X-Smart-Squash: Squashed 19 commits:

4829124 Add arm64 build and test images
591a0a4 matrix
f308f72 format
2bd6ed1 arm runners
c874046 include
029d72f failfastfalse
d088cd2 arch tags
c02366d create multiarch manifest
254e179 space
782ab48 handle
5432a37 fix
14f0332 target
2cfd390 flip
48f9992 amd64
01eddcb push arch
9a6b3ff quotes
407c401 update
4e30669 -
5e4456d flav

Author: robbycochran

.github/actions/build-and-push-image/action.yaml

@@ -4,11 +4,14 @@ inputs:
   image-flavor:
     description: A flavor used to tag the apollo-ci image.
     required: true
+  arch:
+    description: Arch for image build (amd64 or arm64)
+    required: true
 runs:
   using: composite
   steps:
-    - name: Build and push image
+    - name: Build and push x86_64 image
       run: |
         .github/actions/build-and-push-image/build-and-push-image.sh \
-          "${{ inputs.image-flavor }}"
+          "${{ inputs.image-flavor }}" "${{ inputs.arch }}"
       shell: bash

.github/actions/build-and-push-image/build-and-push-image.sh

@@ -4,14 +4,21 @@ set -euo pipefail
 
 build_and_push_image() {
     local image_flavor="$1"
+    local target_arch="$2"
+    local tag_suffix="-${target_arch}"
+
+    if [ -z $target_arch ]; then
+        target_arch="amd64"
+        tag_suffix=""
+    fi
 
     # Login may be required for pulling the base image for building (if used) and to avoid rate limits.
     docker login -u "$QUAY_RHACS_ENG_RW_USERNAME" --password-stdin <<<"$QUAY_RHACS_ENG_RW_PASSWORD" quay.io
 
-    TAG="$(scripts/get_tag.sh "$image_flavor")"
+    TAG="$(scripts/get_tag.sh "$image_flavor")${tag_suffix}"
     IMAGE="quay.io/rhacs-eng/apollo-ci:${TAG}"
 
-    make "$image_flavor"-image
+    make TARGETARCH="$target_arch" "$image_flavor"-image
 
     retry 5 true docker push "${IMAGE}"
 

.github/actions/create-multiarch-manifest/action.yml

@@ -0,0 +1,37 @@
+name: Create and push a multiarch manifest
+description: |
+  This action will create a multiarch manifest and push it to a remote registry.
+
+inputs:
+  base-image:
+    description:
+      The base image to used for the manifest
+    required: true
+  image-flavor:
+    description:
+      The image flavor tag to be used for the manifest
+    required: true
+  suffix:
+    description:
+      Optional suffix for the tags used and the manifest
+    default: ''
+  archs:
+    description:
+      Architectures to be included in the final manifest, separated by a space
+    default: 'amd64 arm64'
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      run: |
+        image_flavor="${{ inputs.image-flavor }}"
+        tag="$(scripts/get_tag.sh ${image_flavor})"
+        read -ra archs <<< "${{ inputs.archs }}"
+        declare -a images=()
+        for arch in "${archs[@]}"; do
+          images+=("${{ inputs.base-image }}:${tag}-${arch}${{ inputs.suffix }}")
+        done
+
+        docker manifest create "${{ inputs.base-image }}:${tag}${{ inputs.suffix }}" "${images[@]}"
+        docker manifest push "${{ inputs.base-image }}:${tag}${{ inputs.suffix }}"
+

.github/workflows/build.yaml

@@ -18,7 +18,15 @@ env:
 jobs:
 
   build-and-push-stackrox-build:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-24.04
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -28,9 +36,18 @@ jobs:
       - uses: ./.github/actions/build-and-push-image
         with:
           image-flavor: "stackrox-build"
+          arch: ${{ matrix.arch }}
 
   build-and-push-stackrox-test:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-24.04
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
     needs:
       - build-and-push-stackrox-build
     steps:
@@ -42,7 +59,54 @@ jobs:
       - uses: ./.github/actions/build-and-push-image
         with:
           image-flavor: "stackrox-test"
-  
+          arch: ${{ matrix.arch }}
+
+  build-and-push-multiarch:
+    runs-on: ubuntu-latest
+    needs:
+      - build-and-push-stackrox-build
+      - build-and-push-stackrox-test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Login to quay.io/stackrox-io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
+          password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
+
+      - uses: ./.github/actions/create-multiarch-manifest
+        with:
+          base-image: quay.io/stackrox-io/apollo-ci
+          image-flavor: stackrox-build
+
+      - uses: ./.github/actions/create-multiarch-manifest
+        with:
+          base-image: quay.io/stackrox-io/apollo-ci
+          image-flavor: stackrox-test
+
+      - name: Login to quay.io/rhacs-eng
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
+          password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
+
+      - uses: ./.github/actions/create-multiarch-manifest
+        with:
+          base-image: quay.io/rhacs-eng/apollo-ci
+          image-flavor: stackrox-build
+
+      - uses: ./.github/actions/create-multiarch-manifest
+        with:
+          base-image: quay.io/rhacs-eng/apollo-ci
+          image-flavor: stackrox-test
+
   build-and-push-stackrox-ui-test:
     runs-on: ubuntu-latest
     steps:

Makefile

@@ -4,12 +4,14 @@ endif
 QUAY_REPO=rhacs-eng
 
 STACKROX_BUILD_TAG=$(shell scripts/get_tag.sh "stackrox-build")
+TARGETARCH?=amd64
 
