fix: multi-arch builds

Xetera · Xetera · commit 13e063e52eed · 2025-06-18T20:38:34.000+03:00
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -7,12 +7,13 @@ on:
       - main
   pull_request:
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: query-doctor/sync
+
 jobs:
   build:
     name: Build container
-    env:
-      REGISTRY: ghcr.io
-      IMAGE_NAME: query-doctor/sync
     permissions:
       id-token: write
       contents: read
@@ -37,15 +38,28 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
       - uses: actions/checkout@v3
       - name: Login to ghcr
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: "${{ github.actor }}"
+          username: "${{ github.repository_owner }}"
           password: "${{ secrets.GITHUB_TOKEN }}"
       - name: Setup Docker Buildx
+        id: buildx
         uses: docker/setup-buildx-action@v3
+      - name: Cache Docker layers
+        uses: actions/cache@v4
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
       - name: Set sync_version from deno.json
         run: |
           platform=${{ matrix.platform }}
@@ -57,18 +71,90 @@ jobs:
         with:
           context: .
           file: Dockerfile
+          builder: ${{ steps.buildx.outputs.name }}
+          push: ${{ github.event_name == 'push' }}
           outputs: type=docker
           platforms: ${{ matrix.platform }}
-          push: ${{ github.event_name == 'push' }}
-          tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.sync_version }}
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-      - name: Attest
-        uses: actions/attest-build-provenance@v2
+          tags: ${{ steps.meta.outputs.tags }}
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache-new
+      # This ugly bit is necessary if you don't want your cache to grow forever
+      # until it hits GitHub's limit of 5GB.
+      # Temp fix
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+      - name: Export digest
+        if: ${{ github.event_name == 'push' }}
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
         if: ${{ github.event_name == 'push' }}
         with:
-          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+      # TODO: Attest is not working for some reason
+      # - name: Attest
+      #   uses: actions/attest-build-provenance@v2
+      #   with:
+      #     subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      #     subject-digest: ${{ steps.build.outputs.digest }}
+      #     push-to-registry: true
+
+  merge:
+    runs-on: ubuntu-24.04
+    if: ${{ github.event_name == 'push' }}
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+      packages: write
+    needs:
+      - build
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
 
-          
+      - name: Login to ghcr
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: "${{ github.actor }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
