diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 210ad3ad..717d9e77 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -7,8 +7,14 @@ name: Docker on: workflow_dispatch: + inputs: + build_arm64: + description: 'Build and publish ARM64 image (multi-arch manifest)' + type: boolean + default: false push: branches: + - 'main' - 'develop' - 'release/**' - 'hotfix/**' @@ -44,12 +50,33 @@ jobs: - name: Checkout repository uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + # Set up QEMU for ARM64 cross-compilation on AMD64 runners + - name: Set up QEMU + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 + # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache # https://github.com/docker/setup-buildx-action - name: Set up Docker Buildx uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + # ARM64 is included for main, develop, hotfix, release branches, version tags, and manual trigger. + # Pull requests (e.g. feature → develop) build AMD64 only; ARM64 is built on merge (push event). + - name: Determine build platforms + id: platforms + run: | + PLATFORMS="linux/amd64" + if [[ "${{ github.ref }}" == refs/heads/main ]] || \ + [[ "${{ github.ref }}" == refs/heads/develop ]] || \ + [[ "${{ github.ref }}" == refs/heads/hotfix/* ]] || \ + [[ "${{ github.ref }}" == refs/heads/release/* ]] || \ + [[ "${{ github.ref }}" == refs/tags/v* ]] || \ + [[ "${{ inputs.build_arm64 }}" == "true" ]]; then + PLATFORMS="linux/amd64,linux/arm64" + fi + echo "platforms=$PLATFORMS" >> $GITHUB_OUTPUT + echo "include_arm64=$([ "$PLATFORMS" = "linux/amd64,linux/arm64" ] && echo 'true' || echo 'false')" >> $GITHUB_OUTPUT + # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }} @@ -89,6 +116,7 @@ jobs: provenance: mode=max context: ${{ env.BUILD_CONTEXT }} file: ${{ env.DOCKERFILE_PATH }} + platforms: ${{ steps.platforms.outputs.platforms }} push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} @@ -119,13 +147,28 @@ jobs: - name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container if: ${{ github.event_name != 'pull_request' }} uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 + env: + TRIVY_PLATFORM: linux/amd64 with: scan-type: 'image' format: 'cyclonedx' - output: 'sbom-output/sbom_container.cyclonedx.json' + output: 'sbom-output/sbom_container_amd64.cyclonedx.json' image-ref: ${{ steps.highest-priority-tag.outputs.value }} skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a separate SBOM for easier vulnerability management and because trivy misses important fields + # Scan ARM64 image separately when a multi-arch build was produced + - name: Run Trivy scan for ARM64 image + if: ${{ github.event_name != 'pull_request' && steps.platforms.outputs.include_arm64 == 'true' }} + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 + env: + TRIVY_PLATFORM: linux/arm64 + with: + scan-type: 'image' + format: 'cyclonedx' + output: 'sbom-output/sbom_container_arm64.cyclonedx.json' + image-ref: ${{ steps.highest-priority-tag.outputs.value }} + skip-dirs: '/App' + - name: Upload trivy/container AND application SBOMs as a Github artifact if: ${{ github.event_name != 'pull_request' }} uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1