refactor workflow to build fixed commit with buildx push

Author: Madan Shah

.github/workflows/docker-publish-ecr.yml

@@ -23,13 +23,14 @@ env:
   PUBLIC_ECR_NAMESPACE: z5c7y9u9
   PUBLIC_ECR_REPOSITORY: mosaic
   PUBLIC_ECR_REGION: us-east-1
-  DOCKER_PLATFORM: linux/amd64
+  DEFAULT_BUILD_REF: bae62a54
+  DOCKER_PLATFORMS: linux/amd64,linux/arm64
 
 permissions:
   contents: read
 
 concurrency:
-  group: docker-publish-ecr-${{ inputs.ref || github.ref }}
+  group: docker-publish-ecr-${{ inputs.ref || 'bae62a54' }}
   cancel-in-progress: false
 
 jobs:
@@ -75,7 +76,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-          ref: ${{ inputs.ref || github.ref }}
+          ref: ${{ inputs.ref || env.DEFAULT_BUILD_REF }}
 
       - name: Resolve build metadata
         env:
@@ -86,13 +87,17 @@ jobs:
 
           resolved_sha="$(git rev-parse HEAD)"
           short_sha="$(git rev-parse --short=8 HEAD)"
-          checkout_ref="${INPUT_REF:-${GITHUB_REF}}"
+          checkout_ref="${INPUT_REF:-${DEFAULT_BUILD_REF}}"
           image_tag="${INPUT_IMAGE_TAG:-${short_sha}}"
+          image_ref="${ECR_REGISTRY}/${ECR_REPOSITORY}:${image_tag}"
+          public_image_ref="${PUBLIC_ECR_REGISTRY}/${PUBLIC_ECR_NAMESPACE}/${PUBLIC_ECR_REPOSITORY}:${image_tag}"
 
           {
             echo "CHECKOUT_REF=${checkout_ref}"
             echo "RESOLVED_SHA=${resolved_sha}"
             echo "IMAGE_TAG=${image_tag}"
+            echo "IMAGE_REF=${image_ref}"
+            echo "PUBLIC_IMAGE_REF=${public_image_ref}"
           } >> "${GITHUB_ENV}"
 
       - name: Cleanup space
@@ -126,22 +131,54 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
-      - name: Build Mosaic image
+      - name: Configure public ECR credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ vars.PUBLIC_AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ env.PUBLIC_ECR_REGION }}
+
+      - name: Login to public ECR
+        run: |
+          aws ecr-public get-login-password --region "${PUBLIC_ECR_REGION}" \
+            | docker login --username AWS --password-stdin "${PUBLIC_ECR_REGISTRY}"
+
+      - name: Build and push Mosaic images
         run: |
           set -euo pipefail
-          local_image="mosaic-local:${IMAGE_TAG}"
           docker buildx build \
-            --platform "${DOCKER_PLATFORM}" \
+            --platform "${DOCKER_PLATFORMS}" \
             --file docker/Dockerfile \
-            --tag "${local_image}" \
-            --load \
+            --tag "${IMAGE_REF}" \
+            --tag "${PUBLIC_IMAGE_REF}" \
+            --push \
             .
 
+      - name: Reconfigure private AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to ECR for follow-up checks
+        run: |
+          aws ecr get-login-password --region "${AWS_REGION}" \
+            | docker login --username AWS --password-stdin "${ECR_REGISTRY}"
+
+      - name: Resolve pushed image digest
+        id: digest
+        run: |
+          set -euo pipefail
+          digest="$(aws ecr describe-images \
+            --repository-name "${ECR_REPOSITORY}" \
+            --image-ids imageTag="${IMAGE_TAG}" \
+            --query 'imageDetails[0].imageDigest' \
+            --output text)"
+          echo "digest=${digest}" >> "${GITHUB_OUTPUT}"
+
       - name: Scan Mosaic image with Trivy
         run: |
           set -euo pipefail
           mkdir -p trivy-results
-          local_image="mosaic-local:${IMAGE_TAG}"
           docker run --rm \
             -v /var/run/docker.sock:/var/run/docker.sock \
             aquasec/trivy:0.65.0 \
@@ -151,7 +188,7 @@ jobs:
             --ignore-unfixed \
             --exit-code 0 \
             --no-progress \
-            "${local_image}" > trivy-results/mosaic.txt
+            "${IMAGE_REF}" > trivy-results/mosaic.txt
 
