Update automated image build

theihor · theihor · commit dcd073d558c0 · 2026-01-26T17:25:28.000-08:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -11,50 +11,66 @@ on:
   push:
     branches:
       - main
-      - staging
-    # Publish semver tags as releases.
-    tags: [ 'v*.*.*' ]
   pull_request:
     branches:
       - main
-      - staging
   workflow_dispatch:
 
 env:
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
-
+  RUNNER_VERSION: 2.331.0
 
 jobs:
   build:
-
-    runs-on: ubuntu-latest
+    name: ${{ matrix.tag }}
+    runs-on: ${{ matrix.runs_on }}
     permissions:
       contents: read
       packages: write
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
       id-token: write
     strategy:
+      fail-fast: false
       matrix:
-        ubuntu_version: [noble]
-        arch: [s390x, aarch64, x86_64]
         include:
-          - arch: s390x
-            dockerfile: s390x.Dockerfile
-            platform: linux/s390x
+          - arch: x86_64
+            dockerfile: Dockerfile
+            platform: linux/amd64
+            tag: main-noble-x86_64
+            runs_on: ubuntu-latest
+
           - arch: aarch64
             dockerfile: Dockerfile
             platform: linux/arm64
+            tag: main-noble-aarch64
+            runs_on: ubuntu-24.04-arm
+
+          - arch: s390x
+            dockerfile: s390x.Dockerfile
+            platform: linux/s390x
+            tag: main-noble-s390x
+            runs_on: ubuntu-latest
+
           - arch: x86_64
-            dockerfile: Dockerfile
+            dockerfile: kbuilder-debian.Dockerfile
             platform: linux/amd64
+            tag: kbuilder-debian-x86_64
+            runs_on: ubuntu-latest
+
+          - arch: aarch64
+            dockerfile: kbuilder-debian.Dockerfile
+            platform: linux/arm64
+            tag: kbuilder-debian-aarch64
+            runs_on: ubuntu-24.04-arm
 
     steps:
+
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
@@ -66,9 +82,8 @@ jobs:
         run: cosign version
 
       - name: Set up QEMU
+        if: matrix.arch == 's390x'
         uses: docker/setup-qemu-action@v3
-        with:
-          image: tonistiigi/binfmt:qemu-v9.2.2
 
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@v3
@@ -83,27 +98,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          flavor: |
-            latest=auto
-            prefix=
-            suffix=-${{ matrix.ubuntu_version }}-${{ matrix.arch }}
-          tags: |
-            # Generate old tag names (e.g main-s390x, main-x86_64...) when building noble
-            # branch event
-            type=ref,enable=${{ matrix.ubuntu_version == 'noble' }},suffix=-${{ matrix.arch }},event=branch
-            # pr event
-            type=ref,enable=${{ matrix.ubuntu_version == 'noble' }},prefix=pr-,suffix=-${{ matrix.arch }},event=pr
-            # tags for all pr/branches
-            type=ref,event=branch,enable=true,priority=600
-            type=ref,event=pr,enable=true,prefix=pr-,priority=600
-
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
@@ -113,10 +107,9 @@ jobs:
           context: .
           file: ${{ matrix.dockerfile }}
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.tag }}
           platforms: ${{ matrix.platform }}
-          build-args: UBUNTU_VERSION=${{ matrix.ubuntu_version }}
+          build-args: RUNNER_VERSION=${{ env.RUNNER_VERSION }}
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker
@@ -127,7 +120,6 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
-          TAGS: ${{ steps.meta.outputs.tags }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: cosign sign --yes ${TAGS}
+        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.tag }}
diff --git a/.github/workflows/version_bump.yml b/.github/workflows/version_bump.yml
@@ -1,7 +1,7 @@
-name: s390x version bump
+name: RUNNER_VERSION bump
 
 # This workflow pulls the latest official actions runner version using GH API
-# and update our s390x Dockerfile.
+# and update RUNNER_VERSION variable.
 # If a change happens, the change will be commited in a versioned branch and
 # a PR will be created. Upon merging, the branch will be deleted.
 #
@@ -14,13 +14,13 @@ on:
 
 jobs:
   bump_version:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
     permissions:
       contents: write
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Get latest runner release
         id: release
@@ -35,14 +35,30 @@ jobs:
 
       - name: Update release
         id: bump
-        run: sed -i 's#^ARG RUNNER_VERSION=.*#ARG RUNNER_VERSION=${{ steps.release.outputs.ACTIONS_VERSION}}#' s390x.Dockerfile
+        run: |
+          sed -i 's#RUNNER_VERSION:.*#RUNNER_VERSION: ${{ steps.release.outputs.ACTIONS_VERSION }}#' .github/workflows/publish.yml
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
-        with:
-          title: "[automated] s390x: bump RUNNER_VERSION to v${{ steps.release.outputs.ACTIONS_VERSION}}"
-          commit-message: "[automated] s390x: bump RUNNER_VERSION to v${{ steps.release.outputs.ACTIONS_VERSION}}"
-          branch: "version-bump/${{ steps.release.outputs.ACTIONS_VERSION}}"
-          delete-branch: true
-          body: ""
-          reviewers: anakryiko, chantra, danielocfb, yurinnick, theihor
+        env:
+          GH_TOKEN: ${{ github.token }}
+          RUNNER_VERSION: ${{ steps.release.outputs.ACTIONS_VERSION }}
+          BRANCH: version-bump/${{ steps.release.outputs.ACTIONS_VERSION }}
+        run: |
+
+          if git diff --quiet; then
+            echo "No changes to commit"
+            exit 0
+          fi
+
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+          git checkout -b "${BRANCH}"
+          git add -A
+          git commit -m "[automated] Bump RUNNER_VERSION to v${VERSION}"
+          git push -u origin "${BRANCH}"
+
+          gh pr create \
+            --title "[automated] Bump RUNNER_VERSION to v${VERSION}" \
+            --body "" \
+            --reviewer anakryiko,danielocfb,theihor
