fix: Revert to simpler multi-arch build approach

neverinfamous · neverinfamous · commit 140c67d2c5f6 · 2025-09-24T00:55:24.000-04:00
- Remove complex separate architecture builds that caused tag issues
- Back to single multi-arch build with linux/amd64,linux/arm64
- Simplified attestation approach with provenance=true, sbom=true
- Remove architecture-specific testing that failed on runners
- This should resolve the tag naming and architecture mismatch issues
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -45,15 +45,6 @@ jobs:
   build:
     runs-on: ubuntu-latest
     needs: test  # Only build if tests pass
-    strategy:
-      matrix:
-        variant:
-          - name: amd64
-            dockerfile: Dockerfile
-            platforms: linux/amd64
-          - name: arm64
-            dockerfile: Dockerfile
-            platforms: linux/arm64
 
     steps:
     - name: Checkout repository
@@ -81,30 +72,28 @@ jobs:
         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
         flavor: |
           latest=auto
-          suffix=-${{ matrix.variant.name }}
         tags: |
-          # Create architecture-specific tags first
-          type=raw,value=latest-${{ matrix.variant.name }},enable={{is_default_branch}}
+          # Always create latest tag for master branch pushes with attestations
+          type=raw,value=latest,enable={{is_default_branch}}
           # Create version tags (v1.0.0) when pushing git tags
-          type=semver,pattern={{version}}-${{ matrix.variant.name }}
+          type=semver,pattern={{version}}
           # Create SHA tags for attestation linking
-          type=sha,prefix={{branch}}-{{date 'YYYYMMDD-HHmmss'}}-${{ matrix.variant.name }}-
+          type=sha,prefix={{branch}}-{{date 'YYYYMMDD-HHmmss'}}-
 
-    # Build locally first for security scanning (both architectures)
+    # Build locally first for security scanning (AMD64 only)
     - name: Build Docker image for scanning
       uses: docker/build-push-action@v6
       with:
         context: .
-        file: ${{ matrix.variant.dockerfile }}
-        platforms: ${{ matrix.variant.platforms }}
+        file: Dockerfile
+        platforms: linux/amd64
         push: false
         load: true
-        tags: local-scan:${{ matrix.variant.name }}
+        tags: local-scan:latest
         cache-from: type=gha
 
-    # Security scanning with Docker Scout CLI (both architectures)
+    # Security scanning with Docker Scout CLI
     - name: Docker Scout security scan
-      continue-on-error: ${{ matrix.variant.name == 'arm64' }}  # ARM64 scanning can be flaky
       timeout-minutes: 10  # Prevent hanging
       run: |
         # Install Docker Scout CLI
@@ -144,15 +133,15 @@ jobs:
       uses: docker/build-push-action@v6
       with:
         context: .
-        file: ${{ matrix.variant.dockerfile }}
-        platforms: ${{ matrix.variant.platforms }}
+        file: Dockerfile
+        platforms: linux/amd64,linux/arm64
         push: ${{ github.event_name != 'pull_request' }}
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         cache-from: type=gha
         cache-to: type=gha,mode=max
         # Enable attestations for supply chain security
-        provenance: mode=max
+        provenance: true
         sbom: true
 
     - name: Test Docker image functionality
@@ -165,7 +154,7 @@ jobs:
         # Test that the image starts and shows help (basic functionality)
         echo "Testing server help output..."
         if docker run --rm $FIRST_TAG --help | grep -q "SQLite MCP Server"; then
-          echo "✅ ${{ matrix.variant.name }} image: Server starts and shows help correctly"
+          echo "✅ Image: Server starts and shows help correctly"
         else
           echo "❌ Server help test failed"
           exit 1
@@ -174,13 +163,13 @@ jobs:
         # Test that the Python environment is working by overriding entrypoint
         echo "Testing Python environment..."
         if docker run --rm --entrypoint python $FIRST_TAG -c "import sys; print('✅ Python environment working')"; then
-          echo "✅ ${{ matrix.variant.name }} image: Python environment functional"
+          echo "✅ Image: Python environment functional"
         else
           echo "❌ Python environment test failed"
           exit 1
         fi
         
-        echo "✅ ${{ matrix.variant.name }} image tests passed"
+        echo "✅ Image tests passed"
 
     # Generate GitHub attestations for supply chain security
     - name: Generate artifact attestation
@@ -191,56 +180,3 @@ jobs:
         subject-digest: ${{ steps.build.outputs.digest }}
         push-to-registry: true
       continue-on-error: true  # Don't fail build if attestation fails
-
-  # Create multi-arch manifest after both architectures are built
-  manifest:
-    runs-on: ubuntu-latest
-    needs: build
-    if: github.event_name != 'pull_request'
-    
-    steps:
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
-    - name: Log in to Docker Hub
-      uses: docker/login-action@v3
-      with:
-        registry: ${{ env.REGISTRY }}
-        username: ${{ secrets.DOCKER_USERNAME }}
-        password: ${{ secrets.DOCKER_PASSWORD }}
-
-    - name: Create and push multi-arch manifest
-      run: |
-        # Get the current date and commit for consistent tagging
-        DATE=$(date '+%Y%m%d-%H%M%S')
-        SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7)
-        
-        # Create multi-arch manifest for latest tag
-        if [[ "${{ github.ref }}" == "refs/heads/master" ]]; then
-          echo "Creating multi-arch manifest for latest tag..."
-          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64 \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-arm64
-          
-          # Create multi-arch manifest for SHA tag
-          echo "Creating multi-arch manifest for SHA tag..."
-          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:master-${DATE}-${SHORT_SHA} \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:master-${DATE}-amd64-${SHORT_SHA} \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:master-${DATE}-arm64-${SHORT_SHA}
-        fi
-        
-        # Create multi-arch manifest for version tags (if this is a tag push)
-        if [[ "${{ github.ref }}" == refs/tags/* ]]; then
-          VERSION=${GITHUB_REF#refs/tags/}
-          echo "Creating multi-arch manifest for version tag: $VERSION"
-          docker buildx imagetools create -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION} \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}-amd64 \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${VERSION}-arm64
-        fi
-
-    - name: Verify multi-arch manifest
-      run: |
-        if [[ "${{ github.ref }}" == "refs/heads/master" ]]; then
-          echo "Verifying latest manifest..."
-          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-        fi
