Build images as multi-arch (amd64 + arm64) manifest lists.

.github/workflows/ci.yml

@@ -1,30 +1,29 @@
 name: "Build"
 on:
-  push:
-    branches:
-      - master
   pull_request:
     branches:
       - master
-  schedule:
-    - cron: '0 0 * * 0' 
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
 jobs:
-  build_push_check:
-    name: Build docker image, publish it and run vuln scanner against it
+  build_amd64:
+    name: Build amd64 images (push by digest)
     permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      packages: write # for image publication to GitHub Packages
-    runs-on: ubuntu-latest
+      contents: read
+      packages: write
+    runs-on: ubuntu-24.04
     environment:
       name: ci-build
+    outputs:
+      latest_image_tag: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
       - name: Set up Docker Buildx
-        id: buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
       - name: Login to ghcr.io
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
@@ -45,20 +44,129 @@ jobs:
         run: ./build --test
       - name: Describe images
         run: ./build --describe >> $GITHUB_STEP_SUMMARY
-      - name: Push images
+      - name: Push images by digest
+        env:
+          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
         run: ./build --push
-      - name: Run Trivy vulnerability scanner
+      - name: Upload digest metadata
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: digests-amd64
+          path: digests/amd64-*.json
+          if-no-files-found: error
+          retention-days: 1
+
+  build_arm64:
+    name: Build arm64 images (push by digest)
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ubuntu-24.04-arm
+    environment:
+      name: ci-build
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
+      - name: Login to ghcr.io
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+        with:
+          docker-images: false
+      - name: Build arm64 images
+        env:
+          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
+          PLATFORM: linux/arm64
+        run: ./build
+      - name: Test arm64 images
+        env:
+          PLATFORM: linux/arm64
+        run: ./build --test
+      - name: Describe arm64 images
+        env:
+          PLATFORM: linux/arm64
+        run: ./build --describe >> $GITHUB_STEP_SUMMARY
+      - name: Push arm64 images by digest
+        env:
+          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
+          PLATFORM: linux/arm64
+        run: ./build --push
+      - name: Upload digest metadata
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: digests-arm64
+          path: digests/arm64-*.json
+          if-no-files-found: error
+          retention-days: 1
+
+  merge_manifests:
+    name: Merge per-arch digests into multi-arch manifests
+    needs: [build_amd64, build_arm64]
+    permissions:
+      contents: read
+      security-events: write
+      packages: write
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
+      - name: Login to ghcr.io
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Download amd64 digests
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: digests-amd64
+          path: digests
+      - name: Download arm64 digests
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: digests-arm64
+          path: digests
+      - name: Create multi-arch manifests
+        run: ./build --merge
+      - name: Run Trivy vulnerability scanner (amd64)
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          image-ref: '${{ needs.build_amd64.outputs.latest_image_tag }}'
+          format: 'sarif'
+          output: 'trivy-results-amd64.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+        env:
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+          TRIVY_PLATFORM: linux/amd64
+      - name: Upload amd64 Trivy results
+        uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        with:
+          sarif_file: 'trivy-results-amd64.sarif'
+          category: trivy-amd64
+      - name: Run Trivy vulnerability scanner (arm64)
         uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         with:
-          image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}'
+          image-ref: '${{ needs.build_amd64.outputs.latest_image_tag }}'
           format: 'sarif'
-          output: 'trivy-results.sarif'
+          output: 'trivy-results-arm64.sarif'
           severity: 'CRITICAL,HIGH'
           limit-severities-for-sarif: true
         env:
           TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
           TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
-      - name: Upload Trivy scan results to GitHub Security tab
+          TRIVY_PLATFORM: linux/arm64
+      - name: Upload arm64 Trivy results
         uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results-arm64.sarif'
+          category: trivy-arm64

