Merge pull request #1549 from mnfst/fix/docker-native-arm64-runners

brunobuddy · web-flow · commit e1e07e32042f · 2026-04-12T21:59:35.000-07:00
ci(docker): build arm64 on native runners, drop QEMU emulation
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -25,30 +25,93 @@ on:
 permissions:
   contents: read
 
+env:
+  IMAGE: manifestdotbuild/manifest
+
 jobs:
   validate:
-    name: Build (validate)
+    name: Build (validate, ${{ matrix.platform.arch }})
     if: github.event_name == 'pull_request'
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - { os: ubuntu-latest, arch: amd64 }
+          - { os: ubuntu-24.04-arm, arch: arm64 }
+    runs-on: ${{ matrix.platform.os }}
     steps:
       - uses: actions/checkout@v4
 
-      - uses: docker/setup-qemu-action@v3
-
       - uses: docker/setup-buildx-action@v3
 
       - uses: docker/build-push-action@v6
         with:
           context: .
           file: docker/Dockerfile
           push: false
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          platforms: linux/${{ matrix.platform.arch }}
+          cache-from: type=gha,scope=${{ matrix.platform.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.platform.arch }}
+
+  build:
+    name: Build (${{ matrix.platform.arch }})
+    if: github.event_name == 'workflow_dispatch'
+    strategy:
+      fail-fast: true
+      matrix:
+        platform:
+          - { os: ubuntu-latest, arch: amd64 }
+          - { os: ubuntu-24.04-arm, arch: arm64 }
+    runs-on: ${{ matrix.platform.os }}
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ${{ env.IMAGE }}
+
+      - id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: linux/${{ matrix.platform.arch }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=${{ env.IMAGE }},push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha,scope=${{ matrix.platform.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.platform.arch }}
+          sbom: true
+          provenance: mode=max
 
-  publish:
-    name: Build & Publish
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.platform.arch }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    name: Merge & Publish
     if: github.event_name == 'workflow_dispatch'
+    needs: build
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -68,7 +131,12 @@ jobs:
           fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
-      - uses: docker/setup-qemu-action@v3
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
 
       - uses: docker/setup-buildx-action@v3
 
@@ -80,7 +148,7 @@ jobs:
       - uses: docker/metadata-action@v5
         id: meta
         with:
-          images: manifestdotbuild/manifest
+          images: ${{ env.IMAGE }}
           flavor: |
             latest=true
           tags: |
@@ -89,27 +157,34 @@ jobs:
             type=semver,pattern={{major}},value=${{ steps.version.outputs.version }}
             type=sha
 
-      - uses: docker/build-push-action@v6
-        id: build
-        with:
-          context: .
-          file: docker/Dockerfile
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          sbom: true
-          provenance: mode=max
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create \
+            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.IMAGE }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.meta.outputs.version }}
 
       - uses: sigstore/cosign-installer@v3
 
       - name: Sign published image
         env:
           TAGS: ${{ steps.meta.outputs.tags }}
-          DIGEST: ${{ steps.build.outputs.digest }}
+          VERSION: ${{ steps.meta.outputs.version }}
         run: |
+          # Extract the manifest-list digest from the freshly-pushed tag.
+          # Uses the pattern established by the dagger project and others: format
+          # the full inspect output as JSON and pull .manifest.digest out with jq.
+          DIGEST=$(docker buildx imagetools inspect "${{ env.IMAGE }}:${VERSION}" --format '{{json .}}' | jq -r '.manifest.digest')
+          if [ -z "$DIGEST" ] || [ "$DIGEST" = "null" ]; then
+            echo "::error::Failed to extract manifest-list digest for ${{ env.IMAGE }}:${VERSION}"
+            docker buildx imagetools inspect "${{ env.IMAGE }}:${VERSION}" --format '{{json .}}'
+            exit 1
+          fi
+          echo "Signing manifest list digest: $DIGEST"
           for tag in ${TAGS}; do
             cosign sign --yes "${tag}@${DIGEST}"
           done
