From b817c17d31ffa29291c4f05ec71ca4fff8c9ce62 Mon Sep 17 00:00:00 2001 From: lelia <2418071+lelia@users.noreply.github.com> Date: Fri, 26 Jun 2026 17:29:16 -0400 Subject: [PATCH] ci: publish multi-arch Docker images Signed-off-by: lelia <2418071+lelia@users.noreply.github.com> --- .github/workflows/_docker-pipeline.yml | 109 ++++++++++--------- .github/workflows/publish-docker.yml | 144 +++++++++++++++++++++---- .github/workflows/smoke-test.yml | 15 ++- scripts/integration-test-docker.sh | 2 +- scripts/update_changelog.py | 8 +- 5 files changed, 201 insertions(+), 77 deletions(-) diff --git a/.github/workflows/_docker-pipeline.yml b/.github/workflows/_docker-pipeline.yml index 91d8367..cab2205 100644 --- a/.github/workflows/_docker-pipeline.yml +++ b/.github/workflows/_docker-pipeline.yml @@ -1,13 +1,16 @@ name: _docker-pipeline (reusable) -# Reusable workflow — the single lego brick for all Docker CI steps. +# Reusable workflow — the per-arch lego brick for all Docker CI steps. # -# Called by smoke-test.yml (push: false) and publish-docker.yml (push: true). -# Step visibility is controlled by the push/tag_push inputs; the caller sets permissions. +# Called by smoke-test.yml, dependabot-review.yml (push: false) and +# publish-docker.yml (push: true, once per arch via matrix). # # Two modes: # push: false → build + smoke test + integration test (main image only) -# push: true → above + push exact version tags to GHCR/Docker Hub +# push: true → above + push the built image by digest to GHCR + Docker Hub, +# and upload the resulting digest as an artifact. The caller's +# merge-manifests job assembles per-arch digests into a +# multi-arch manifest list at the user-facing tags. # # Permissions required from the calling workflow: # push: false → contents: read @@ -33,22 +36,23 @@ on: description: "Smoke-test tool set: main or app-tests" type: string required: true - push: - description: "Push to GHCR and Docker Hub after testing" - type: boolean + runs_on: + description: "Runner label (e.g. ubuntu-latest, ubuntu-24.04-arm). The build/test steps run natively on this arch." + type: string required: false - default: false - tag_push: - description: > - True when the caller was triggered by a tag push (e.g. v2.0.0). - Controls semver metadata-action tagging for exact release tags. - Passed explicitly rather than relying on github.ref_type inside the callee, - since context propagation in reusable workflows can be ambiguous. + default: "ubuntu-latest" + arch_label: + description: "Short arch identifier used for digest artifact name and cache scope (e.g. amd64, arm64). Required when push=true." + type: string + required: false + default: "" + push: + description: "Push to GHCR + Docker Hub by digest after testing. The publish workflow merges per-arch digests into a multi-arch manifest list." type: boolean required: false default: false version: - description: "Semver without v prefix (e.g. 2.0.0) — used for OCI labels and push tags" + description: "Semver without v prefix (e.g. 2.0.0) — passed as the SOCKET_BASICS_VERSION build-arg, baked into OCI labels" type: string required: false default: "dev" @@ -60,7 +64,7 @@ on: jobs: pipeline: - runs-on: ubuntu-latest + runs-on: ${{ inputs.runs_on }} timeout-minutes: 60 steps: @@ -87,31 +91,10 @@ jobs: # requests including pulling public base images (python, trivy, trufflehog). # Those public images pull fine without auth; only the push needs credentials. - - name: Extract image metadata - if: inputs.push - id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 - with: - images: | - ghcr.io/socketdev/${{ inputs.name }} - ${{ secrets.DOCKERHUB_USERNAME }}/${{ inputs.name }} - # Disable the automatic :latest tag — metadata-action adds it by default - # for semver tag pushes. Mutable tags are inappropriate for a security tool. - flavor: | - latest=false - tags: | - # Tag push (v2.0.0) → exact immutable version tag only. - # Minor (2.0) and latest tags are intentionally omitted. - type=semver,pattern={{version}} - # workflow_dispatch re-publish → use the version input directly - type=raw,value=${{ inputs.version }},enable=${{ !inputs.tag_push }} - labels: | - org.opencontainers.image.title=${{ inputs.name }} - org.opencontainers.image.source=https://github.com/SocketDev/socket-basics - # ── Step 1: Build ────────────────────────────────────────────────────── # Loads image into the local Docker daemon without pushing. - # Writes all layers to the GHA cache so the push step is just an upload. + # Per-arch cache scope ensures amd64 and arm64 builds don't pollute each + # other's layer cache. arch_label defaults to "smoke" when push=false. - name: 🔨 Build (load for testing) uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: @@ -125,8 +108,8 @@ jobs: SOCKET_BASICS_VERSION=${{ inputs.version }} VCS_REF=${{ github.sha }} BUILD_DATE=${{ github.event.repository.updated_at }} - cache-from: type=gha,scope=${{ inputs.name }} - cache-to: type=gha,mode=max,scope=${{ inputs.name }} + cache-from: type=gha,scope=${{ inputs.name }}-${{ inputs.arch_label || 'smoke' }} + cache-to: type=gha,mode=max,scope=${{ inputs.name }}-${{ inputs.arch_label || 'smoke' }} # Disable attestations for the test build — provenance/SBOM cause BuildKit # to pull docker/buildkit-syft-scanner from Docker Hub, which fails with a # repo-scoped token. Attestations are enabled on the push step only. @@ -153,7 +136,7 @@ jobs: bash ./scripts/integration-test-docker.sh \ --image-tag "$IMAGE_NAME:pipeline-test" - # ── Step 4: Push to registries (publish mode only) ───────────────────── + # ── Step 4: Push by digest (publish mode only) ───────────────────────── # Docker Hub login happens here — after build and tests, immediately before # push. Keeping it here prevents the repo-scoped token from interfering # with public image pulls during the build step. @@ -164,30 +147,50 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - # All layers are in the GHA cache from step 1 — this is just an upload. - - name: 🚀 Push to registries + # Per-arch by-digest push to BOTH registries. No tags are written here; + # the publish workflow's merge-manifests job creates the multi-arch + # manifest list at user-facing tags via `docker buildx imagetools create`. + # Layer cache from step 1 means this is mostly a metadata write + push. + - name: 🚀 Build & push by digest if: inputs.push + id: build-digest uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: # zizmor: ignore[template-injection] — safe: always hardcoded "." from same-repo callers; passed as array element to exec, not shell-interpolated context: ${{ inputs.context }} file: ${{ inputs.dockerfile }} - load: false - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} build-args: | SOCKET_BASICS_VERSION=${{ inputs.version }} VCS_REF=${{ github.sha }} BUILD_DATE=${{ github.event.repository.updated_at }} - cache-from: type=gha,scope=${{ inputs.name }} + # One `--output` per registry → blobs land in both, by digest. + # build-push-action splits this scalar on newlines into separate outputs. + outputs: | + type=image,name=ghcr.io/socketdev/${{ inputs.name }},push-by-digest=true,name-canonical=true,push=true + type=image,name=${{ secrets.DOCKERHUB_USERNAME }}/${{ inputs.name }},push-by-digest=true,name-canonical=true,push=true + cache-from: type=gha,scope=${{ inputs.name }}-${{ inputs.arch_label }} + cache-to: type=gha,mode=max,scope=${{ inputs.name }}-${{ inputs.arch_label }} # SBOM and provenance generation pull docker/buildkit-syft-scanner from # Docker Hub, which fails with a repo-scoped token. Disabled until a # token with broader Docker Hub read access is available. provenance: false sbom: false - # Floating major version tags (v2 → latest v2.x.y) have been intentionally - # removed. Mutable tags are structurally equivalent to :latest and are - # inappropriate for a security tool. Users should pin to an immutable - # version tag or digest and use Dependabot to manage upgrades. + # Persist the per-arch digest as an artifact so the merge-manifests job + # can reference it via `@sha256:` when creating the list. + - name: 📤 Export digest + if: inputs.push + env: + DIGEST: ${{ steps.build-digest.outputs.digest }} + run: | + mkdir -p /tmp/digests + touch "/tmp/digests/${DIGEST#sha256:}" + + - name: ⬆️ Upload digest artifact + if: inputs.push + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: digests-${{ inputs.name }}-${{ inputs.arch_label }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml index 82d10fb..cdf1f13 100644 --- a/.github/workflows/publish-docker.yml +++ b/.github/workflows/publish-docker.yml @@ -1,8 +1,13 @@ name: publish-docker -# Builds, tests, and publishes the socket-basics image to GHCR and Docker Hub. +# Builds, tests, and publishes a multi-arch socket-basics image +# (linux/amd64 + linux/arm64) to GHCR and Docker Hub. # -# Flow: resolve-version → build-test-push → create-release +# Flow: +# resolve-version +# → build-test-push (matrix: amd64 native, arm64 native — each pushes by digest) +# → merge-manifests (assembles per-arch digests into a multi-arch manifest list) +# → create-release (tag pushes only) # # Tag convention: # v2.0.0 — immutable exact release (floating major tags intentionally not published) @@ -19,7 +24,7 @@ on: workflow_dispatch: inputs: tag: - description: "Full git tag to publish (e.g. v2.0.0 for new releases, 1.1.3 for old). Must exist in the repo." + description: "Full git tag to publish (e.g. v2.0.3 or 2.0.3). Must exist in the repo." required: true # Default: deny everything. Each job below grants only what it needs. @@ -39,11 +44,6 @@ jobs: outputs: version: ${{ steps.version.outputs.clean }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }} - persist-credentials: false - - name: 🏷️ Resolve version id: version env: @@ -52,42 +52,150 @@ jobs: REF_NAME: ${{ github.ref_name }} run: | if [ "$EVENT_NAME" = "workflow_dispatch" ]; then - CLEAN="$INPUT_TAG" # full tag as provided (e.g. 1.1.3 or v2.0.0) + CLEAN="$INPUT_TAG" # full tag as provided (e.g. 2.0.3 or v2.0.3) else - CLEAN="$REF_NAME" # e.g. v2.0.0 + CLEAN="$REF_NAME" # e.g. v2.0.3 + fi + CLEAN="${CLEAN#v}" # strip leading v if present → 2.0.3 + if [[ ! "$CLEAN" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "Invalid release tag: $CLEAN" >&2 + exit 1 fi - CLEAN="${CLEAN#v}" # strip leading v if present → 2.0.0 or 1.1.3 echo "clean=$CLEAN" >> "$GITHUB_OUTPUT" + echo "ref=refs/tags/v$CLEAN" >> "$GITHUB_OUTPUT" - # ── Job 2: Build → test → push ───────────────────────────────────────────── - # Delegates all Docker steps to the reusable _docker-pipeline workflow. + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ steps.version.outputs.ref }} + persist-credentials: false + + # ── Job 2: Build → test → push by digest (per arch, native runners) ──────── + # Each matrix entry runs the full build/smoke/integration pipeline on a + # native runner for its target arch and pushes the resulting image by digest + # to both registries. The digest is exported as an artifact for the merge job. build-test-push: - name: publish (socket-basics) + name: publish (${{ matrix.arch }}) needs: resolve-version permissions: contents: read packages: write # push images to GHCR + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runs_on: ubuntu-latest + - arch: arm64 + runs_on: ubuntu-24.04-arm uses: ./.github/workflows/_docker-pipeline.yml with: name: socket-basics dockerfile: Dockerfile context: . check_set: main + runs_on: ${{ matrix.runs_on }} + arch_label: ${{ matrix.arch }} push: true - tag_push: ${{ github.ref_type == 'tag' }} version: ${{ needs.resolve-version.outputs.version }} secrets: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - # ── Job 3: Create GitHub release ─────────────────────────────────────────── - # Runs once after the image is successfully pushed (not for workflow_dispatch + # ── Job 3: Merge per-arch digests into a multi-arch manifest list ────────── + # Floating major version tags (v2 → latest v2.x.y) are intentionally omitted. + # Mutable tags are structurally equivalent to :latest and inappropriate for a + # security tool. Users should pin to an exact version and use Dependabot. + merge-manifests: + name: merge-manifests + needs: [resolve-version, build-test-push] + permissions: + contents: read + packages: write + runs-on: ubuntu-latest + steps: + - name: ⬇️ Download per-arch digest artifacts + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + path: /tmp/digests + pattern: digests-socket-basics-* + merge-multiple: true + + - name: 🔨 Set up Docker Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + + - name: Login to GHCR + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} + + - name: Login to Docker Hub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Extract image metadata + id: meta + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + with: + images: | + ghcr.io/socketdev/socket-basics + ${{ secrets.DOCKERHUB_USERNAME }}/socket-basics + # Disable the automatic :latest tag — metadata-action adds it by default + # for semver tag pushes. Mutable tags are inappropriate for a security tool. + flavor: | + latest=false + tags: | + # Tag push (v2.0.0) → exact immutable version tag only. + type=semver,pattern={{version}} + # workflow_dispatch re-publish → use the version input directly + type=raw,value=${{ needs.resolve-version.outputs.version }},enable=${{ github.event_name == 'workflow_dispatch' }} + + - name: 🧬 Create multi-arch manifest list + working-directory: /tmp/digests + env: + GHCR_IMAGE: ghcr.io/socketdev/socket-basics + DH_IMAGE: ${{ secrets.DOCKERHUB_USERNAME }}/socket-basics + META_TAGS: ${{ steps.meta.outputs.tags }} + run: | + set -euo pipefail + # Each by-digest push from the matrix step landed blobs in BOTH + # registries, so per-registry imagetools-create only writes manifests. + for image in "$GHCR_IMAGE" "$DH_IMAGE"; do + tag_args=() + while IFS= read -r tag; do + [ -z "$tag" ] && continue + case "$tag" in + "$image:"*) tag_args+=(-t "$tag") ;; + esac + done <<< "$META_TAGS" + if [ ${#tag_args[@]} -eq 0 ]; then + echo "→ no tags resolved for $image; skipping" && continue + fi + sources=() + for digest in *; do + sources+=("${image}@sha256:${digest}") + done + echo "→ creating manifest list for $image with ${#sources[@]} arch sources" + docker buildx imagetools create "${tag_args[@]}" "${sources[@]}" + done + + - name: 🔍 Inspect published manifest + env: + GHCR_IMAGE: ghcr.io/socketdev/socket-basics + VERSION: ${{ needs.resolve-version.outputs.version }} + run: docker buildx imagetools inspect "${GHCR_IMAGE}:${VERSION}" + + # ── Job 4: Create GitHub release ─────────────────────────────────────────── + # Runs once after the manifest is published (not for workflow_dispatch # re-publishes — those don't create new releases). # Generates categorised release notes from merged PR labels (.github/release.yml). # CHANGELOG updates are intentionally human-authored in the release PR so this # workflow never needs to push commits to the protected default branch. create-release: - needs: [resolve-version, build-test-push] + needs: [resolve-version, merge-manifests] if: github.ref_type == 'tag' permissions: contents: write # create GitHub release diff --git a/.github/workflows/smoke-test.yml b/.github/workflows/smoke-test.yml index 480e9db..c56af9c 100644 --- a/.github/workflows/smoke-test.yml +++ b/.github/workflows/smoke-test.yml @@ -29,12 +29,25 @@ concurrency: cancel-in-progress: true jobs: + # Native build + smoke per arch. amd64 covers the standard runner; arm64 + # covers ubuntu-24.04-arm and Apple Silicon self-hosted runners (issue #69). + # Native runners build ~5x faster than QEMU and exercise the real binaries. smoke: - name: smoke (socket-basics) + name: smoke (${{ matrix.arch }}) + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runs_on: ubuntu-latest + - arch: arm64 + runs_on: ubuntu-24.04-arm uses: ./.github/workflows/_docker-pipeline.yml with: name: socket-basics dockerfile: Dockerfile context: . check_set: main + runs_on: ${{ matrix.runs_on }} + arch_label: ${{ matrix.arch }} push: false diff --git a/scripts/integration-test-docker.sh b/scripts/integration-test-docker.sh index 748242d..77545ff 100755 --- a/scripts/integration-test-docker.sh +++ b/scripts/integration-test-docker.sh @@ -8,7 +8,7 @@ # # Usage: # ./scripts/integration-test-docker.sh [--image-tag TAG] -# ./scripts/integration-test-docker.sh --image-tag socket-basics:1.1.3 +# ./scripts/integration-test-docker.sh --image-tag socket-basics:2.0.3 set -euo pipefail diff --git a/scripts/update_changelog.py b/scripts/update_changelog.py index 373f4cc..1787c1c 100755 --- a/scripts/update_changelog.py +++ b/scripts/update_changelog.py @@ -85,11 +85,11 @@ def _update_links(content: str, version: str, prev_tag: str) -> str: Update the comparison links block at the bottom of the changelog. Before: - [Unreleased]: .../compare/1.1.3...HEAD + [Unreleased]: .../compare/v2.0.3...HEAD - After publishing v2.0.1: - [Unreleased]: .../compare/v2.0.1...HEAD - [2.0.1]: .../compare/v2.0.0...v2.0.1 + After publishing v2.0.4: + [Unreleased]: .../compare/v2.0.4...HEAD + [2.0.4]: .../compare/v2.0.3...v2.0.4 """ new_tag = _tag(version)