feat: split Docker builds from GoReleaser into native CI jobs

mchmarny · mchmarny · commit d1ad1d5606aa · 2026-02-11T04:14:41.000-08:00
Move validator Docker image builds out of GoReleaser dockers_v2 into dedicated per-arch CI jobs using native runners (ubuntu-latest for amd64, ubuntu-arm64 for arm64). This eliminates QEMU emulation and the experimental dockers_v2 feature. GoReleaser now creates a draft release. A new publish job gates on both GoReleaser and Docker manifest completion before making the release public, ensuring all artifacts are available atomically. Revert point: ed2079e
diff --git a/.github/actions/go-build-release/action.yml b/.github/actions/go-build-release/action.yml
@@ -36,9 +36,6 @@ runs:
         install_syft: 'true'
         install_goreleaser: 'true'
 
-    - name: Setup Docker Buildx
-      uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
-
     - name: Authenticate to registry
       uses: ./.github/actions/ghcr-login
       with:
diff --git a/.github/workflows/on-tag.yaml b/.github/workflows/on-tag.yaml
@@ -26,6 +26,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
 
+env:
+  VALIDATOR_IMAGE: ghcr.io/nvidia/eidos-validator
+
 jobs:
 
   # =============================================================================
@@ -99,13 +102,13 @@ jobs:
           go_version: ${{ steps.versions.outputs.go }}
 
   # =============================================================================
-  # Build Job (runs after all tests pass)
+  # Build Job: GoReleaser (binaries, ko images, draft GitHub release)
   # =============================================================================
 
   build:
-    name: Build and Release
+    name: Build and Release (Draft)
     runs-on: ubuntu-latest
-    needs: [unit, integration, e2e]  # Wait for all tests to pass
+    needs: [unit, integration, e2e]
     timeout-minutes: 30
     outputs:
       release_outcome: ${{ steps.release.outputs.release_outcome }}
@@ -135,14 +138,144 @@ jobs:
         uses: ./.github/actions/go-build-release
 
   # =============================================================================
-  # Attestation Job (runs after build succeeds)
+  # Docker Jobs: Native per-arch validator builds (parallel with GoReleaser)
+  # =============================================================================
+
+  docker-amd64:
+    name: Docker Validator (amd64)
+    runs-on: ubuntu-latest
+    needs: [unit, integration, e2e]
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
+
+      - name: Authenticate to registry
+        uses: ./.github/actions/ghcr-login
+
+      - name: Build and push
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6.15.0
+        with:
+          context: .
+          file: Dockerfile.validator
+          platforms: linux/amd64
+          push: true
+          tags: ${{ env.VALIDATOR_IMAGE }}:${{ github.ref_name }}-amd64
+          labels: |
+            org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
+            org.opencontainers.image.title=eidos-validator
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ github.ref_name }}
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+
+  docker-arm64:
+    name: Docker Validator (arm64)
+    runs-on: ubuntu-arm64
+    needs: [unit, integration, e2e]
+    timeout-minutes: 15
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
+
+      - name: Authenticate to registry
+        uses: ./.github/actions/ghcr-login
+
+      - name: Build and push
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4  # v6.15.0
+        with:
+          context: .
+          file: Dockerfile.validator
+          platforms: linux/arm64
+          push: true
+          tags: ${{ env.VALIDATOR_IMAGE }}:${{ github.ref_name }}-arm64
+          labels: |
+            org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
+            org.opencontainers.image.title=eidos-validator
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.version=${{ github.ref_name }}
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+
+  # =============================================================================
+  # Docker Manifest: Combine per-arch images into multi-arch manifests
+  # =============================================================================
+
+  docker-manifest:
+    name: Docker Manifest
+    runs-on: ubuntu-latest
+    needs: [docker-amd64, docker-arm64]
+    timeout-minutes: 5
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Authenticate to registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Create and push manifests
+        env:
+          TAG: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+
+          # Extract major and minor versions (e.g., v0.5.7 -> v0, v0.5)
+          MAJOR="v$(echo "$TAG" | sed 's/^v//' | cut -d. -f1)"
+          MAJOR_MINOR="v$(echo "$TAG" | sed 's/^v//' | cut -d. -f1-2)"
+
+          # Create and push manifest for each tag
+          for MANIFEST_TAG in "$TAG" "$MAJOR" "$MAJOR_MINOR" "latest"; do
+            docker manifest create "$VALIDATOR_IMAGE:$MANIFEST_TAG" \
+              "$VALIDATOR_IMAGE:$TAG-amd64" \
+              "$VALIDATOR_IMAGE:$TAG-arm64"
+            docker manifest push "$VALIDATOR_IMAGE:$MANIFEST_TAG"
+            echo "Pushed manifest: $VALIDATOR_IMAGE:$MANIFEST_TAG"
+          done
+
+  # =============================================================================
+  # Publish: Flip draft release to public after all artifacts are ready
+  # =============================================================================
+
+  publish:
+    name: Publish Release
+    runs-on: ubuntu-latest
+    needs: [build, docker-manifest]
+    if: needs.build.outputs.release_outcome == 'success'
+    timeout-minutes: 5
+    permissions:
+      contents: write
+    steps:
+      - name: Publish GitHub release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          gh release edit "${{ github.ref_name }}" \
+            --repo "${{ github.repository }}" \
+            --draft=false
+
+  # =============================================================================
+  # Attestation Job (runs after release is published)
   # =============================================================================
 
