build multi-arch images

Author: romeroalx

.github/workflows/build-debian-images.yaml

@@ -11,73 +11,213 @@ jobs:
   build-and-push-debian-images:
     strategy:
       matrix:
+        platform:
+          - runner: ubuntu-24.04
+            arch: linux/amd64
+          - runner: ubuntu-24.04-arm
+            arch: linux/arm64
         branch-name:
           - master
-          - rel/auth-4.9.x
+          # - rel/auth-4.9.x
         image:
-          - id: debian-11-pdns-base
-            debian-image-name: python
-            debian-image-tag: 3.11-slim-bullseye
+          # - id: debian-11-pdns-base
+          #   debian-image-name: python
+          #   debian-image-tag: 3.11-slim-bullseye
           - id: debian-12-pdns-base
             debian-image-name: debian
             debian-image-tag: bookworm-slim
       fail-fast: false
-    runs-on: ubuntu-22.04
+    runs-on: ${{ matrix.platform.runner }}
     permissions:
       contents: read
       packages: write
     steps:
-      - uses: actions/checkout@v4
-
       - run: |
           echo "image-id-lowercase=ghcr.io/${{ github.repository }}/${{ matrix.image.id }}" | tr '[:upper:]' '[:lower:]' >> "$GITHUB_ENV"
           echo "image-tag=$(echo ${{ matrix.branch-name }} | cut -d '/' -f 2)" >> "$GITHUB_ENV"
-
-      - name: Build image
-        run: |
-          docker build . --file Dockerfile \
-            --tag ${{ env.image-id-lowercase }}:${{ env.image-tag }} \
-            --build-arg DEBIAN_IMAGE_NAME=${{ matrix.image.debian-image-name }} \
-            --build-arg DEBIAN_IMAGE_TAG=${{ matrix.image.debian-image-tag }} \
-            --build-arg REPO_BRANCH=${{ matrix.branch-name }}
-
+          echo "image-id-lowercase=ghcr.io/${{ github.repository }}/${{ matrix.image.id }}" | tr '[:upper:]' '[:lower:]'
+          echo "image-tag=$(echo ${{ matrix.branch-name }} | cut -d '/' -f 2)"
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Set up Docker Buildx for multi-platform builds
+        uses: docker/setup-buildx-action@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      # https://github.com/docker/buildx/issues/1335#issuecomment-1343712346
+      - run: docker ps --all
       - name: Login to GitHub Container Registry
         if: ${{ github.event_name != 'pull_request' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Push into Github Container Registry
-        if: ${{ github.event_name != 'pull_request' }}
-        run: |
-          docker push ${{ env.image-id-lowercase }}:${{ env.image-tag }}
-
-  purge-old-images:
-    name: Purge old PDNS CI images
-    needs: build-and-push-debian-images
-    runs-on: ubuntu-22.04
-    if: ${{ github.event_name != 'pull_request' }}
-    permissions:
-      contents: read
-      packages: write
-    strategy:
-      matrix:
-        image-id: 
-        - debian-11-pdns-base
-        - debian-12-pdns-base
-      fail-fast: false
-    steps:
-      - name: Get repository name
+      - name: Docker image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.image-id-lowercase }}
+          # tags: ${{ env.image-tag }}
+      - name: Build and load images
+        id: build-image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile
+          platforms: ${{ matrix.branch.platforms }}
+          push: ${{ github.event_name != 'pull_request' && 'true' || 'false' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          build-args: |
+            DEBIAN_IMAGE_NAME=${{ matrix.image.debian-image-name }}
+            DEBIAN_IMAGE_TAG=${{ matrix.image.debian-image-tag }}
+            REPO_BRANCH=${{ matrix.branch-name }}
+          outputs: type=image,push-by-digest=true,name-canonical=true
+      - name: Export output digest
+        env:
+          ARCH: ${{ matrix.platform.arch }}
+          DIGEST: ${{ steps.build-image.outputs.digest }}
         run: |
-          echo "${{ github.repository }}" | awk -F'/' '{print "repo-name="$2}' >> "$GITHUB_ENV"
+          mkdir -p $RUNNER_TEMP/digests
+          touch "$RUNNER_TEMP/digests/${DIGEST#sha256:}"
+          # generate suffix for digest file
+          echo "PLATFORM_PAIR=${ARCH//\//-}" >> $GITHUB_ENV
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.matrix.image.id }}-${{ env.image-tag }}-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
 
