@@ -25,10 +25,17 @@ jobs:
2525 GH_TOKEN : ${{ github.token }}
2626
2727 build :
28- runs-on : ubuntu-latest
29- needs : [verify-image]
28+ strategy :
29+ fail-fast : false
30+ matrix :
31+ include :
32+ - runner : ubuntu-latest
33+ arch : amd64
34+ - runner : ubuntu-24.04-arm
35+ arch : arm64
36+ runs-on : ${{ matrix.runner }}
37+ needs : verify-image
3038 permissions :
31- contents : write # Allow actions to create release
3239 packages : write # Allow pushing images to GHCR
3340 attestations : write # To create and write attestations
3441 id-token : write # Additional permissions for the persistence of the attestations
@@ -48,37 +55,21 @@ jobs:
4855
4956 - uses : actions/upload-artifact@v4
5057 with :
51- name : Containerfile
52- path : Containerfile
58+ name : Containerfile
59+ path : Containerfile
60+ overwrite : true
5361
5462 - name : Generate image name
5563 run : |
5664 REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
5765 echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
5866 echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/core" >> "$GITHUB_ENV"
5967
60- - name : Extra image tag branch
61- if : ${{ github.ref_type != 'tag' }}
62- run : |
63- echo "EXTRA_TAG=ref,event=branch" >> "$GITHUB_ENV"
64-
65- - name : Extra image tag release
66- if : ${{ github.ref_type == 'tag' }}
67- run : |
68- echo "EXTRA_TAG=raw,main" >> "$GITHUB_ENV"
69-
7068 - name : Docker meta
71- id : docker_meta
69+ id : meta
7270 uses : docker/metadata-action@v5
7371 with :
74- images : |
75- ${{ env. IMAGE_URL }}
76- tags : |
77- type=semver,pattern={{version}}
78- type=semver,pattern={{major}}.{{minor}}
79- type=semver,pattern={{raw}}
80- type=semver,pattern=v{{major}}
81- type=${{ env.EXTRA_TAG }}
72+ images : ${{ env.IMAGE_URL }}
8273
8374 - name : Set up Docker Buildx
8475 uses : docker/setup-buildx-action@v3
@@ -91,35 +82,111 @@ jobs:
9182 username : ${{ github.repository_owner }}
9283 password : ${{ secrets.GITHUB_TOKEN }}
9384
94- - name : Build and Push the Docker image
95- id : push
85+ - name : Build and push by digest
86+ id : build
9687 uses : docker/build-push-action@v6
9788 with :
9889 context : .
9990 file : Containerfile
100- push : ${{ github.event_name != 'pull_request' }}
101- tags : ${{ steps.docker_meta.outputs.tags }}
102- labels : ${{ steps.docker_meta.outputs.labels }}
91+ tags : ${{ env.IMAGE_URL }}
92+ labels : ${{ steps.meta.outputs.labels }}
10393 cache-from : type=gha
10494 cache-to : type=gha,mode=max
105- platforms : linux/amd64
95+ platforms : linux/${{ matrix.arch }}
10696 provenance : false
97+ outputs : type=image,push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
10798
10899 - name : Attest pushed image
109100 uses : actions/attest-build-provenance@v3
110101 id : attest
111102 if : ${{ github.event_name != 'pull_request' }}
112103 with :
113104 subject-name : ${{ env.IMAGE_URL }}
114- subject-digest : ${{ steps.push .outputs.digest }}
105+ subject-digest : ${{ steps.build .outputs.digest }}
115106 push-to-registry : false
116107
108+ - name : Export digest
109+ if : ${{ github.event_name != 'pull_request' }}
110+ run : |
111+ mkdir -p ${{ runner.temp }}/digests
112+ digest="${{ steps.build.outputs.digest }}"
113+ touch "${{ runner.temp }}/digests/${digest#sha256:}"
114+
115+ - name : Upload digest
116+ uses : actions/upload-artifact@v4
117+ if : ${{ github.event_name != 'pull_request' }}
118+ with :
119+ name : digests-${{ matrix.arch }}
120+ path : ${{ runner.temp }}/digests/*
121+ if-no-files-found : error
122+ retention-days : 1
123+
124+ merge :
125+ runs-on : ubuntu-latest
126+ if : ${{ github.event_name != 'pull_request' }}
127+ needs : build
128+ permissions :
129+ contents : write # Allow actions to create release
130+ packages : write # Allow pushing images to GHCR
131+
132+ steps :
133+ - name : Generate image name
134+ run : |
135+ REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
136+ echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
137+ echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/core" >> "$GITHUB_ENV"
138+
139+ - name : Download digests
140+ uses : actions/download-artifact@v4
141+ with :
142+ path : ${{ runner.temp }}/digests
143+ pattern : digests-*
144+ merge-multiple : true
145+
146+ - name : Extra image tag branch
147+ if : ${{ github.ref_type != 'tag' }}
148+ run : |
149+ echo "EXTRA_TAG=ref,event=branch" >> "$GITHUB_ENV"
150+
151+ - name : Extra image tag release
152+ if : ${{ github.ref_type == 'tag' }}
153+ run : |
154+ echo "EXTRA_TAG=raw,main" >> "$GITHUB_ENV"
155+
156+ - name : Docker meta
157+ id : meta
158+ uses : docker/metadata-action@v5
159+ with :
160+ images : ${{ env.IMAGE_URL }}
161+ tags : |
162+ type=semver,pattern={{version}}
163+ type=semver,pattern={{major}}.{{minor}}
164+ type=semver,pattern={{raw}}
165+ type=semver,pattern=v{{major}}
166+ type=${{ env.EXTRA_TAG }}
167+
168+ - name : Set up Docker Buildx
169+ uses : docker/setup-buildx-action@v3
170+
171+ - name : Login to GitHub Package Registry
172+ uses : docker/login-action@v3
173+ with :
174+ registry : ghcr.io
175+ username : ${{ github.repository_owner }}
176+ password : ${{ secrets.GITHUB_TOKEN }}
177+
178+ - name : Create manifest list and push
179+ working-directory : ${{ runner.temp }}/digests
180+ run : |
181+ docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
182+ $(printf '${{ env.IMAGE_URL }}@sha256:%s ' *)
183+
117184 differ :
118185 runs-on : ubuntu-latest
186+ if : github.ref_type == 'tag' && github.repository == 'vanilla-os/core-image'
187+ needs : merge
119188 container :
120189 image : ghcr.io/vanilla-os/core:main
121- if : github.ref_type == 'tag' && github.repository == 'vanilla-os/core-image'
122- needs : build
123190
124191 steps :
125192 - uses : actions/checkout@v5
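Review bot: The manifest list pushed by `Create manifest list and push` is what the `main` and semver tags resolve to, but only the per-arch image digests are attested (`subject-digest: ${{ steps.build.outputs.digest }}` in the build job), so a consumer verifying provenance against the tagged index digest has nothing to match. The merge job would need `attestations: write` and `id-token: write` next to its current permissions, then a step that resolves the index digest after the push and attests it with the same action. `contents: write` on the merge job is not used by any of its visible steps and looks like it can be dropped unless a release step elsewhere relies on it. Sketch below; the `--format` template used to read the index digest should be confirmed against the buildx version on the runner.
```yaml
    permissions:
      packages: write  # Allow pushing images to GHCR
      attestations: write  # Write provenance for the merged manifest list
      id-token: write  # Required to sign the attestation
    # … unchanged: steps from "Generate image name" through "Create manifest list and push" …
      - name: Resolve manifest list digest
        id: index
        env:
          IMAGE_VERSION: ${{ steps.meta.outputs.version }}
        run: |
          digest="$(docker buildx imagetools inspect "$IMAGE_URL:$IMAGE_VERSION" --format '{{.Manifest.Digest}}')"
          echo "digest=$digest" >> "$GITHUB_OUTPUT"

      - name: Attest manifest list
        uses: actions/attest-build-provenance@v3
        with:
          subject-name: ${{ env.IMAGE_URL }}
          subject-digest: ${{ steps.index.outputs.digest }}
          push-to-registry: false
```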