Add arm image to publishing (#1422)

jsoref · vlad-ivanov-name · web-flow · commit 338ca164492f · 2025-05-02T22:42:06.000+02:00
* Replace `ADD` with `curl+run+rm` (rust)
* Build each architecture on its own runner
  This is similar to what docs.docker.com recommends, except without all
  of the places where they suggest bad practices, including:
  * using `${{}}` inside `run:` statements
  * needlessly introducing steps to parse variables
  * failing to declare permissions for jobs
* Merge some docker steps into a single layer
* Clean up dockerfile

---------

Signed-off-by: Josh Soref &lt;2119212+jsoref@users.noreply.github.com&gt;
Co-authored-by: Vladislav Ivanov &lt;vlad@ivanov.email&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,9 +5,24 @@ on:
     types: [published]
   pull_request:
     types: [labeled]
+env:
+  REGISTRY_IMAGE: ${{ secrets.DOCKERHUB_TOKEN == '' && format('ghcr.io/{0}', github.repository) || 'joshproject/josh-proxy' }}
 jobs:
   build:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: linux
+            arch: amd64
+            runner: ubuntu-latest
+          - os: linux
+            arch: arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      packages: write
     if: ${{ github.event_name == 'release' || (github.event_name == 'pull_request' && github.event.label.name == 'build-release-container') }}
     steps:
       - name: Setup BuildX
@@ -23,25 +38,91 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: |
-            joshproject/josh-proxy
+            ${{ env.REGISTRY_IMAGE }}
           tags: |
             type=ref,event=tag
-      - name: Login to DockerHub
+      - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: initcrash
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          registry: ${{ secrets.DOCKERHUB_TOKEN == '' && 'ghcr.io' || '' }}
+          username: ${{ secrets.DOCKERHUB_TOKEN == '' && github.actor || vars.DOCKERHUB_USER || 'initcrash' }}
+          password: ${{ secrets.DOCKERHUB_TOKEN == '' && github.token || secrets.DOCKERHUB_TOKEN }}
       - name: Build docker image
+        id: build
         uses: docker/build-push-action@v6
         with:
           context: .
           file: Dockerfile
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          platforms: ${{ matrix.os }}/${{ matrix.arch}}
           build-contexts: |
             git=.git
             docker=docker
           target: run
           push: ${{ github.event_name == 'release' && 'true' || 'false' }}
-          tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ env.REGISTRY_IMAGE }}
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+      - name: Export digest
+        env:
+          digest: ${{ steps.build.outputs.digest }}
+        run: |
+          : Create digests directory with a file whose name matches the digest env with the 'sha256:' prefix removed
+          mkdir -p "$RUNNER_TEMP/digests"
+          touch "$RUNNER_TEMP/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.os }}-${{ matrix.arch }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    needs:
+      - build
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.DOCKERHUB_TOKEN == '' && 'ghcr.io' || '' }}
+          username: ${{ secrets.DOCKERHUB_TOKEN == '' && github.actor || vars.DOCKERHUB_USER || 'initcrash' }}
+          password: ${{ secrets.DOCKERHUB_TOKEN == '' && github.token || secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf "$REGISTRY_IMAGE"'@sha256:%s ' *)
+
+      - name: Inspect image
+        env:
+          version: ${{ steps.meta.outputs.version }}
+        run: |
+          docker buildx imagetools inspect $REGISTRY_IMAGE:$version
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1.8@sha256:d6d396f3780b1dd56a3acbc975f57bd2fc501989b50164c41387c42d04e780d0
 
 ARG ALPINE_VERSION=3.21
-ARG ARCH=x86_64
+ARG ARCH=${TARGETARCH}
 
 FROM alpine:${ALPINE_VERSION} AS rust-base
 
@@ -18,18 +18,37 @@ ARG RUSTUP_VERSION=1.27.1
 
 # Update check: https://github.com/rust-lang/rust/tags
 ARG RUST_VERSION=1.85.0
-ARG RUST_ARCH=${ARCH}-unknown-linux-musl
 
