-3967
Image tag	pr-3967-7cb9fef
Status	Deployed
Railway logs	Open logs
Workflow logs	View workflow run
Updated at 2026-03-12T14:10:05.570Z