       - name: Upload Trivy results artifact
         if: always()
@@ -161,59 +198,19 @@ jobs:
           path: trivy-results/mosaic.txt
           if-no-files-found: ignore
 
-      - name: Tag and push Mosaic image
-        run: |
-          set -euo pipefail
-          local_image="mosaic-local:${IMAGE_TAG}"
-          image_ref="${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
-          docker tag "${local_image}" "${image_ref}"
-          docker push "${image_ref}"
-
-      - name: Resolve pushed image digest
-        id: digest
-        run: |
-          set -euo pipefail
-          digest="$(aws ecr describe-images \
-            --repository-name "${ECR_REPOSITORY}" \
-            --image-ids imageTag="${IMAGE_TAG}" \
-            --query 'imageDetails[0].imageDigest' \
-            --output text)"
-          echo "digest=${digest}" >> "${GITHUB_OUTPUT}"
-
-      - name: Configure public ECR credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
-        with:
-          role-to-assume: ${{ vars.PUBLIC_AWS_ROLE_TO_ASSUME }}
-          aws-region: ${{ env.PUBLIC_ECR_REGION }}
-
-      - name: Login to public ECR
-        run: |
-          aws ecr-public get-login-password --region "${PUBLIC_ECR_REGION}" \
-            | docker login --username AWS --password-stdin "${PUBLIC_ECR_REGISTRY}"
-
-      - name: Tag and push public Mosaic image
-        run: |
-          set -euo pipefail
-          local_image="mosaic-local:${IMAGE_TAG}"
-          public_image_ref="${PUBLIC_ECR_REGISTRY}/${PUBLIC_ECR_NAMESPACE}/${PUBLIC_ECR_REPOSITORY}:${IMAGE_TAG}"
-          docker tag "${local_image}" "${public_image_ref}"
-          docker push "${public_image_ref}"
-
       - name: Append publish summary
         if: always()
         env:
           IMAGE_DIGEST: ${{ steps.digest.outputs.digest }}
         run: |
           trivy_artifact="trivy-mosaic-${IMAGE_TAG}"
-          image_ref="${ECR_REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
-          public_image_ref="${PUBLIC_ECR_REGISTRY}/${PUBLIC_ECR_NAMESPACE}/${PUBLIC_ECR_REPOSITORY}:${IMAGE_TAG}"
           {
             echo "## Mosaic image publish"
             echo
             echo "- Checkout ref: \`${CHECKOUT_REF}\`"
             echo "- Resolved SHA: \`${RESOLVED_SHA}\`"
-            echo "- Image: \`${image_ref}\`"
-            echo "- Public image: \`${public_image_ref}\`"
+            echo "- Image: \`${IMAGE_REF}\`"
+            echo "- Public image: \`${PUBLIC_IMAGE_REF}\`"
             echo "- Digest: \`${IMAGE_DIGEST}\`"
             echo "- Trivy artifact: \`${trivy_artifact}\`"
             echo

docker/Dockerfile

@@ -6,9 +6,7 @@
 FROM ubuntu:24.04 AS builder
 
 # Install build dependencies and Rust nightly toolchain.
-RUN sed -i 's|http://|https://|g' /etc/apt/sources.list.d/ubuntu.sources \
-    && printf 'Acquire::Retries "5";\nAcquire::http::Timeout "30";\nAcquire::https::Timeout "30";\n' > /etc/apt/apt.conf.d/80-retries \
-    && apt-get update \
+RUN apt-get update \
     && apt-get install -y --no-install-recommends \
     adduser build-essential ca-certificates clang curl libclang-dev pkg-config \
     && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
@@ -50,8 +48,6 @@ FROM ubuntu:24.04 AS runtime
 ARG TARGETARCH
 ARG FDB_VERSION=7.3.75
 RUN FDB_ARCH=$([ "$TARGETARCH" = "arm64" ] && echo "aarch64" || echo "amd64") \
-    && sed -i 's|http://|https://|g' /etc/apt/sources.list.d/ubuntu.sources \
-    && printf 'Acquire::Retries "5";\nAcquire::http::Timeout "30";\nAcquire::https::Timeout "30";\n' > /etc/apt/apt.conf.d/80-retries \
     && apt-get update \
     && apt-get install -y --no-install-recommends adduser ca-certificates curl \
     && curl -fsSLO --proto "=https" --tlsv1.2 \