Miguel/chore/arm runner for arm images (#52)

Author: darrenkel

.github/workflows/build-image.yaml

@@ -0,0 +1,30 @@
+name: Build Docker Image
+
+on:
+  workflow_call:
+
+jobs:
+  build-docker-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and export
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          tags: thor-pipeline:${{ github.sha }}
+          outputs: type=docker,dest=/tmp/thor-pipeline.tar
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: thor-pipeline-image-${{ github.sha }}
+          path: /tmp/thor-pipeline.tar

.github/workflows/on-master-commit.yaml

@@ -30,20 +30,10 @@ jobs:
     name: Go Module Check
     uses: ./.github/workflows/go-mod-check.yaml
 
-  run-e2e-tests:
-    name: E2E Tests
-    uses: ./.github/workflows/test-e2e.yaml
-    permissions:
-      contents: read
-    secrets: inherit
-
-  run-smoke-tests:
-    name: Smoke Tests
-    uses: ./.github/workflows/test-smoke.yaml
-    permissions:
-      contents: read
-    secrets: inherit
-    needs: [run-e2e-tests]
+  thor-docker-test-suite:
+    uses: ./.github/workflows/thor-docker-test-suite.yaml
+    secrets:
+      DRAUPNIR_TOKEN: ${{ secrets.DRAUPNIR_TOKEN }}
 
   run-rosetta-tests:
     name: Rosetta Tests
@@ -76,7 +66,7 @@ jobs:
     secrets: inherit
     needs:
       - run-unit-tests
-      - run-e2e-tests
+      - thor-docker-test-suite
       - generate-tags
       - lint
       - license-check
@@ -89,7 +79,6 @@ jobs:
       tags: |
         type=raw,value=${{ needs.generate-tags.outputs.clean_ref_name }}-${{ needs.generate-tags.outputs.tag_date }}-${{ needs.generate-tags.outputs.short_sha }}
         type=raw,value=${{ needs.generate-tags.outputs.clean_ref_name }}-latest
-      trigger_internal_ci: true
 
   notify-slack:
     name: Notify Slack
@@ -100,25 +89,23 @@ jobs:
       - lint
       - module-check
       - run-unit-tests
-      - run-e2e-tests
+      - thor-docker-test-suite
     if: github.ref_name == 'master' && always() && (
       needs.publish-docker-image.result != 'success' || 
       needs.run-unit-tests.result != 'success' || 
       needs.lint.result != 'success' || 
-      needs.run-e2e-tests.result != 'success' || 
+      needs.thor-docker-test-suite.result != 'success' || 
       needs.license-check.result != 'success' || 
       needs.module-check.result != 'success')
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
       - name: Get the commit message
         id: commit_message
         # This is a workaround to get the first line of the commit message. Passing the entire message can cause the payload (JSON) to be invalid.
         run: |
           echo "commit_message=$(git show-branch --no-name HEAD)" >> "$GITHUB_ENV"
-
       - name: Notify Slack
         uses: slackapi/slack-github-action@v1.25.0
         env:
@@ -130,7 +117,7 @@ jobs:
               "docker-publish-status": "${{ needs.publish-docker-image.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
               "commit-message": "${{ env.commit_message }}",
               "commit-url": "${{ github.event.head_commit.url }}",
-              "e2e-test-status": "${{ needs.run-e2e-tests.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
+              "e2e-test-status": "${{ needs.thor-docker-test-suite.result != 'success' && ':alert: Failure' || ':white_check_mark: Success' }}",
               "branch": "${{ github.ref }}",
               "repository": "${{ github.repository }}",
               "commit-author": "${{ github.event.head_commit.author.name }}",

.github/workflows/on-pull-request.yaml

@@ -26,21 +26,11 @@ jobs:
     name: Go Module Check
     uses: ./.github/workflows/go-mod-check.yaml
 
-  run-e2e-tests:
-    name: E2E Tests
-    uses: ./.github/workflows/test-e2e.yaml
-    permissions:
-      contents: read
-    secrets: inherit
+  thor-docker-test-suite:
+    uses: ./.github/workflows/thor-docker-test-suite.yaml
+    secrets:
+      DRAUPNIR_TOKEN: ${{ secrets.DRAUPNIR_TOKEN }}
 
-  run-smoke-tests:
-    name: Smoke Tests
-    uses: ./.github/workflows/test-smoke.yaml
-    permissions:
-      contents: read
-    secrets: inherit
-    needs: [run-e2e-tests]
-    
   run-rosetta-tests:
     name: Rosetta Tests
     uses: ./.github/workflows/test-rosetta.yaml

