From 2944fccdebb00fad12865ced3043c3339767572f Mon Sep 17 00:00:00 2001 From: David Parry Date: Tue, 24 Mar 2026 13:38:11 +1100 Subject: [PATCH] feat: automate multi-arch image builds on release via QEMU Replace native arm64 runners (unavailable on free tier) with QEMU emulation. All three image builds now trigger automatically on `release: published`, deriving version and :latest flag from the GitHub release event. workflow_dispatch retained for manual rebuilds. --- .github/workflows/build-disk-collector.yml | 107 ++++++++---------- .github/workflows/build-primary-image.yml | 113 ++++++++------------ .github/workflows/build-sidecar-updater.yml | 107 ++++++++---------- 3 files changed, 135 insertions(+), 192 deletions(-) diff --git a/.github/workflows/build-disk-collector.yml b/.github/workflows/build-disk-collector.yml index 57f8a23..4c7f06b 100644 --- a/.github/workflows/build-disk-collector.yml +++ b/.github/workflows/build-disk-collector.yml @@ -1,6 +1,8 @@ name: Build Disk Collector Image on: + release: + types: [published] workflow_dispatch: inputs: version: @@ -22,69 +24,49 @@ jobs: steps: - name: check-auth id: check-auth - run: echo "is_authorized=${{ contains(secrets.DEPLOYMENT_AUTHORIZED_USERS, github.triggering_actor) }}" >> $GITHUB_OUTPUT + run: | + if [ "${{ github.event_name }}" = "release" ]; then + echo "is_authorized=true" >> $GITHUB_OUTPUT + else + echo "is_authorized=${{ contains(secrets.DEPLOYMENT_AUTHORIZED_USERS, github.triggering_actor) }}" >> $GITHUB_OUTPUT + fi build: - name: Build disk-collector image (${{ matrix.platform }}) + name: Build and push multi-arch disk-collector image needs: check_authorization if: needs.check_authorization.outputs.isAuthorized == 'true' - runs-on: ${{ matrix.runner }} - permissions: - contents: read - packages: write - strategy: - fail-fast: false - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - - platform: linux/arm64 - runner: ubuntu-latest-arm64 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push by digest - id: build - uses: docker/build-push-action@v6 - with: - context: install/sidecar-disk-collector - platforms: ${{ matrix.platform }} - outputs: type=image,name=ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector,push-by-digest=true,name-canonical=true,push=true - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - merge: - name: Create and push multi-arch manifest - needs: build runs-on: ubuntu-latest permissions: contents: read packages: write steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true + - name: Checkout code + uses: actions/checkout@v4 + - name: Resolve version and tags + id: vars + run: | + if [ "${{ github.event_name }}" = "release" ]; then + VERSION="${{ github.event.release.tag_name }}" + VERSION="${VERSION#v}" + TAG_LATEST=${{ !github.event.release.prerelease }} + else + VERSION="${{ inputs.version }}" + TAG_LATEST=${{ inputs.tag_latest }} + fi + + TAGS="ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector:${VERSION} + ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector:v${VERSION}" + if [ "$TAG_LATEST" = "true" ]; then + TAGS="$TAGS + ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector:latest" + fi + + echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "tags<> $GITHUB_OUTPUT + echo "$TAGS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry @@ -93,14 +75,13 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create \ - -t ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector:${{ inputs.version }} \ - -t ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector:v${{ inputs.version }} \ - ${{ inputs.tag_latest && '-t ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector:latest' || '' }} \ - $(printf 'ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector@sha256:%s ' *) + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: install/sidecar-disk-collector + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.vars.outputs.tags }} - name: Inspect image run: | - docker buildx imagetools inspect ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector:${{ inputs.version }} + docker buildx imagetools inspect ghcr.io/${{ github.repository_owner }}/project-nomad-disk-collector:${{ steps.vars.outputs.version }} diff --git a/.github/workflows/build-primary-image.yml b/.github/workflows/build-primary-image.yml index b2d54b3..1d776ab 100644 --- a/.github/workflows/build-primary-image.yml +++ b/.github/workflows/build-primary-image.yml @@ -1,6 +1,8 @@ name: Build Primary Docker Image on: + release: + types: [published] workflow_dispatch: inputs: version: @@ -22,72 +24,49 @@ jobs: steps: - name: check-auth id: check-auth - run: echo "is_authorized=${{ contains(secrets.DEPLOYMENT_AUTHORIZED_USERS, github.triggering_actor) }}" >> $GITHUB_OUTPUT + run: | + if [ "${{ github.event_name }}" = "release" ]; then + echo "is_authorized=true" >> $GITHUB_OUTPUT + else + echo "is_authorized=${{ contains(secrets.DEPLOYMENT_AUTHORIZED_USERS, github.triggering_actor) }}" >> $GITHUB_OUTPUT + fi build: - name: Build primary image (${{ matrix.platform }}) + name: Build and push multi-arch primary image needs: check_authorization if: needs.check_authorization.outputs.isAuthorized == 'true' - runs-on: ${{ matrix.runner }} - permissions: - contents: read - packages: write - strategy: - fail-fast: false - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - - platform: linux/arm64 - runner: ubuntu-latest-arm64 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push by digest - id: build - uses: docker/build-push-action@v6 - with: - platforms: ${{ matrix.platform }} - outputs: type=image,name=ghcr.io/${{ github.repository_owner }}/project-nomad,push-by-digest=true,name-canonical=true,push=true - build-args: | - VERSION=${{ inputs.version }} - BUILD_DATE=${{ github.event.workflow_run.created_at }} - VCS_REF=${{ github.sha }} - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - merge: - name: Create and push multi-arch manifest - needs: build runs-on: ubuntu-latest permissions: contents: read packages: write steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true + - name: Checkout code + uses: actions/checkout@v4 + - name: Resolve version and tags + id: vars + run: | + if [ "${{ github.event_name }}" = "release" ]; then + VERSION="${{ github.event.release.tag_name }}" + VERSION="${VERSION#v}" + TAG_LATEST=${{ !github.event.release.prerelease }} + else + VERSION="${{ inputs.version }}" + TAG_LATEST=${{ inputs.tag_latest }} + fi + + TAGS="ghcr.io/${{ github.repository_owner }}/project-nomad:${VERSION} + ghcr.io/${{ github.repository_owner }}/project-nomad:v${VERSION}" + if [ "$TAG_LATEST" = "true" ]; then + TAGS="$TAGS + ghcr.io/${{ github.repository_owner }}/project-nomad:latest" + fi + + echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "tags<> $GITHUB_OUTPUT + echo "$TAGS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry @@ -96,14 +75,16 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create \ - -t ghcr.io/${{ github.repository_owner }}/project-nomad:${{ inputs.version }} \ - -t ghcr.io/${{ github.repository_owner }}/project-nomad:v${{ inputs.version }} \ - ${{ inputs.tag_latest && '-t ghcr.io/${{ github.repository_owner }}/project-nomad:latest' || '' }} \ - $(printf 'ghcr.io/${{ github.repository_owner }}/project-nomad@sha256:%s ' *) + - name: Build and push + uses: docker/build-push-action@v6 + with: + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.vars.outputs.tags }} + build-args: | + VERSION=${{ steps.vars.outputs.version }} + BUILD_DATE=${{ github.event.release.created_at }} + VCS_REF=${{ github.sha }} - name: Inspect image run: | - docker buildx imagetools inspect ghcr.io/${{ github.repository_owner }}/project-nomad:${{ inputs.version }} + docker buildx imagetools inspect ghcr.io/${{ github.repository_owner }}/project-nomad:${{ steps.vars.outputs.version }} diff --git a/.github/workflows/build-sidecar-updater.yml b/.github/workflows/build-sidecar-updater.yml index 1a09368..3cd6c07 100644 --- a/.github/workflows/build-sidecar-updater.yml +++ b/.github/workflows/build-sidecar-updater.yml @@ -1,6 +1,8 @@ name: Build Sidecar Updater Image on: + release: + types: [published] workflow_dispatch: inputs: version: @@ -22,69 +24,49 @@ jobs: steps: - name: check-auth id: check-auth - run: echo "is_authorized=${{ contains(secrets.DEPLOYMENT_AUTHORIZED_USERS, github.triggering_actor) }}" >> $GITHUB_OUTPUT + run: | + if [ "${{ github.event_name }}" = "release" ]; then + echo "is_authorized=true" >> $GITHUB_OUTPUT + else + echo "is_authorized=${{ contains(secrets.DEPLOYMENT_AUTHORIZED_USERS, github.triggering_actor) }}" >> $GITHUB_OUTPUT + fi build: - name: Build sidecar-updater image (${{ matrix.platform }}) + name: Build and push multi-arch sidecar-updater image needs: check_authorization if: needs.check_authorization.outputs.isAuthorized == 'true' - runs-on: ${{ matrix.runner }} - permissions: - contents: read - packages: write - strategy: - fail-fast: false - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - - platform: linux/arm64 - runner: ubuntu-latest-arm64 - steps: - - name: Checkout code - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Log in to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Build and push by digest - id: build - uses: docker/build-push-action@v6 - with: - context: install/sidecar-updater - platforms: ${{ matrix.platform }} - outputs: type=image,name=ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater,push-by-digest=true,name-canonical=true,push=true - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - merge: - name: Create and push multi-arch manifest - needs: build runs-on: ubuntu-latest permissions: contents: read packages: write steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true + - name: Checkout code + uses: actions/checkout@v4 + - name: Resolve version and tags + id: vars + run: | + if [ "${{ github.event_name }}" = "release" ]; then + VERSION="${{ github.event.release.tag_name }}" + VERSION="${VERSION#v}" + TAG_LATEST=${{ !github.event.release.prerelease }} + else + VERSION="${{ inputs.version }}" + TAG_LATEST=${{ inputs.tag_latest }} + fi + + TAGS="ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater:${VERSION} + ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater:v${VERSION}" + if [ "$TAG_LATEST" = "true" ]; then + TAGS="$TAGS + ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater:latest" + fi + + echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "tags<> $GITHUB_OUTPUT + echo "$TAGS" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry @@ -93,14 +75,13 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create \ - -t ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater:${{ inputs.version }} \ - -t ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater:v${{ inputs.version }} \ - ${{ inputs.tag_latest && '-t ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater:latest' || '' }} \ - $(printf 'ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater@sha256:%s ' *) + - name: Build and push + uses: docker/build-push-action@v6 + with: + context: install/sidecar-updater + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.vars.outputs.tags }} - name: Inspect image run: | - docker buildx imagetools inspect ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater:${{ inputs.version }} + docker buildx imagetools inspect ghcr.io/${{ github.repository_owner }}/project-nomad-sidecar-updater:${{ steps.vars.outputs.version }}