Publish per-artifact layers as multi-arch OCI indexes: (tinkerbell#39)

## Description


Each artifact file is now its own layer so registries deduplicate shared blobs between per-arch and combined images. All three images (amd64, arm64, combined) are multi-arch OCI indexes.

- Add --target flag (amd64/arm64/both) separate from --arch
- Remove index subcommand; publish creates all three images
- Update tag to tag all three images via tag_all
- Add recap messages to publish, pull, and tag
- Fix crane tarball filename in Dockerfile.release
- Update CI to use target matrix and remove create-artifact-index job

Fixes: #

## How Has This Been Tested?





## How are existing users impacted? What migration steps/scripts do we need?





## Checklist:

I have:

- [ ] updated the documentation and/or roadmap (if required)
- [ ] added unit or e2e tests
- [ ] provided instructions on how to upgrade

Author: mergify[bot]

.github/workflows/ci.yml

@@ -364,14 +364,15 @@ jobs:
   # -------------------------------------------------------------------
   publish-artifacts:
     if: github.ref == 'refs/heads/main'
-    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
+    runs-on: ${{ matrix.target == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
     needs: [build-iso]
     strategy:
       fail-fast: false
       matrix:
-        arch: [amd64, arm64]
+        target: [amd64, arm64, both]
     env:
-      ARCH: ${{ matrix.arch }}
+      ARCH: ${{ matrix.target == 'both' && 'amd64' || matrix.target }}
+      TARGET: ${{ matrix.target }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
@@ -381,55 +382,50 @@ jobs:
       - name: Load shared config
         run: cat .github/config.env >> "$GITHUB_ENV"
 
-      - name: Download kernel artifacts
+      - name: Download kernel artifacts (amd64)
+        if: matrix.target == 'amd64' || matrix.target == 'both'
         uses: actions/download-artifact@v4
         with:
-          name: kernel-${{ matrix.arch }}
+          name: kernel-amd64
           path: mkosi.output
 
-      - name: Download initramfs artifacts
+      - name: Download initramfs artifacts (amd64)
+        if: matrix.target == 'amd64' || matrix.target == 'both'
         uses: actions/download-artifact@v4
         with:
-          name: initramfs-${{ matrix.arch }}
+          name: initramfs-amd64
           path: out
 
-      - name: Download ISO artifact
+      - name: Download ISO artifact (amd64)
+        if: matrix.target == 'amd64' || matrix.target == 'both'
         uses: actions/download-artifact@v4
         with:
-          name: iso-${{ matrix.arch }}
+          name: iso-amd64
           path: out
 
-      - name: Install Python dependencies
-        run: pip install -r requirements.txt
-
-      - name: Log in to GHCR
-        uses: docker/login-action@v3
+      - name: Download kernel artifacts (arm64)
+        if: matrix.target == 'arm64' || matrix.target == 'both'
+        uses: actions/download-artifact@v4
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install crane
-        uses: imjasonh/setup-crane@v0.4
+          name: kernel-arm64
+          path: mkosi.output
 
-      - name: Publish artifacts to GHCR
-        run: ./build.py release publish
+      - name: Download initramfs artifacts (arm64)
+        if: matrix.target == 'arm64' || matrix.target == 'both'
+        uses: actions/download-artifact@v4
+        with:
+          name: initramfs-arm64
+          path: out
 
-  # -------------------------------------------------------------------
-  # Create multi-arch OCI index from per-arch artifact manifests
-  # -------------------------------------------------------------------
-  create-artifact-index:
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
-    needs: [publish-artifacts]
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v6
+      - name: Download ISO artifact (arm64)
+        if: matrix.target == 'arm64' || matrix.target == 'both'
+        uses: actions/download-artifact@v4
         with:
-          fetch-depth: 0
+          name: iso-arm64
+          path: out
 
-      - name: Load shared config
-        run: cat .github/config.env >> "$GITHUB_ENV"
+      - name: Install Python dependencies
+        run: pip install -r requirements.txt
 
       - name: Log in to GHCR
         uses: docker/login-action@v3
@@ -441,8 +437,5 @@ jobs:
       - name: Install crane
         uses: imjasonh/setup-crane@v0.4
 
-      - name: Install Python dependencies
-        run: pip install -r requirements.txt
-
-      - name: Create multi-arch artifact index
-        run: ./build.py release index
+      - name: Publish artifacts to GHCR
+        run: ./build.py release publish

.github/workflows/release.yml

@@ -33,29 +33,21 @@ jobs:
       - name: Install Python dependencies
         run: pip install -r requirements.txt
 
-      - name: Pull release artifacts (amd64)
+      - name: Pull release artifacts (both)
         env:
-          ARCH: amd64
           VERSION_EXCLUDE: ${{ github.ref_name }}
-        run: ./build.py release pull --pull-output artifacts/amd64
-
-      - name: Pull release artifacts (arm64)
-        env:
-          ARCH: arm64
-          VERSION_EXCLUDE: ${{ github.ref_name }}
-        run: ./build.py release pull --pull-output artifacts/arm64
+        run: ./build.py release pull --target both --pull-output artifacts/both
 
       - name: Create GitHub Release
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
           gh release create "${{ github.ref_name }}" \
-            artifacts/amd64/* \
-            artifacts/arm64/* \
+            artifacts/both/* \
             --generate-notes \
             --title "${{ github.ref_name }}"
 
-      - name: Tag OCI artifact index with version
+      - name: Tag OCI artifacts with version
         env:
           VERSION_EXCLUDE: ${{ github.ref_name }}
         run: ./build.py release tag ${{ github.ref_name }}

Dockerfile.release

@@ -14,7 +14,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
     tar \
-    && rm -rf /var/lib/apt/lists/*
+    && rm -rf /var/lib/apt/lists/* \
+    && git config --global --add safe.directory /work
 
 # Install crane (with checksum verification)
 RUN DPKG_ARCH="$(dpkg --print-architecture)" \
@@ -25,12 +26,12 @@ RUN DPKG_ARCH="$(dpkg --print-architecture)" \
        esac \
     && CRANE_TARBALL="go-containerregistry_Linux_${CRANE_ARCH}.tar.gz" \
     && CRANE_BASE_URL="https://github.com/google/go-containerregistry/releases/download/${CRANE_VERSION}" \
-    && curl -fsSL "${CRANE_BASE_URL}/${CRANE_TARBALL}" -o /tmp/crane.tar.gz \
+    && curl -fsSL "${CRANE_BASE_URL}/${CRANE_TARBALL}" -o /tmp/${CRANE_TARBALL} \
     && curl -fsSL "${CRANE_BASE_URL}/checksums.txt" -o /tmp/checksums.txt \
     && grep " ${CRANE_TARBALL}$" /tmp/checksums.txt | (cd /tmp && sha256sum -c -) \
-    && tar -xz -f /tmp/crane.tar.gz -C /usr/local/bin crane \
+    && tar -xz -f /tmp/${CRANE_TARBALL} -C /usr/local/bin crane \
     && chmod +x /usr/local/bin/crane \
-    && rm -f /tmp/crane.tar.gz /tmp/checksums.txt \
+    && rm -f /tmp/${CRANE_TARBALL} /tmp/checksums.txt \
     && crane version
 
 # Install Python dependencies

README.md

@@ -92,6 +92,52 @@ Output artifacts are placed in `out/`:
 - `out/captainos-<arch>.iso` — UEFI-bootable ISO image
 - `out/sha256sums-<arch>.txt` — SHA-256 checksums
 
+## Release
+
+CI publishes build artifacts as OCI images on every push to `main`. Pushing a version tag (`v*`) creates a GitHub Release with downloadable files and tags the OCI images with the release version.
+
+### OCI artifact images
+
+Three multi-arch OCI indexes are published per build:
+
+| Image | Tag | Contents |
+| --- | --- | --- |
+| amd64-only | `vX.Y.Z-<sha7>-amd64` | vmlinuz, initramfs, ISO, checksums (amd64) |
+| arm64-only | `vX.Y.Z-<sha7>-arm64` | vmlinuz, initramfs, ISO, checksums (arm64) |
+| combined | `vX.Y.Z-<sha7>` | all artifacts from both architectures |
+
+Each artifact file is pushed as its own OCI layer. Deterministic tar creation (zeroed metadata) ensures identical layer digests across per-arch and combined images, so registries deduplicate shared blobs — the combined image adds zero additional storage.
+
+All three images are multi-arch OCI indexes with `linux/amd64` and `linux/arm64` platform entries pointing to the same content, so any platform can pull them. Images are compatible with:
+
+- **containerd** — valid `rootfs.diff_ids` in the config; Kubernetes image-volume mounts work
+- **crane export** — extracts individual artifact files for release workflows
+
+### GitHub Release
+
+When a `v*` tag is pushed, the release workflow:
+
+1. Pulls the combined OCI image (both architectures)
+2. Attaches all artifacts as downloadable files on the GitHub Release page:
+   - `vmlinuz-amd64`, `initramfs-amd64.cpio.zst`, `captainos-amd64.iso`, `sha256sums-amd64.txt`
+   - `vmlinuz-arm64`, `initramfs-arm64.cpio.zst`, `captainos-arm64.iso`, `sha256sums-arm64.txt`
+3. Tags all three OCI images with the clean release version (`vX.Y.Z`, `vX.Y.Z-amd64`, `vX.Y.Z-arm64`)
+
+### Release subcommands
+
+```bash
+# Publish artifacts as a multi-arch OCI image
+./build.py release publish --target amd64
+
+# Pull and extract artifacts
+./build.py release pull --target both --pull-output ./out/release/
+
+# Tag all artifact images with a release version
+./build.py release tag v1.0.0
+```
+
+Run `./build.py release <subcommand> -h` for full flag reference.
+
 ## Build modes
 
 Each stage can be executed in one of three modes:
@@ -137,11 +183,14 @@ Each stage can be executed in one of three modes:
 │   ├── kernel.py               # Kernel compilation logic
 │   ├── tools.py                # Binary tool downloader
 │   ├── artifacts.py            # Artifact collection & checksums
+│   ├── oci.py                  # OCI artifact publish/pull/tag
+│   ├── crane.py                # crane CLI wrapper
 │   ├── iso.py                  # ISO image assembly
 │   ├── qemu.py                 # QEMU boot testing
 │   ├── log.py                  # Colored logging
 │   └── util.py                 # Shared helpers & arch mapping
 ├── Dockerfile                  # Builder container definition
+├── Dockerfile.release          # Lightweight container for OCI release ops
 ├── mkosi.conf                  # mkosi image configuration
 ├── mkosi.postinst              # Post-install hooks (symlinks, cleanup)
 ├── mkosi.finalize              # Final image adjustments