ci: split per-arch builds and aggregate with manifest (no QEMU)

Author: pubino

.github/workflows/docker-multi-arch.yml

@@ -9,112 +9,135 @@ on:
         default: ""
 
 jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: [self-hosted, Linux, X64]
-            platform: linux/amd64
-          - os: [self-hosted, macOS, ARM64]
-            platform: linux/arm64
-    runs-on: ${{ matrix.os }}
-
+  build-amd64:
+    runs-on: [self-hosted, Linux, X64]
     permissions:
       contents: read
       packages: write
-
     outputs:
       sha_tag: ${{ steps.meta.outputs.sha_tag }}
       date_tag: ${{ steps.meta.outputs.date_tag }}
       user_tag: ${{ steps.meta.outputs.user_tag }}
       image_name: ${{ steps.name.outputs.image_name }}
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-
       - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Set lowercase image name
         id: name
         run: |
           IMAGE_NAME_LOWERCASE=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')/rsafd-docker
           echo "image_name=$IMAGE_NAME_LOWERCASE" >> $GITHUB_OUTPUT
-
       - name: Compute tags
         id: meta
         run: |
           DATE_TAG=$(date +'%Y%m%d')
-          SHA_TAG=${GITHUB_SHA::12}
-          USER_TAG="${{ github.event.inputs.tag }}"
-
-          echo "sha_tag=$SHA_TAG" >> $GITHUB_OUTPUT
-          echo "date_tag=$DATE_TAG" >> $GITHUB_OUTPUT
-          echo "user_tag=$USER_TAG" >> $GITHUB_OUTPUT
-          echo "tags=ghcr.io/${{ steps.name.outputs.image_name }}:${SHA_TAG}" >> $GITHUB_OUTPUT
+            SHA_TAG=${GITHUB_SHA::12}
+            USER_TAG="${{ github.event.inputs.tag }}"
+            echo "sha_tag=$SHA_TAG" >> $GITHUB_OUTPUT
+            echo "date_tag=$DATE_TAG" >> $GITHUB_OUTPUT
+            echo "user_tag=$USER_TAG" >> $GITHUB_OUTPUT
+      - name: Build & Push (amd64)
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          # Rely on native host arch (amd64)
+          tags: ghcr.io/${{ steps.name.outputs.image_name }}:${{ steps.meta.outputs.sha_tag }}-amd64
+          push: true
+          provenance: false
+          sbom: false
+          build-args: |
+            GH_OWNER=${{ github.repository_owner }}
 
-      - name: Build & Push
+  build-arm64:
+    runs-on: [self-hosted, macOS, ARM64]
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      sha_tag: ${{ steps.meta.outputs.sha_tag }}
+      date_tag: ${{ steps.meta.outputs.date_tag }}
+      user_tag: ${{ steps.meta.outputs.user_tag }}
+      image_name: ${{ steps.name.outputs.image_name }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set lowercase image name
+        id: name
+        run: |
+          IMAGE_NAME_LOWERCASE=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')/rsafd-docker
+          echo "image_name=$IMAGE_NAME_LOWERCASE" >> $GITHUB_OUTPUT
+      - name: Compute tags
+        id: meta
+        run: |
+          DATE_TAG=$(date +'%Y%m%d')
+            SHA_TAG=${GITHUB_SHA::12}
+            USER_TAG="${{ github.event.inputs.tag }}"
+            echo "sha_tag=$SHA_TAG" >> $GITHUB_OUTPUT
+            echo "date_tag=$DATE_TAG" >> $GITHUB_OUTPUT
+            echo "user_tag=$USER_TAG" >> $GITHUB_OUTPUT
+      - name: Build & Push (arm64)
         uses: docker/build-push-action@v5
         with:
           context: .
-          platforms: ${{ matrix.platform }}
-          tags: ${{ steps.meta.outputs.tags }}
+          # Native arm64 host build
+          tags: ghcr.io/${{ steps.name.outputs.image_name }}:${{ steps.meta.outputs.sha_tag }}-arm64
           push: true
           provenance: false
           sbom: false
           build-args: |
             GH_OWNER=${{ github.repository_owner }}
 