.github/workflows/docker-tag.yml

@@ -14,7 +14,7 @@ on:
 jobs:
   tag-images:
     name: Tag new images version
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
@@ -28,6 +28,8 @@ jobs:
           tar -xzf crane.tar.gz crane
           sudo mv crane /usr/local/bin/crane
           rm crane.tar.gz
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # 4.0.0
       - name: Login to ghcr.io
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # 4.1.0
         with:

.github/workflows/registry-cleanup.yml

@@ -12,7 +12,7 @@ jobs:
       contents: read
       packages: write
     steps:
-    - name: Prune untagged images
+    - name: Prune stale PR test image tags
       uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 #v0.6.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
@@ -21,4 +21,8 @@ jobs:
         keep-younger-than: 30 # days
         prune-tags-regexes: |
           ^[a-z0-9]+_merge-
-        prune-untagged: true
+        # IMPORTANT: do NOT enable prune-untagged. With multi-arch manifest
+        # lists, each per-arch child manifest appears "untagged" in GHCR even
+        # though it is referenced by a tagged manifest list. Pruning untagged
+        # images would dereference the manifest lists and break pulls.
+        prune-untagged: false

.gitignore

@@ -1 +1,3 @@
 .idea
+.DS_Store
+digests/

Dockerfile

@@ -1,11 +1,20 @@
-# syntax=docker/dockerfile:1.6
-
+# syntax=docker/dockerfile:1.10
+
+# NOTE: This Dockerfile is intended to be invoked via the `./build` script,
+# which sets ALL_JDK_STAGE / FULL_STAGE according to the target architecture.
+# The defaults below are for amd64. When building arm64 directly with `docker
+# build`, you MUST pass `--build-arg ALL_JDK_STAGE=all-jdk-arm64 --build-arg
+# FULL_STAGE=full-arm64` (and `--platform linux/arm64`), or the produced image
+# will silently mix amd64 binaries (zulu7, ibm8) into an arm64 image.
 ARG LATEST_VERSION
+ARG ALL_JDK_STAGE=all-jdk-amd64
+ARG FULL_STAGE=full-amd64
 FROM eclipse-temurin:${LATEST_VERSION}-jdk-noble AS temurin-latest
 
 # Intermediate image used to prune cruft from JDKs and squash them all.
-FROM ubuntu:24.04 AS all-jdk
+FROM ubuntu:24.04 AS all-jdk-common
 ARG LATEST_VERSION
+ARG TARGETARCH
 
 RUN <<-EOT
 	set -eux
@@ -54,12 +63,9 @@ COPY --from=eclipse-temurin:25-jdk-noble /opt/java/openjdk /usr/lib/jvm/25
 COPY --from=eclipse-temurin:26-jdk-noble /opt/java/openjdk /usr/lib/jvm/26
 COPY --from=temurin-latest /opt/java/openjdk /usr/lib/jvm/${LATEST_VERSION}
 
-COPY --from=azul/zulu-openjdk:7 /usr/lib/jvm/zulu7 /usr/lib/jvm/7
 COPY --from=azul/zulu-openjdk:8 /usr/lib/jvm/zulu8 /usr/lib/jvm/zulu8
 COPY --from=azul/zulu-openjdk:11 /usr/lib/jvm/zulu11 /usr/lib/jvm/zulu11
 
