feat: add multi-architecture support for Docker builds and scans

milsman2 · milsman2 · commit 368b1768ebca · 2026-03-29T22:06:57.000-05:00
diff --git a/.github/workflows/ci-cd.yaml b/.github/workflows/ci-cd.yaml
@@ -32,20 +32,21 @@ jobs:
   docker-build-and-image-scan:
     if: github.event_name == 'push'
     needs: test
-    uses: milsman2/python-app-template/.github/workflows/docker-build-and-scan.yaml@main
+    uses: ./.github/workflows/docker-build-and-scan.yaml
     with:
       DOCKER_PATH_CONTEXT: .
       DOCKER_BUILD_DOCKERFILE: ./Dockerfile
-      DOCKER_TAGS: ${{ vars.DOCKER_USERNAME }}/${{ vars.DOCKER_REPOSITORY }}:${{ github.sha }}
+      DOCKER_TAGS: ${{ vars.DOCKER_USERNAME }}_${{ vars.DOCKER_REPOSITORY }}_${{ github.sha }}
       DOCKER_LOAD_BOOL: false
       DOCKER_PUSH_BOOL: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
       DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}
+      DOCKER_PLATFORMS: '["linux/amd64","linux/arm64"]'
     secrets: inherit
 
   release:
     if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
     needs: [test, docker-build-and-image-scan]
-    uses: milsman2/python-app-template/.github/workflows/release.yaml@main
+    uses: ./.github/workflows/release.yaml
     permissions:
       contents: write
     secrets: inherit
diff --git a/.github/workflows/docker-build-and-scan.yaml b/.github/workflows/docker-build-and-scan.yaml
@@ -23,44 +23,62 @@ on:
       DOCKER_USERNAME:
         required: true
         type: string
+      DOCKER_PLATFORMS:
+        required: false
+        type: string
+        default: 'linux/amd64,linux/arm64'
 
 jobs:
-  build-and-scan:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        platform: ${{ fromJson(inputs.DOCKER_PLATFORMS) }}
     env:
       DOCKER_PATH_CONTEXT: ${{ inputs.DOCKER_PATH_CONTEXT }}
       DOCKER_BUILD_DOCKERFILE: ${{ inputs.DOCKER_BUILD_DOCKERFILE }}
       DOCKER_TAGS: ${{ inputs.DOCKER_TAGS }}
-      DOCKER_LOAD_BOOL: ${{ inputs.DOCKER_LOAD_BOOL }}
-      DOCKER_PUSH_BOOL: ${{ inputs.DOCKER_PUSH_BOOL }}
       DOCKER_USERNAME: ${{ inputs.DOCKER_USERNAME }}
-    runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
-      - name: Login to DockerHub
-        uses: docker/login-action@v4
+      - uses: actions/checkout@v6
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/login-action@v4
         with:
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Build (and maybe push) Docker image
+      - name: Build & push per-arch image
         uses: docker/build-push-action@v7
         with:
-          context: ${{  env.DOCKER_PATH_CONTEXT }}
-          file: ${{  env.DOCKER_BUILD_DOCKERFILE}}
-          load: ${{ env.DOCKER_LOAD_BOOL }}
-          push: ${{ env.DOCKER_PUSH_BOOL }}
-          tags: ${{  env.DOCKER_TAGS }}
-      - name: Run Trivy vulnerability scanner (remote)
-        if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+          context: ${{ env.DOCKER_PATH_CONTEXT }}
+          file: ${{ env.DOCKER_BUILD_DOCKERFILE }}
+          platforms: ${{ matrix.platform }}
+          push: true
+          tags: docker.io/${{ env.DOCKER_TAGS }}-${{ matrix.platform }}
+      - name: Run Trivy vulnerability scanner (per-arch)
         uses: aquasecurity/trivy-action@0.35.0
         with:
-          image-ref: docker.io/${{ env.DOCKER_TAGS }}
+          image-ref: docker.io/${{ env.DOCKER_TAGS }}-${{ matrix.platform }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
+
+  manifest:
+    runs-on: ubuntu-latest
+    needs: build
+    env:
+      DOCKER_TAGS: ${{ inputs.DOCKER_TAGS }}
+      DOCKER_USERNAME: ${{ inputs.DOCKER_USERNAME }}
+    steps:
+      - uses: docker/login-action@v4
+        with:
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Create and push multi-arch manifest
+        run: |
+          docker buildx imagetools create \
+            -t docker.io/${{ env.DOCKER_TAGS }} \
+            docker.io/${{ env.DOCKER_TAGS }}-linux_amd64 \
+            docker.io/${{ env.DOCKER_TAGS }}-linux_arm64
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -94,6 +94,7 @@ jobs:
       DOCKER_PATH_CONTEXT: ${{ inputs.DOCKER_PATH_CONTEXT }}
       DOCKER_BUILD_DOCKERFILE: ${{ inputs.DOCKER_BUILD_DOCKERFILE }}
       DOCKER_LOAD_BOOL: false
-      DOCKER_TAGS: ${{ inputs.DOCKER_USERNAME }}/${{ inputs.DOCKER_REPOSITORY }}:${{ needs.Semantic-Release.outputs.tag }}
+      DOCKER_TAGS: ${{ inputs.DOCKER_USERNAME }}_${{ inputs.DOCKER_REPOSITORY }}_${{ needs.Semantic-Release.outputs.tag }}
       DOCKER_PUSH_BOOL: true
       DOCKER_USERNAME: ${{ inputs.DOCKER_USERNAME }}
+      DOCKER_PLATFORMS: '["linux/amd64","linux/arm64"]'
