ci: parallel arm64/amd64 builds with manifest merge

.github/workflows/build.yml

@@ -16,13 +16,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
     - name: Set up Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
       with:
         python-version: ${{ env.PYTHON_VERSION }}
 
+    - name: Install system dependencies
+      run: sudo apt-get update && sudo apt-get install -y --no-install-recommends libldap2-dev libsasl2-dev
+
     - name: Install dependencies for coverage
       run: |
         cd dns-server && pip install -r requirements.txt pytest pytest-cov
@@ -35,7 +38,7 @@ jobs:
           --cov-fail-under=98 -v --tb=short || true
 
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238  # v4
+      uses: codecov/codecov-action@3f20e214133d0983f9a10f3d63b0faf9241a3daa  # v6
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         files: ./coverage.xml
@@ -55,7 +58,7 @@ jobs:
     needs: build-and-test
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
     - name: Build unified Docker image - DNS Server
       run: |
@@ -84,10 +87,10 @@ jobs:
       contents: read
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
     - name: Set up Python for bandit
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
       with:
         python-version: ${{ env.PYTHON_VERSION }}
 

.github/workflows/cron.yml

@@ -9,49 +9,113 @@ env:
   REPO: squawk
 
 jobs:
-  push_to_registries:
-    name: Push Docker image to multiple registries
+  build-platform:
+    name: Build Docker image for ${{ matrix.platform }}
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        platform: [linux/amd64, linux/arm64]
     permissions:
       packages: write
       contents: read
     steps:
       - name: Check out the repo
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9b11de45568b7b44d28e85c0b8e7  # v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebba01cdb9b2d9a7ac3b0c11b09  # v3
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf5ca  # v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Log in to the Container registry
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf5ca  # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
-        with:
-          images: |
-            penguintechinc/${{ env.REPO }}
-            ghcr.io/${{ github.repository }}
+      - name: Extract platform tag
+        id: platform_tag
+        run: |
+          PLATFORM_TAG=$(echo ${{ matrix.platform }} | sed 's/linux\///')
+          echo "tag=$PLATFORM_TAG" >> $GITHUB_OUTPUT
 
-      - name: Build and push Docker images
-        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+      - name: Build Docker image for ${{ matrix.platform }}
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6
         with:
           context: .
+          platforms: ${{ matrix.platform }}
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            penguintechinc/${{ env.REPO }}:cron-${{ steps.platform_tag.outputs.tag }}
+            ghcr.io/${{ github.repository }}:cron-${{ steps.platform_tag.outputs.tag }}
+          cache-from: type=gha,scope=${{ matrix.platform }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.platform }}
 
-      - name: Build and push Docker images to static tags
-        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+      - name: Build Docker image with static tags for ${{ matrix.platform }}
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6
         with:
           context: .
+          platforms: ${{ matrix.platform }}
           push: true
-          tags: ghcr.io/penguintechinc/${{ env.REPO }}:latest, ghcr.io/penguintechinc/${{ env.REPO }}:nightly, penguintechinc/${{ env.REPO }}:latest
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            ghcr.io/penguintechinc/${{ env.REPO }}:latest-${{ steps.platform_tag.outputs.tag }}
+            ghcr.io/penguintechinc/${{ env.REPO }}:nightly-${{ steps.platform_tag.outputs.tag }}
+            penguintechinc/${{ env.REPO }}:latest-${{ steps.platform_tag.outputs.tag }}
+          cache-from: type=gha,scope=${{ matrix.platform }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.platform }}
+
+  merge-manifests:
+    name: Merge Docker manifests
+    runs-on: ubuntu-latest
+    needs: build-platform
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf5ca  # v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf5ca  # v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebba01cdb9b2d9a7ac3b0c11b09  # v3
+
+      - name: Merge manifests for cron tags
+        run: |
+          docker buildx imagetools create -t penguintechinc/${{ env.REPO }}:cron \
+            penguintechinc/${{ env.REPO }}:cron-amd64 \
+            penguintechinc/${{ env.REPO }}:cron-arm64
+          docker buildx imagetools create -t ghcr.io/${{ github.repository }}:cron \
+            ghcr.io/${{ github.repository }}:cron-amd64 \
+            ghcr.io/${{ github.repository }}:cron-arm64
+
+      - name: Merge manifests for latest/nightly tags
+        run: |
+          docker buildx imagetools create -t ghcr.io/penguintechinc/${{ env.REPO }}:latest \
+            ghcr.io/penguintechinc/${{ env.REPO }}:latest-amd64 \
+            ghcr.io/penguintechinc/${{ env.REPO }}:latest-arm64
+          docker buildx imagetools create -t ghcr.io/penguintechinc/${{ env.REPO }}:nightly \
+            ghcr.io/penguintechinc/${{ env.REPO }}:nightly-amd64 \
+            ghcr.io/penguintechinc/${{ env.REPO }}:nightly-arm64
+          docker buildx imagetools create -t penguintechinc/${{ env.REPO }}:latest \
+            penguintechinc/${{ env.REPO }}:latest-amd64 \
+            penguintechinc/${{ env.REPO }}:latest-arm64