-COPY --from=ibmjava:8-sdk /opt/ibm/java /usr/lib/jvm/ibm8
-
 COPY --from=ibm-semeru-runtimes:open-8-jdk-noble /opt/java/openjdk /usr/lib/jvm/semeru8
 COPY --from=ibm-semeru-runtimes:open-11-jdk-noble /opt/java/openjdk /usr/lib/jvm/semeru11
 COPY --from=ibm-semeru-runtimes:open-17-jdk-noble /opt/java/openjdk /usr/lib/jvm/semeru17
@@ -76,9 +82,14 @@ COPY --from=ghcr.io/graalvm/native-image-community:25-ol10 /usr/lib64/graalvm/gr
 # 2. Once created, token should be added to GitHub protected environment by repository administrator.
 RUN --mount=type=secret,id=oracle_java8_token,uid=1001,gid=1001,mode=0400 <<-EOT
 	set -eux
+	case "${TARGETARCH}" in
+		amd64) ORACLE_JAVA8_PACKAGE="jdk-8-linux-x64_bin.tar.gz" ;;
+		arm64) ORACLE_JAVA8_PACKAGE="jdk-8-linux-aarch64_bin.tar.gz" ;;
+		*) echo "Unsupported TARGETARCH for Oracle Java 8: ${TARGETARCH}" >&2; exit 1 ;;
+	esac
 	sudo mkdir -p /usr/lib/jvm/oracle8
 	ORACLE_JAVA8_TOKEN="$(cat /run/secrets/oracle_java8_token)"
-	sudo curl -L --fail -H "token:${ORACLE_JAVA8_TOKEN}" https://java.oraclecloud.com/java/8/latest/jdk-8-linux-x64_bin.tar.gz | sudo tar -xvzf - -C /usr/lib/jvm/oracle8 --strip-components 1
+	sudo curl -L --fail -H "token:${ORACLE_JAVA8_TOKEN}" "https://java.oraclecloud.com/java/8/latest/${ORACLE_JAVA8_PACKAGE}" | sudo tar -xvzf - -C /usr/lib/jvm/oracle8 --strip-components 1
 	unset ORACLE_JAVA8_TOKEN
 EOT
 
@@ -91,6 +102,25 @@ RUN <<-EOT
 		/usr/lib/jvm/graalvm*/lib/installer
 EOT
 
+FROM --platform=linux/amd64 azul/zulu-openjdk:7 AS zulu7-amd64
+FROM --platform=linux/amd64 ibmjava:8-sdk AS ibm8-amd64
+
+FROM all-jdk-common AS all-jdk-arm64
+
+FROM all-jdk-common AS all-jdk-amd64
+
+COPY --from=zulu7-amd64 /usr/lib/jvm/zulu7 /usr/lib/jvm/7
+COPY --from=ibm8-amd64 /opt/ibm/java /usr/lib/jvm/ibm8
+
+RUN <<-EOT
+	sudo rm -rf \
+		/usr/lib/jvm/*/lib/src.zip \
+		/usr/lib/jvm/*/demo \
+		/usr/lib/jvm/*/sample
+EOT
+
+FROM ${ALL_JDK_STAGE} AS all-jdk
+
 FROM scratch AS default-jdk
 ARG LATEST_VERSION
 
@@ -107,6 +137,7 @@ COPY --from=all-jdk /usr/lib/jvm/${LATEST_VERSION} /usr/lib/jvm/${LATEST_VERSION
 FROM ubuntu:24.04 AS base
 ARG LATEST_VERSION
 ARG DATADOG_CI_VERSION=5.17.0
+ARG TARGETARCH
 ENV LATEST_VERSION=${LATEST_VERSION}
 
 # https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package
@@ -163,13 +194,25 @@ RUN <<-EOT
 	sudo pip3 install --break-system-packages awscli
 	sudo pip3 cache purge
 
+	case "${TARGETARCH}" in
+		amd64)
+			DATADOG_CI_ARCH="x64"
+			VAULT_ARCH="amd64"
+			;;
+		arm64)
+			DATADOG_CI_ARCH="arm64"
+			VAULT_ARCH="arm64"
+			;;
+		*) echo "Unsupported TARGETARCH for tooling: ${TARGETARCH}" >&2; exit 1 ;;
+	esac
+
 	# datadog-ci
-	sudo curl -L --fail "https://github.com/DataDog/datadog-ci/releases/download/v${DATADOG_CI_VERSION}/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
+	sudo curl -L --fail "https://github.com/DataDog/datadog-ci/releases/download/v${DATADOG_CI_VERSION}/datadog-ci_linux-${DATADOG_CI_ARCH}" --output "/usr/local/bin/datadog-ci"
 	sudo chmod +x /usr/local/bin/datadog-ci
 
