Skip to content

feat: Reusable workflow for multi-platform docker builds#73

Merged
maksym-iv-ef merged 3 commits into
mainfrom
reusable-docker-build
Jun 16, 2026
Merged

feat: Reusable workflow for multi-platform docker builds#73
maksym-iv-ef merged 3 commits into
mainfrom
reusable-docker-build

Conversation

@maksym-iv-ef

Copy link
Copy Markdown
Contributor

Description

Add opinionated reusable workflow to be used for multi-arch docker builds.
Core idea is to build with different runners per each target platform, use outputs: push-by-digest=true,type=image,push=true to push single-platform manifests and combine to a tagged manifest via:

docker buildx imagetools create \
  -t ${FULL_IMAGE} \
  ${registry}/${image}@${sha_patform_A} ${registry}/${image}@${sha_patform_B} ${registry}/${image}@${sha_patform_N}

Workflow feats/nuances:

  • There is support to push images to AWS, GCP, GitHub, Dockerhub, however only AWS and GitHub were tested so far.
  • Caching registry is mandatory for the workflow.
  • Attestation is pushed to GitHub if push to any registry is enabled

Also capable of building images without pushing which is usefulr for CI pipelines.

Also the hack is present in the workflow. Sometimes we need to inject Docker Secrets into the build to fetch non-public content (like dependencies), ideally we should not use any static secrets for any purposes. This principal imposes a problem, for example we need temporary GCP token to access the NPM registry hosted in GCP Artifact Registry, following approach is sub-optimal:

jobs:
  set_standard_vars:
    name: Set standard vars
    runs-on: ubuntu-latest
    outputs:
      sha_short: ${{ steps.set_standard_vars.outputs.sha_short }}
      gcp_auth: ${{ steps.gcp_auth.outputs.access_token }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: set outputs with default values
        id: set_standard_vars
        run: |
          echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
      - name: Configure GCP Credentials (NPM read)
        if: ${{ inputs.build_secret_npm_gcp }}
        id: gcp_auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          token_format: "access_token"
          ...

  docker_build_push:
    name: Docker Build/Push
    needs: set_standard_vars
    uses: ./.github/workflows/reusable_docker_build_multiarch.yaml
    permissions:
      ...
    with:
      ...
    secrets:
      build_secrets: |
        NPM_TOKEN=${{ needs.set_standard_vars.outputs.gcp_auth }}

because:

  1. On a job re-run in casew of failure we may use already invalid NPM token
  2. job outputs was not designed to pass sensitive data across multiple jobs.

So current workaround is to add necessary steps to the workflow itself (false by default) and customize via inputs, for example, in order to pass a GCP token for Artifact registry:

      build_secret_npm_gcp: true
      build_secret_npm_gcp_project_id: project_id
      build_secret_npm_gcp_workload_identity_provider: workload_identity_provider
      build_secret_npm_gcp_service_account: service_account_to_get_token_for
      # Optionally configure docker secret key, default NPM_TOKEN
      build_secret_npm_gcp_key: THE_TOKEN

In future other dynamic secrets will be added in a same manner.

@maksym-iv-ef maksym-iv-ef requested a review from kgrubb June 15, 2026 16:21
@maksym-iv-ef maksym-iv-ef self-assigned this Jun 15, 2026
Comment thread .github/workflows/reusable_docker_build_multiarch.yaml
@maksym-iv-ef maksym-iv-ef requested a review from kgrubb June 16, 2026 16:19
@maksym-iv-ef maksym-iv-ef merged commit a0aee7e into main Jun 16, 2026
5 checks passed
@maksym-iv-ef maksym-iv-ef deleted the reusable-docker-build branch June 16, 2026 16:38
@github-actions github-actions Bot mentioned this pull request Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants