ci: refactor build-push to use native arm64 build (#813)

* ci: refactor build-push to use native arm64 build

* ci: fix issue with lower-casing arch

* ci: use correct runner label for arm

* chore: remove unused workflow

The registry_package event will never trigger when the package is uploaded (by build-push) with the GITHUB_TOKEN identity.

* chore: major refactor step

* chore: fix issues

* chore: fix arch env

* chore: more fixing

* chore: update reference format for size compare

* chore: several improvements

* chore: correct imagetools create and add manifest

* chore: add forgotten line continuation

* chore: correct manifest

* chore: move-over all tests to the build-push workflow

* chore: quote annotations

* chore: debug annotations later

* chore: completely ignore the annotions for now

* chore: don't use harden-runner in container job

* chore: split integration test to seprate workflow

This is needed because it does not seem possible to aquired the correct SHA otherwise.

* chore: fix issues in workflow file

* chore: switch strategy (again) to work around GitHub limitations

* chore: reinstate cache

* chore: correct concurrency of integration tests

* chore: select correct working directory

* chore: remove concurrency from reusable workflow

* chore: correct digests download path

* chore: fix cpp tests by moving conan home

* chore: disable word splitting warning when we intend to split words

* chore: fail tests if the test run has failures

* chore: disable safe bash in container, github uses sh

* chore: move shellcheck disable to correct line

* chore: make container size diff more appealing

* chore: try to fix rust usage in ci

Author: rjaegers

.devcontainer/cpp/Dockerfile

@@ -32,9 +32,10 @@ RUN python3 -m pip install --break-system-packages --require-hashes --no-cache-d
  && rm -rf /tmp/requirements.txt
 
 # Set default environment options for CMake and ccache
-ENV CMAKE_GENERATOR="Ninja"
-ENV CMAKE_EXPORT_COMPILE_COMMANDS="On"
 ENV CCACHE_DIR=/cache/.ccache
+ENV CMAKE_EXPORT_COMPILE_COMMANDS="On"
+ENV CMAKE_GENERATOR="Ninja"
+ENV CONAN_HOME=/opt/conan
 ENV CPM_SOURCE_CACHE=/cache/.cpm-cache
 
 # Install clang toolchain and mull mutation testing framework

.devcontainer/rust/Dockerfile

@@ -24,6 +24,7 @@ RUN wget -qO /usr/local/share/ca-certificates/Cisco_Umbrella_Root_CA.crt https:/
 
 # Install rust
 ENV CARGO_HOME=/usr/local/cargo \
+    RUSTUP_HOME=/usr/local/rustup \
     PATH=/usr/local/cargo/bin:"$PATH"
 RUN rustup set profile minimal \
  && rustup default ${RUST_VERSION} \

.github/actions/container-size-diff/container-size-diff.sh

@@ -23,16 +23,38 @@ get_sizes_from_manifest() {
 get_sizes_from_manifest ${FROM_CONTAINER} FROM_CONTAINER_SIZES
 get_sizes_from_manifest ${TO_CONTAINER} TO_CONTAINER_SIZES
 
-echo "## Compressed layer size comparison"
+echo "## 📊 Container Size Analysis"
 echo
-echo "Comparing \`${FROM_CONTAINER}\` to \`${TO_CONTAINER}\`"
+echo "Comparing compressed layer sizes of:"
+echo "📦 Base: \`${FROM_CONTAINER}\`"
+echo "📦 Current: \`${TO_CONTAINER}\`"
 echo
-echo "| OS/Platform | Previous Size | Current Size | Delta |"
-echo "|-------------|---------------|--------------|-------|"
+
+echo "### 📈 Size Comparison Table"
+echo
+echo "| OS/Platform | Previous Size | Current Size | Change | Trend |"
+echo "|-------------|:-------------:|:------------:|:------:|:-----:|"
+
 for PLATFORM in "${!FROM_CONTAINER_SIZES[@]}";
 do
     BASE_SIZE=${FROM_CONTAINER_SIZES[${PLATFORM}]}
     HEAD_SIZE=${TO_CONTAINER_SIZES[${PLATFORM}]}
+    DELTA=$((${HEAD_SIZE} - ${BASE_SIZE}))
+    PERCENT_CHANGE=$(python -c "print('{:+0.2f}'.format(((${HEAD_SIZE} - ${BASE_SIZE}) / ${BASE_SIZE}) * 100))")
+
+    if (( DELTA < 0 )); then
+        ICON="🔽"
+        MD_COLOR_START="<span style=\"color:green\">"
+        MD_COLOR_END="</span>"
+    elif (( DELTA > 0 )); then
+        ICON="🔼"
+        MD_COLOR_START="<span style=\"color:red\">"
+        MD_COLOR_END="</span>"
+    else
+        ICON="🔄"
+        MD_COLOR_START=""
+        MD_COLOR_END=""
+    fi
 