 	# vault installation inspired by https://github.com/DataDog/datadog-agent-buildimages/blob/main/agent-deploy/Dockerfile
 	VAULT_VERSION=1.20.4
-	curl -fsSL "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" -o vault.zip
+	curl -fsSL "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" -o vault.zip
 	unzip vault.zip
 	sudo mv vault /usr/local/bin/vault
 	chmod +x /usr/local/bin/vault
@@ -210,32 +253,26 @@ ENV JAVA_${VARIANT_UPPER}_HOME=/usr/lib/jvm/${VARIANT_LOWER}
 ENV JAVA_${VARIANT_LOWER}_HOME=/usr/lib/jvm/${VARIANT_LOWER}
 
 # Full image for debugging, contains all JDKs.
-FROM base AS full
+FROM base AS full-common
 
 USER non-root-user
 WORKDIR /home/non-root-user
 
-COPY --from=all-jdk /usr/lib/jvm/7 /usr/lib/jvm/7
 COPY --from=all-jdk /usr/lib/jvm/zulu8 /usr/lib/jvm/zulu8
 COPY --from=all-jdk /usr/lib/jvm/zulu11 /usr/lib/jvm/zulu11
 COPY --from=all-jdk /usr/lib/jvm/oracle8 /usr/lib/jvm/oracle8
-COPY --from=all-jdk /usr/lib/jvm/ibm8 /usr/lib/jvm/ibm8
 COPY --from=all-jdk /usr/lib/jvm/semeru8 /usr/lib/jvm/semeru8
 COPY --from=all-jdk /usr/lib/jvm/semeru11 /usr/lib/jvm/semeru11
 COPY --from=all-jdk /usr/lib/jvm/semeru17 /usr/lib/jvm/semeru17
 COPY --from=all-jdk /usr/lib/jvm/graalvm17 /usr/lib/jvm/graalvm17
 COPY --from=all-jdk /usr/lib/jvm/graalvm21 /usr/lib/jvm/graalvm21
 COPY --from=all-jdk /usr/lib/jvm/graalvm25 /usr/lib/jvm/graalvm25
 
-ENV JAVA_7_HOME=/usr/lib/jvm/7
-
-ENV JAVA_ZULU7_HOME=/usr/lib/jvm/7
 ENV JAVA_ZULU8_HOME=/usr/lib/jvm/zulu8
 ENV JAVA_ZULU11_HOME=/usr/lib/jvm/zulu11
 
 ENV JAVA_ORACLE8_HOME=/usr/lib/jvm/oracle8
 
-ENV JAVA_IBM8_HOME=/usr/lib/jvm/ibm8
 # Temporarily set these aliases for backwards compatibility.
 ENV JAVA_IBM11_HOME=/usr/lib/jvm/semeru11
 ENV JAVA_IBM17_HOME=/usr/lib/jvm/semeru17
@@ -247,3 +284,16 @@ ENV JAVA_SEMERU17_HOME=/usr/lib/jvm/semeru17
 ENV JAVA_GRAALVM17_HOME=/usr/lib/jvm/graalvm17
 ENV JAVA_GRAALVM21_HOME=/usr/lib/jvm/graalvm21
 ENV JAVA_GRAALVM25_HOME=/usr/lib/jvm/graalvm25
+
+FROM full-common AS full-arm64
+
+FROM full-common AS full-amd64
+
+COPY --from=all-jdk /usr/lib/jvm/7 /usr/lib/jvm/7
+COPY --from=all-jdk /usr/lib/jvm/ibm8 /usr/lib/jvm/ibm8
+
+ENV JAVA_7_HOME=/usr/lib/jvm/7
+ENV JAVA_ZULU7_HOME=/usr/lib/jvm/7
+ENV JAVA_IBM8_HOME=/usr/lib/jvm/ibm8
+
+FROM ${FULL_STAGE} AS full