1515 registry :
1616 description : The registry to push container images to.
1717 type : string
18- required : true
18+ required : false
19+ default : ghcr.io
1920 username :
2021 description : The username for the registry.
2122 type : string
@@ -69,28 +70,33 @@ jobs:
6970 replace-with : " $1"
7071 flags : " g"
7172
72- # This is the intended approach to multi-arch image and all the other checks scanning,
73- # signing, etc only trigger from this.
74- call-build-images :
75- needs :
76- - call-build-images-meta
77- name : Multiarch container images to GHCR
78- runs-on : ubuntu-latest
79- environment : ${{ inputs.environment }}
73+ # Taken from https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
74+ # We split this out to make it easier to restart just one of them if it fails and do all in parallel
75+ call-build-single-arch-container-images :
76+ # Allow us to continue to create a manifest if we want
77+ continue-on-error : true
8078 permissions :
8179 contents : read
8280 packages : write
83- outputs :
84- production-digest : ${{ steps.build_push.outputs.digest }}
85- debug-digest : ${{ steps.debug_build_push.outputs.digest }}
81+ strategy :
82+ fail-fast : false
83+ matrix :
84+ platform :
85+ - amd64
86+ - arm64
87+ - arm/v7
88+ target :
89+ - production
90+ - debug
91+ name : ${{ matrix.platform }}/${{ matrix.target }} container image build
92+ # Use GitHub Actions ARM hosted runners
93+ runs-on : ${{ (contains(matrix.platform, 'arm') && 'ubuntu-22.04-arm') || 'ubuntu-latest' }}
8694 steps :
87- - name : Checkout code for modern style builds
95+ - name : Checkout code
8896 uses : actions/checkout@v4
8997 with :
9098 ref : ${{ inputs.ref }}
91-
92- - name : Set up QEMU
93- uses : docker/setup-qemu-action@v3
99+ token : ${{ secrets.token }}
94100
95101 - name : Set up Docker Buildx
96102 uses : docker/setup-buildx-action@v3
@@ -99,37 +105,108 @@ jobs:
99105 uses : docker/login-action@v3
100106 with :
101107 registry : ${{ inputs.registry }}
102- username : ${{ inputs.username }}
108+ username : ${{ github.actor }}
103109 password : ${{ secrets.token }}
104110
105- - name : Extract metadata from Github
106- id : meta
107- uses : docker/metadata-action@v5
108- with :
109- images : ${{ inputs.registry }}/${{ inputs.image }}
110- tags : |
111- raw,${{ inputs.version }}
112- raw,${{ needs.call-build-images-meta.outputs.major-version }}
113- raw,latest
114-
115- name : Build the production images
116- id : build_push
111+ - name : Build and push by digest the standard ${{ matrix.target }} image
112+ id : build
117113 uses : docker/build-push-action@v6
118114 with :
115+ # Use path context rather than Git context as we want local files
119116 file : ./dockerfiles/Dockerfile
120117 context : .
121- tags : ${{ steps.meta.outputs.tags }}
122- labels : ${{ steps.meta.outputs.labels }}
123- platforms : linux/amd64, linux/arm64, linux/arm/v7, linux/s390x
124- target : production
118+ target : ${{ matrix.target }}
119+ outputs : type=image,name=${{ inputs.registry }}/${{ inputs.image }},push-by-digest=true,name-canonical=true,push=true
120+ platforms : linux/${{ matrix.platform }}
125121 # Must be disabled to provide legacy format images from the registry
126122 provenance : false
127123 push : true
128124 load : false
129125 build-args : |
130126 FLB_NIGHTLY_BUILD=${{ inputs.unstable }}
131127 RELEASE_VERSION=${{ inputs.version }}
128+ WAMR_BUILD_TARGET=${{ (contains(matrix.platform, 'arm/v7') && 'ARMV7') || '' }}
129+
130+ name : Export ${{ matrix.target }} digest
131+ run : |
132+ mkdir -p /tmp/digests
133+ digest="${{ steps.build.outputs.digest }}"
134+ touch "/tmp/digests/${digest#sha256:}"
135+ shell : bash
136+
137+ - name : Upload ${{ matrix.target }} digest
138+ uses : actions/upload-artifact@v4
139+ with :
140+ name : ${{ matrix.target }}-digests-${{ (contains(matrix.platform, 'arm/v7') && 'arm-v7') || matrix.platform }}
141+ path : /tmp/digests/*
142+ if-no-files-found : error
143+ retention-days : 1
144+
145+ # Take the digests and produce a multi-arch manifest from them.
146+ call-build-container-image-manifests :
147+ permissions :
148+ contents : read
149+ packages : write
150+ name : Upload multi-arch container image manifests
151+ runs-on : ubuntu-latest
152+ needs :
153+ - call-build-images-meta
154+ - call-build-single-arch-container-images
155+ outputs :
156+ version : ${{ steps.meta.outputs.version }}
157+ steps :
158+ - name : Extract metadata from Github
159+ id : meta
160+ uses : docker/metadata-action@v5
161+ with :
162+ images : ${{ inputs.registry }}/${{ inputs.image }}
163+ tags : |
164+ raw,${{ inputs.version }}
165+ raw,${{ needs.call-build-images-meta.outputs.major-version }}
166+ raw,latest
167+
168+ name : Download production digests
169+ uses : actions/download-artifact@v4
170+ with :
171+ pattern : production-digests-*
172+ path : /tmp/production-digests
173+ merge-multiple : true
174+
175+ - name : Set up Docker Buildx
176+ uses : docker/setup-buildx-action@v3
177+
178+ - name : Log in to the Container registry
179+ uses : docker/login-action@v3
180+ with :
181+ registry : ${{ inputs.registry }}
182+ username : ${{ github.actor }}
183+ password : ${{ secrets.token }}
184+
185+ - name : Create production manifest
186+ run : |
187+ docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
188+ $(printf '${{ inputs.registry }}/${{ inputs.image }}@sha256:%s ' *)
189+ shell : bash
190+ working-directory : /tmp/production-digests
132191
192+ - name : Inspect image
193+ run : |
194+ docker buildx imagetools inspect ${{ inputs.registry }}/${{ inputs.image }}:${{ steps.meta.outputs.version }}
195+ shell : bash
196+
197+ # Take the digests and produce a multi-arch manifest from them.
