Skip to content

ci: add support for multiarch build #9

ci: add support for multiarch build

ci: add support for multiarch build #9

Workflow file for this run

name: Build Ockam Distroless Images
on:
workflow_dispatch:
inputs:
commit_sha:
description: Git commit sha, on which, to run this workflow
push:
paths:
- 'tools/docker/wolfi/**'
permissions:
contents: read
defaults:
run:
shell: bash
env:
ARCH_TO_BUILD_IMAGES: amd64,arm64
ORGANIZATION: ${{ github.repository_owner }}
jobs:
build_base_image:
name: "Build Ockam Distroless Base Image"
runs-on: ubuntu-20.04
permissions:
packages: write
# environment: release
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
ref: ${{ github.event.inputs.commit_sha }}
- name: Generate Signing Key
run: docker run --rm -v "${PWD}":/work cgr.dev/chainguard/melange keygen
- name: Build Erlang Image
run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/erlang_package.yaml -k melange.rsa.pub --signing-key melange.rsa --arch ${{ env.ARCH_TO_BUILD_IMAGES }}
- name: Build Elixir Image
run: docker run --rm --privileged -v "${PWD}":/work cgr.dev/chainguard/melange build tools/docker/wolfi/elixir_package.yaml -k melange.rsa.pub --signing-key melange.rsa --arch ${{ env.ARCH_TO_BUILD_IMAGES }}
- name: Build Builder Image
run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/builder_image.yaml -k melange.rsa.pub ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest builder_image.tar
- name: Build Base Image
run: docker run --rm -v ${PWD}:/work -w /work cgr.dev/chainguard/apko build tools/docker/wolfi/base_image.yaml -k melange.rsa.pub ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest base_image.tar
- name: Load Images
run: |
docker load < base_image.tar
docker load < builder_image.tar
- uses: docker/login-action@bc135a1993a1d0db3e9debefa0cfcb70443cc94c # v2.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push Images
run: |
manifests=""
IFS=';' read -ra ARCHS <<< "$ARCH_TO_BUILD_IMAGES"
for arch in "${ARCHS[@]}"; do
echo "Pushing for ${arch}"
docker push ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest-${arch}
docker push ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest-${arch}
base_manifests="${base_manifests} --amend ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest-${arch}"
builder_manifests="${builder_manifests} --amend ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest-${arch}"
done
# Create manifest
docker manifest create ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest $base_manifests
docker manifest create ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest $builder_manifests
docker manifest push ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest
docker manifest push ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest
- name: Get Image ref
id: image_ref
run: |
base=$(docker image inspect ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest | jq -r .[0].Id)
builder=$(docker image inspect ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest | jq -r .[0].Id)
echo "BUILDER=$builder" >> $GITHUB_OUTPUT
echo "BASE=$base" >> $GITHUB_OUTPUT
- name: Install Cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19
with:
cosign-release: 'v2.2.1'
- uses: build-trust/.github/actions/image_cosign@custom-actions
with:
cosign_private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
cosign_password: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-base:latest'
ref: ${{ steps.image_ref.outputs.BASE }}
- uses: build-trust/.github/actions/image_cosign@custom-actions
with:
cosign_private_key: '${{ secrets.COSIGN_PRIVATE_KEY }}'
cosign_password: '${{ secrets.COSIGN_PRIVATE_KEY_PASSWORD }}'
image: 'ghcr.io/${{ env.ORGANIZATION }}/ockam-elixir-builder:latest'
ref: ${{ steps.image_ref.outputs.BUILDER }}