.github/workflows/publish-docker-images.yaml

@@ -15,18 +15,7 @@ on:
         type: string
         required: true
         description: 'The images to publish'
-      trigger_internal_ci:
-        description: 'Trigger the internal CI'
-        required: false
-        type: boolean
-        default: false
   workflow_dispatch:
-    inputs:
-      trigger_internal_ci:
-        description: 'Trigger the internal CI'
-        required: true
-        type: boolean
-        default: false
 
 permissions:
   contents: read
@@ -35,20 +24,23 @@ permissions:
 jobs:
   build-and-push-image:
     name: Build and Push Docker Image
-    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runs_on: ubuntu-22.04
+            platform: linux/amd64
+          - runs_on: ubuntu-22.04-arm
+            platform: linux/arm64
+    runs-on: ${{ matrix.runs_on }}
 
     environment: ${{ inputs.environment }}
     steps:
 
       - name: Checkout Repo
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
-        if: ${{ github.event_name != 'pull_request' }}
         uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
@@ -76,26 +68,192 @@ jobs:
           # use the branch + sha if workflow_dispatch
           tags: ${{ inputs.tags || format('type=raw,value={0}-{1}', github.ref_name, github.sha) }}
 
-      - name: Push to Registry(s)
+      - name: Compute cache scopes
+        # BuildKit GHA cache scopes to avoid cross-arch/branch clobbering.
+        # Shared scope depends on TARGET branch (PRs use github.base_ref):
+        #   - default(master)   -> shared-default
+        #   - release/* -> shared-release-<release-branch>
+        # Writes per event:
+        #   - pull_request           : read shared+branch, write branch
+        #   - workflow_dispatch      : if TARGET is master/release/* write shared+branch; else like PR
+        #   - push (master/release/*): read shared, write shared+branch
+        id: cache
+        shell: bash
+        env:
+          REPO: ${{ github.repository }}
+          PLATFORM: ${{ matrix.platform }}
+          REF: ${{ github.ref_name }}
+          EVENT: ${{ github.event_name }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          BASE_REF: ${{ github.base_ref }}
+        run: |
+          set -euo pipefail
+          # Determine TARGET branch for shared cache (master or a specific release/*)
+          TARGET_REF="${REF}"
+          if [ "${EVENT}" = "pull_request" ] && [ -n "${BASE_REF}" ]; then
+            TARGET_REF="${BASE_REF}"
+          fi
+          if [ "${TARGET_REF}" = "${DEFAULT_BRANCH}" ]; then
+            SHARED_SUFFIX="default"
+          elif [[ "${TARGET_REF}" == release/* ]]; then
+            SANITIZED_TARGET=$(echo "${TARGET_REF}" | sed 's|/|-|g')
+            SHARED_SUFFIX="release-${SANITIZED_TARGET}"
+          else
+            SHARED_SUFFIX="default"
+          fi
+          SHARED="${REPO}-${PLATFORM}-shared-${SHARED_SUFFIX}"
+          BRANCH="${REPO}-${PLATFORM}-${REF}"
+          case "${EVENT}" in
+            pull_request)
+              FROM=$(printf '%s\n' "type=gha,scope=${SHARED}" "type=gha,scope=${BRANCH}")
+              TO=$(printf '%s\n' "type=gha,mode=max,scope=${BRANCH}")
+              ;;
+            workflow_dispatch)
+              if [ "${TARGET_REF}" = "${DEFAULT_BRANCH}" ] || [[ "${TARGET_REF}" == release/* ]]; then
+                FROM=$(printf '%s\n' "type=gha,scope=${SHARED}")
+                TO=$(printf '%s\n' "type=gha,mode=max,scope=${SHARED}" "type=gha,mode=max,scope=${BRANCH}")
+              else
+                FROM=$(printf '%s\n' "type=gha,scope=${SHARED}" "type=gha,scope=${BRANCH}")
+                TO=$(printf '%s\n' "type=gha,mode=max,scope=${BRANCH}")
+              fi
+              ;;
+            *)
+              FROM=$(printf '%s\n' "type=gha,scope=${SHARED}")
+              TO=$(printf '%s\n' "type=gha,mode=max,scope=${SHARED}" "type=gha,mode=max,scope=${BRANCH}")
+              ;;
+          esac
+          echo "from<<EOF" >> "$GITHUB_OUTPUT"; echo "${FROM}" >> "$GITHUB_OUTPUT"; echo "EOF" >> "$GITHUB_OUTPUT"
+          echo "to<<EOF"   >> "$GITHUB_OUTPUT"; echo "${TO}"   >> "$GITHUB_OUTPUT"; echo "EOF" >> "$GITHUB_OUTPUT"
+
+      - name: Compute arch-suffixed tags
+        id: tags
+        shell: bash
+        env:
+          META_TAGS: ${{ steps.meta.outputs.tags }}
+        run: |
+          set -euo pipefail
+          case "${{ matrix.platform }}" in
+            linux/amd64) ARCH="amd64" ;;
+            linux/arm64) ARCH="arm64" ;;
+            *) echo "Unsupported platform: ${{ matrix.platform }}" >&2; exit 1 ;;
+          esac
+          TMP_FILE="$(mktemp)"
+          printf '%s\n' "${META_TAGS}" | awk -v a="$ARCH" 'NF{print $0 "-" a}' > "$TMP_FILE"
+          if [ ! -s "$TMP_FILE" ]; then
+            echo "No arch-suffixed tags produced" >&2
+            exit 1
+          fi
+          echo "tags<<EOF" >> "$GITHUB_OUTPUT"
+          cat "$TMP_FILE" >> "$GITHUB_OUTPUT"
+          echo "EOF" >> "$GITHUB_OUTPUT"
+          rm -f "$TMP_FILE"
+
+      - name: Build and push (${{ matrix.platform }})
+        id: build
+        if: ${{ github.event_name != 'pull_request' || matrix.platform == 'linux/amd64' }}
         uses: docker/build-push-action@v6
         with:
           context: .
-          platforms: ${{ github.event_name != 'pull_request' && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+          platforms: ${{ matrix.platform }}
           push: ${{ github.event_name != 'pull_request' }}
           load: ${{ github.event_name == 'pull_request' }}
           provenance: ${{ github.event_name != 'pull_request' }}
           sbom: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ${{ steps.tags.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: ${{ steps.cache.outputs.from }}
+          cache-to:   ${{ steps.cache.outputs.to }}
+
+      - name: Compute safe platform name
+        id: platform
+        shell: bash
+        run: |
+          SAFE=$(echo "${{ matrix.platform }}" | tr '/' '_')
+          echo "safe=${SAFE}" >> $GITHUB_OUTPUT
+
+      - name: Export digest
+        if: ${{ github.event_name != 'pull_request' }}
+        shell: bash
+        run: |
+          PLATFORM="${{ matrix.platform }}"
+          SAFE="${PLATFORM//\//_}"
+          echo "${{ steps.build.outputs.digest }}" > "digest-${SAFE}.txt"
+
+      - name: Upload digest artifact
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: digest-${{ steps.platform.outputs.safe }}
+          path: digest-${{ steps.platform.outputs.safe }}.txt
 
