.github/workflows/build-and-push-runners.yaml

name: Multiplatform Build with Runners

on:
  push:

jobs:
  armbuild:
    runs-on: [linux-arm-for-testing]
    permissions: 
      id-token: write
      attestations: write
      content: read
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - 
        name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
        with:
          images: |
            amouat/images-bite-back-arm-runner-${{ github.RUN_ID }}
          labels: |
            org.opencontainers.image.description=Images Bite Back Demo Arm Runner
      -
        id: build
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          file: Dockerfile
          platforms: linux/arm64
          push: true
          sbom: true
          provenance: mode=max
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      -
        name: Attest
        uses: actions/attest-build-provenance@92c65d2898f1f53cfdc910b962cecff86e7f8fcc # v1
        id: attest
        with:
          subject-name: index.docker.io/${{ vars.DOCKERHUB_USER }}/images-bite-back-arm-runner-${{ github.RUN_ID }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
      - 
        name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}

  x86build:
    runs-on: [ubuntu-latest-2-cores-testing]
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    permissions: 
      id-token: write 
      attestations: write
      content:read
    steps:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - 
        name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5
        with:
          images: |
            amouat/images-bite-back-x86-runner-${{ github.RUN_ID }}
          labels: |
            org.opencontainers.image.description=Images Bite Back Demo Arm Runner
      -
        id: build
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          file: Dockerfile
          platforms: linux/amd64
          push: true
          sbom: true
          provenance: mode=max
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
      -
        name: Attest
        uses: actions/attest-build-provenance@92c65d2898f1f53cfdc910b962cecff86e7f8fcc # v1
        id: attest
        with:
          subject-name: index.docker.io/${{ vars.DOCKERHUB_USER }}/images-bite-back-x86-runner-${{ github.RUN_ID }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
      - 
        name: Sign the images with GitHub OIDC Token
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          images=""
          for tag in ${TAGS}; do
            images+="${tag}@${DIGEST} "
          done
          cosign sign --yes ${images}

  manifest:
    permissions: # needed for signing and attestations
     id-token: write # write seems weird, but it is correct per docs
     attestations: write
    needs: [x86build, armbuild]
    runs-on: ubuntu-latest
    steps:
      -
        name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - 
        name: Install crane
        uses: imjasonh/setup-crane@v0.4
      -
        name: Create and Push Multi-Platform Manifest
        run: |
          X86DIGEST=$(crane digest --platform linux/amd64 amouat/images-bite-back@${{ needs.x86build.outputs.digest }})
          ARMDIGEST=$(crane digest --platform linux/arm64 amouat/images-bite-back@${{ needs.armbuild.outputs.digest }})
          docker manifest create amouat/images-bite-back:multiplatorm-${{ github.RUN_ID }} \
            amouat/images-bite-back@$X86DIGEST \
            amouat/images-bite-back@$ARMDIGEST
          docker manifest push amouat/images-bite-back:multiplatorm-${{ github.RUN_ID }}