 # https://github.com/sfackler/rust-openssl/issues/1462
 ENV RUSTFLAGS="-Ctarget-feature=-crt-static"
 
-ADD --chmod=755 https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/${RUST_ARCH}/rustup-init /tmp
-RUN /tmp/rustup-init \
+RUN <<EOF
+set -eux
+
+apk add --no-cache curl
+
+if [ "$ARCH" = amd64 ]; then
+    rust_arch=x86_64;
+elif [ "$ARCH" = arm64 ]; then
+    rust_arch=aarch64;
+else
+    echo "Unsupported arch";
+    exit 1
+fi
+
+rust_arch=${rust_arch}-unknown-linux-musl
+
+curl -sSL https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/${rust_arch}/rustup-init -o /tmp/rustup-init
+chmod +x /tmp/rustup-init
+/tmp/rustup-init \
     -y \
     --no-modify-path \
     --profile minimal \
     --default-toolchain ${RUST_VERSION} \
-    --default-host ${RUST_ARCH}
+    --default-host ${rust_arch}
+rm /tmp/rustup-init
+apk del curl
+EOF
 
 FROM rust-base AS dev-planner
 
@@ -51,8 +70,8 @@ RUN apk add --no-cache \
 
 WORKDIR /usr/src/josh
 RUN rustup component add rustfmt
-RUN cargo install --version 0.1.71 cargo-chef
-RUN cargo install --verbose --version 0.10.0 graphql_client_cli
+RUN cargo install --version 0.1.71 cargo-chef &&\
+    cargo install --verbose --version 0.10.0 graphql_client_cli
 
 RUN apk add --no-cache \
     bash \
@@ -73,11 +92,13 @@ RUN apk add --no-cache \
 
 # Update check: https://github.com/git/git/tags
 ARG GIT_VERSION=2.45.2
+ENV PATH=${PATH}:/opt/git-install/bin
 WORKDIR /usr/src/git
 RUN <<EOF
 set -e
 wget https://mirrors.edge.kernel.org/pub/software/scm/git/git-${GIT_VERSION}.tar.gz
 tar --extract --gzip --file git-${GIT_VERSION}.tar.gz
+rm git-${GIT_VERSION}.tar.gz
 cd git-${GIT_VERSION}
 make configure
 ./configure \
@@ -86,13 +107,11 @@ make configure
     --exec-prefix=/opt/git-install
 make -j$(nproc)
 make install
+mkdir /opt/git-install/etc
+git config -f /opt/git-install/etc/gitconfig --add safe.directory "*"
+git config -f /opt/git-install/etc/gitconfig protocol.file.allow "always"
 EOF
 
-ENV PATH=${PATH}:/opt/git-install/bin
-RUN mkdir /opt/git-install/etc
-RUN git config -f /opt/git-install/etc/gitconfig --add safe.directory "*" && \
-    git config -f /opt/git-install/etc/gitconfig protocol.file.allow "always"
-
 # Update check: https://github.com/prysk/prysk/releases
 ARG PRYSK_VERSION=0.20.0
 
@@ -109,20 +128,23 @@ RUN cd lfs-test-server && GOPATH=/opt/git-lfs go install
 
 ENV PATH=${PATH}:/opt/git-lfs/bin
 
-RUN git clone https://github.com/git-lfs/git-lfs.git /usr/src/git-lfs
-WORKDIR /usr/src/git-lfs
-RUN make
-RUN cp bin/git-lfs /opt/git-lfs/bin
+RUN <<EOF
+set -eux
+git clone https://github.com/git-lfs/git-lfs.git /usr/src/git-lfs
+cd /usr/src/git-lfs
+make
+cp bin/git-lfs /opt/git-lfs/bin
+EOF
 
