
Build images as multi-arch (amd64 + arm64) manifest lists. (#163) #551


Workflow file for this run

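---
# Build, test and publish the project's container images as multi-arch
# (amd64 + arm64) manifest lists on ghcr.io, then scan the published images
# with Trivy and upload the findings to GitHub code scanning.
#
# Flow: build_amd64 and build_arm64 each build natively on their own runner,
# run `./build --test`, push the per-arch images *by digest* and hand the
# digest metadata to merge_manifests through a one-day artifact;
# merge_manifests then assembles the multi-arch manifests (`./build --merge`)
# and scans one platform entry per architecture.
#
# Supply-chain notes for reviewers:
#   * Every third-party action is pinned to a full commit SHA; the trailing
#     comment is only the human-readable version. Keep pinning when bumping.
#   * No `${{ }}` expression is interpolated into a `run:` step, so the usual
#     expression-injection vector is absent in this file. All real build
#     logic lives in ./build, which is not reviewed here.
#   * Registry login happens only after the third-party disk-cleanup action
#     has run, so that action never executes with ghcr.io credentials on disk.
name: "Build"

on:
  push:
    branches:
      - master
  # NOTE(review): on pull_request events the push/merge steps below still run.
  # For PRs from forks GITHUB_TOKEN is read-only and repository secrets are
  # not provided, so `./build --push` is expected to fail there; for
  # same-repository PRs unreviewed code is pushed by digest and merged into
  # manifests. Confirm that `./build --merge` does not retag a release tag
  # (e.g. the "latest" tag exposed as LATEST_IMAGE_TAG) on PR runs, or gate the
  # push/merge steps with `if: github.event_name != 'pull_request'`.
  pull_request:
    branches:
      - master
  schedule:
    - cron: '0 0 * * 0'  # weekly rebuild so base-image fixes are picked up
  workflow_dispatch:

# Default-deny baseline: any job that omits `permissions` gets read-only
# contents and nothing else. Every job below declares exactly what it needs.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Never cancel a master run (it publishes); newer PR/branch runs supersede
  # older ones for the same ref.
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}

jobs:
  build_amd64:
    name: Build amd64 images (push by digest)
    permissions:
      contents: read
      packages: write  # needed for `./build --push` to ghcr.io
    runs-on: ubuntu-24.04
    # The `ci-build` environment scopes ORACLE_JAVA8_TOKEN (and any protection
    # rules configured on it) to the jobs that actually build.
    environment:
      name: ci-build
    outputs:
      # Tag written by ./build; consumed by merge_manifests as the Trivy
      # image-ref after the multi-arch manifest has been created.
      latest_image_tag: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2

      # Reclaim disk space before anything is built. Runs before the registry
      # login on purpose: this action does not need credentials, so it should
      # not have ~/.docker/config.json available while it executes.
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
        with:
          # Leave the runner's cached images alone. (The Trivy scanner now
          # runs in merge_manifests, so nothing in this job depends on a
          # pre-pulled scanner image.)
          docker-images: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0

      - name: Login to ghcr.io
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build images
        id: build
        env:
          # Environment-scoped secret; only exposed to the build and push
          # steps, not to the third-party actions above.
          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
        run: ./build

      - name: Test images
        run: ./build --test

      - name: Describe images
        run: ./build --describe >> $GITHUB_STEP_SUMMARY

      # Pushes by digest only; tags are applied later by merge_manifests.
      - name: Push images by digest
        env:
          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
        run: ./build --push

      - name: Upload digest metadata
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: digests-amd64
          path: digests/amd64-*.json
          if-no-files-found: error  # a silent empty artifact would break the merge
          retention-days: 1         # hand-off only; nothing downstream needs it later

  build_arm64:
    name: Build arm64 images (push by digest)
    permissions:
      contents: read
      packages: write  # needed for `./build --push` to ghcr.io
    runs-on: ubuntu-24.04-arm  # native arm64 runner, no QEMU emulation
    environment:
      name: ci-build
    outputs:
      latest_image_tag: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2

      # Same ordering rationale as build_amd64: cleanup runs before login so
      # the third-party action never sees registry credentials.
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
        with:
          docker-images: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0

      - name: Login to ghcr.io
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # PLATFORM is read by ./build (not shown here); it selects the arm64
      # variant for every step in this job.
      - name: Build arm64 images
        id: build
        env:
          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
          PLATFORM: linux/arm64
        run: ./build

      - name: Test arm64 images
        env:
          PLATFORM: linux/arm64
        run: ./build --test

      - name: Describe arm64 images
        env:
          PLATFORM: linux/arm64
        run: ./build --describe >> $GITHUB_STEP_SUMMARY

      - name: Push arm64 images by digest
        env:
          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
          PLATFORM: linux/arm64
        run: ./build --push

      - name: Upload digest metadata
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: digests-arm64
          path: digests/arm64-*.json
          if-no-files-found: error
          retention-days: 1

  merge_manifests:
    name: Merge per-arch digests into multi-arch manifests
    needs: [build_amd64, build_arm64]
    permissions:
      contents: read
      security-events: write  # upload-sarif
      packages: write         # `./build --merge` pushes the manifest lists
    runs-on: ubuntu-24.04
    # NOTE(review): this job publishes the tagged manifests but, unlike the two
    # build jobs, is not bound to the `ci-build` environment. If that
    # environment carries deployment protection rules, they are bypassed for
    # the step that actually makes images reachable by tag — confirm whether
    # `environment: { name: ci-build }` should be added here too.
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0

      - name: Login to ghcr.io
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Both artifacts are unpacked into the same `digests/` directory; the
      # per-arch file name patterns (amd64-*.json / arm64-*.json) keep them apart.
      - name: Download amd64 digests
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: digests-amd64
          path: digests

      - name: Download arm64 digests
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: digests-arm64
          path: digests

      - name: Create multi-arch manifests
        run: ./build --merge

      # The scans below run *after* the manifests have been published and are
      # report-only (no `exit-code`, so CRITICAL/HIGH findings never fail the
      # run). They cannot prevent a vulnerable image from being tagged; if a
      # gate is wanted, scan the locally built image in each build job before
      # `./build --push`, or add `exit-code: '1'` here and accept that the
      # tag is already live when the job fails.
      - name: Run Trivy vulnerability scanner (amd64)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          image-ref: '${{ needs.build_amd64.outputs.latest_image_tag }}'
          format: 'sarif'
          output: 'trivy-results-amd64.sarif'
          severity: 'CRITICAL,HIGH'
          limit-severities-for-sarif: true
        env:
          # Mirror list for the vulnerability databases; the second entry is a
          # fallback when the ghcr.io copy is rate-limited or unavailable.
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
          # Selects the amd64 entry of the multi-arch manifest.
          TRIVY_PLATFORM: linux/amd64

      - name: Upload amd64 Trivy results
        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          sarif_file: 'trivy-results-amd64.sarif'
          category: trivy-amd64  # distinct category so arm64 results do not overwrite these

      - name: Run Trivy vulnerability scanner (arm64)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          # Presumably the same tag as the amd64 scan; TRIVY_PLATFORM picks
          # the arm64 manifest entry.
          image-ref: '${{ needs.build_arm64.outputs.latest_image_tag }}'
          format: 'sarif'
          output: 'trivy-results-arm64.sarif'
          severity: 'CRITICAL,HIGH'
          limit-severities-for-sarif: true
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
          TRIVY_PLATFORM: linux/arm64

      - name: Upload arm64 Trivy results
        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
        with:
          sarif_file: 'trivy-results-arm64.sarif'
          category: trivy-arm64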