separate builds for arm64 and amd64 to provider proper build args

Author: dminnear-rh

.github/workflows/docker-publish.yml

@@ -66,20 +66,55 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ matrix.image.name }}
 
-      # Build and push Docker image with Buildx
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
+      # Build amd64 image (no push)
+      - name: Build amd64 Docker image
+        id: build-amd64
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           file: Containerfile
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
+          platforms: linux/amd64
+          push: false
+          tags: ${{ steps.meta.outputs.tags }}-amd64
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          build-args: |
+            TARGETARCH=amd64
+            ALTTARGETARCH=x86_64
+            OPTTARGETARCH=
+            EXTRARPMS=
+
+      # Build arm64 image (no push)
+      - name: Build arm64 Docker image
+        id: build-arm64
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: Containerfile
+          platforms: linux/arm64
+          push: false
+          tags: ${{ steps.meta.outputs.tags }}-arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            TARGETARCH=arm64
+            ALTTARGETARCH=aarch64
+            OPTTARGETARCH=arm64-
+            EXTRARPMS=gcc python3-devel glibc-devel libxcrypt-devel
+
+      # Push combined multi-arch manifest as single tag
+      - name: Push multi-arch manifest
+        id: manifest
+        run: |
+          docker buildx imagetools create \
+            --tag ${{ steps.meta.outputs.tags }} \
+            ${{ steps.meta.outputs.tags }}-amd64 \
+            ${{ steps.meta.outputs.tags }}-arm64
+          # Get the digest of the created manifest
+          DIGEST=$(docker buildx imagetools inspect ${{ steps.meta.outputs.tags }} --format '{{.Manifest.Digest}}')
+          echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
 
       # Sign the resulting Docker image digest.
       # This will only write to the public Rekor transparency log when the Docker
@@ -90,7 +125,7 @@ jobs:
         env:
           # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
           TAGS: ${{ steps.meta.outputs.tags }}
-          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          DIGEST: ${{ steps.manifest.outputs.digest }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
         run: echo "${TAGS}" | xargs -I "{}" cosign sign --yes "{}@${DIGEST}"