 .PHONY: stackrox-build-image
 stackrox-build-image:
 	$(DOCKER) build \
-		--platform linux/amd64 \
+		--platform linux/$(TARGETARCH) \
 		-t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG) \
+		-t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG)-$(TARGETARCH) \
 		-f images/stackrox-build.Dockerfile \
 		images/
 
@@ -18,9 +20,10 @@ STACKROX_TEST_TAG=$(shell scripts/get_tag.sh "stackrox-test")
 .PHONY: stackrox-test-image
 stackrox-test-image:
 	$(DOCKER) build \
-		--platform linux/amd64 \
+		--platform linux/$(TARGETARCH) \
 		-t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_TEST_TAG) \
-		--build-arg BASE_TAG=$(STACKROX_BUILD_TAG) \
+		-t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_TEST_TAG)-$(TARGETARCH) \
+		--build-arg BASE_TAG=$(STACKROX_BUILD_TAG)-$(TARGETARCH) \
 		-f images/stackrox-test.Dockerfile \
 		images/
 
@@ -40,7 +43,7 @@ test-cci-export:
 	$(DOCKER) build \
 		--platform linux/amd64 \
 		-t test-cci-export \
-		--build-arg BASE_TAG=$(STACKROX_TEST_TAG) \
+		--build-arg BASE_TAG=$(STACKROX_TEST_TAG)-amd64 \
 		-f images/test.cci-export.Dockerfile \
 		images/
 	$(DOCKER) run \

images/stackrox-build.Dockerfile

@@ -55,31 +55,41 @@ RUN dnf update -y && \
     dnf clean all && \
     rm -rf /var/cache/dnf /var/cache/yum
 
+ENV GOPATH=/go
+ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
 ARG GOLANG_VERSION=1.23.6
-ARG GOLANG_SHA256=9379441ea310de000f33a4dc767bd966e72ab2826270e038e78b2c53c2e7802d
-ENV GOPATH /go
-ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-RUN url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz" && \
-    wget --no-verbose -O go.tgz "$url" && \
+RUN set -e; case "$(uname -m)" in \
+        "x86_64" ) GOLANG_ARCH="amd64" GOLANG_SHA256="9379441ea310de000f33a4dc767bd966e72ab2826270e038e78b2c53c2e7802d";; \
+        "aarch64") GOLANG_ARCH="arm64" GOLANG_SHA256="561c780e8f4a8955d32bf72e46af0b5ee5e0debe1e4633df9a03781878219202";; \
+        *) echo "Unsupported $(uname -m)"; exit 1;; \
+    esac && \
+    wget --no-verbose -O go.tgz "https://dl.google.com/go/go${GOLANG_VERSION}.linux-${GOLANG_ARCH}.tar.gz" && \
     echo "${GOLANG_SHA256} *go.tgz" | sha256sum -c - && \
     tar -C /usr/local -xzf go.tgz && \
     rm go.tgz && \
     mkdir -p "$GOPATH/src" "$GOPATH/bin" && \
     chmod -R 777 "$GOPATH"
 
-ARG FETCH_VERSION=0.3.5
-ARG FETCH_SHA256=8d4d99e903b30dbd24290e9a056a982ea2326a05ded24c63be64df16e7e0d9f0
-RUN wget --no-verbose -O fetch https://github.com/gruntwork-io/fetch/releases/download/v${FETCH_VERSION}/fetch_linux_amd64 && \
+ARG FETCH_VERSION=0.4.6
+RUN set -e; case "$(uname -m)" in \
+        "x86_64" ) FETCH_ARCH="amd64" FETCH_SHA256="a67ed3141d6deb7e7841f40505cba11eb7a37abbab78374712a42373e7854209";; \
+        "aarch64") FETCH_ARCH="arm64" FETCH_SHA256="4b9115a1f1a90c7088bff9ffc7d2de3547ef1d21709528e878af09a4c348dea3";; \
+        *) echo "Unsupported $(uname -m)"; exit 1;; \
+    esac && \
+    wget --no-verbose -O fetch https://github.com/gruntwork-io/fetch/releases/download/v${FETCH_VERSION}/fetch_linux_${FETCH_ARCH} && \
     echo "${FETCH_SHA256} fetch" | sha256sum -c - && \
     install fetch /usr/bin && \
     rm fetch
 
 ARG OSSLS_VERSION=0.11.1
-ARG OSSLS_SHA256=f1bf3012961c1d90ba307a46263f29025028d35c209b9a65e5c7d502c470c95f
-RUN fetch --repo="https://github.com/stackrox/ossls" --tag="${OSSLS_VERSION}" --release-asset="ossls_linux_amd64" . && \
-    echo "${OSSLS_SHA256} *ossls_linux_amd64" | sha256sum -c - && \
-    install ossls_linux_amd64 /usr/bin/ossls && \
-    rm ossls_linux_amd64 && \
+RUN set -e; case "$(uname -m)" in \
+        "x86_64" ) OSSLS_ARCH="amd64" OSSLS_SHA256="f1bf3012961c1d90ba307a46263f29025028d35c209b9a65e5c7d502c470c95f";; \
+        *) echo "Unsupported $(uname -m), skipping."; exit 0;; \
+    esac && \
+    fetch --repo="https://github.com/stackrox/ossls" --tag="${OSSLS_VERSION}" --release-asset="ossls_linux_${OSSLS_ARCH}" . && \
+    echo "${OSSLS_SHA256} *ossls_linux_${OSSLS_ARCH}" | sha256sum -c - && \
+    install ossls_linux_${OSSLS_ARCH} /usr/bin/ossls && \
+    rm ossls_linux_${OSSLS_ARCH} && \
     ossls version
 
 ENV CGO_ENABLED=1