   attest:
     name: Attest Images
     runs-on: ubuntu-latest
-    needs: [build]
-    if: needs.build.outputs.release_outcome == 'success'
+    needs: [publish]
     timeout-minutes: 10
     permissions:
       contents: read
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -89,6 +89,7 @@ release:
     owner: NVIDIA
     name: eidos
   prerelease: auto
+  draft: true
 
 kos:
   - id: eidos
@@ -119,31 +120,6 @@ kos:
     preserve_import_paths: false
     bare: true
 
-dockers_v2:
-  - id: eidos-validator
-    dockerfile: Dockerfile.validator
-    images:
-      - ghcr.io/nvidia/eidos-validator
-    tags:
-      - latest
-      - "{{.Tag}}"
-      - "v{{.Major}}"
-      - "v{{.Major}}.{{.Minor}}"
-    platforms:
-      - linux/amd64
-      - linux/arm64
-    labels:
-      org.opencontainers.image.created: "{{.Date}}"
-      org.opencontainers.image.title: "{{.ProjectName}}-validator"
-      org.opencontainers.image.revision: "{{.FullCommit}}"
-      org.opencontainers.image.version: "{{.Version}}"
-      org.opencontainers.image.source: "{{.GitURL}}"
-    extra_files:
-      - go.mod
-      - go.sum
-      - pkg
-      - cmd
-
 archives:
   - id: eidos
     ids:
diff --git a/Dockerfile.validator b/Dockerfile.validator
@@ -12,28 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Build stage: runs on the host platform, cross-compiles via GOOS/GOARCH
-# This avoids slow QEMU emulation for the non-native architecture.
-FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS builder
-
-ARG TARGETOS TARGETARCH
-
-WORKDIR /workspace
-
-# Copy go mod files first for better caching
-COPY go.mod go.sum ./
-RUN go mod download
-
-# Copy source code
-COPY . .
-
-# Cross-compile test binaries for the target platform
-RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go test -c -o /tmp/readiness.test ./pkg/validator/checks/readiness && \
-    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go test -c -o /tmp/deployment.test ./pkg/validator/checks/deployment && \
-    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go test -c -o /tmp/performance.test ./pkg/validator/checks/performance && \
-    CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go test -c -o /tmp/conformance.test ./pkg/validator/checks/conformance || true
-
-# Runtime stage: full Go toolchain needed because agent/job.go runs "go test" at runtime
+# Validator image includes Go toolchain for running validation tests in-cluster.
+# Built natively per-arch via CI (no cross-compilation or QEMU needed).
 FROM golang:1.25-bookworm
 
 RUN apt-get update && apt-get install -y \
@@ -43,15 +23,15 @@ RUN apt-get update && apt-get install -y \
 
 WORKDIR /workspace
 
-# Copy source for runtime "go test" execution
-COPY --from=builder /workspace/go.mod /workspace/go.sum ./
-COPY --from=builder /workspace/pkg/ pkg/
-COPY --from=builder /workspace/cmd/ cmd/
+COPY go.mod go.sum ./
+RUN go mod download
 
-# Copy pre-compiled test binaries
-COPY --from=builder /tmp/*.test /usr/local/bin/
+COPY . .
 
-# Pre-warm module cache for runtime
-RUN go mod download
+# Pre-compile test binaries for faster Job startup
+RUN go test -c -o /usr/local/bin/readiness.test ./pkg/validator/checks/readiness && \
+    go test -c -o /usr/local/bin/deployment.test ./pkg/validator/checks/deployment && \
+    go test -c -o /usr/local/bin/performance.test ./pkg/validator/checks/performance && \
+    go test -c -o /usr/local/bin/conformance.test ./pkg/validator/checks/conformance || true
 
 CMD ["/bin/bash"]
