Merge multi-arch images

Author: Bronek

.github/workflows/debian.yml

@@ -17,6 +17,7 @@ env:
 
 jobs:
   # Build the Docker image for Debian using different versions of GCC and Clang.
+  # Note, the `os` part of matrix must be kept in sync with the `merge` job below
   build:
     strategy:
       matrix:
@@ -56,8 +57,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Login to GitHub Registry
@@ -66,7 +65,7 @@ jobs:
           registry: ${{ env.CONTAINER_REGISTRY }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN  }}
-      - name: Determine the Docker image name.
+      - name: Prepare environment
         run: |
           # Convert the repository name to lowercase as the organization name is
           # uppercase, which is not permitted by the Docker registry. It's 2025 and GitHub
@@ -75,6 +74,8 @@ jobs:
           CONTAINER_REPO=${GITHUB_REPO@L}
           echo "CONTAINER_REPOSITORY=${CONTAINER_REPO}/debian-${{ matrix.os.release }}" >> $GITHUB_ENV
           echo "CONTAINER_IMAGE=${CONTAINER_REGISTRY}/${CONTAINER_REPO}/debian-${{ matrix.os.release }}" >> $GITHUB_ENV
+          PLATFORM=${{ matrix.architecture.platform }}
+          echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> $GITHUB_ENV
       - name: Prepare container metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -89,6 +90,7 @@ jobs:
             org.opencontainers.image.vendor=XRPLF
             org.opencontainers.image.title=${{ env.CONTAINER_REPOSITORY }}
       - name: Build and push the Docker image
+        id: build
         uses: docker/build-push-action@v6
         with:
           build-args: |
@@ -104,7 +106,97 @@ jobs:
           outputs: type=image,name=${{ env.CONTAINER_IMAGE }},push-by-digest=true,name-canonical=true,push=true
           platforms: ${{ matrix.architecture.platform }}
           provenance: mode=max
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }}
           sbom: true
           labels: ${{ steps.meta.outputs.labels }}
           target: ${{ matrix.os.compiler_name }}
+      - name: Export digest
+        if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }}
+        shell: bash
+        run: |
+          mkdir -p /tmp/digests
+          DIGEST="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${DIGEST#sha256:}"
+      - name: Upload digest
+        if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.os.release }}-${{ matrix.os.compiler_name }}-${{ matrix.os.compiler_version }}-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }}
+    strategy:
+      matrix:
+        os:
+          - release: bookworm
+            compiler_name: gcc
+            compiler_version: 12
+          - release: bookworm
+            compiler_name: gcc
+            compiler_version: 13
+          - release: bookworm
+            compiler_name: gcc
+            compiler_version: 14
+          - release: bookworm
+            compiler_name: clang
+            compiler_version: 16
+          - release: bookworm
+            compiler_name: clang
+            compiler_version: 17
+          - release: bookworm
+            compiler_name: clang
+            compiler_version: 18
+          - release: bookworm
+            compiler_name: clang
+            compiler_version: 19
+          - release: bookworm
+            compiler_name: clang
+            compiler_version: 20
+    runs-on: ubuntu-24.04
+    needs:
+      - build
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-${{ matrix.os.release }}-${{ matrix.os.compiler_name }}-${{ matrix.os.compiler_version }}-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN  }}
+      - name: Prepare environment
+        run: |
+          GITHUB_REPO=${{ github.repository }}
+          CONTAINER_REPO=${GITHUB_REPO@L}
+          echo "CONTAINER_IMAGE=${CONTAINER_REGISTRY}/${CONTAINER_REPO}/debian-${{ matrix.os.release }}" >> $GITHUB_ENV
+      - name: Prepare container metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE }}
+          tags: |
+            type=raw,value=${{ matrix.os.compiler_name }}-${{ matrix.os.compiler_version }}
+            type=sha,prefix=${{ matrix.os.compiler_name }}-${{ matrix.os.compiler_version }}-sha-
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        shell: bash
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.CONTAINER_IMAGE }}@sha256:%s ' *)
+      - name: Inspect image
+        shell: bash
+        run: |
+          docker buildx imagetools inspect ${{ env.CONTAINER_IMAGE }}:${{ steps.meta.outputs.version }}

