Use native arm runner to build arm64 images

hanazuki · hanazuki · commit d897327cf4b1 · 2025-02-06T09:40:25.000Z
diff --git a/.github/workflows/docker-build-simple.libsonnet b/.github/workflows/docker-build-simple.libsonnet
@@ -3,6 +3,27 @@
 //   Docker manifest #{name}/Dockerfile
 //   ECR repository: #{name}
 
+local runnersMap = {
+  'linux/amd64': 'ubuntu-24.04',
+  'linux/arm64': 'ubuntu-24.04-arm',
+};
+
+local setupSteps = function(region) [
+  { uses: 'docker/setup-buildx-action@v2' },
+  {
+    uses: 'aws-actions/configure-aws-credentials@v1',
+    with: {
+      'aws-region': region,
+      'role-to-assume': 'arn:aws:iam::005216166247:role/GhaDockerPush',
+      'role-skip-session-tagging': true,
+    },
+  },
+  {
+    uses: 'aws-actions/amazon-ecr-login@v1',
+    id: 'login-ecr',
+  },
+];
+
 function(name, region='ap-northeast-1', platforms=['linux/arm64']) {
   name: std.format('docker-%s', name),
   on: {
@@ -17,33 +38,72 @@ function(name, region='ap-northeast-1', platforms=['linux/arm64']) {
   jobs: {
     build: {
       name: 'build',
-      'runs-on': 'ubuntu-latest',
+      strategy: {
+        matrix: {
+          include: std.map(function(platform) {
+            key: std.strReplace(platform, '/', '-'),  // for artifact name
+            platform: platform,
+            runner: runnersMap[platform],
+          }, platforms),
+        },
+      },
+      'runs-on': '${{ matrix.runner }}',
       permissions: { 'id-token': 'write', contents: 'read' },
-      steps: [] +
-             (if std.member(platforms, 'linux/arm64') then [{ uses: 'docker/setup-qemu-action@v2' }] else []) + [
-        { uses: 'docker/setup-buildx-action@v2' },
+      steps: setupSteps(region) + [
         {
-          uses: 'aws-actions/configure-aws-credentials@v1',
+          uses: 'docker/build-push-action@v3',
+          id: 'build-push',
           with: {
-            'aws-region': region,
-            'role-to-assume': 'arn:aws:iam::005216166247:role/GhaDockerPush',
-            'role-skip-session-tagging': true,
+            context: std.format('{{defaultContext}}:%s', name),
+            platforms: '${{ matrix.platform }}',
+            outputs: std.format('type=image,"name=${{ steps.login-ecr.outputs.registry }}/%s",push-by-digest=true,name-canonical=true,push=true', name),
           },
         },
         {
-          uses: 'aws-actions/amazon-ecr-login@v1',
-          id: 'login-ecr',
+          name: 'Export digest',
+          run: |||
+            mkdir -p "${RUNNER_TEMP}/digests"
+            printenv DIGEST > "${RUNNER_TEMP}/digests/${PLATFORM}"
+          |||,
+          env: {
+            RUNNER_TEMP: '${{ runner.temp }}',
+            DIGEST: '${{ steps.build-push.outputs.digest }}',
+            PLATFORM: '${{ matrix.key }}',
+          },
         },
         {
-          uses: 'docker/build-push-action@v3',
+          uses: 'actions/upload-artifact@v4',
           with: {
-            context: std.format('{{defaultContext}}:%s', name),
-            platforms: std.join(',', platforms),
-            tags: std.join(',', [
-              std.format('${{ steps.login-ecr.outputs.registry }}/%s:${{ github.sha }}', name),
-              std.format('${{ steps.login-ecr.outputs.registry }}/%s:latest', name),
-            ]),
-            push: true,
+            name: 'digests-${{ matrix.key }}',
+            path: '${{ runner.temp }}/digests/*',
+            'if-no-files-found': 'error',
+            'retention-days': 1,
+          },
+        },
+      ],
+    },
+    merge: {
+      'runs-on': 'ubuntu-latest',
+      needs: ['build'],
+      permissions: { 'id-token': 'write' },
+      steps: setupSteps(region) + [
+        {
+          uses: 'actions/download-artifact@v4',
+          with: {
+            path: '${{ runner.temp }}/digests',
+            pattern: 'digests-*',
+            'merge-multiple': true,
+          },
+        },
+        {
+          name: 'Push manifest',
+          run: |||
+            cat * | xargs -I{} printf "%s@%s" "${REPO}" {} | docker buildx imagetools create -f /dev/stdin -t "${REPO}:latest" -t "${REPO}:${SHA}"
