workflows/docker: build and publish ARM64 Docker images

This modifies the Docker workflow to first build the images natively on x86_64 and ARM64 runners, push them by digest to the registry, and then merge the manifest lists to form a tagged multi-platform image. This allows e.g. `docker run homebrew/brew` to work on both platforms. Ref: https://docs.docker.com/build/ci/github-actions/multi-platform/
Homebrew · Feb 9, 2025 · 16f66b8 · 16f66b8
1 parent 6567eb2
commit 16f66b8
Showing 1 changed file with 77 additions and 13 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -18,14 +18,18 @@ defaults:
     shell: bash -xeuo pipefail {0}
 
 jobs:
-  ubuntu:
+  build:
     if: github.repository_owner == 'Homebrew'
-    name: docker (Ubuntu ${{ matrix.version }})
-    runs-on: ubuntu-latest
+    name: docker (${{ matrix.arch }} Ubuntu ${{ matrix.version }})
+    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
     strategy:
       fail-fast: false
       matrix:
         version: ["18.04", "20.04", "22.04", "24.04"]
+        arch: ["x86_64", "arm64"]
+    outputs:
+      tags: ${{ steps.attributes.outputs.tags }}
+      push: ${{ steps.attributes.outputs.push }}
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -122,6 +126,7 @@ jobs:
           labels: ${{ steps.attributes.outputs.labels }}
 
       - name: Run brew test-bot --only-setup
+        if: matrix.arch == 'x86_64'
         run: docker run --rm brew brew test-bot --only-setup
 
       - name: Log in to GitHub Packages (BrewTestBot)
@@ -132,21 +137,80 @@ jobs:
           username: BrewTestBot
           password: ${{ secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN }}
 
-      - name: Log in to Docker Hub
-        if: steps.attributes.outputs.push == 'true'
-        uses: docker/#-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          username: brewtestbot
-          password: ${{ secrets.HOMEBREW_BREW_DOCKER_TOKEN }}
-
-      - name: Deploy the tagged Docker image
+      - name: Deploy the Docker image by digest
+        id: digest
         if: steps.attributes.outputs.push == 'true'
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
           context: .
-          push: true
-          tags: ${{ steps.attributes.outputs.tags }}
           cache-from: type=registry,ref=ghcr.io/homebrew/ubuntu${{ matrix.version }}:cache
           cache-to: type=registry,ref=ghcr.io/homebrew/ubuntu${{ matrix.version }}:cache,mode=max
           build-args: version=${{ matrix.version }}
           labels: ${{ steps.attributes.outputs.labels }}
+          outputs: type=image,name=ghcr.io/homebrew/ubuntu${{ matrix.version }},name-canonical=true,push=true,push-by-digest=true
+
+      - name: Export the Docker image digest
+        if: steps.attributes.outputs.push == 'true'
+        run: |
+          mkdir -p "${RUNNER_TEMP}"/digests
+          echo "${DIGEST#sha256:}" >"${RUNNER_TEMP}"/digests/"${VERSION}-${ARCH}"
+        env:
+          DIGEST: ${{ steps.digest.outputs.digest }}
+          VERSION: ${{ matrix.version }}
+          ARCH: ${{ matrix.arch }}
+
+      - name: Upload the Docker image digest
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: digest-${{ matrix.version }}-${{ matrix.arch }}
+          path: ${{ runner.temp }}/digests/*
+
+  merge:
+    needs: build
+    if: github.repository_owner == 'Homebrew' && needs.build.outputs.push == 'true'
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        version: ["18.04", "20.04", "22.04", "24.04"]
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
+        with:
+          cache-binary: false
+
+      - name: Download Docker image digests
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digest-${{ matrix.version }}-*
+          merge-multiple: true
+
+      - name: Log in to Docker Hub
+        uses: docker/#-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          username: brewtestbot
+          password: ${{ secrets.HOMEBREW_BREW_DOCKER_TOKEN }}
+
+      - name: Log in to GitHub Packages (BrewTestBot)
+        uses: docker/#-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: BrewTestBot
+          password: ${{ secrets.HOMEBREW_BREW_GITHUB_PACKAGES_TOKEN }}
+
+      - name: Merge and push Docker image
+        run: |
+          tag_args=()
+          while IFS=$'\n' read -r tag; do
+            [[ -n "${tag}" ]] || continue
+            tag_args+=("--tag=${tag}")
+          done <<<"${TAGS}"
+
+          docker buildx imagetools create \
+            "${tag_args[@]}" \
+            "ghcr.io/homebrew/ubuntu${VERSION}@sha256:$(cat "${RUNNER_TEMP}"/digests/"${VERSION}-x86_64")" \
+            "ghcr.io/homebrew/ubuntu${VERSION}@sha256:$(cat "${RUNNER_TEMP}"/digests/"${VERSION}-arm64")"
+        env:
+          TAGS: ${{ needs.build.outputs.tags }}
+          VERSION: ${{ matrix.version }}