build arm images

.github/workflows/publish-image.yml

@@ -15,58 +15,22 @@ on:
       - '*'
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
-
+env:
+  DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+  GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
+  GHCR_ENABLED: "${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) && 'true' || 'false' }}"
 jobs:
 
-  build-and-push-image:
+  define-variables:
     runs-on: ubuntu-latest
-    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+
-    permissions:
+    outputs:
-      contents: read
+      images: ${{ steps.var.outputs.images }}
-      packages: write
+      images_list: ${{ steps.var.outputs.images_list }}
-      attestations: write
+      build_matrix: ${{ steps.var.outputs.build_matrix }}
-      id-token: write
+      merge_matrix: ${{ steps.var.outputs.merge_matrix }}
-    env:
+
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
-      GHCR_ENABLED: "${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) && 'true' || 'false' }}"
-    strategy:
-      matrix:
-        target:
-          - base
-          - haswell
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          persist-credentials: false
-        
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-            registry: ghcr.io
-            username: ${{ github.actor }}
-            password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Docker Hub
-        if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
-        uses: docker/login-action@v3
-        with:
-            registry: docker.io
-            username: ${{ vars.DOCKER_USERNAME }}
-            password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GitLab Container Registry
-        if: ${{ (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '') }}
-        uses: docker/login-action@v3
-        with:
-            registry: registry.gitlab.com
-            username: ${{ vars.GITLAB_USERNAME }}
-            password: ${{ secrets.GITLAB_TOKEN }}
-            
       - name: Setting variables
         uses: actions/github-script@v7
         id: var
@@ -93,40 +57,84 @@ jobs:
               images.push(glhrImage)
             }
             core.setOutput('images', images.join("\n"))
+            core.setOutput('images_list', images.join(","))
+            const platforms = ['linux/amd64', 'linux/arm64']
+            // specific CPU build variations
+            const includes = [
+              {
+                platform: 'linux/amd64',
+                target_cpu: 'haswell',
+                tag_suffix: '-haswell'
+              }
+            ]
+            // Image builds
+            core.setOutput('build_matrix', JSON.stringify({
+              platform: platforms,
+              target_cpu: ['base'],
+              include: includes
+            }))
+            // image publishes
+            core.setOutput('merge_matrix', JSON.stringify({
+              tag_suffix: ['', ...includes.map((i) => i.tag_suffix).filter((i) => typeof i == 'string')]
+            }))
+  build-image:
+    runs-on: ubuntu-latest
+    
+    needs: define-variables
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    strategy:
+      matrix: ${{ fromJSON(needs.define-variables.outputs.build_matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      
+      # For publishing multi-platform manifests
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to Docker Hub
+        if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
+        uses: docker/login-action@v3
+        with:
+            registry: docker.io
+            username: ${{ vars.DOCKER_USERNAME }}
+            password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitLab Container Registry
+        if: ${{ (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '') }}
+        uses: docker/login-action@v3
+        with:
+            registry: registry.gitlab.com
+            username: ${{ vars.GITLAB_USERNAME }}
+            password: ${{ secrets.GITLAB_TOKEN }}
 
       # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
       - name: Extract metadata (tags, labels) for Docker
-        id: meta-base
-        if: ${{ matrix.target == 'base' }}
-        uses: docker/metadata-action@v5
-        with:
-          flavor: |
-            suffix=-tiny
-          tags: |
-            type=semver,pattern=v{{version}}
-            type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }}
-            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
-            type=ref,event=branch
-            type=ref,event=pr
-          images: ${{steps.var.outputs.images}}
-          # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
-        env:
-          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
-
-      - name: Extract metadata (tags, labels) for Docker (optimised)
         id: meta
-        if: ${{ matrix.target != 'base' }}
         uses: docker/metadata-action@v5
         with:
-          flavor: |
+          images: ${{needs.define-variables.outputs.images}}
-            suffix=-tiny-${{ matrix.target }}
-          tags: |
-            type=semver,pattern=v{{version}}
-            type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }}
-            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
-            type=ref,event=branch
-            type=ref,event=pr
-          images: ${{steps.var.outputs.images}}
           # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
@@ -136,7 +144,7 @@ jobs:
       # We use 
       - uses: Swatinem/rust-cache@v2
         with:
-          prefix-key: v0-rust-${{matrix.target}}
+          prefix-key: v0-rust-${{matrix.platform}}-${{matrix.target_cpu}}
         id: rust-cache
 
       - name: Inject cache into Docker
@@ -153,17 +161,111 @@ jobs:
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
       # It will not push images generated from a pull request
-      - name: Build and push Docker image
+      - name: Build and push Docker image by digest
-        id: push
+        id: build
         uses: docker/build-push-action@v6
         with:
           context: .
           file: "Containerfile"
-          build-args: ${{ matrix.target != 'base' && format('TARGET_CPU={0}', matrix.target) || '' }}
+          build-args: ${{ matrix.target_cpu != 'base' && format('TARGET_CPU={0}', matrix.target_cpu) || '' }}
+          platforms: ${{ matrix.platform }}
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ matrix.target == 'base' && steps.meta-base.outputs.tags || steps.meta.outputs.tags }}
+          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ matrix.target == 'base' && steps.meta-base.outputs.labels || steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ matrix.target == 'base' && steps.meta-base.outputs.annotations || steps.meta.outputs.annotations }}
+          annotations: ${{ steps.meta.outputs.annotations }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           sbom: true
+          outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
+
+      # For publishing multi-platform manifests
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"          
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{matrix.tag_suffix || ''}}digests-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+  
+  merge:
+    runs-on: ubuntu-latest
+    needs: [define-variables, build-image]
+    strategy:
+      matrix: ${{ fromJSON(needs.define-variables.outputs.merge_matrix) }}
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: ${{matrix.tag_suffix || ''}}digests-*
+          merge-multiple: true
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to Docker Hub
+        if: ${{ (vars.DOCKER_USERNAME != '') && (env.DOCKERHUB_TOKEN != '') }}
+        uses: docker/login-action@v3
+        with:
+            registry: docker.io
+            username: ${{ vars.DOCKER_USERNAME }}
+            password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitLab Container Registry
+        if: ${{ (vars.GITLAB_USERNAME != '') && (env.GITLAB_TOKEN != '') }}
+        uses: docker/login-action@v3
+        with:
+            registry: registry.gitlab.com
+            username: ${{ vars.GITLAB_USERNAME }}
+            password: ${{ secrets.GITLAB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          flavor: |
+            suffix=-tiny${{ matrix.tag_suffix }}
+          tags: |
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }}
+            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+            type=ref,event=branch
+            type=ref,event=pr
+          images: ${{needs.define-variables.outputs.images}}
+          # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: index,manifest         
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        env:
+          IMAGES: ${{needs.define-variables.outputs.images}}
+        run: |
+          IMAGES_LIST=($IMAGES)
+          for REPO in "${IMAGES_LIST[@]}"; do
+            docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ 
+              $(printf -- "--annotation \"%s\" " "${DOCKER_METADATA_OUTPUT_ANNOTATIONS[@]}") \
+              $(printf "$REPO@sha256:%s " *)
+          done
+
+      - name: Inspect image
+        env:
+          IMAGES: ${{needs.define-variables.outputs.images}}
+        run: |
+          IMAGES_LIST=($IMAGES)
+          for REPO in "${IMAGES_LIST[@]}"; do
+            docker buildx imagetools inspect $REPO:${{ steps.meta.outputs.version }}
+          done