From 012f08c1c81bb53357ad1b0a7ecf140c0c2978dd Mon Sep 17 00:00:00 2001
From: Alex Long
Date: Sun, 25 May 2025 21:26:32 -0600
Subject: [PATCH 1/4] ci: add container builds for arm64
---
 .github/workflows/container-image.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/container-image.yaml b/.github/workflows/container-image.yaml
index 0517b070..3d1c531a 100644
--- a/.github/workflows/container-image.yaml
+++ b/.github/workflows/container-image.yaml
@@ -35,6 +35,12 @@ jobs:
 with:
 images: ghcr.io/${{ env.REPO }}
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
 - name: Login to GitHub Container Registry
 if: github.event_name != 'pull_request'
 uses: docker/login-action@v3
@@ -49,6 +55,7 @@ jobs:
 context: .
 load: ${{ github.event_name == 'pull_request' }}
 push: ${{ github.event_name != 'pull_request' }}
+ platforms: linux/amd64,linux/arm64
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
From 24566534ae2347a932331eb235692db8659da820 Mon Sep 17 00:00:00 2001
From: Alex Long
Date: Mon, 26 May 2025 15:46:56 -0600
Subject: [PATCH 2/4] ci: enable containerd store to bypass docker buildx limitation
---
 .github/workflows/container-image.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/container-image.yaml b/.github/workflows/container-image.yaml
index 3d1c531a..96775c6d 100644
--- a/.github/workflows/container-image.yaml
+++ b/.github/workflows/container-image.yaml
@@ -35,6 +35,16 @@ jobs:
 with:
 images: ghcr.io/${{ env.REPO }}
+ - name: Enable docker containerd store
+ uses: docker/setup-docker-action@v4
+ with:
+ daemon-config: |
+ {
+ "features": {
+ "containerd-snapshotter": true
+ }
+ }
+
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
From ebd00b8342bac1cded1e6133e5d81714cbca1b24 Mon Sep 17 00:00:00 2001
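Review bot: The new `uses: docker/setup-qemu-action@v3` and `uses: docker/setup-buildx-action@v3` lines in the first hunk pull third-party actions by a floating major tag, so whatever that tag resolves to at run time executes inside a job that, per the login step in the surrounding context, authenticates to ghcr.io with `secrets.GITHUB_TOKEN`; a moved or hijacked tag would run with that credential. Pin each action to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: docker/setup-qemu-action@<full-commit-sha> # v3`, and let Dependabot or Renovate advance the SHA. The same applies to `docker/setup-docker-action@v4` added in the patch 2 hunk and to the pre-existing `docker/login-action@v3` and `docker/build-push-action@v6` references visible in the context lines. The `steps:` list these entries belong to starts outside the hunk.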
From: Alex Long
Date: Tue, 27 May 2025 07:10:46 -0600
Subject: [PATCH 3/4] ci: move multiplatform builds to a separate build-push-action invocation
---
 .github/workflows/container-image.yaml | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/container-image.yaml b/.github/workflows/container-image.yaml
index 96775c6d..bc88432f 100644
--- a/.github/workflows/container-image.yaml
+++ b/.github/workflows/container-image.yaml
@@ -35,16 +35,6 @@ jobs:
 with:
 images: ghcr.io/${{ env.REPO }}
- - name: Enable docker containerd store
- uses: docker/setup-docker-action@v4
- with:
- daemon-config: |
- {
- "features": {
- "containerd-snapshotter": true
- }
- }
-
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
@@ -59,17 +49,16 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Build and push Docker image
+ - name: Build and push amd64 Docker image
 uses: docker/build-push-action@v6
 with:
 context: .
 load: ${{ github.event_name == 'pull_request' }}
 push: ${{ github.event_name != 'pull_request' }}
- platforms: linux/amd64,linux/arm64
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
- - name: Scan image
+ - name: Scan amd64 image
 if: github.event_name == 'pull_request'
 uses: aquasecurity/trivy-action@0.30.0
 id: scan
@@ -78,3 +67,12 @@ jobs:
 exit-code: '1'
 ignore-unfixed: true
 severity: 'HIGH,CRITICAL'
+
+ - name: Build and push multiplatform Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
From 9b2a2dff64c7ffdd6717bb0fb52754d4bfa70efa Mon Sep 17 00:00:00 2001
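Review bot: After this split, on any non-`pull_request` event both `docker/build-push-action@v6` steps evaluate `push:` to true and both publish under the same `tags: ${{ steps.meta.outputs.tags }}`, so the amd64-only image from the step in the second hunk is pushed and its tags are then overwritten by the multi-platform manifest from the new step at the end of the third hunk. A consumer pulling between the two pushes receives a single-arch image under a tag whose content changes moments later, and the first push is wasted registry traffic. Either gate the amd64 step to PR runs only (`if: github.event_name == 'pull_request'` with `push: false`) and the new step to everything else, or give the amd64 build a distinct, non-release tag so the two pushes never collide. The `steps:` list these entries belong to starts outside the hunk.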
From: Alex Long
Date: Tue, 27 May 2025 08:23:07 -0600
Subject: [PATCH 4/4] ci: Only scan container on PRs, build and push on other events
---
 .github/workflows/container-image.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/container-image.yaml b/.github/workflows/container-image.yaml
index bc88432f..888ccb0a 100644
--- a/.github/workflows/container-image.yaml
+++ b/.github/workflows/container-image.yaml
@@ -49,12 +49,13 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Build and push amd64 Docker image
+ - name: Build amd64 Docker image for scan
+ if: github.event_name == 'pull_request'
 uses: docker/build-push-action@v6
 with:
 context: .
- load: ${{ github.event_name == 'pull_request' }}
- push: ${{ github.event_name != 'pull_request' }}
+ load: true
+ push: false
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
@@ -69,10 +70,11 @@ jobs:
 severity: 'HIGH,CRITICAL'
 - name: Build and push multiplatform Docker image
+ if: github.event_name != 'pull_request'
 uses: docker/build-push-action@v6
 with:
 context: .
- push: ${{ github.event_name != 'pull_request' }}
+ push: true
 platforms: linux/amd64,linux/arm64
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
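Review bot: With `if: github.event_name != 'pull_request'` and `push: true` on the multiplatform step in the second hunk, every non-PR run publishes the image with no Trivy gate at all: the scan step in the surrounding context is limited to `pull_request`, it inspects an amd64 image `load`ed from a separate build in the first hunk, and the arm64 half of the manifest pushed here is never scanned. Consider removing `if: github.event_name == 'pull_request'` from both the `Build amd64 Docker image for scan` step and the scan step so the scan (whose `exit-code: '1'` already fails the job on HIGH/CRITICAL findings) runs before this push on every event, and additionally point Trivy at the pushed registry reference after this step so the arm64 layers are covered; the scan step's `image-ref` is outside the hunk, so confirm it names a tag that is actually built in the same run. Separately, `!= 'pull_request'` admits every other event the workflow's `on:` block (not visible here) enables — if that includes `pull_request_target` or `workflow_dispatch`, a fork PR head or a manual run would publish to ghcr.io under the release tags, so an explicit condition such as `if: github.event_name == 'push'` is safer. The `steps:` list this entry belongs to starts outside the hunk.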