ci: Fix pushing multiplatform image

ondj · ondj · commit 6fa91ffd9365 · 2025-05-19T19:41:05.000+02:00
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -8,6 +8,9 @@ on:
   schedule:
     - cron: '0 3 1,15 * *'
 
+env:
+  REGISTRY_IMAGE: ghcr.io/nukib/misp-modules
+
 jobs:
   build:
     runs-on: ${{ matrix.runner }}
@@ -17,71 +20,103 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v4
-    -
-      name: Set up Docker Buildx
+
+    - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
-    -
-      name: Cache Docker layers
+
+    - name: Cache Docker layers
       uses: actions/cache@v4
       with:
         path: /tmp/.buildx-cache
         key: ${{ runner.os }}-${{ runner.arch }}-buildx-${{ github.sha }}
         restore-keys: |
           ${{ runner.os }}-${{ runner.arch }}-buildx-
-    -
-      name: Build and export to Docker
+
+    - name: Build and export to Docker
       uses: docker/build-push-action@v6
       with:
         context: .
         load: true
-        tags: |
-          nukib/misp-modules:latest
-          ghcr.io/nukib/misp-modules:latest
+        tags: ${{ env.REGISTRY_IMAGE }}
         cache-from: type=local,src=/tmp/.buildx-cache/amd64
         cache-to: type=local,dest=/tmp/.buildx-cache-new/amd64,mode=max
-    -
-      name: Show image details
+
+    - name: Show image details
       run: |
-        docker image inspect nukib/misp-modules:latest
-        docker image history nukib/misp-modules:latest
-    - 
-      name: Test
+        docker image inspect ${{ env.REGISTRY_IMAGE }}
+        docker image history ${{ env.REGISTRY_IMAGE }}
+
+    - name: Test
       run: |
-        docker run --name misp-modules --rm -p 127.0.0.1:6666:6666 nukib/misp-modules:latest &
+        docker run --name misp-modules --rm -p 127.0.0.1:6666:6666 ${{ env.REGISTRY_IMAGE }} &
         sleep 5 # Wait until container is ready
         curl --fail http://localhost:6666/modules | jq
         docker stop misp-modules
-    -
-      # Temp fix
-      # https://github.com/docker/build-push-action/issues/252
-      # https://github.com/moby/buildkit/issues/1896
-      name: Move cache
+
+    # Temp fix
+    # https://github.com/docker/build-push-action/issues/252
+    # https://github.com/moby/buildkit/issues/1896
+    - name: Move cache
       run: |
         rm -rf /tmp/.buildx-cache
         mv /tmp/.buildx-cache-new /tmp/.buildx-cache
         du -sh /tmp/.buildx-cache
-    -
-      name: Login to GitHub Container Registry
+
+    - name: Login to GitHub Container Registry
       if: github.event_name != 'pull_request'
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    -
-      name: Login to DockerHub
+
+    - name: Push by digest
       if: github.event_name != 'pull_request'
-      uses: docker/login-action@v3
+      id: build
+      uses: docker/build-push-action@v6
       with:
-        username: nukib
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-    -
-      name: Push
+        tags: ${{ env.REGISTRY_IMAGE }}
+        outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+
+    - name: Export digest
       if: github.event_name != 'pull_request'
-      uses: docker/build-push-action@v6
+      run: |
+        mkdir -p ${{ runner.temp }}/digests
+        digest="${{ steps.build.outputs.digest }}"
+        touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+    - name: Upload digest
+      if: github.event_name != 'pull_request'
+      uses: actions/upload-artifact@v4
       with:
-        push: true
-        tags: |
-          nukib/misp-modules:latest
-          ghcr.io/nukib/misp-modules:latest
-    
+        name: digests-${{ runner.arch == 'X64' && 'amd64' || 'arm64' }}
+        path: ${{ runner.temp }}/digests/*
+        if-no-files-found: error
+        retention-days: 1
+
+  push:
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.event_name != 'pull_request'
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create --tag ${{ env.REGISTRY_IMAGE }}:latest $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
