Build multiarch images on native GitHub runners

.github/workflows/image.yaml

@@ -24,26 +24,21 @@ on:
 
 jobs:
   build-image:
-    runs-on: linux-amd64-cpu4
+    strategy:
+      matrix:
+        arch:
+          - amd64
+          - arm64
+        dist: [distroless]
+    runs-on: linux-${{ matrix.arch }}-cpu4
     permissions:
       contents: read
       id-token: write
       packages: write
-    strategy:
-      matrix:
-        dist: [ubi9]
     steps:
       - uses: actions/checkout@v5
         name: Check out code
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          image: tonistiigi/binfmt:master
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -56,10 +51,32 @@ jobs:
       - name: Build image
         env:
           IMAGE_NAME: ghcr.io/nvidia/k8s-driver-manager
-          VERSION: ${{ inputs.version }}
+          VERSION: ${{ inputs.version }}-${{ matrix.arch }}
           PUSH_ON_BUILD: "true"
-          BUILD_MULTI_ARCH_IMAGES: "true"
           GOPROXY: ${{ steps.setup-go-proxy.outputs.goproxy-url }}
+          DOCKER_BUILD_PLATFORM_OPTIONS: "--platform=linux/${{ matrix.arch }}"
         run: |
           echo "${VERSION}"
           make -f deployments/container/Makefile build-${{ matrix.dist }}
+
+  create-manifest:
+    needs: build-image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+        name: Check out code
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Manifest
+        env:
+          MULTIARCH_IMAGE: ghcr.io/nvidia/k8s-driver-manager:${{ inputs.version }}
+        run: |
+          docker manifest create \
+            ${MULTIARCH_IMAGE} \
+            ghcr.io/nvidia/k8s-driver-manager:${{ inputs.version }}-amd64 \
+            ghcr.io/nvidia/k8s-driver-manager:${{ inputs.version }}-arm64
+          docker manifest push ${MULTIARCH_IMAGE}

deployments/container/Makefile

@@ -14,10 +14,6 @@
 
 BUILD_MULTI_ARCH_IMAGES ?= no
 DOCKER ?= docker
-BUILDX =
-ifeq ($(BUILD_MULTI_ARCH_IMAGES),true)
-BUILDX = buildx
-endif
 
 ##### Global variables #####
 include $(CURDIR)/versions.mk
@@ -38,8 +34,8 @@ OUT_IMAGE_VERSION ?= $(IMAGE_VERSION)
 OUT_IMAGE = $(OUT_IMAGE_NAME):$(OUT_IMAGE_VERSION)
 
 ##### Public rules #####
-DISTRIBUTIONS := ubi9
-DEFAULT_PUSH_TARGET := ubi9
+DISTRIBUTIONS := distroless
+DEFAULT_PUSH_TARGET := distroless
 
 PUSH_TARGETS := $(patsubst %, push-%, $(DISTRIBUTIONS))
 BUILD_TARGETS := $(patsubst %, build-%, $(DISTRIBUTIONS))
@@ -53,24 +49,30 @@ else
 include $(CURDIR)/deployments/container/multi-arch.mk
 endif
 
+# Both distroless and build-distroless trigger a build of the relevant image
+$(DISTRIBUTIONS): %: build-%
+
 build-%: DOCKERFILE_SUFFIX = $(*)
 build-%: DOCKERFILE = $(CURDIR)/deployments/container/Dockerfile.$(DOCKERFILE_SUFFIX)
-
-# Both ubi9 and build-ubi9 trigger a build of the relevant image
-$(DISTRIBUTIONS): %: build-%
 $(BUILD_TARGETS): build-%:
-	DOCKER_BUILDKIT=1 \
-		$(DOCKER) $(BUILDX) build --pull \
-			$(DOCKER_BUILD_OPTIONS) \
-			$(DOCKER_BUILD_PLATFORM_OPTIONS) \
-			--tag $(IMAGE) \
-			--build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
-			--build-arg VERSION="$(VERSION)" \
-			--build-arg GIT_COMMIT="$(GIT_COMMIT)" \
-			--build-arg CVE_UPDATES="$(CVE_UPDATES)" \
-			--build-arg GOPROXY="$(GOPROXY)" \
-			--file $(DOCKERFILE) \
-			$(CURDIR)
+	$(DOCKER) build --pull \
+		$(DOCKER_BUILD_OPTIONS) \
+		$(DOCKER_BUILD_PLATFORM_OPTIONS) \
+		--tag $(IMAGE) \
+		--build-arg GOLANG_VERSION="$(GOLANG_VERSION)" \
+		--build-arg VERSION="$(VERSION)" \
+		--build-arg GIT_COMMIT="$(GIT_COMMIT)" \
+		--build-arg CVE_UPDATES="$(CVE_UPDATES)" \
+		--build-arg GOPROXY="$(GOPROXY)" \
+		--file $(DOCKERFILE) \
+		$(CURDIR)
+ifeq ($(PUSH_ON_BUILD),true)
+	$(DOCKER) push "$(IMAGE)"
+endif
+
+# Handle the default build target.
+.PHONY: build
+build: $(DEFAULT_PUSH_TARGET)
 
 .PHONY: bump-commit
 BUMP_COMMIT := Bump to version $(VERSION)

deployments/container/multi-arch.mk

@@ -15,7 +15,7 @@
 PUSH_ON_BUILD ?= false
 ATTACH_ATTESTATIONS ?= false
 DOCKER_BUILD_OPTIONS = --output=type=image,push=$(PUSH_ON_BUILD) --provenance=$(ATTACH_ATTESTATIONS) --sbom=$(ATTACH_ATTESTATIONS)
-DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64,linux/arm64
+DOCKER_BUILD_PLATFORM_OPTIONS ?= --platform=linux/amd64,linux/arm64
 
 REGCTL ?= regctl
 $(PUSH_TARGETS): push-%:

deployments/container/native-only.mk

@@ -12,7 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-DOCKER_BUILD_PLATFORM_OPTIONS = --platform=linux/amd64
+PUSH_ON_BUILD ?= false
+DOCKER_BUILD_PLATFORM_OPTIONS ?= --platform=linux/amd64
 
 $(PUSH_TARGETS): push-%:
 	$(DOCKER) tag "$(IMAGE)" "$(OUT_IMAGE)"