feat: native multi-arch docker build (opt-in reusable workflow) #278
Open
DeepDiver1975 wants to merge 4 commits into
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Guard the digest export and manifest-merge steps so an empty digest fails the job explicitly instead of silently publishing a single-arch or broken manifest. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Add a build-native job to main.yml that invokes docker-build-native.yml against the repo's own v24.04 base image on native amd64 + arm64 runners with push:false. This asserts the new reusable workflow builds and smoke-tests on both architectures end-to-end before any consumer relies on it, mirroring how the existing build job dogfoods docker-build.yml. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
phil-davis
approved these changes
Jun 2, 2026
Contributor
phil-davis
left a comment
Looks Ok. The amd and arm test builds worked.
What

Adds a new opt-in reusable workflow docker-build-native.yml that builds each architecture on a native runner instead of emulating arm64 under QEMU.

The existing docker-build.yml is left completely untouched — current consumers (server, base, php, ocisrelease) are unaffected. A repo opts in by changing its uses: line to docker-build-native.yml@master.

Why

docker-build.yml hardcodes platforms: linux/amd64,linux/arm64 on an amd64-only ubuntu-latest runner, so the arm64 half builds under QEMU emulation. For source-compiled images (e.g. oCIS: CGO_ENABLED=1 ENABLE_VIPS=true make release) the emulated half dominates wall-clock time (~60 min observed). It also means the arm64 image is never actually run/smoke-tested today.

How

Identical input/secret surface to docker-build.yml, with this topology:

- build (matrix: amd64 → ubuntu-latest, arm64 → ubuntu-24.04-arm): builds + --loads the single-arch image, Trivy-scans it, smoke-tests it on its native runner, then (when push) logs in, re-builds with push-by-digest output, and uploads the digest as an artifact. cache-from/to get a per-arch scope=<arch> so the two legs don't clobber each other's GHA cache.
- merge (if: push): downloads both digests, runs docker buildx imagetools create to assemble the multi-arch manifest under all tags, then imagetools inspect to verify.

This is Docker's documented multi-arch-via-matrix pattern.

Notes

- ubuntu-24.04-arm is a GitHub-hosted runner, free for public repos.
- ::error:: + non-zero exit) if a digest is missing, so a partial build can never silently publish a single-arch manifest.
- actionlint clean.

🤖 Generated with Claude Code
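The fail-closed digest check described in the merge step and the notes above, sketched as an added example that is not code from this pull request. It assumes a hypothetical layout in which each build leg leaves a file named <arch>.digest holding one sha256:<hex> line; the function name and variables are illustrative.

```shell
#!/usr/bin/env bash
# Added example: refuse to assemble a manifest unless every expected
# architecture delivered a well-formed digest.
# Assumed (hypothetical) layout: $dir/<arch>.digest contains "sha256:<64 hex>".

# collect_digest_refs IMAGE DIR ARCH...
# Prints "IMAGE@sha256:..." for each expected arch on one line.
# Writes a ::error:: line to stderr and returns 1 on the first bad digest.
collect_digest_refs() {
  local image dir refs arch file digest
  image="$1"; dir="$2"; refs=""
  shift 2
  if [ "$#" -eq 0 ]; then
    echo "::error::no architectures requested" >&2
    return 1
  fi
  for arch in "$@"; do
    file="$dir/$arch.digest"
    # -s is false for a missing file and for an empty one.
    if [ ! -s "$file" ]; then
      echo "::error::digest for $arch is missing or empty ($file)" >&2
      return 1
    fi
    digest=$(head -n 1 "$file" | tr -d '[:space:]')
    if ! printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
      echo "::error::digest for $arch is malformed" >&2
      return 1
    fi
    refs="${refs}${refs:+ }${image}@${digest}"
  done
  printf '%s\n' "$refs"
}

# Use in a merge step (IMAGE, TAG and DIGEST_DIR are placeholders):
#   refs=$(collect_digest_refs "$IMAGE" "$DIGEST_DIR" amd64 arm64) || exit 1
#   docker buildx imagetools create -t "$IMAGE:$TAG" $refs
```

Listing the expected architectures explicitly is what makes the check fail closed: a leg that never uploaded its artifact is an error, not a silently shorter source list.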