198+ call-build-debug-container-image-manifests :
199+ permissions :
200+ contents : read
201+ packages : write
202+ name : Upload debug multi-arch container image manifests
203+ runs-on : ubuntu-latest
204+ needs :
205+ - call-build-images-meta
206+ - call-build-single-arch-container-images
207+ outputs :
208+ version : ${{ steps.debug-meta.outputs.version }}
209+ steps :
133210 - id : debug-meta
134211 uses : docker/metadata-action@v5
135212 with :
@@ -139,28 +216,39 @@ jobs:
139216 raw,${{ needs.call-build-images-meta.outputs.major-version }}-debug
140217 raw,latest-debug
141218
142- name : Build the debug multi-arch images
143- id : debug_build_push
144- uses : docker/build-push-action@v6
219+ name : Download debug digests
220+ uses : actions/download-artifact@v4
145221 with :
146- file : ./dockerfiles/Dockerfile
147- context : .
148- tags : ${{ steps.debug-meta.outputs.tags }}
149- labels : ${{ steps.debug-meta.outputs.labels }}
150- platforms : linux/amd64, linux/arm64, linux/arm/v7, linux/s390x
151- # Must be disabled to provide legacy format images from the registry
152- provenance : false
153- target : debug
154- push : true
155- load : false
156- build-args : |
157- FLB_NIGHTLY_BUILD=${{ inputs.unstable }}
158- RELEASE_VERSION=${{ inputs.version }}
222+ pattern : debug-digests-*
223+ path : /tmp/debug-digests
224+ merge-multiple : true
225+
226+ - name : Set up Docker Buildx
227+ uses : docker/setup-buildx-action@v3
228+
229+ - name : Log in to the Container registry
230+ uses : docker/login-action@v3
231+ with :
232+ registry : ${{ inputs.registry }}
233+ username : ${{ github.actor }}
234+ password : ${{ secrets.token }}
235+
236+ - name : Create debug manifest
237+ run : |
238+ docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
239+ $(printf '${{ inputs.registry }}/${{ inputs.image }}@sha256:%s ' *)
240+ shell : bash
241+ working-directory : /tmp/debug-digests
242+
243+ - name : Inspect image
244+ run : |
245+ docker buildx imagetools inspect ${{ inputs.registry }}/${{ inputs.image }}:${{ steps.debug-meta.outputs.version }}
246+ shell : bash
159247
160248 call-build-images-generate-schema :
161249 needs :
162250 - call-build-images-meta
163- - call-build-images
251+ - call-build-container-image-manifests
164252 runs-on : ubuntu-latest
165253 environment : ${{ inputs.environment }}
166254 permissions :
@@ -190,7 +278,7 @@ jobs:
190278 call-build-images-scan :
191279 needs :
192280 - call-build-images-meta
193- - call-build-images
281+ - call-build-container-image-manifests
194282 name : Trivy + Dockle image scan
195283 runs-on : ubuntu-latest
196284 environment : ${{ inputs.environment }}
@@ -225,7 +313,8 @@ jobs:
225313 call-build-images-sign :
226314 needs :
227315 - call-build-images-meta
228- - call-build-images
316+ - call-build-container-image-manifests
317+ - call-build-debug-container-image-manifests
229318 name : Deploy and sign multi-arch container image manifests
230319 permissions :
231320 contents : read
@@ -246,13 +335,13 @@ jobs:
246335 #
247336 # We use recursive signing on the manifest to cover all the images.
248337 run : |
249- cosign sign --recursive \
338+ cosign sign --recursive --force \
250339 -a "repo=${{ github.repository }}" \
251340 -a "workflow=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
252341 -a "ref=${{ github.sha }}" \
253342 -a "release=${{ inputs.version }}" \
254- "${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-images .outputs.production-digest }}" \
255- "${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-images .outputs.debug-digest }}"
343+ "${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-container-image-manifests .outputs.version }}" \
344+ "${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-debug-container-image-manifests .outputs.version }}"
256345shell : bash
257346 # Ensure we move on to key-based signing as well
258347 continue-on-error : true
@@ -265,13 +354,13 @@ jobs:
265354 # The key needs to cope with newlines
266355 run : |
267356 echo -e "${COSIGN_PRIVATE_KEY}" > /tmp/my_cosign.key
268- cosign sign --key /tmp/my_cosign.key --recursive \
357+ cosign sign --key /tmp/my_cosign.key --recursive --force \
269358 -a "repo=${{ github.repository }}" \
270359 -a "workflow=${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
271360 -a "ref=${{ github.sha }}" \
272361 -a "release=${{ inputs.version }}" \
273- "${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-images .outputs.production-digest }}" \
274- "${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-images .outputs.debug-digest }}"
362+ "${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-container-image-manifests .outputs.version }}" \
363+ "${{ inputs.registry }}/${{ inputs.image }}@${{ needs.call-build-debug-container-image-manifests .outputs.version }}"
275364 rm -f /tmp/my_cosign.key
276365shell : bash
277366 continue-on-error : true
0 commit comments