-      - name: Purge old images keeping the 5 more recent ones
-        # FIXME: move to tag v5 when available.
-        uses: actions/delete-package-versions@v5.0.0
-        with: 
-          package-name: ${{ env.repo-name }}/${{ matrix.image-id }}
-          package-type: container
-          min-versions-to-keep: 5
-          delete-only-untagged-versions: true
+# 
+#       - name: Build image
+#         run: |
+#           docker build . --file Dockerfile \
+#             --tag ${{ env.image-id-lowercase }}:${{ env.image-tag }} \
+#             --build-arg DEBIAN_IMAGE_NAME=${{ matrix.image.debian-image-name }} \
+#             --build-arg DEBIAN_IMAGE_TAG=${{ matrix.image.debian-image-tag }} \
+#             --build-arg REPO_BRANCH=${{ matrix.branch-name }}
+# 
+#       - name: Set up QEMU
+#         uses: docker/setup-qemu-action@v3
+#         with:
+#           platforms: linux/arm64/v8
+#       - name: Set up Docker Buildx for multi-platform builds
+#         uses: docker/setup-buildx-action@v3
+#         with:
+#           platforms: ${{ inputs.platforms }}
+#       - name: Login to Docker Hub
+#         uses: docker/login-action@v3
+#         with:
+#           username: ${{ secrets.DOCKERHUB_USERNAME }}
+#           password: ${{ secrets.DOCKERHUB_TOKEN }}
+#       - name: Docker image metadata
+#         id: meta
+#         uses: docker/metadata-action@v5
+#         with:
+#           images: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ inputs.image-name }}
+#           tags: ${{ inputs.image-tags }}
+#       - name: Build and load powerdns product images
+#         id: build-image
+#         uses: docker/build-push-action@v6
+#         with:
+#           context: .
+#           file: Dockerfile
+#           platforms: ${{ matrix.branch.platforms }}
+#           push: ${{ inputs.push }}
+#           sbom: true
+#           tags: ${{ steps.meta.outputs.tags }}
+#           build-args: ${{ inputs.build-args }}
+# 
+#       - name: Push into Github Container Registry
+#         if: ${{ github.event_name != 'pull_request' }}
+#         run: |
+#           docker push ${{ env.image-id-lowercase }}:${{ env.image-tag }}
+# 
+#   publish-tag:
+#     name: Generate and publish tag for multi-platform image
+#     runs-on: ubuntu-24.04
+#     if: ${{ inputs.push }}
+#     needs: build
+#     permissions:
+#       contents: read
+#       # This is used to complete the identity challenge
+#       # with sigstore/fulcio when running outside of PRs.
+#       id-token: write
+#     outputs:
+#       image-digest: ${{ steps.get-image-digest.outputs.image-digest }}
+#     env:
+#       IMAGE_NAME: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ inputs.image-name }}
+#     steps:
+#       - name: Install cosign
+#         uses: sigstore/cosign-installer@v3.7.0
+#       - name: Download digests
+#         uses: actions/download-artifact@v4
+#         with:
+#           path: ${{ runner.temp }}/digests
+#           pattern: digests-${{ inputs.product }}-*
+#           merge-multiple: true
+#       - name: Login to Docker Hub
+#         if: ${{ inputs.push }}
+#         uses: docker/login-action@v3
+#         with:
+#           username: ${{ secrets.DOCKERHUB_USERNAME }}
+#           password: ${{ secrets.DOCKERHUB_TOKEN }}
+#       - name: Set up Docker Buildx
+#         uses: docker/setup-buildx-action@v3
+#       - name: Docker meta
+#         id: meta
+#         uses: docker/metadata-action@v5
+#         with:
+#           images: ${{ env.IMAGE_NAME }}
+#           tags: ${{ inputs.image-tags }}
+#       - name: Create manifest list and push
+#         working-directory: ${{ runner.temp }}/digests
+#         run: |
+#           docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+#             $(printf $IMAGE_NAME'@sha256:%s ' *)
+#       - name: Get image digest
+#         id: get-image-digest
+#         env:
+#           TAG: ${{ steps.meta.outputs.version }}
+#         run: |
+#           echo "image-digest=$(docker buildx imagetools inspect $IMAGE_NAME:$TAG --format="{{json .Manifest}}" | jq -r .digest)" >> "$GITHUB_OUTPUT"
+#       - name: Sign product image
+#         id: sign-image
+#         env:
+#           TAG: |
+#             ${{ env.IMAGE_NAME }}@${{ steps.get-image-digest.outputs.image-digest }}
+#         # This step uses the identity token to provision an ephemeral certificate
+#         # against the sigstore community Fulcio instance.
+#         run: cosign sign --yes ${TAG}
+# 
+# 
+#   purge-old-images:
+#     name: Purge old PDNS CI images
+#     needs: build-and-push-debian-images
+#     runs-on: ubuntu-22.04
+#     if: ${{ github.event_name != 'pull_request' }}
+#     permissions:
+#       contents: read
+#       packages: write
+#     strategy:
+#       matrix:
+#         image-id:
+#         - debian-11-pdns-base
+#         - debian-12-pdns-base
+#       fail-fast: false
+#     steps:
+#       - name: Get repository name
+#         run: |
+#           echo "${{ github.repository }}" | awk -F'/' '{print "repo-name="$2}' >> "$GITHUB_ENV"
+# 
+#       - name: Purge old images keeping the 5 more recent ones
+#         # FIXME: move to tag v5 when available.
+#         uses: actions/delete-package-versions@v5.0.0
+#         with:
+#           package-name: ${{ env.repo-name }}/${{ matrix.image-id }}
+#           package-type: container
+#           min-versions-to-keep: 5
+#           delete-only-untagged-versions: true
+#