       - name: Scan for vulnerabilities
         uses: crazy-max/ghaction-container-scan@v3
-        if: ${{ github.event_name == 'pull_request' || github.ref_name == 'master' }}
+        if: ${{ (github.event_name == 'pull_request' && matrix.platform == 'linux/amd64') || (github.ref_name == 'master' && matrix.platform == 'linux/amd64') }}
         with:
-          image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          image: ${{ github.event_name == 'pull_request' && steps.tags.outputs.tags || fromJSON(steps.meta.outputs.json).tags[0] }}
           annotations: true
           severity: LOW
           dockerfile: ./Dockerfile
         env:
           # See https://github.com/aquasecurity/trivy/discussions/7538
           TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+
+  merge-manifest:
+    name: Create multi-arch manifest
+    needs: [build-and-push-image]
+    if: ${{ github.event_name != 'pull_request' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        if: ${{ inputs.environment == 'docker-publish' }}
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          # default to ghcr.io for workflow_dispatch
+          images: ${{ inputs.images || format('ghcr.io/{0}', github.repository) }}
+          # use the branch + sha if workflow_dispatch
+          tags: ${{ inputs.tags || format('type=raw,value={0}-{1}', github.ref_name, github.sha) }}
+
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          pattern: digest-*
+          path: ./digests
+          merge-multiple: true
+
+      - name: Create and push manifest list
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          IMAGE: ${{ inputs.images || format('ghcr.io/{0}', github.repository) }}
+        shell: bash
+        run: |
+          AMD64_DIGEST=$(cat digests/digest-linux_amd64.txt)
+          ARM64_DIGEST=$(cat digests/digest-linux_arm64.txt)
+          TAG_ARGS=""
+          while IFS= read -r tag; do
+            [ -z "$tag" ] && continue
+            TAG_ARGS="$TAG_ARGS -t $tag"
+          done <<< "$TAGS"
+          docker buildx imagetools create \
+            $TAG_ARGS \
+            "$IMAGE@${AMD64_DIGEST}" \
+            "$IMAGE@${ARM64_DIGEST}"