Add linux/arm64 support via native arm64 runners (no QEMU)

pavanputhra · claude · pavanputhra · commit a308ac767118 · 2026-03-06T08:20:34.000+05:30
- 4 parallel build jobs: api + conserver × amd64 + arm64
- amd64 on ubuntu-latest, arm64 on ubuntu-24.04-arm (native, no emulation)
- Merge job combines platform digests into multi-arch manifests
- Separate GHA cache scopes per service+platform

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -6,15 +6,19 @@ name: Build and Push Docker images
 # Version format: YYYY.MM.DD (e.g., 2026.01.16)
 # If multiple releases happen on the same day, adds sequence: YYYY.MM.DD.2, YYYY.MM.DD.3, etc.
 #
-# Two separate images are built and pushed:
+# Two separate images are built and pushed for both linux/amd64 and linux/arm64:
 #   vcon-server-api        — lightweight FastAPI/uvicorn image (main deps only)
 #   vcon-server-conserver  — full processing image (main + links + storage deps)
 #
+# Build strategy: native runners (no QEMU) for maximum speed
+#   amd64 builds on ubuntu-latest
+#   arm64 builds on ubuntu-24.04-arm
+#
 # Docker tags created for each image:
-#   - CalVer tag (e.g., 2026.01.16)
+#   - CalVer tag (e.g., 2026.01.16)       [main only]
+#   - latest                               [main only]
 #   - Branch name (e.g., main)
-#   - Git short hash (e.g., main-a1b2c3d)
-#   - latest (for main branch only)
+#   - Branch + short sha (e.g., main-a1b2c3d)
 
 on:
   push:
@@ -82,7 +86,7 @@ jobs:
 
   build:
     needs: prepare
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
       packages: write
@@ -92,9 +96,27 @@ jobs:
           - service: api
             dockerfile: ./docker/Dockerfile.api
             image: public.ecr.aws/r4g1k2s3/vcon-dev/vcon-server-api
+            platform: linux/amd64
+            platform_tag: amd64
+            runner: ubuntu-latest
+          - service: api
+            dockerfile: ./docker/Dockerfile.api
+            image: public.ecr.aws/r4g1k2s3/vcon-dev/vcon-server-api
+            platform: linux/arm64
+            platform_tag: arm64
+            runner: ubuntu-24.04-arm
           - service: conserver
             dockerfile: ./docker/Dockerfile.conserver
             image: public.ecr.aws/r4g1k2s3/vcon-dev/vcon-server-conserver
+            platform: linux/amd64
+            platform_tag: amd64
+            runner: ubuntu-latest
+          - service: conserver
+            dockerfile: ./docker/Dockerfile.conserver
+            image: public.ecr.aws/r4g1k2s3/vcon-dev/vcon-server-conserver
+            platform: linux/arm64
+            platform_tag: arm64
+            runner: ubuntu-24.04-arm
 
     steps:
       - name: Checkout code
@@ -110,39 +132,71 @@ jobs:
           username: ${{ secrets.AWS_ACCESS_KEY }}
           password: ${{ secrets.AWS_SECRET }}
 
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ matrix.image }}
-          tags: |
-            type=raw,value=${{ needs.prepare.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=sha,prefix={{branch}}-
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-
-      - name: Build and push ${{ matrix.service }} image
+      - name: Build and push ${{ matrix.service }} (${{ matrix.platform_tag }})
         uses: docker/build-push-action@v5
         with:
           context: .
           file: ${{ matrix.dockerfile }}
-          platforms: linux/amd64
+          platforms: ${{ matrix.platform }}
           push: true
-          cache-from: type=gha,scope=${{ matrix.service }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.service }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=${{ matrix.service }}-${{ matrix.platform_tag }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.service }}-${{ matrix.platform_tag }}
+          tags: ${{ matrix.image }}:${{ github.ref_name }}-${{ matrix.platform_tag }}
           build-args: |
             VCON_SERVER_VERSION=${{ needs.prepare.outputs.version }}
             VCON_SERVER_GIT_COMMIT=${{ needs.prepare.outputs.short_sha }}
             VCON_SERVER_BUILD_TIME=${{ needs.prepare.outputs.build_time }}
 
-  release:
+  merge:
     needs: [prepare, build]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        include:
+          - service: api
+            image: public.ecr.aws/r4g1k2s3/vcon-dev/vcon-server-api
+          - service: conserver
+            image: public.ecr.aws/r4g1k2s3/vcon-dev/vcon-server-conserver
+
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Amazon ECR Public
+        uses: docker/login-action@v3
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.AWS_ACCESS_KEY }}
+          password: ${{ secrets.AWS_SECRET }}
+
+      - name: Create multi-arch manifest for ${{ matrix.service }}
+        env:
+          IMAGE: ${{ matrix.image }}
+          VERSION: ${{ needs.prepare.outputs.version }}
+          SHORT_SHA: ${{ needs.prepare.outputs.short_sha }}
+          BRANCH: ${{ github.ref_name }}
+        run: |
+          AMD64="${IMAGE}:${BRANCH}-amd64"
+          ARM64="${IMAGE}:${BRANCH}-arm64"
+
+          # Branch tag (always)
+          docker buildx imagetools create --tag "${IMAGE}:${BRANCH}" "${AMD64}" "${ARM64}"
+
+          # Branch + sha tag (always)
+          docker buildx imagetools create --tag "${IMAGE}:${BRANCH}-${SHORT_SHA}" "${AMD64}" "${ARM64}"
+
+          # CalVer and latest (main only)
+          if [ "${BRANCH}" = "main" ]; then
+            docker buildx imagetools create --tag "${IMAGE}:${VERSION}" "${AMD64}" "${ARM64}"
+            docker buildx imagetools create --tag "${IMAGE}:latest" "${AMD64}" "${ARM64}"
+          fi
+
+  release:
+    needs: [prepare, merge]
+    runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/main'
     permissions:
       contents: write
@@ -160,6 +214,8 @@ jobs:
 
             ### Docker Images
 
+            Both images support `linux/amd64` and `linux/arm64`.
+
             **API service** (FastAPI/uvicorn, lightweight):
             ```bash
             docker pull public.ecr.aws/r4g1k2s3/vcon-dev/vcon-server-api:${{ needs.prepare.outputs.version }}
@@ -187,6 +243,6 @@ jobs:
           echo "| **Build Time** | ${{ needs.prepare.outputs.build_time }} |" >> $GITHUB_STEP_SUMMARY
           echo "| **Branch** | ${{ github.ref_name }} |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "### Docker Images Built" >> $GITHUB_STEP_SUMMARY
+          echo "### Docker Images Built (linux/amd64 + linux/arm64)" >> $GITHUB_STEP_SUMMARY
           echo "- \`vcon-server-api\` — API service (main deps only)" >> $GITHUB_STEP_SUMMARY
           echo "- \`vcon-server-conserver\` — Conserver service (main + links + storage)" >> $GITHUB_STEP_SUMMARY