+            docker buildx imagetools inspect "${REPO}:${SHA}"
+          |||,
+          env: {
+            REPO: std.format('${{ steps.login-ecr.outputs.registry }}/%s', name),
+            SHA: '${{ github.sha }}',
           },
         },
       ],
diff --git a/.github/workflows/docker-unbound.yml b/.github/workflows/docker-unbound.yml
@@ -6,11 +6,8 @@
             "contents": "read",
             "id-token": "write"
          },
-         "runs-on": "ubuntu-latest",
+         "runs-on": "${{ matrix.runner }}",
          "steps": [
-            {
-               "uses": "docker/setup-qemu-action@v2"
-            },
             {
                "uses": "docker/setup-buildx-action@v2"
             },
@@ -27,13 +24,84 @@
                "uses": "aws-actions/amazon-ecr-login@v1"
             },
             {
+               "id": "build-push",
                "uses": "docker/build-push-action@v3",
                "with": {
                   "context": "{{defaultContext}}:unbound",
-                  "platforms": "linux/arm64",
-                  "push": true,
-                  "tags": "${{ steps.login-ecr.outputs.registry }}/unbound:${{ github.sha }},${{ steps.login-ecr.outputs.registry }}/unbound:latest"
+                  "outputs": "type=image,\"name=${{ steps.login-ecr.outputs.registry }}/unbound\",push-by-digest=true,name-canonical=true,push=true",
+                  "platforms": "${{ matrix.platform }}"
+               }
+            },
+            {
+               "env": {
+                  "DIGEST": "${{ steps.build-push.outputs.digest }}",
+                  "PLATFORM": "${{ matrix.key }}",
+                  "RUNNER_TEMP": "${{ runner.temp }}"
+               },
+               "name": "Export digest",
+               "run": "mkdir -p \"${RUNNER_TEMP}/digests\"\nprintenv DIGEST > \"${RUNNER_TEMP}/digests/${PLATFORM}\"\n"
+            },
+            {
+               "uses": "actions/upload-artifact@v4",
+               "with": {
+                  "if-no-files-found": "error",
+                  "name": "digests-${{ matrix.key }}",
+                  "path": "${{ runner.temp }}/digests/*",
+                  "retention-days": 1
+               }
+            }
+         ],
+         "strategy": {
+            "matrix": {
+               "include": [
+                  {
+                     "key": "linux-arm64",
+                     "platform": "linux/arm64",
+                     "runner": "ubuntu-24.04-arm"
+                  }
+               ]
+            }
+         }
+      },
+      "merge": {
+         "needs": [
+            "build"
+         ],
+         "permissions": {
+            "id-token": "write"
+         },
+         "runs-on": "ubuntu-latest",
+         "steps": [
+            {
+               "uses": "docker/setup-buildx-action@v2"
+            },
+            {
+               "uses": "aws-actions/configure-aws-credentials@v1",
+               "with": {
+                  "aws-region": "ap-northeast-1",
+                  "role-skip-session-tagging": true,
+                  "role-to-assume": "arn:aws:iam::005216166247:role/GhaDockerPush"
                }
+            },
+            {
+               "id": "login-ecr",
+               "uses": "aws-actions/amazon-ecr-login@v1"
+            },
+            {
+               "uses": "actions/download-artifact@v4",
+               "with": {
+                  "merge-multiple": true,
+                  "path": "${{ runner.temp }}/digests",
+                  "pattern": "digests-*"
+               }
+            },
+            {
+               "env": {
+                  "REPO": "${{ steps.login-ecr.outputs.registry }}/unbound",
+                  "SHA": "${{ github.sha }}"
+               },
+               "name": "Push manifest",
+               "run": "cat * | xargs -I{} printf \"%s@%s\" \"${REPO}\" {} | docker buildx imagetools create -f /dev/stdin -t \"${REPO}:latest\" -t \"${REPO}:${SHA}\"\ndocker buildx imagetools inspect \"${REPO}:${SHA}\"\n"
             }
          ]
       }
