Artifacts and Multi Arch Builds

munchtoast · Jul 14, 2024 · 9f6fd03 · 9f6fd03
1 parent 0fa3ea6
commit 9f6fd03
Show file tree

Hide file tree

Showing 2 changed files with 97 additions and 11 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -1,6 +1,6 @@
 # GitHub actions workflow which builds and publishes the docker images.
 
-name: Build docker images
+name: Build and Publish Docker Images
 
 on:
   push:
@@ -15,12 +15,24 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm/v6
+          - linux/arm/v7
+          - linux/arm64
     steps:
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV  
+
       - name: Set up QEMU
-        id: qemu
         uses: docker/setup-qemu-action@v3
         with:
-          platforms: arm64
+          platforms: arm64,arm/v6,arm/v7
 
       - name: Set up Docker Buildx
         id: buildx
@@ -29,9 +41,6 @@ jobs:
       - name: Inspect builder
         run: docker buildx inspect
 
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.5.0
-
       - name: Checkout repository
         uses: actions/checkout@v4
 
@@ -70,20 +79,93 @@ jobs:
             org.opencontainers.image.version=${{ env.ELICHIKA_VERSION }}
           tags: "${{ steps.set-tag.outputs.tags }}"
           file: "docker/Dockerfile"
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.platform }}
 
           # arm64 builds OOM without the git fetch setting. c.f.
           # https://github.com/rust-lang/cargo/issues/10583
           build-args: |
             CARGO_NET_GIT_FETCH_WITH_CLI=true
 
-      - name: Sign the images with GitHub OIDC Token
+      - name: Export digest
         env:
           DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        run: |
+          mkdir -p /tmp/digests
+          touch "/tmp/digests/${DIGEST#sha256:}" 
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 7
+
+  publish:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.5.0
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Calculate docker image tag
+        id: set-tag
+        uses: docker/metadata-action@master
+        with:
+          images: |
+            docker.io/yunimoo/elichika
+          flavor: |
+            latest=false
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/fix-docker-build-architecture' }}
+            type=pep440,pattern={{raw}}
+      
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        env:
+          TAGS: ${{ steps.set-tag.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}"
+          done
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf "${images}@sha256:%s " *)
+      
+      - name: Inspect image
+        env:
+          TAGS: ${{ steps.set-tag.outputs.tags }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}"
+          done
+          docker buildx imagetools inspect ${images}
+
+      - name: Sign the images with GitHub OIDC Token
+        working-directory: /tmp/digests
+        env:
           TAGS: ${{ steps.set-tag.outputs.tags }}
         run: |
           images=""
           for tag in ${TAGS}; do
-            images+="${tag}@${DIGEST} "
+            images+=$(printf "${tag}@sha256:%s " *)
           done
           cosign sign --yes ${images}
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,4 +1,6 @@
-FROM docker.io/library/debian:latest AS builder
+FROM --platform=$BUILDPLATFORM docker.io/library/debian:latest AS builder
+
+ARG BUILDPLATFORM
 
 # First - build
 
@@ -26,7 +28,9 @@ RUN export PATH=$PATH:/usr/local/go/bin && go build
 
 ## Second - sort stuff idk
 
-FROM docker.io/library/debian:bookworm-slim
+FROM --platform=$BUILDPLATFORM docker.io/library/debian:bookworm-slim
+
+ARG BUILDPLATFORM
 
 RUN mkdir -p /root/elichika/
 COPY --from=builder /elichika/elichika /root/elichika/elichika