feat/ci: native arm64 build

NN708 · NN708 · commit e09d86bc81b2 · 2026-01-17T09:54:16.000+08:00
diff --git a/.github/workflows/vib-build.yml b/.github/workflows/vib-build.yml
@@ -3,7 +3,7 @@ name: Vib Build
 on:
   push:
     branches:
-      - 'main'
+      - 'dev'
     tags:
       - '*'
   workflow_dispatch:
@@ -18,22 +18,35 @@ jobs:
 
     steps:
     - name: Verify Base Image Integrity
+      if: ${{ github.ref_type == 'tag' }}
       run:
-        gh attestation verify oci://ghcr.io/vanilla-os/pico:main --owner Vanilla-OS
+        gh attestation verify oci://ghcr.io/vanilla-os/desktop:main --owner Vanilla-OS
       env:
         GH_TOKEN: ${{ github.token }}
 
   build:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            arch: amd64
+          - runner: ubuntu-24.04-arm
+            arch: arm64
+    runs-on: ${{ matrix.runner }}
     needs: verify-image
     permissions:
-      contents: write # Allow actions to create release
       packages: write # Allow pushing images to GHCR
       attestations: write # To create and write attestations
       id-token: write # Additional permissions for the persistence of the attestations
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
+
+    - name: Change tag in recipe.
+      if: ${{ github.ref_type == 'tag' }}
+      run: |
+        sed 's/ghcr.io\/vanilla-os\/desktop:dev/ghcr.io\/vanilla-os\/desktop:main/' -i recipe.yml
 
     - uses: vanilla-os/vib-gh-action@v1.0.6
       with:
@@ -42,8 +55,9 @@ jobs:
 
     - uses: actions/upload-artifact@v4
       with:
-         name: Containerfile
-         path: Containerfile
+        name: Containerfile
+        path: Containerfile
+        overwrite: true
 
     - name: Generate image name
       run: |
@@ -52,17 +66,10 @@ jobs:
         echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/waydroid" >> "$GITHUB_ENV"
 
     - name: Docker meta
-      id: docker_meta
+      id: meta
       uses: docker/metadata-action@v5
       with:
-        images: |
-          ${{ env. IMAGE_URL }}
-        tags: |
-          type=semver,pattern={{version}}
-          type=semver,pattern={{major}}.{{minor}}
-          type=semver,pattern={{raw}}
-          type=semver,pattern=v{{major}}
-          type=ref,event=branch
+        images: ${{ env.IMAGE_URL }}
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
@@ -75,25 +82,127 @@ jobs:
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Build and Push the Docker image
-      id: push
+    - name: Build and push by digest
+      id: build
       uses: docker/build-push-action@v6
       with:
         context: .
         file: Containerfile
-        push: ${{ github.event_name != 'pull_request' }}
-        tags: ${{ steps.docker_meta.outputs.tags }}
-        labels: ${{ steps.docker_meta.outputs.labels }}
+        tags: ${{ env.IMAGE_URL }}
+        labels: ${{ steps.meta.outputs.labels }}
         cache-from: type=gha
         cache-to: type=gha,mode=max
-        platforms: linux/amd64
+        platforms: linux/${{ matrix.arch }}
         provenance: false
+        outputs: type=image,push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
 
     - name: Attest pushed image
-      uses: actions/attest-build-provenance@v1
+      uses: actions/attest-build-provenance@v3
       id: attest
       if: ${{ github.event_name != 'pull_request' }}
       with:
         subject-name: ${{ env.IMAGE_URL }}
-        subject-digest: ${{ steps.push.outputs.digest }}
+        subject-digest: ${{ steps.build.outputs.digest }}
         push-to-registry: false
+
+    - name: Export digest
+      if: ${{ github.event_name != 'pull_request' }}
+      run: |
+        mkdir -p ${{ runner.temp }}/digests
+        digest="${{ steps.build.outputs.digest }}"
+        touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+    - name: Upload digest
+      uses: actions/upload-artifact@v4
+      if: ${{ github.event_name != 'pull_request' }}
+      with:
+        name: digests-${{ matrix.arch }}
+        path: ${{ runner.temp }}/digests/*
+        if-no-files-found: error
+        retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name != 'pull_request' }}
+    needs: build
+    permissions:
+      contents: write # Allow actions to create release
+      packages: write # Allow pushing images to GHCR
+
+    steps:
+    - name: Generate image name
+      run: |
+        REPO_OWNER_LOWERCASE="$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')"
+        echo "REPO_OWNER_LOWERCASE=$REPO_OWNER_LOWERCASE" >> "$GITHUB_ENV"
+        echo "IMAGE_URL=ghcr.io/$REPO_OWNER_LOWERCASE/waydroid" >> "$GITHUB_ENV"
+
+    - name: Download digests
+      uses: actions/download-artifact@v4
+      with:
+        path: ${{ runner.temp }}/digests
+        pattern: digests-*
+        merge-multiple: true
+
+    - name: Extra image tag branch
+      if: ${{ github.ref_type != 'tag' }}
+      run: |
+        echo "EXTRA_TAG=ref,event=branch" >> "$GITHUB_ENV"
+
+    - name: Extra image tag release
+      if: ${{ github.ref_type == 'tag' }}
+      run: |
+        echo "EXTRA_TAG=raw,main" >> "$GITHUB_ENV"
+
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.IMAGE_URL }}
+        tags: |
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{raw}}
+          type=semver,pattern=v{{major}}
+          type=${{ env.EXTRA_TAG }}
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to GitHub Package Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Create manifest list and push
+      working-directory: ${{ runner.temp }}/digests
+      run: |
+        docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+          $(printf '${{ env.IMAGE_URL }}@sha256:%s ' *)
+
+  differ:
+    runs-on: ubuntu-latest
+    if: github.repository == 'vanilla-os/waydroid-image' && github.ref_type == 'tag'
+    needs: merge
+    container:
+      image: ghcr.io/vanilla-os/waydroid:main
+
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Generate package diff
+        run: |
+          lpkg --unlock
+          PACKAGE_LIST=$(.github/gen_package_list.sh)
+          apt-get install -y curl
+          IMAGE_DIGEST=$(curl -s -L -H "Accept: application/vnd.github+json" \
+          -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          https://api.github.com/orgs/Vanilla-OS/packages/container/waydroid/versions | grep -m1 name | sed -E 's/^\s*"name": "(.+)".*$/\1/')
+          curl -X POST \
+          -H 'Accept:application/json' \
+          -H "Authorization:Basic $(echo -n "${{ secrets.DIFFER_USER }}:${{ secrets.DIFFER_PSW }}" | base64)" \
+          -d "{\"digest\":\"${IMAGE_DIGEST}\",${PACKAGE_LIST}}" \
+          ${{ vars.DIFFER_URL }}/images/waydroid/new
+          lpkg --lock