 WORKDIR /usr/src/josh
 
 FROM dev AS dev-local
 
-RUN mkdir -p /opt/cache && \
-    chmod 777 /opt/cache
-
-RUN mkdir -p /josh/static && \
-    chmod 777 /josh/static
+RUN <<EOF
+set -eux
+mkdir -p /opt/cache /josh/static
+chmod 777 /opt/cache /josh/static
+EOF
 
 VOLUME /opt/cache
 
@@ -136,19 +158,21 @@ RUN npm config set cache /opt/cache/npm-cache --global
 ARG USER_GID
 ARG USER_UID
 
-RUN \
-  if [ ! $(getent group ${USER_GID}) ] ; then \
-    addgroup \
-      -g ${USER_GID} dev ; \
-  fi
+RUN <<EOF
+set -eux
+
+if [ ! $(getent group ${USER_GID}) ] ; then
+    addgroup -g ${USER_GID} dev
+fi
 
-RUN adduser \
-      -u ${USER_UID} \
-      -G $(getent group ${USER_GID} | cut -d: -f1) \
-      -D \
-      -H \
-      -g '' \
-      dev
+adduser \
+    -u ${USER_UID} \
+    -G $(getent group ${USER_GID} | cut -d: -f1) \
+    -D \
+    -H \
+    -g '' \
+    dev
+EOF
 
 FROM dev AS dev-cache
 
@@ -201,16 +225,40 @@ COPY --from=build --link=false /opt/cargo-target/release/josh-ssh-shell /usr/bin
 COPY --from=build --link=false /usr/src/josh/static/ /josh/static/
 
 ARG S6_OVERLAY_VERSION=3.1.2.1
-ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz /tmp
-RUN tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
 ARG ARCH
-ADD https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${ARCH}.tar.xz /tmp
-RUN tar -C / -Jxpf /tmp/s6-overlay-${ARCH}.tar.xz
+RUN <<EOF
+set -eux
+
+apk add --no-cache curl
+
+curl -sSL https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz \
+    -o /tmp/s6-overlay-noarch.tar.xz
+tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz
+rm /tmp/s6-overlay-noarch.tar.xz
+
+if [ "$ARCH" = amd64 ]; then
+    s6_arch=x86_64;
+elif [ "$ARCH" = arm64 ]; then
+    s6_arch=aarch64;
+else
+    echo "Unsupported arch";
+    exit 1
+fi
+
+curl -sSL https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${s6_arch}.tar.xz \
+    -o /tmp/s6-overlay-arch.tar.xz
+tar -C / -Jxpf /tmp/s6-overlay-arch.tar.xz
+rm /tmp/s6-overlay-arch.tar.xz
+
+apk del curl
+EOF
 
 ARG GIT_GID_UID=2001
 
-RUN addgroup -g ${GIT_GID_UID} git
-RUN adduser \
+RUN <<EOF
+set -eux
+addgroup -g ${GIT_GID_UID} git
+adduser \
     -h /home/git \
     -s /usr/bin/josh-ssh-shell \
     -G git \
@@ -219,7 +267,8 @@ RUN adduser \
     git
 
 # https://unix.stackexchange.com/a/193131/336647
-RUN usermod -p '*' git
+usermod -p '*' git
+EOF
 
 COPY --from=docker --link=false etc/ssh/sshd_config.template /etc/ssh/sshd_config.template
 
diff --git a/tester.sh b/tester.sh
@@ -22,12 +22,6 @@ else
     TESTS="$*"
 fi
 
-ARCH=$(arch)
-
-if [ "$ARCH" = "arm64" ]; then
-    ARCH="aarch64"
-fi
-
 echo "running: ${TESTS}"
 
 if (( ! NO_BUILD_CONTAINER )); then
@@ -36,7 +30,6 @@ if (( ! NO_BUILD_CONTAINER )); then
         --tag=josh-dev-local \
         --build-arg USER_UID="$(id -u)" \
         --build-arg USER_GID="$(id -g)" \
-        --build-arg ARCH="${ARCH}" \
         .
 fi
 
