ci: PLT-859: migrate to arm64 runner for image builds

farioas · farioas · commit a81a861d9522 · 2025-08-19T09:55:17.000+01:00
diff --git a/.github/workflows/docker-build-ontop.yml b/.github/workflows/docker-build-ontop.yml
@@ -43,29 +43,25 @@ env:
   IMAGE_NAME: "${{ vars.DOCKERHUB_ORG }}/label-studio"
 
 jobs:
-  docker_build_and_push:
-    name: "Docker image"
+  docker_build:
+    name: "Docker image (${{ matrix.platform }})"
     timeout-minutes: 90
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
     steps:
       - uses: hmarr/debug-action@v3.0.0
 
-      - name: Check user's membership
-        uses: actions/github-script@v7
-        id: actor-membership
-        env:
-          ACTOR: ${{ github.actor }}
-        with:
-          github-token: ${{ secrets.GIT_PAT }}
-          script: |
-            const { repo, owner } = context.repo;
-            const actor = process.env.ACTOR;
-            const { data: membership } = await github.rest.orgs.getMembershipForUser({
-              org: owner,
-              username: actor,
-            });
-            core.setOutput("state", membership.state);
-            core.setOutput("active", membership.state == "active");
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
 
       - name: Checkout
         id: checkout
@@ -75,13 +71,6 @@ jobs:
           ref: ${{ inputs.ref }}
           fetch-depth: 0
 
-      - name: Calculate Docker tags
-        id: calculate-docker-tags
-        uses: actions/github-script@v7
-        with:
-          script: |
-            core.setOutput('docker-tags', `${{ inputs.tags }}`.split(",").join("\n"))
-
       - name: Edit Dockerfile
         env:
           BASE_DOCKER_IMAGE_VERSION: ${{ inputs.base_docker_image_version }}
@@ -90,9 +79,6 @@ jobs:
           sed -i "s#^FROM .*#FROM ${IMAGE_NAME}:${BASE_DOCKER_IMAGE_VERSION}#g" "${DOCKERFILE_PATH}"
           cat "${DOCKERFILE_PATH}"
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3.11.1
 
@@ -102,27 +88,83 @@ jobs:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Extract Docker metadata
+      - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.IMAGE_NAME }}
-          labels: |
-            org.opencontainers.image.revision=${{ steps.checkout.outputs.commit }}
-          tags: |
-            ${{ steps.calculate-docker-tags.outputs.docker-tags }}
 
-      - name: Push Docker image
+      - name: Push Docker image (${{ matrix.platform }})
         uses: docker/build-push-action@v6.18.0
         id: docker_build_and_push
         with:
           context: .
           file: ${{ inputs.dockerfile_path }}
-          platforms: linux/amd64,linux/arm64
-          push: ${{ steps.actor-membership.outputs.active }}
+          platforms: ${{ matrix.platform }}
           sbom: true
           provenance: true
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ${{ env.IMAGE_NAME }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-to: type=gha,mode=min
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.docker_build_and_push.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge_docker_manifest:
+    runs-on: ubuntu-latest
+    needs:
+      - docker_build
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Calculate Docker tags
+        id: calculate-docker-tags
+        uses: actions/github-script@v7
+        with:
+          script: |
+            core.setOutput('docker-tags', `${{ inputs.tags }}`.split(",").join("\n"))
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            ${{ steps.calculate-docker-tags.outputs.docker-tags }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
diff --git a/.github/workflows/docker-release-promote.yml b/.github/workflows/docker-release-promote.yml
@@ -17,17 +17,25 @@ env:
   DOCKER_IMAGE_TAG_CHECK_NAME: "Docker image tag"
   IMAGE_NAME: "${{ vars.DOCKERHUB_ORG }}/label-studio"
   RELEASE_DOCKERFILE: "Dockerfile.release"
-  PREFLIGHT_REPO: "quay.io/opdev/preflight:stable"
-  DOCKER_CONFIG_PATH: "/home/runner/.docker/config.json"
   LAUNCHDARKLY_DOWNLOAD_PATH: "feature_flags.json"
 
 jobs:
   docker_release_retag:
-    name: "Docker image"
+    name: "Docker image (${{ matrix.platform }})"
     timeout-minutes: 90
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
     outputs:
       image_version: ${{ steps.get_info.outputs.image_version }}
+      ubuntu_tags: ${{ steps.generate-tags.outputs.ubuntu-tags }}
+      sha: ${{ steps.get_info.outputs.sha }}
     steps:
       - uses: hmarr/debug-action@v3.0.0
 
@@ -134,9 +142,6 @@ jobs:
           python3 $(pwd)/label_studio/core/version.py
           cat $(pwd)/label_studio/core/version_.py
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3.11.1
 
@@ -146,6 +151,11 @@ jobs:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
       - name: Prepare Release Dockerfile
         id: release_dockerfile
         env:
@@ -173,26 +183,82 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.IMAGE_NAME }}
-          labels: |
-            org.opencontainers.image.revision=${{ steps.get_info.outputs.sha }}
-          tags: |
-            ${{ steps.generate-tags.outputs.ubuntu-tags }}
 
-      - name: Build and Push Release Ubuntu Docker image
+      - name: Build and Push Release Ubuntu Docker image (${{ matrix.platform }})
         uses: docker/build-push-action@v6.18.0
         id: docker_build
         with:
           context: ${{ steps.release_dockerfile.outputs.release_dir }}
           file: ${{ steps.release_dockerfile.outputs.release_dir }}/${{ env.RELEASE_DOCKERFILE }}
-          push: true
           sbom: true
           provenance: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.platform }}
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.docker_build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge_docker_manifest:
+    runs-on: ubuntu-latest
+    needs:
+      - docker_release_retag
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.revision=${{ needs.docker_release_retag.outputs.sha }}
+          tags: |
+            ${{ steps.generate-tags.outputs.ubuntu-tags }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.IMAGE_NAME }}@sha256:%s ' *)
 
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+
+  copy_static_files:
+    name: "Copy compiled static from built Docker image"
+    runs-on: ubuntu-latest
+    needs: [docker_release_retag, merge_docker_manifest]
+    steps:
       - name: Copy compiled static from builded Docker image
         run: |
           # Usually it takes 10-20 sec so the image becomes available
