129 changes: 108 additions & 21 deletions .github/workflows/publish_dockerhub_k8s_cache_main.yml
@@ -18,27 +18,31 @@ on:
permissions:
contents: read

env:
IMAGE_NAME: opentelemetry-ebpf-k8s-cache

jobs:
build-and-push-image:
build:
if: github.repository == 'open-telemetry/opentelemetry-ebpf-instrumentation'
permissions:
id-token: write
packages: write
runs-on: ubuntu-latest
env:
IMAGE_NAME: opentelemetry-ebpf-k8s-cache
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- platform: linux/amd64
runner: ubuntu-latest
artifact_suffix: amd64
- platform: linux/arm64
runner: ubuntu-24.04-arm
artifact_suffix: arm64
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
ref: ${{ inputs.ref || github.sha }}
persist-credentials: false

- name: Install Cosign
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Check Cosign version
run: cosign version

- name: Log in to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
@@ -52,36 +56,119 @@ jobs:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract metadata (tags, labels) for Docker
- name: Extract metadata for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: |
otel/${{ env.IMAGE_NAME }}
ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}

- name: Build and push
id: push
- name: Build and push by digest
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./k8scache.Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
outputs: type=image,"name=ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }},docker.io/otel/${{ env.IMAGE_NAME }}",push-by-digest=true,name-canonical=true,push=true

- name: Export digest
env:
DIGEST: ${{ steps.build.outputs.digest }}
run: |
mkdir -p "${{ runner.temp }}/digests"
touch "${{ runner.temp }}/digests/${DIGEST#sha256:}"

- name: Upload digest
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: k8s-cache-digests-${{ matrix.artifact_suffix }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1

create-manifest-and-sign:
if: github.repository == 'open-telemetry/opentelemetry-ebpf-instrumentation'
needs: build
permissions:
id-token: write
packages: write
runs-on: ubuntu-latest
steps:
- name: Download digests
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: ${{ runner.temp }}/digests
pattern: k8s-cache-digests-*

- name: Log in to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN_EBPF_INSTRUMENTATION }}

- name: Log in to the Container registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Install Cosign
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Check Cosign version
run: cosign version

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: |
otel/${{ env.IMAGE_NAME }}
ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}

- name: Create manifest list and push
env:
GHCR_IMAGE: ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}
META_JSON: ${{ steps.meta.outputs.json }}
DIGESTS_DIR: ${{ runner.temp }}/digests
run: |
shopt -s nullglob
for arch in amd64 arm64; do
files=("${DIGESTS_DIR}"/k8s-cache-digests-${arch}/*)
if [ "${#files[@]}" -ne 1 ] || [ ! -f "${files[0]}" ]; then
echo "Error: Expected exactly one digest file in k8s-cache-digests-${arch}, found ${#files[@]}"
exit 1
Comment thread
skl marked this conversation as resolved.
fi
done
AMD64_DIGEST=$(basename "${DIGESTS_DIR}"/k8s-cache-digests-amd64/*)
ARM64_DIGEST=$(basename "${DIGESTS_DIR}"/k8s-cache-digests-arm64/*)
docker buildx imagetools create \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "${META_JSON}") \
"${GHCR_IMAGE}@sha256:${AMD64_DIGEST}" \
"${GHCR_IMAGE}@sha256:${ARM64_DIGEST}"

- name: Sign the images using Cosign with GitHub OIDC Token
env: # interpolation via env is safer: https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.push.outputs.digest }}
IMAGE_TO_INSPECT: ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
run: |
for i in 1 2 3 4 5; do
DIGEST=$(docker buildx imagetools inspect "${IMAGE_TO_INSPECT}" --format '{{.Manifest.Digest}}' 2>/dev/null | tr -d '\n')
[ -n "${DIGEST}" ] && break
echo "Inspect attempt $i failed, retrying in 5s..."
sleep 5
done
if [ -z "${DIGEST}" ]; then echo "Failed to inspect image after 5 attempts"; exit 1; fi
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
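Review bot: The signing step now fills `DIGEST` by inspecting the mutable tag in `IMAGE_TO_INSPECT` after the manifest list has been pushed, so Cosign signs whatever that tag points to at inspect time rather than the index this run created. If two runs of the workflow overlap (nothing visible here rules that out; a `concurrency:` group may exist outside the hunk), one run can sign the other's digest and leave its own unsigned. Consider carrying the digest forward from the manifest-creation step, or at least checking that the inspected index references the two per-arch digests from the previous step before signing; dropping `2>/dev/null` would also keep the real inspect error in the log. The same step appears in `.github/workflows/publish_dockerhub_main.yml`, and the `run:` script continues past the end of the hunk.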
129 changes: 108 additions & 21 deletions .github/workflows/publish_dockerhub_main.yml
@@ -18,27 +18,31 @@ on:
permissions:
contents: read

env:
IMAGE_NAME: ebpf-instrument

jobs:
build-and-push-image:
build:
if: github.repository == 'open-telemetry/opentelemetry-ebpf-instrumentation'
permissions:
id-token: write
packages: write
runs-on: ubuntu-latest
env:
IMAGE_NAME: ebpf-instrument
runs-on: ${{ matrix.runner }}
strategy:
fail-fast: false
matrix:
include:
- platform: linux/amd64
runner: ubuntu-latest
artifact_suffix: amd64
- platform: linux/arm64
runner: ubuntu-24.04-arm
artifact_suffix: arm64
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
ref: ${{ inputs.ref || github.sha }}
persist-credentials: false

- name: Install Cosign
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Check Cosign version
run: cosign version

- name: Log in to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
@@ -52,36 +56,119 @@ jobs:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract metadata (tags, labels) for Docker
- name: Extract metadata for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: |
otel/${{ env.IMAGE_NAME }}
ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}

- name: Build and push
id: push
- name: Build and push by digest
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
outputs: type=image,"name=ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }},docker.io/otel/${{ env.IMAGE_NAME }}",push-by-digest=true,name-canonical=true,push=true

- name: Export digest
env:
DIGEST: ${{ steps.build.outputs.digest }}
run: |
mkdir -p "${{ runner.temp }}/digests"
touch "${{ runner.temp }}/digests/${DIGEST#sha256:}"

- name: Upload digest
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: ebpf-instrument-digests-${{ matrix.artifact_suffix }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1

create-manifest-and-sign:
if: github.repository == 'open-telemetry/opentelemetry-ebpf-instrumentation'
needs: build
permissions:
id-token: write
packages: write
runs-on: ubuntu-latest
steps:
- name: Download digests
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: ${{ runner.temp }}/digests
pattern: ebpf-instrument-digests-*

- name: Log in to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN_EBPF_INSTRUMENTATION }}

- name: Log in to the Container registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Install Cosign
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Check Cosign version
run: cosign version

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: |
otel/${{ env.IMAGE_NAME }}
ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}

- name: Create manifest list and push
env:
GHCR_IMAGE: ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}
META_JSON: ${{ steps.meta.outputs.json }}
DIGESTS_DIR: ${{ runner.temp }}/digests
run: |
shopt -s nullglob
for arch in amd64 arm64; do
files=("${DIGESTS_DIR}"/ebpf-instrument-digests-${arch}/*)
if [ "${#files[@]}" -ne 1 ] || [ ! -f "${files[0]}" ]; then
echo "Error: Expected exactly one digest file in ebpf-instrument-digests-${arch}, found ${#files[@]}"
exit 1
fi
done
AMD64_DIGEST=$(basename "${DIGESTS_DIR}"/ebpf-instrument-digests-amd64/*)
ARM64_DIGEST=$(basename "${DIGESTS_DIR}"/ebpf-instrument-digests-arm64/*)
docker buildx imagetools create \
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "${META_JSON}") \
Comment thread
skl marked this conversation as resolved.
"${GHCR_IMAGE}@sha256:${AMD64_DIGEST}" \
"${GHCR_IMAGE}@sha256:${ARM64_DIGEST}"

- name: Sign the images using Cosign with GitHub OIDC Token
env: # interpolation via env is safer: https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.push.outputs.digest }}
IMAGE_TO_INSPECT: ghcr.io/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
run: |
for i in 1 2 3 4 5; do
DIGEST=$(docker buildx imagetools inspect "${IMAGE_TO_INSPECT}" --format '{{.Manifest.Digest}}' 2>/dev/null | tr -d '\n')
[ -n "${DIGEST}" ] && break
echo "Inspect attempt $i failed, retrying in 5s..."
sleep 5
done
if [ -z "${DIGEST}" ]; then echo "Failed to inspect image after 5 attempts"; exit 1; fi
images=""
for tag in ${TAGS}; do
images+="${tag}@${DIGEST} "
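Review bot: In `Create manifest list and push`, `AMD64_DIGEST` and `ARM64_DIGEST` are taken from artifact file names and placed into the `@sha256:` references without a format check, and the `files` array that was just validated is discarded in favour of a second glob. A cheap guard keeps a malformed name from reaching `imagetools create`: `[[ "${AMD64_DIGEST}" =~ ^[0-9a-f]{64}$ ]] || { echo "bad amd64 digest"; exit 1; }`, and the same for arm64. The artifact comes from the `build` job of the same run, so this is defence in depth rather than a trust-boundary fix. The identical step in `.github/workflows/publish_dockerhub_k8s_cache_main.yml` would take the same guard.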
29 changes: 17 additions & 12 deletions .github/workflows/pull_request_docker_build_test.yml
@@ -19,31 +19,36 @@ permissions:
jobs:
build:
permissions:
id-token: write
packages: write
runs-on: ubuntu-latest
contents: read
runs-on: ${{ matrix.runner }}
strategy:
matrix:
platform: [linux/amd64] # linux/arm64 is too slow on GitHub Actions.
file: [Dockerfile, k8scache.Dockerfile]
include:
- file: Dockerfile
platform: linux/amd64
runner: ubuntu-latest
- file: Dockerfile
platform: linux/arm64
runner: ubuntu-24.04-arm
- file: k8scache.Dockerfile
platform: linux/amd64
runner: ubuntu-latest
- file: k8scache.Dockerfile
platform: linux/arm64
runner: ubuntu-24.04-arm
steps:
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
with:
ref: ${{ inputs.ref || github.sha }}
persist-credentials: false

- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Build and push
- name: Build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
file: ./${{ matrix.file }}
push: false
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ matrix.platform }}
platforms: ${{ matrix.platform }}
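Review bot: The new `strategy` block has no `fail-fast: false`, so with the default a failure on one leg cancels the other three and the PR check no longer shows whether a break is specific to `linux/arm64` or to one Dockerfile. The two publish workflows changed in this commit set it on their matrices; adding `fail-fast: false` under `strategy:` here would keep the three files consistent.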