Build and test architecture images before push

Wuodan · Wuodan · commit 70cc6bda47ff · 2026-03-16T22:51:32.000+01:00
Split the per-architecture workflow so each image is built locally, smoke-tested, and only then pushed to Docker Hub as an architecture-specific tag.

This avoids publishing untested architecture images and keeps the sequence as build-test-push instead of build-push-test.

In the manifest publish job, resolve the source image digests before logging in to Docker Hub, then publish the final multi-arch manifest from those digest references. This reduces authenticated Docker Hub rate-limit failures during manifest assembly.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -99,6 +99,20 @@ jobs:
     steps:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      - name: Resolve architecture image digests
+        id: resolve-digests
+        run: |
+          amd64_digest="$(docker buildx imagetools inspect "${IMAGE_NAME}:${{ matrix.key }}-amd64" --format '{{json .Manifest}}' | jq -r '.digest')"
+          {
+            echo "amd64_ref=${IMAGE_NAME}@${amd64_digest}"
+          } >> "$GITHUB_OUTPUT"
+
+          if echo '${{ toJSON(matrix.platforms) }}' | jq -e '.[] == "linux/arm64"' > /dev/null; then
+            arm64_digest="$(docker buildx imagetools inspect "${IMAGE_NAME}:${{ matrix.key }}-arm64" --format '{{json .Manifest}}' | jq -r '.digest')"
+            {
+              echo "arm64_ref=${IMAGE_NAME}@${arm64_digest}"
+            } >> "$GITHUB_OUTPUT"
+          fi
       - name: Login to Docker Hub
         uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
@@ -107,11 +121,11 @@ jobs:
 
       - name: Publish multi-arch manifest
         run: |
-          tags=("${IMAGE_NAME}:${{ matrix.key }}-amd64")
-          if echo '${{ toJSON(matrix.platforms) }}' | jq -e '.[] == "linux/arm64"' > /dev/null; then
-            tags+=("${IMAGE_NAME}:${{ matrix.key }}-arm64")
+          refs=("${{ steps.resolve-digests.outputs.amd64_ref }}")
+          if [[ -n "${{ steps.resolve-digests.outputs.arm64_ref }}" ]]; then
+            refs+=("${{ steps.resolve-digests.outputs.arm64_ref }}")
           fi
-          docker buildx imagetools create --tag "${IMAGE_NAME}:${{ matrix.key }}" "${tags[@]}"
+          docker buildx imagetools create --tag "${IMAGE_NAME}:${{ matrix.key }}" "${refs[@]}"
 
       - name: Add digest to build context
         run: |
