AP-735: use shared GHA workflows to ensure multi-arch builds (#25)

anarchivist · web-flow · commit d5c9b4b68b8b · 2026-06-22T08:35:22.000-07:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,111 +6,20 @@ on:
       - '**'
   workflow_dispatch:
 
-env:
-  DOCKER_METADATA_SET_OUTPUT_ENV: 'true'
 
 jobs:
-  build:
-    runs-on: ${{ matrix.runner }}
-    outputs:
-      build-image-arm: ${{ steps.gen-output.outputs.image-arm64 }}
-      build-image-x64: ${{ steps.gen-output.outputs.image-x64 }}
-    strategy:
-      fail-fast: false
-      matrix:
-        runner:
-          - ubuntu-24.04
-          - ubuntu-24.04-arm
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          # note Specifies a single tag to ensure the default doesn't add more than one.
-          #      The actual tag is not used, this is just used to sanitize the registry name
-          #      and produce labels.
-          tags: type=sha
-
-      - name: Sanitize registry repository name
-        id: get-reg
-        run: |
-          echo "registry=$(echo '${{ steps.meta.outputs.tags }}' | cut -f1 -d:)" | tee -a "$GITHUB_OUTPUT"
-
-      - name: Build/push the arch-specific image
-        id: build
-        uses: docker/build-push-action@v6
-        with:
-          # @todo GHA caching needs tuning, these tend not to hit. Perhaps switch to type=registry?
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          labels: ${{ steps.meta.outputs.labels }}
-          provenance: mode=max
-          sbom: true
-          tags: ${{ steps.get-reg.outputs.registry }}
-          outputs: type=image,push-by-digest=true,push=true
-
-      - name: Write arch-specific image digest to outputs
-        id: gen-output
-        run: |
-          echo "image-${RUNNER_ARCH,,}=${{ steps.get-reg.outputs.registry }}@${{ steps.build.outputs.digest }}" | tee -a "$GITHUB_OUTPUT"
-
-  merge:
-    runs-on: ubuntu-24.04
-    needs:
-      - build
-    env:
-      DOCKER_APP_IMAGE_ARM64: ${{ needs.build.outputs.build-image-arm }}
-      DOCKER_APP_IMAGE_X64: ${{ needs.build.outputs.build-image-x64 }}
-    outputs:
-      build-image: ${{ steps.meta.outputs.tags }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=sha,suffix=-build-${{ github.run_id }}_${{ github.run_attempt }}
-
-      - name: Push the multi-platform image
-        run: |
-          docker buildx imagetools create \
-            --tag "$DOCKER_METADATA_OUTPUT_TAGS" \
-            "$DOCKER_APP_IMAGE_ARM64" "$DOCKER_APP_IMAGE_X64"
+  docker-build:
+    uses: BerkeleyLibrary/.github/.github/workflows/docker-build.yml@v2.0.0
+    with:
+      image: ghcr.io/${{ github.repository }}
+    secrets: inherit
 
   test:
     runs-on: ubuntu-latest
     needs:
-      - merge
+      - docker-build
     container:
-      image: ${{ needs.merge.outputs.build-image }}
+      image: ${{ needs.docker-build.outputs.image }}
     defaults:
       run:
         working-directory: /opt/app
@@ -138,41 +47,18 @@ jobs:
 
       - name: Upload artifacts
         if: ${{ always() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         with:
           name: artifacts
           path: artifacts/**
 
   push:
-    runs-on: ubuntu-24.04
     needs:
-      - merge
+      - docker-build
       - test
-    env:
-      DOCKER_APP_IMAGE: ${{ needs.merge.outputs.build-image }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Produce permanent image tags
-        id: branch-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=sha
-            type=ref,event=branch
-            type=raw,value=latest,enable={{is_default_branch}}
-
-      - name: Retag and push the image
-        run: |
-          docker pull "$DOCKER_APP_IMAGE"
-          echo "$DOCKER_METADATA_OUTPUT_TAGS" | tr ' ' '\n' | xargs -n1 docker tag "$DOCKER_APP_IMAGE"
-          docker push --all-tags "$(echo "$DOCKER_APP_IMAGE" | cut -f1 -d:)"
+    uses: BerkeleyLibrary/.github/.github/workflows/docker-push.yml@v2.0.0
+    with:
+      image: ghcr.io/${{ github.repository }}
+      build-image-arm64: ${{ needs.docker-build.outputs.image-arm64 }}
+      build-image-x64: ${{ needs.docker-build.outputs.image-x64 }}
+    secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,59 +4,12 @@ on:
   push:
     tags:
       - '**'
+  workflow_call:
   workflow_dispatch:
 
-env:
-  DOCKER_METADATA_SET_OUTPUT_ENV: 'true'
-
 jobs:
-  retag:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Determine the sha-based image tag to retag
-        id: get-base-image
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: type=sha
-
-      - name: Verify that the image was previously built
-        env:
-          BASE_IMAGE: ${{ steps.get-base-image.outputs.tags }}
-        run: |
-          docker pull "$BASE_IMAGE"
-
-      - name: Produce release tags
-        id: tag-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          flavor: latest=false
-          tags: |
-            type=ref,event=tag
-            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{version}}
-
-      - name: Retag the pulled image
-        env:
-          BASE_IMAGE: ${{ steps.get-base-image.outputs.tags }}
-        run: |
-          echo "$DOCKER_METADATA_OUTPUT_TAGS" | tr ' ' '\n' | xargs -n1 docker tag "$BASE_IMAGE"
-          docker push --all-tags "$(echo "$BASE_IMAGE" | cut -f1 -d:)"
+  release:
+    uses: BerkeleyLibrary/.github/.github/workflows/docker-release.yml@v2.0.0
+    with:
+      image: ghcr.io/${{ github.repository }}
+    secrets: inherit