-  create-manifest:
+  manifest:
     runs-on: ubuntu-latest
-    needs: build
+    needs: [build-amd64, build-arm64]
     permissions:
       contents: read
       packages: write
-
     steps:
       - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Create and push manifest list
+      - name: Create multi-arch manifest tags
         run: |
           set -euo pipefail
-          IMAGE=ghcr.io/${{ needs.build.outputs.image_name }}
-          SHA_TAG=${{ needs.build.outputs.sha_tag }}
-          DATE_TAG=${{ needs.build.outputs.date_tag }}
-          USER_TAG=${{ needs.build.outputs.user_tag }}
-
-          # Re-tag the already-built image/manifest (single-arch or multi-arch) using imagetools.
-          # This avoids attempting to create a manifest from an existing manifest list (which caused the failure).
-          ARGS=(-t "$IMAGE:$DATE_TAG" -t "$IMAGE:latest")
-          if [ -n "$USER_TAG" ]; then
-            ARGS+=( -t "$IMAGE:$USER_TAG" )
-          fi
-          # Create new tags pointing to the same digest/manifest
-          docker buildx imagetools create "${ARGS[@]}" "$IMAGE:$SHA_TAG"
-
-          echo "Retagged $IMAGE:$SHA_TAG as: $IMAGE:$DATE_TAG, $IMAGE:latest${USER_TAG:+, $IMAGE:$USER_TAG}" 
-
+          IMAGE=ghcr.io/${{ needs.build-amd64.outputs.image_name }}
+          SHA_TAG=${{ needs.build-amd64.outputs.sha_tag }}
+          DATE_TAG=${{ needs.build-amd64.outputs.date_tag }}
+          USER_TAG=${{ needs.build-amd64.outputs.user_tag }}
+          SRC_AMD64=$IMAGE:${SHA_TAG}-amd64
+          SRC_ARM64=$IMAGE:${SHA_TAG}-arm64
+          if ! docker buildx imagetools inspect $SRC_AMD64 >/dev/null 2>&1; then echo "Missing $SRC_AMD64"; exit 1; fi
+          if ! docker buildx imagetools inspect $SRC_ARM64 >/dev/null 2>&1; then echo "Missing $SRC_ARM64"; exit 1; fi
+          ARGS=(-t $IMAGE:$SHA_TAG -t $IMAGE:$DATE_TAG -t $IMAGE:latest)
+          if [ -n "$USER_TAG" ]; then ARGS+=( -t $IMAGE:$USER_TAG ); fi
+          docker buildx imagetools create "${ARGS[@]}" $SRC_AMD64 $SRC_ARM64
+          docker buildx imagetools inspect $IMAGE:$SHA_TAG
       - name: Summary
         run: |
-          IMAGE=ghcr.io/${{ needs.build.outputs.image_name }}
-          echo "Pushed manifests for:" >> $GITHUB_STEP_SUMMARY
-          echo "$IMAGE:${{ needs.build.outputs.sha_tag }}" >> $GITHUB_STEP_SUMMARY
+          IMAGE=ghcr.io/${{ needs.build-amd64.outputs.image_name }}
+          echo "Published multi-arch tags:" >> $GITHUB_STEP_SUMMARY
+          echo "$IMAGE:${{ needs.build-amd64.outputs.sha_tag }}" >> $GITHUB_STEP_SUMMARY
+          echo "$IMAGE:${{ needs.build-amd64.outputs.date_tag }}" >> $GITHUB_STEP_SUMMARY
           echo "$IMAGE:latest" >> $GITHUB_STEP_SUMMARY
-          echo "$IMAGE:${{ needs.build.outputs.date_tag }}" >> $GITHUB_STEP_SUMMARY
-          if [ -n "${{ needs.build.outputs.user_tag }}" ]; then
-            echo "$IMAGE:${{ needs.build.outputs.user_tag }}" >> $GITHUB_STEP_SUMMARY
+          if [ -n "${{ needs.build-amd64.outputs.user_tag }}" ]; then
+            echo "$IMAGE:${{ needs.build-amd64.outputs.user_tag }}" >> $GITHUB_STEP_SUMMARY
           fi