Build images as multi-arch (amd64 + arm64) manifest lists. (#163)

Build images as multi-arch (amd64 + arm64) manifest lists.
---------
Co-authored-by: Brice Dutheil <brice.dutheil@gmail.com>

Author: AlexeyKuznetsov-DD

.github/workflows/ci.yml

@@ -7,24 +7,28 @@ on:
     branches:
       - master
   schedule:
-    - cron: '0 0 * * 0' 
+    - cron: '0 0 * * 0'
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
 jobs:
-  build_push_check:
-    name: Build docker image, publish it and run vuln scanner against it
+  build_amd64:
+    name: Build amd64 images (push by digest)
     permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      packages: write # for image publication to GitHub Packages
-    runs-on: ubuntu-latest
+      contents: read
+      packages: write
+    runs-on: ubuntu-24.04
     environment:
       name: ci-build
+    outputs:
+      latest_image_tag: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
       - name: Set up Docker Buildx
-        id: buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
       - name: Login to ghcr.io
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
@@ -45,20 +49,132 @@ jobs:
         run: ./build --test
       - name: Describe images
         run: ./build --describe >> $GITHUB_STEP_SUMMARY
-      - name: Push images
+      - name: Push images by digest
+        env:
+          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
+        run: ./build --push
+      - name: Upload digest metadata
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: digests-amd64
+          path: digests/amd64-*.json
+          if-no-files-found: error
+          retention-days: 1
+
+  build_arm64:
+    name: Build arm64 images (push by digest)
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ubuntu-24.04-arm
+    environment:
+      name: ci-build
+    outputs:
+      latest_image_tag: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
+      - name: Login to ghcr.io
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          docker-images: false
+      - name: Build arm64 images
+        id: build
+        env:
+          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
+          PLATFORM: linux/arm64
+        run: ./build
+      - name: Test arm64 images
+        env:
+          PLATFORM: linux/arm64
+        run: ./build --test
+      - name: Describe arm64 images
+        env:
+          PLATFORM: linux/arm64
+        run: ./build --describe >> $GITHUB_STEP_SUMMARY
+      - name: Push arm64 images by digest
+        env:
+          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
+          PLATFORM: linux/arm64
         run: ./build --push
-      - name: Run Trivy vulnerability scanner
+      - name: Upload digest metadata
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: digests-arm64
+          path: digests/arm64-*.json
+          if-no-files-found: error
+          retention-days: 1
+
+  merge_manifests:
+    name: Merge per-arch digests into multi-arch manifests
+    needs: [build_amd64, build_arm64]
+    permissions:
+      contents: read
+      security-events: write
+      packages: write
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
+      - name: Login to ghcr.io
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Download amd64 digests
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: digests-amd64
+          path: digests
+      - name: Download arm64 digests
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: digests-arm64
+          path: digests
+      - name: Create multi-arch manifests
+        run: ./build --merge
+      - name: Run Trivy vulnerability scanner (amd64)
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          image-ref: '${{ needs.build_amd64.outputs.latest_image_tag }}'
+          format: 'sarif'
+          output: 'trivy-results-amd64.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+          TRIVY_PLATFORM: linux/amd64
+      - name: Upload amd64 Trivy results
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        with:
+          sarif_file: 'trivy-results-amd64.sarif'
+          category: trivy-amd64
+      - name: Run Trivy vulnerability scanner (arm64)
         uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         with:
-          image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}'
+          image-ref: '${{ needs.build_arm64.outputs.latest_image_tag }}'
           format: 'sarif'
-          output: 'trivy-results.sarif'
+          output: 'trivy-results-arm64.sarif'
           severity: 'CRITICAL,HIGH'
           limit-severities-for-sarif: true
         env:
           TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
-      - name: Upload Trivy scan results to GitHub Security tab
+          TRIVY_PLATFORM: linux/arm64
+      - name: Upload arm64 Trivy results
         uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results-arm64.sarif'
+          category: trivy-arm64

.github/workflows/docker-tag.yml

@@ -14,7 +14,7 @@ on:
 jobs:
   tag-images:
     name: Tag new images version
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
@@ -28,6 +28,8 @@ jobs:
           tar -xzf crane.tar.gz crane
           sudo mv crane /usr/local/bin/crane
           rm crane.tar.gz
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
       - name: Login to ghcr.io
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
         with:
@@ -47,7 +49,12 @@ jobs:
           # Collect all image references from COPY --from= and FROM directives
           mapfile -t ALL_REFS < <({
             sed -n 's/.*--from=\([^ ]*\).*/\1/p' Dockerfile
-            awk '/^FROM/{print $2}' Dockerfile
+            # Skip FROM options like `--platform` to capture the image reference
+            awk '/^FROM/ {
+              for (i = 2; i <= NF; i++) {
+                if ($i !~ /^--/) { print $i; break }
+              }
+            }' Dockerfile
           })
 
           # Filter to only external images

.github/workflows/registry-cleanup.yml

@@ -12,7 +12,7 @@ jobs:
       contents: read
       packages: write
     steps:
-    - name: Prune untagged images
+    - name: Prune stale PR test image tags
       uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 #v0.6.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
@@ -21,4 +21,8 @@ jobs:
         keep-younger-than: 30 # days
         prune-tags-regexes: |
           ^[a-z0-9]+_merge-
-        prune-untagged: true
+        # IMPORTANT: do NOT enable prune-untagged. With multi-arch manifest
+        # lists, each per-arch child manifest appears "untagged" in GHCR even
+        # though it is referenced by a tagged manifest list. Pruning untagged
+        # images would dereference the manifest lists and break pulls.
+        prune-untagged: false

.github/workflows/vuln-check.yml

@@ -29,20 +29,42 @@ jobs:
         with:
           docker-images: false # Do not remove locally built images (including trivy scanner)
 
-      - name: Run Trivy vulnerability scanner
+      - name: Run Trivy vulnerability scanner (amd64)
         uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         with:
           image-ref: 'ghcr.io/datadog/dd-trace-java-docker-build:latest'
           format: 'sarif'
-          output: 'trivy-results.sarif'
+          output: 'trivy-results-amd64.sarif'
           severity: 'CRITICAL,HIGH'
           limit-severities-for-sarif: true
         env:
           TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+          TRIVY_PLATFORM: linux/amd64
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload amd64 Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
         if: always()
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results-amd64.sarif'
+          category: trivy-amd64
+
+      - name: Run Trivy vulnerability scanner (arm64)
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          image-ref: 'ghcr.io/datadog/dd-trace-java-docker-build:latest'
+          format: 'sarif'
+          output: 'trivy-results-arm64.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+          TRIVY_PLATFORM: linux/arm64
+
+      - name: Upload arm64 Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        if: always()
+        with:
+          sarif_file: 'trivy-results-arm64.sarif'
+          category: trivy-arm64

.gitignore

@@ -1 +1,3 @@
 .idea
+.DS_Store
+digests/