enable multi-arch builds

mmguero · mmguero · commit 1e141e07ed37 · 2024-05-21T13:34:47.000-06:00
diff --git a/.github/workflows/zeek-build-push-latest-ghcr.yml b/.github/workflows/zeek-build-push-latest-ghcr.yml
@@ -13,12 +13,11 @@ on:
   workflow_dispatch:
   repository_dispatch:
   schedule:
-    - cron: '0 12 * * 0'
+    - cron: '0 12 * * *'
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/zeek
-  IMAGE_PLATFORM: linux/amd64
   REPO_CONTEXT: .
   REPO_CONTAINERFILE: ./Dockerfile.clang
   BUILD_FROM_SOURCE: 1
@@ -35,49 +34,64 @@ jobs:
       packages: write
       contents: read
       security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
     steps:
       -
         name: Cancel previous run in progress
         id: cancel-previous-runs
-        uses: styfle/cancel-workflow-action@0.11.0
+        uses: styfle/cancel-workflow-action@0.12.1
         with:
           ignore_sha: true
           all_but_latest: true
           access_token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Checkout
         id: repo-checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+      -
+        name: Generate arch tag suffix
+        shell: bash
+        run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
+        id: arch_tag_suffix
       -
         name: Set up QEMU
         id: setup-qemu
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ matrix.platform }}
       -
         name: Log in to registry
         id: registry-login
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Build base image
         id: build-base-image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: ${{ env.REPO_CONTEXT }}
           file: ${{ env.REPO_CONTAINERFILE }}
           push: true
+          provenance: false
+          platforms: ${{ matrix.platform }}
           target: base
-          tags: ${{ env.IMAGE_NAME }}:latest,${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}
+          tags: ${{ env.IMAGE_NAME }}:latest${{ steps.arch_tag_suffix.outputs.archtag }},${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}${{ steps.arch_tag_suffix.outputs.archtag }}
           build-args: |
             BUILD_FROM_SOURCE=${{ env.BUILD_FROM_SOURCE }}
             BUILD_JOBS=${{ env.BUILD_JOBS }}
+            TARGETPLATFORM=${{ matrix.platform }}
             GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
             ZEEK_BRANCH=${{ env.ZEEK_BRANCH }}
             ZEEK_DBG=${{ env.ZEEK_DBG }}
             MAXMIND_GEOIP_DB_LICENSE_KEY=${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}
-          platforms: ${{ env.IMAGE_PLATFORM }}
       -
         name: Build plus image
         id: build-plus-image
@@ -86,17 +100,20 @@ jobs:
           context: ${{ env.REPO_CONTEXT }}
           file: ${{ env.REPO_CONTAINERFILE }}
           push: true
+          provenance: false
+          platforms: ${{ matrix.platform }}
           target: plus
-          tags: ${{ env.IMAGE_NAME }}:plus,${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}-plus
+          tags: ${{ env.IMAGE_NAME }}:plus${{ steps.arch_tag_suffix.outputs.archtag }},${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}-plus${{ steps.arch_tag_suffix.outputs.archtag }}
           build-args: |
             BUILD_FROM_SOURCE=${{ env.BUILD_FROM_SOURCE }}
             BUILD_JOBS=${{ env.BUILD_JOBS }}
+            TARGETPLATFORM=${{ matrix.platform }}
             GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
             ZEEK_BRANCH=${{ env.ZEEK_BRANCH }}
             ZEEK_DBG=${{ env.ZEEK_DBG }}
-          platforms: ${{ env.IMAGE_PLATFORM }}
       -
         name: Run Trivy vulnerability scanner
+        if: ${{ matrix.platform == 'linux/amd64' }}
         id: trivy-scan
         uses: aquasecurity/trivy-action@master
         with:
@@ -112,6 +129,7 @@ jobs:
           exit-code: '0'
       -
         name: Upload Trivy scan results to GitHub Security tab
+        if: ${{ matrix.platform == 'linux/amd64' }}
         uses: github/codeql-action/upload-sarif@v2
         if: always()
         with:
diff --git a/.github/workflows/zeek-debug-build-push-latest-ghcr.yml b/.github/workflows/zeek-debug-build-push-latest-ghcr.yml
@@ -13,12 +13,11 @@ on:
   workflow_dispatch:
   repository_dispatch:
   schedule:
-    - cron: '0 12 * * 0'
+    - cron: '0 12 * * *'
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/zeek
-  IMAGE_PLATFORM: linux/amd64
   REPO_CONTEXT: .
   REPO_CONTAINERFILE: ./Dockerfile.clang
   BUILD_FROM_SOURCE: 1
@@ -35,46 +34,61 @@ jobs:
       packages: write
       contents: read
       security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
     steps:
       -
         name: Cancel previous run in progress
         id: cancel-previous-runs
-        uses: styfle/cancel-workflow-action@0.11.0
+        uses: styfle/cancel-workflow-action@0.12.1
         with:
           ignore_sha: true
           all_but_latest: true
           access_token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Checkout
         id: repo-checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+      -
+        name: Generate arch tag suffix
+        shell: bash
+        run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
+        id: arch_tag_suffix
       -
         name: Set up QEMU
         id: setup-qemu
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ matrix.platform }}
       -
         name: Log in to registry
         id: registry-login
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Build base image
         id: build-base-image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: ${{ env.REPO_CONTEXT }}
           file: ${{ env.REPO_CONTAINERFILE }}
           push: true
+          provenance: false
+          platforms: ${{ matrix.platform }}
           target: base
-          tags: ${{ env.IMAGE_NAME }}:latest-debug,${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}-debug
+          tags: ${{ env.IMAGE_NAME }}:latest-debug${{ steps.arch_tag_suffix.outputs.archtag }},${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}-debug${{ steps.arch_tag_suffix.outputs.archtag }}
           build-args: |
             BUILD_FROM_SOURCE=${{ env.BUILD_FROM_SOURCE }}
             BUILD_JOBS=${{ env.BUILD_JOBS }}
+            TARGETPLATFORM=${{ matrix.platform }}
             GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
             ZEEK_BRANCH=${{ env.ZEEK_BRANCH }}
             ZEEK_DBG=${{ env.ZEEK_DBG }}
             MAXMIND_GEOIP_DB_LICENSE_KEY=${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}
-          platforms: ${{ env.IMAGE_PLATFORM }}
diff --git a/.github/workflows/zeek-debug-build-push-master-ghcr.yml b/.github/workflows/zeek-debug-build-push-master-ghcr.yml
@@ -18,7 +18,6 @@ on:
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/zeek
-  IMAGE_PLATFORM: linux/amd64
   REPO_CONTEXT: .
   REPO_CONTAINERFILE: ./Dockerfile.clang
   BUILD_FROM_SOURCE: 1
@@ -35,46 +34,61 @@ jobs:
       packages: write
       contents: read
       security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
     steps:
       -
         name: Cancel previous run in progress
         id: cancel-previous-runs
-        uses: styfle/cancel-workflow-action@0.11.0
+        uses: styfle/cancel-workflow-action@0.12.1
         with:
           ignore_sha: true
           all_but_latest: true
           access_token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Checkout
         id: repo-checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+      -
+        name: Generate arch tag suffix
+        shell: bash
+        run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
+        id: arch_tag_suffix
       -
         name: Set up QEMU
         id: setup-qemu
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ matrix.platform }}
       -
         name: Log in to registry
         id: registry-login
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Build base image
         id: build-base-image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: ${{ env.REPO_CONTEXT }}
           file: ${{ env.REPO_CONTAINERFILE }}
           push: true
+          provenance: false
+          platforms: ${{ matrix.platform }}
           target: base
-          tags: ${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}-debug
+          tags: ${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}-debug${{ steps.arch_tag_suffix.outputs.archtag }}
           build-args: |
             BUILD_FROM_SOURCE=${{ env.BUILD_FROM_SOURCE }}
             BUILD_JOBS=${{ env.BUILD_JOBS }}
+            TARGETPLATFORM=${{ matrix.platform }}
             GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
             ZEEK_BRANCH=${{ env.ZEEK_BRANCH }}
             ZEEK_DBG=${{ env.ZEEK_DBG }}
-            MAXMIND_GEOIP_DB_LICENSE_KEY=${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}
-          platforms: ${{ env.IMAGE_PLATFORM }}
+            MAXMIND_GEOIP_DB_LICENSE_KEY=${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}
diff --git a/README.md b/README.md
@@ -255,8 +255,15 @@ After building your derivative image, you could run it directly or run `zeek-doc
 
 The [GitHub workflows](.github/workflows) in this repository build and tag the following images:
 
-* `oci.guero.top/zeek:latest` and `oci.guero.top/zeek:v6.2.1`
-* `oci.guero.top/zeek:latest-debug` and `oci.guero.top/zeek:v6.2.1-debug`
-* `oci.guero.top/zeek:plus` and `oci.guero.top/zeek:v6.2.1-plus`
-* `oci.guero.top/zeek:master`
-* `oci.guero.top/zeek:master-debug`
+* AMD64
+   - `oci.guero.top/zeek:latest` and `oci.guero.top/zeek:v6.2.1`
+   - `oci.guero.top/zeek:latest-debug` and `oci.guero.top/zeek:v6.2.1-debug`
+   - `oci.guero.top/zeek:plus` and `oci.guero.top/zeek:v6.2.1-plus`
+   - `oci.guero.top/zeek:master`
+   - `oci.guero.top/zeek:master-debug`
+* ARM64
+   - `oci.guero.top/zeek:latest-arm64` and `oci.guero.top/zeek:v6.2.1-arm64`
+   - `oci.guero.top/zeek:latest-debug-arm64` and `oci.guero.top/zeek:v6.2.1-debug-arm64`
+   - `oci.guero.top/zeek:plus-arm64` and `oci.guero.top/zeek:v6.2.1-plus-arm64`
+   - `oci.guero.top/zeek:master-arm64`
+   - `oci.guero.top/zeek:master-debug-arm64`
