Multi-platform Docker build using native runners (#1182)

jerbly · web-flow · commit 3759ac980661 · 2026-02-02T10:06:15.000-05:00
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -1,3 +1,5 @@
+# Multi-platform Docker build using native runners
+# Reference: https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
 name: Weaver Docker Generator
 on:
   push:
@@ -11,10 +13,19 @@ permissions:
   contents: read
 env:
   TEST_WEAVER_TAG: otel/weaver:test
+  REGISTRY_IMAGE: otel/weaver
 jobs:
-  make-docker-image:
-    name: Docker Image
-    runs-on: ubuntu-latest
+  build:
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Setup Node.js
@@ -23,38 +34,84 @@ jobs:
         node-version-file: '.nvmrc'
         cache: 'npm'
         cache-dependency-path: ui/package-lock.json
-    - name: Set up QEMU
-      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
     - name: Extract metadata (tags, labels) for Docker
       id: meta
       uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
       with:
-        images: otel/weaver
+        images: ${{ env.REGISTRY_IMAGE }}
     - name: Build test image
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       with:
-          push: false
-          load: true
-          tags: ${{ env.TEST_WEAVER_TAG }}
-          labels: ${{ steps.meta.outputs.labels }}
+        push: false
+        load: true
+        platforms: ${{ matrix.platform }}
+        tags: ${{ env.TEST_WEAVER_TAG }}
+        labels: ${{ steps.meta.outputs.labels }}
     - name: Test
       run: |
-          docker run --rm ${{ env.TEST_WEAVER_TAG }} --help
+        docker run --rm ${{ env.TEST_WEAVER_TAG }} --help
     - name: Log in to Docker Hub
       uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
       if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
       with:
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}
-    - name: Build and push
+    - name: Build and push by digest
+      id: build
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
       with:
-        push: true
-        platforms: linux/amd64,linux/arm64
+        platforms: ${{ matrix.platform }}
         provenance: mode=max
         sbom: true
-        tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
+        outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
+    - name: Export digest
+      if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
+      run: |
+        mkdir -p /tmp/digests
+        digest="${{ steps.build.outputs.digest }}"
+        touch "/tmp/digests/${digest#sha256:}"
+    - name: Upload digest
+      if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: digests-${{ matrix.platform == 'linux/amd64' && 'amd64' || 'arm64' }}
+        path: /tmp/digests/*
+        if-no-files-found: error
+        retention-days: 1
+
+  merge:
+    name: Merge manifests
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
+    needs: build
+    steps:
+    - name: Download digests
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      with:
+        path: /tmp/digests
+        pattern: digests-*
+        merge-multiple: true
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+      with:
+        images: ${{ env.REGISTRY_IMAGE }}
+    - name: Log in to Docker Hub
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      with:
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
+    - name: Create manifest list and push
+      working-directory: /tmp/digests
+      run: |
+        docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+          $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+    - name: Inspect image
+      run: |
+        docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,14 +1,12 @@
 # The build image
-FROM --platform=$BUILDPLATFORM docker.io/rust:1.93.0@sha256:4c7eb947d7e078f5c076e086c7b75c36ea0ec7c685f2244b3d79306deb7e44b7 AS weaver-build
+FROM docker.io/rust:1.93.0@sha256:4c7eb947d7e078f5c076e086c7b75c36ea0ec7c685f2244b3d79306deb7e44b7 AS weaver-build
 WORKDIR /build
-ARG BUILDPLATFORM
-ARG TARGETPLATFORM
 
 # Install Node.js and musl build dependencies
 # renovate: datasource=node-version depName=node
 ARG NODE_VERSION=24
 RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && \
-  apt-get install -y nodejs musl-tools musl-dev perl wget
+  apt-get install -y nodejs musl-tools musl-dev perl
 
 # Copy UI package files first for better layer caching
 COPY ui/package.json ui/package-lock.json /build/ui/
diff --git a/cross-arch-build.sh b/cross-arch-build.sh
@@ -1,47 +1,23 @@
 #!/bin/sh
 set -exu
 
-# Detect actual host architecture (not Docker platform vars which may differ with QEMU)
+# Detect host architecture for native musl builds
 HOST_ARCH=$(uname -m)
 echo "Host architecture: ${HOST_ARCH}"
-echo "Build platform: ${BUILDPLATFORM}"
-echo "Target platform: ${TARGETPLATFORM}"
 
-case "${TARGETPLATFORM}" in
-  linux/amd64)
+case "${HOST_ARCH}" in
+  x86_64)
     RUST_TARGET=x86_64-unknown-linux-musl
-    if [ "${HOST_ARCH}" = "x86_64" ]; then
-      # Native x86_64 - musl-tools provides musl-gcc
-      export CC_x86_64_unknown_linux_musl=musl-gcc
-      export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=musl-gcc
-    else
-      # Cross-compiling to x86_64 from another arch
-      wget -q https://musl.cc/x86_64-linux-musl-cross.tgz
-      echo "52abd1a56e670952116e35d1a62e048a9b6160471d988e16fa0e1611923dd108a581d2e00874af5eb04e4968b1ba32e0eb449a1f15c3e4d5240ebe09caf5a9f3  x86_64-linux-musl-cross.tgz" | sha512sum -c -
-      tar xf x86_64-linux-musl-cross.tgz -C /opt
-      export PATH="/opt/x86_64-linux-musl-cross/bin:$PATH"
-      export CC_x86_64_unknown_linux_musl=x86_64-linux-musl-gcc
-      export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=x86_64-linux-musl-gcc
-    fi
+    export CC_x86_64_unknown_linux_musl=musl-gcc
+    export CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_LINKER=musl-gcc
     ;;
-  linux/arm64*)
+  aarch64)
     RUST_TARGET=aarch64-unknown-linux-musl
-    if [ "${HOST_ARCH}" = "aarch64" ]; then
-      # Native arm64 - musl-tools provides musl-gcc
-      export CC_aarch64_unknown_linux_musl=musl-gcc
-      export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=musl-gcc
-    else
-      # Cross-compiling to arm64 from x86_64
-      wget -q https://musl.cc/aarch64-linux-musl-cross.tgz
-      echo "8695ff86979cdf30fbbcd33061711f5b1ebc3c48a87822b9ca56cde6d3a22abd4dab30fdcd1789ac27c6febbaeb9e5bde59d79d66552fae53d54cc1377a19272  aarch64-linux-musl-cross.tgz" | sha512sum -c -
-      tar xf aarch64-linux-musl-cross.tgz -C /opt
-      export PATH="/opt/aarch64-linux-musl-cross/bin:$PATH"
-      export CC_aarch64_unknown_linux_musl=aarch64-linux-musl-gcc
-      export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=aarch64-linux-musl-gcc
-    fi
+    export CC_aarch64_unknown_linux_musl=musl-gcc
+    export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=musl-gcc
     ;;
   *)
-    echo "Unsupported target platform: ${TARGETPLATFORM}"
+    echo "Unsupported architecture: ${HOST_ARCH}"
     exit 1
     ;;
 esac
