Are you using a self-hosted runner or are you using the hosted Github runner?

the step before these should provide the caching. Have a look in the runner logs to see if there are any hints to why it is having to rebuild instead of pulling from these caches.

      - uses: docker/build-push-action@v5
        with:
          context: .
          cache-from: type=gha
          cache-to: type=gha,mode=max

I do not think that OTP are a replacement for passwords as they are two different levels of security. Passwords is something a user knows while OTP is something a user has. I'll have to think about this as a OTP and Passkey cover the same level of security but with different approaches. Passkeys are much more secure than OTP and it baffles me that financial institutions haven't moved over to this technology. I know of someone who was recently social engineered to provide their OTP to a bad actor and they had their bank account drained. The same situation would not have happened if the bank had implemented Passkeys as they are not something that can be shared. 

I'll look into this to see if anything has changed with Importmaps in the past few months. However, the last time I looked, there's a lot of "going against the grain" with importmaps when it comes to javascript libraries that also provide their own CSS. My initial thought is that you would still need to use Yarn to also bring in those libraries so that you can consume the CSS.

I'm glad you were able to figure out a solution, would you mind posting it in case it helps someone else?

Smaller applications, I'm thinking like Campfire, makes sense to go without a dockerized environment. But, at the same time, if you have to context switch a lot between different applications, it can really solve environmental conflicts (different PG versions, imagemagick versions, etc.) Ideally, all of our apps will be on the same version and updated, but that's not always reality.