ROX-29043 Build arm64 versions of CI images for build and test

.github/actions/build-and-push-image/action.yaml

@@ -4,11 +4,14 @@ inputs:
   image-flavor:
     description: A flavor used to tag the apollo-ci image.
     required: true
+  arch:
+    description: Arch for image build (amd64 or arm64)
+    required: true
 runs:
   using: composite
   steps:
-    - name: Build and push image
+    - name: Build and push ${{ inputs.arch }} image
       run: |
         .github/actions/build-and-push-image/build-and-push-image.sh \
-          "${{ inputs.image-flavor }}"
+          "${{ inputs.image-flavor }}" "${{ inputs.arch }}"
       shell: bash

.github/actions/build-and-push-image/build-and-push-image.sh

@@ -4,14 +4,21 @@ set -euo pipefail
 
 build_and_push_image() {
     local image_flavor="$1"
+    local target_arch="$2"
+    local tag_suffix="-${target_arch}"
+
+    if [ -z "${target_arch}" ]; then
+        target_arch="amd64"
+        tag_suffix=""
+    fi
 
     # Login may be required for pulling the base image for building (if used) and to avoid rate limits.
     docker login -u "$QUAY_RHACS_ENG_RW_USERNAME" --password-stdin <<<"$QUAY_RHACS_ENG_RW_PASSWORD" quay.io
 
-    TAG="$(scripts/get_tag.sh "$image_flavor")"
+    TAG="$(scripts/get_tag.sh "$image_flavor")${tag_suffix}"
     IMAGE="quay.io/rhacs-eng/apollo-ci:${TAG}"
 
-    make "$image_flavor"-image
+    make TARGETARCH="$target_arch" "$image_flavor"-image
 
     retry 5 true docker push "${IMAGE}"
 

.github/actions/create-multiarch-manifest/action.yml

@@ -0,0 +1,37 @@
+name: Create and push a multiarch manifest
+description: |
+  This action will create a multiarch manifest and push it to a remote registry.
+
+inputs:
+  base-image:
+    description:
+      The base image to used for the manifest
+    required: true
+  image-flavor:
+    description:
+      The image flavor tag to be used for the manifest
+    required: true
+  suffix:
+    description:
+      Optional suffix for the tags used and the manifest
+    default: ''
+  archs:
+    description:
+      Architectures to be included in the final manifest, separated by a space
+    default: 'amd64 arm64'
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      run: |
+        image_flavor="${{ inputs.image-flavor }}"
+        tag="$(scripts/get_tag.sh ${image_flavor})"
+        read -ra archs <<< "${{ inputs.archs }}"
+        declare -a images=()
+        for arch in "${archs[@]}"; do
+          images+=("${{ inputs.base-image }}:${tag}-${arch}${{ inputs.suffix }}")
+        done
+
+        docker manifest create "${{ inputs.base-image }}:${tag}${{ inputs.suffix }}" "${images[@]}"
+        docker manifest push "${{ inputs.base-image }}:${tag}${{ inputs.suffix }}"
+

.github/workflows/build.yaml

@@ -18,7 +18,15 @@ env:
 jobs:
 
   build-and-push-stackrox-build:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-24.04
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -28,9 +36,18 @@ jobs:
       - uses: ./.github/actions/build-and-push-image
         with:
           image-flavor: "stackrox-build"
+          arch: ${{ matrix.arch }}
 
   build-and-push-stackrox-test:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-24.04
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
     needs:
       - build-and-push-stackrox-build
     steps:
@@ -42,7 +59,54 @@ jobs:
       - uses: ./.github/actions/build-and-push-image
         with:
           image-flavor: "stackrox-test"
-
+          arch: ${{ matrix.arch }}
+
+  build-and-push-multiarch:
+    runs-on: ubuntu-latest
+    needs:
+      - build-and-push-stackrox-build
+      - build-and-push-stackrox-test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Login to quay.io/stackrox-io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
+          password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
+
+      - uses: ./.github/actions/create-multiarch-manifest
+        with:
+          base-image: quay.io/stackrox-io/apollo-ci
+          image-flavor: stackrox-build
+
+      - uses: ./.github/actions/create-multiarch-manifest
+        with:
+          base-image: quay.io/stackrox-io/apollo-ci
+          image-flavor: stackrox-test
+
+      - name: Login to quay.io/rhacs-eng
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
+          password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
+
+      - uses: ./.github/actions/create-multiarch-manifest
+        with:
+          base-image: quay.io/rhacs-eng/apollo-ci
+          image-flavor: stackrox-build
+
+      - uses: ./.github/actions/create-multiarch-manifest
+        with:
+          base-image: quay.io/rhacs-eng/apollo-ci
+          image-flavor: stackrox-test
+
   build-and-push-stackrox-ui-test:
     runs-on: ubuntu-latest
     steps:

Makefile

@@ -4,12 +4,22 @@ endif
 QUAY_REPO=rhacs-eng
 
 STACKROX_BUILD_TAG=$(shell scripts/get_tag.sh "stackrox-build")
+TARGETARCH?=amd64
+
+ifeq ($(TARGETARCH),amd64)
+  TARGETARCH_ALT = x86_64
+else ifeq ($(TARGETARCH),arm64)
+  TARGETARCH_ALT = aarch64
+else
+  TARGETARCH_ALT = $(TARGETARCH)
+endif
 
