feat: add multi-architecture support for Docker builds and scans

feat: add multi-architecture support for Docker builds and scans

Author: milsman2

.github/workflows/ci-cd.yaml

@@ -32,20 +32,17 @@ jobs:
   docker-build-and-image-scan:
     if: github.event_name == 'push'
     needs: test
-    uses: milsman2/python-app-template/.github/workflows/docker-build-and-scan.yaml@main
+    uses: ./.github/workflows/docker-build-and-scan.yaml
     with:
       DOCKER_PATH_CONTEXT: .
       DOCKER_BUILD_DOCKERFILE: ./Dockerfile
       DOCKER_TAGS: ${{ vars.DOCKER_USERNAME }}/${{ vars.DOCKER_REPOSITORY }}:${{ github.sha }}
-      DOCKER_LOAD_BOOL: false
-      DOCKER_PUSH_BOOL: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
       DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}
     secrets: inherit
-
   release:
     if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
     needs: [test, docker-build-and-image-scan]
-    uses: milsman2/python-app-template/.github/workflows/release.yaml@main
+    uses: ./.github/workflows/release.yaml
     permissions:
       contents: write
     secrets: inherit

.github/workflows/docker-build-and-scan.yaml

@@ -12,50 +12,35 @@ on:
       DOCKER_TAGS:
         required: true
         type: string
-      DOCKER_LOAD_BOOL:
-        required: false
-        type: boolean
-        default: false
-      DOCKER_PUSH_BOOL:
-        required: false
-        type: boolean
-        default: false
       DOCKER_USERNAME:
         required: true
         type: string
 
 jobs:
   build-and-scan:
+    runs-on: ubuntu-latest
     env:
       DOCKER_PATH_CONTEXT: ${{ inputs.DOCKER_PATH_CONTEXT }}
       DOCKER_BUILD_DOCKERFILE: ${{ inputs.DOCKER_BUILD_DOCKERFILE }}
       DOCKER_TAGS: ${{ inputs.DOCKER_TAGS }}
-      DOCKER_LOAD_BOOL: ${{ inputs.DOCKER_LOAD_BOOL }}
-      DOCKER_PUSH_BOOL: ${{ inputs.DOCKER_PUSH_BOOL }}
       DOCKER_USERNAME: ${{ inputs.DOCKER_USERNAME }}
-    runs-on: ubuntu-latest
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
-      - name: Login to DockerHub
-        uses: docker/login-action@v4
+      - uses: actions/checkout@v6
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/login-action@v4
         with:
           username: ${{ env.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Build (and maybe push) Docker image
+      - name: Build & push multi-arch image
         uses: docker/build-push-action@v7
         with:
-          context: ${{  env.DOCKER_PATH_CONTEXT }}
-          file: ${{  env.DOCKER_BUILD_DOCKERFILE}}
-          load: ${{ env.DOCKER_LOAD_BOOL }}
-          push: ${{ env.DOCKER_PUSH_BOOL }}
-          tags: ${{  env.DOCKER_TAGS }}
-      - name: Run Trivy vulnerability scanner (remote)
-        if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
+          context: ${{ env.DOCKER_PATH_CONTEXT }}
+          file: ${{ env.DOCKER_BUILD_DOCKERFILE }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: docker.io/${{ env.DOCKER_TAGS }}
+      - name: Run Trivy vulnerability scanner (multi-arch manifest)
         uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: docker.io/${{ env.DOCKER_TAGS }}

.github/workflows/release.yaml

@@ -93,7 +93,5 @@ jobs:
     with:
       DOCKER_PATH_CONTEXT: ${{ inputs.DOCKER_PATH_CONTEXT }}
       DOCKER_BUILD_DOCKERFILE: ${{ inputs.DOCKER_BUILD_DOCKERFILE }}
-      DOCKER_LOAD_BOOL: false
       DOCKER_TAGS: ${{ inputs.DOCKER_USERNAME }}/${{ inputs.DOCKER_REPOSITORY }}:${{ needs.Semantic-Release.outputs.tag }}
-      DOCKER_PUSH_BOOL: true
       DOCKER_USERNAME: ${{ inputs.DOCKER_USERNAME }}