.github/workflows/rhel.yml

@@ -16,8 +16,9 @@ env:
 
 jobs:
   # Build the Docker image for Red Hat Enterprise Linux using different versions
-  # of GCC and Clang.
-  gcc:
+  # of GCC
+  # Note, the `os` part of matrix must be kept in sync with the `merge` job below
+  build:
     strategy:
       matrix:
         architecture:
@@ -38,8 +39,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Login to GitHub Registry
@@ -54,7 +53,7 @@ jobs:
           registry: ${{ env.REDHAT_REGISTRY }}
           username: ${{ secrets.REDHAT_USER }}
           password: ${{ secrets.REDHAT_TOKEN }}
-      - name: Determine the Docker image name.
+      - name: Prepare environment
         run: |
           # Convert the repository name to lowercase as the organization name is
           # uppercase, which is not permitted by the Docker registry. It's 2025 and GitHub
@@ -63,6 +62,8 @@ jobs:
           CONTAINER_REPO=${GITHUB_REPO@L}
           echo "CONTAINER_REPOSITORY=${CONTAINER_REPO}/rhel-${{ matrix.os.release }}" >> $GITHUB_ENV
           echo "CONTAINER_IMAGE=${CONTAINER_REGISTRY}/${CONTAINER_REPO}/rhel-${{ matrix.os.release }}" >> $GITHUB_ENV
+          PLATFORM=${{ matrix.architecture.platform }}
+          echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> $GITHUB_ENV
       - name: Prepare container metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -77,6 +78,7 @@ jobs:
             org.opencontainers.image.vendor=XRPLF
             org.opencontainers.image.title=${{ env.CONTAINER_REPOSITORY }}
       - name: Build and push the Docker image
+        id: build
         uses: docker/build-push-action@v6
         with:
           build-args: |
@@ -91,7 +93,79 @@ jobs:
           outputs: type=image,name=${{ env.CONTAINER_IMAGE }},push-by-digest=true,name-canonical=true,push=true
           platforms: ${{ matrix.architecture.platform }}
           provenance: mode=max
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }}
           sbom: true
           labels: ${{ steps.meta.outputs.labels }}
           target: ${{ matrix.os.compiler_name }}
+      - name: Export digest
+        if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }}
+        shell: bash
+        run: |
+          mkdir -p /tmp/digests
+          DIGEST="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${DIGEST#sha256:}"
+      - name: Upload digest
+        if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.os.release }}-${{ matrix.os.compiler_name }}-${{ matrix.os.compiler_version }}-${{ env.PLATFORM_PAIR }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    if: ${{ github.ref_type == 'branch' && github.ref_name == 'main' }}
+    strategy:
+      matrix:
+        os:
+          - release: 9.6
+            compiler_name: gcc
+            compiler_version: 13
+          - release: 9.6
+            compiler_name: gcc
+            compiler_version: 14
+    runs-on: ubuntu-24.04
+    needs:
+      - build
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-${{ matrix.os.release }}-${{ matrix.os.compiler_name }}-${{ matrix.os.compiler_version }}-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.CONTAINER_REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN  }}
+      - name: Prepare environment
+        run: |
+          GITHUB_REPO=${{ github.repository }}
+          CONTAINER_REPO=${GITHUB_REPO@L}
+          echo "CONTAINER_IMAGE=${CONTAINER_REGISTRY}/${CONTAINER_REPO}/rhel-${{ matrix.os.release }}" >> $GITHUB_ENV
+      - name: Prepare container metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.CONTAINER_IMAGE }}
+          tags: |
+            type=raw,value=${{ matrix.os.compiler_name }}-${{ matrix.os.compiler_version }}
+            type=sha,prefix=${{ matrix.os.compiler_name }}-${{ matrix.os.compiler_version }}-sha-
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        shell: bash
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.CONTAINER_IMAGE }}@sha256:%s ' *)
+      - name: Inspect image
+        shell: bash
+        run: |
+          docker buildx imagetools inspect ${{ env.CONTAINER_IMAGE }}:${{ steps.meta.outputs.version }}