 .PHONY: stackrox-build-image
 stackrox-build-image:
 	$(DOCKER) build \
-		--platform linux/amd64 \
+		--platform linux/$(TARGETARCH) \
 		-t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG) \
+		-t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG)-$(TARGETARCH) \
 		-f images/stackrox-build.Dockerfile \
 		images/
 
@@ -18,9 +28,11 @@ STACKROX_TEST_TAG=$(shell scripts/get_tag.sh "stackrox-test")
 .PHONY: stackrox-test-image
 stackrox-test-image:
 	$(DOCKER) build \
-		--platform linux/amd64 \
+		--platform linux/$(TARGETARCH) \
 		-t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_TEST_TAG) \
-		--build-arg BASE_TAG=$(STACKROX_BUILD_TAG) \
+		-t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_TEST_TAG)-$(TARGETARCH) \
+		--build-arg BASE_TAG=$(STACKROX_BUILD_TAG)-$(TARGETARCH) \
+		--build-arg TARGETARCH_ALT=$(TARGETARCH_ALT) \
 		-f images/stackrox-test.Dockerfile \
 		images/
 
@@ -40,7 +52,7 @@ test-cci-export:
 	$(DOCKER) build \
 		--platform linux/amd64 \
 		-t test-cci-export \
-		--build-arg BASE_TAG=$(STACKROX_TEST_TAG) \
+		--build-arg BASE_TAG=$(STACKROX_TEST_TAG)-amd64 \
 		-f images/test.cci-export.Dockerfile \
 		images/
 	$(DOCKER) run \

images/stackrox-build.Dockerfile

@@ -2,6 +2,8 @@
 
 FROM registry.access.redhat.com/ubi8:latest
 
+ARG TARGETARCH
+
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN touch /i-am-rox-ci-image
@@ -56,27 +58,37 @@ RUN dnf update -y && \
     rm -rf /var/cache/dnf /var/cache/yum
 
 ARG GOLANG_VERSION=1.24.4
-ARG GOLANG_SHA256=77e5da33bb72aeaef1ba4418b6fe511bc4d041873cbf82e5aa6318740df98717
-ENV GOPATH /go
-ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
-RUN url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz" && \
-    wget --no-verbose -O go.tgz "$url" && \
+ENV GOPATH=/go
+ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
+RUN set -e; case "$TARGETARCH" in \
+        "amd64" ) GOLANG_SHA256="77e5da33bb72aeaef1ba4418b6fe511bc4d041873cbf82e5aa6318740df98717";; \
+        "arm64")  GOLANG_SHA256="d5501ee5aca0f258d5fe9bfaed401958445014495dc115f202d43d5210b45241";; \
+        *) echo "Unsupported $TARGETARCH"; exit 1;; \
+    esac && \
+    wget --no-verbose -O go.tgz "https://dl.google.com/go/go${GOLANG_VERSION}.linux-${TARGETARCH}.tar.gz" && \
     echo "${GOLANG_SHA256} *go.tgz" | sha256sum -c - && \
     tar -C /usr/local -xzf go.tgz && \
     rm go.tgz && \
     mkdir -p "$GOPATH/src" "$GOPATH/bin" && \
     chmod -R 777 "$GOPATH"
 
-ARG FETCH_VERSION=0.3.5
-ARG FETCH_SHA256=8d4d99e903b30dbd24290e9a056a982ea2326a05ded24c63be64df16e7e0d9f0
-RUN wget --no-verbose -O fetch https://github.com/gruntwork-io/fetch/releases/download/v${FETCH_VERSION}/fetch_linux_amd64 && \
+ARG FETCH_VERSION=0.4.6
+RUN set -e; case "$TARGETARCH" in \
+        "amd64" ) FETCH_SHA256="a67ed3141d6deb7e7841f40505cba11eb7a37abbab78374712a42373e7854209";; \
+        "arm64")  FETCH_SHA256="4b9115a1f1a90c7088bff9ffc7d2de3547ef1d21709528e878af09a4c348dea3";; \
+        *) echo "Unsupported $TARGETARCH"; exit 1;; \
+    esac && \
+    wget --no-verbose -O fetch https://github.com/gruntwork-io/fetch/releases/download/v${FETCH_VERSION}/fetch_linux_${TARGETARCH} && \
     echo "${FETCH_SHA256} fetch" | sha256sum -c - && \
     install fetch /usr/bin && \
     rm fetch
 
 ARG OSSLS_VERSION=0.11.1
-ARG OSSLS_SHA256=f1bf3012961c1d90ba307a46263f29025028d35c209b9a65e5c7d502c470c95f
-RUN fetch --repo="https://github.com/stackrox/ossls" --tag="${OSSLS_VERSION}" --release-asset="ossls_linux_amd64" . && \
+RUN set -e; case "$TARGETARCH" in \
+        "amd64" ) OSSLS_SHA256="f1bf3012961c1d90ba307a46263f29025028d35c209b9a65e5c7d502c470c95f";; \
+        *) echo "Unsupported $TARGETARCH, skipping."; exit 0;; \
+    esac && \
+    fetch --repo="https://github.com/stackrox/ossls" --tag="${OSSLS_VERSION}" --release-asset="ossls_linux_amd64" . && \
     echo "${OSSLS_SHA256} *ossls_linux_amd64" | sha256sum -c - && \
     install ossls_linux_amd64 /usr/bin/ossls && \
     rm ossls_linux_amd64 && \