-    echo "| ${PLATFORM} | $(numfmt --to iec --format '%.2f' ${BASE_SIZE}) | $(numfmt --to iec --format '%.2f' ${HEAD_SIZE}) | $(numfmt --to iec --format '%.2f' -- $((${HEAD_SIZE} - ${BASE_SIZE}))) $(python -c "print('({:+0.2f}%)'.format(((${HEAD_SIZE} - ${BASE_SIZE}) / ${BASE_SIZE}) * 100))") |";
+    echo "| ${PLATFORM} | $(numfmt --to iec --format '%.2f' ${BASE_SIZE}) | $(numfmt --to iec --format '%.2f' ${HEAD_SIZE}) | ${MD_COLOR_START}$(numfmt --to iec --format '%.2f' ${DELTA}) (${PERCENT_CHANGE}%)${MD_COLOR_END} | ${ICON} |"
 done

.github/workflows/build-push.yml

@@ -20,18 +20,13 @@ env:
 
 jobs:
   build-push:
-    runs-on: ubuntu-latest
-    permissions:
-      attestations: write
-      # dependency-submission needs contents write permission.
-      contents: write
-      # attest-build-provenance needs id-token write permission.
-      id-token: write
-      packages: write
-      pull-requests: write
     strategy:
       matrix:
         flavor: ["cpp", "rust"]
+        runner: ["ubuntu-latest", "ubuntu-24.04-arm"]
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      packages: write
     steps:
       - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
         with:
@@ -46,72 +41,125 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        if: matrix.flavor == 'cpp'
-        id: buildkit-cache
-        with:
-          path: root-ccache
-          key: buildkit-cache-${{ github.run_id }}
-          restore-keys: |
-            buildkit-cache
-      - uses: reproducible-containers/buildkit-cache-dance@653a570f730e3b9460adc576db523788ba59a0d7 # v3.2.0
-        if: matrix.flavor == 'cpp'
-        with:
-          cache-map: |
-            {
-              "root-ccache": "/root/.ccache"
-            }
-          skip-extraction: ${{ steps.buildkit-cache.outputs.cache-hit }}
       - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        id: metadata
         env:
-          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+          DOCKER_METADATA_SET_OUTPUT_ENV: false
+        id: metadata
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
-          # Generate Docker tags based on the following events/attributes
-          tags: |
-            type=raw,value=latest,enable={{is_default_branch}}
-            type=ref,event=pr
-            type=semver,pattern={{raw}}
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
       # Generate image LABEL for devcontainer.metadata
       # the sed expression is a workaround for quotes being eaten in arrays (e.g. ["x", "y", "z"] -> ["x",y,"z"])
       - run: echo "metadata=$(jq -cj '[.]' .devcontainer/${{ matrix.flavor }}/devcontainer-metadata-vscode.json | sed 's/,"/, "/g')" >> "$GITHUB_OUTPUT"
         id: devcontainer-metadata
       - run: echo "git-commit-epoch=$(git log -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
         id: devcontainer-epoch
+      - run: echo "arch=${RUNNER_ARCH@L}" >> "$GITHUB_OUTPUT"
+        id: devcontainer-arch
       - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         id: build-and-push
         env:
           SOURCE_DATE_EPOCH: ${{ steps.devcontainer-epoch.outputs.git-commit-epoch }}
         with:
           file: .devcontainer/${{ matrix.flavor }}/Dockerfile
-          platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'merge_group' }}
-          tags: ${{ steps.metadata.outputs.tags }}
+          tags: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
           labels: |
             ${{ steps.metadata.outputs.labels }}
             devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
           annotations: ${{ steps.metadata.outputs.annotations }}
           sbom: true
-          cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }}
-          cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ matrix.flavor }}
+          outputs: type=image,push-by-digest=true,name-canonical=true
+          cache-to: type=gha,mode=max,scope=${{ github.repository }}-${{ matrix.flavor }}-${{ matrix.runner }}
+          cache-from: type=gha,scope=${{ github.repository }}-${{ matrix.flavor }}-${{ matrix.runner }}
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build-and-push.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: digests-${{ matrix.flavor }}-${{ steps.devcontainer-arch.outputs.arch }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge-image:
+    strategy:
+      matrix:
+        flavor: ["cpp", "rust"]
+    runs-on: ubuntu-latest
+    needs: build-push
+    permissions:
+      attestations: write
+      # dependency-submission needs contents write permission.
+      contents: write
+      # attest-build-provenance needs id-token write permission.
+      id-token: write
+      packages: write
+      pull-requests: write
+    steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-${{ matrix.flavor }}-*
+          merge-multiple: true
+      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        if: github.event_name != 'merge_group'
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        id: metadata
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
+          DOCKER_METADATA_SET_OUTPUT_ENV: false
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
+          # Generate Docker tags based on the following events/attributes
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=pr
+            type=semver,pattern={{raw}}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          set -Eeuo pipefail
+          # shellcheck disable=SC2046
+          docker buildx imagetools create \
+            $(echo '${{ steps.metadata.outputs.json }}' | jq -r '.tags | map("--tag " + .) | join(" ")') \
+            $(printf '${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@sha256:%s ' *)
+      - name: Inspect manifest and extract digest
+        id: inspect-manifest
+        run: |
+          set -Eeuo pipefail
+          output=$(docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:${{ steps.metadata.outputs.version }} --format '{{json .}}')
+          digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')
+          echo "digest=$digest" >> "$GITHUB_OUTPUT"
       - uses: ./.github/actions/container-size-diff
         id: container-size-diff
         with:
           from-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:latest
-          to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
+          to-container: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}:${{ steps.metadata.outputs.version }}
       - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
         with:
           header: container-size-diff-${{ matrix.flavor }}
           message: |
             ${{ steps.container-size-diff.outputs.size-diff-markdown }}
       - uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
-        if: steps.build-and-push.outputs.digest != '' && github.event_name != 'merge_group'
+        if: steps.inspect-manifest.outputs.digest != '' && github.event_name != 'merge_group'
         with:
-          image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
+          image: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
           dependency-snapshot: true
       - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
         if: github.event_name == 'pull_request'
@@ -122,22 +170,22 @@ jobs:
         if: github.event_name != 'merge_group'
         with:
           subject-name: ${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}
-          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          subject-digest: ${{ steps.inspect-manifest.outputs.digest }}
           push-to-registry: true
       - name: Verify attestation
         if: github.event_name != 'merge_group'
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
+          gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.inspect-manifest.outputs.digest }}
       - name: Upload provenance to release
         if: startsWith(github.ref, 'refs/tags/')
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          RAW_SHA=${{ steps.build-and-push.outputs.digest }}
+          RAW_SHA=${{ steps.inspect-manifest.outputs.digest }}
           FORMATTED_SHA=${RAW_SHA//:/_}
-          gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }} --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ matrix.flavor }}_${FORMATTED_SHA}.intoto.jsonl"
+          gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.inspect-manifest.outputs.digest }} --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ matrix.flavor }}_${FORMATTED_SHA}.intoto.jsonl"
           gh release upload ${{ github.ref_name }} ./*.intoto.jsonl
       - name: Update package details in release
         if: startsWith(github.ref, 'refs/tags/')
@@ -146,12 +194,45 @@ jobs:
         run: |
           UPDATED_NOTES=$(gh release view ${{ github.ref_name }} --json body -q '.body')
           UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-version }}'/'${{ github.ref_name }}'}
-          UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-sha }}'/'${{ steps.build-and-push.outputs.digest }}'}
+          UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-sha }}'/'${{ steps.inspect-manifest.outputs.digest }}'}
           gh release edit ${{ github.ref_name }} --notes "${UPDATED_NOTES}"
+
+  integration-test:
+    if: github.event_name == 'pull_request'
+    strategy:
+      matrix:
+        flavor: [cpp, rust]
+        runner: ["ubuntu-latest", "ubuntu-24.04-arm"]
+    needs: merge-image
+    secrets: inherit
+    uses: ./.github/workflows/integration-test.yml
+    with:
+      flavor: ${{ matrix.flavor }}
+      runner: ${{ matrix.runner }}
+
   acceptance-test:
     if: github.event_name == 'pull_request'
-    needs: build-push
+    needs: merge-image
     secrets: inherit
     uses: ./.github/workflows/acceptance-test.yml
     with:
       flavor: cpp
+
+  publish-test-results:
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
+    needs: [acceptance-test, integration-test]
+    if: always()
+    steps:
+      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          merge-multiple: true
+          pattern: test-results-*
+      - uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0
+        with:
+          files: test-report-*.xml