build: publish multi-arch container images to GHCR on release#2035
build: publish multi-arch container images to GHCR on release#2035waveywaves wants to merge 2 commits into
Conversation
f1d0d48 to
1803a14
Compare
7338c2d to
b5b734a
Compare
|
cc @omar-polo @mathieu-plak gentle nudge for a review |
df9d3ff to
ccb4b20
Compare
|
Hello, and thank you for the PR. A few questions:
|
|
@waveywaves nudge in case you didn't see @brmzkw 's question |
ccb4b20 to
0912f9d
Compare
|
Thanks @brmzkw, and thanks for the nudge @poolpOrg. Sorry I missed this. I've pushed an update addressing the points:
I also validated the updated GoReleaser config with: MAKE_LATEST_RELEASE=true go run github.com/goreleaser/goreleaser/v2@latest checkand tested the Dockerfile's |
Add GoReleaser docker configuration to build and publish container images to ghcr.io/plakarkorp/plakar on tagged releases. Images are built for linux/amd64 and linux/arm64 with a multi-arch manifest. The release workflow gains QEMU, Buildx, and GHCR login steps. A minimal Dockerfile.goreleaser is used by GoReleaser to package the pre-built binary (the existing Dockerfile remains for manual builds). The :latest tag is only pushed for stable releases (tags without hyphens), matching the existing MAKE_LATEST_RELEASE logic. Co-authored-by: Claude <noreply@anthropic.com>
0912f9d to
5396fce
Compare
|
Rebased this on latest I also re-ran the GoReleaser config check locally: MAKE_LATEST_RELEASE=true go run github.com/goreleaser/goreleaser/v2@latest checkGentle nudge for another look when you get a chance. |
|
@brmzkw in a rush I didn't answer your question earlier. Cosign is required in supply chain security to cryptographically verify authenticity, ensure code integrity, and establish provenance for software artifacts. Here is exactly how it works at a glance. Signing: A developer uses a cryptographic key (or a "keyless" method) to create a digital signature for their compiled software or container image. Storage: Cosign pushes this digital signature directly to an Open Container Initiative (OCI) registry (like Docker Hub, GHCR or a private registry) right alongside the software itself. Verification: Before deploying the software, the target system uses the developer’s corresponding public key to verify that the signature matches the software artifact. |
There was a problem hiding this comment.
Pull request overview
Adds automated publishing of multi-architecture container images to GitHub Container Registry (GHCR) as part of the tagged release process, leveraging GoReleaser-built binaries and signing images via keyless cosign.
Changes:
- Add GoReleaser
dockers_v2config to build/push a multi-arch image (linux/amd64,linux/arm64) toghcr.io/plakarkorp/plakar. - Extend the release GitHub Actions workflow to set up QEMU/Buildx, authenticate to GHCR, and sign published images with cosign (OIDC).
- Refactor the Dockerfile to introduce a shared runtime base and a GoReleaser-specific target that copies in the prebuilt binary.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Dockerfile | Introduces runtime-base and a goreleaser target to package GoReleaser-built binaries while preserving source-build behavior for manual builds. |
| .goreleaser.yml | Adds dockers_v2 configuration to publish a multi-arch image to GHCR with appropriate OCI labels. |
| .github/workflows/release.yml | Updates release workflow to run only on v* tags, enable GHCR publishing, set up multi-arch tooling, and sign images with cosign via OIDC. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Builds on PR #2004 (Dockerfile) to automatically publish container images to GHCR on tagged releases.
Related: #1533
Motivation
The Dockerfile landed in #2004, but there's no CI/CD pipeline to build and publish images. Users who want to run plakar in containers (Docker, Kubernetes, Tekton) currently have to build the image themselves.
Changes
.goreleaser.yml— addsdockers_v2configuration to publish a multi-arch image toghcr.io/plakarkorp/plakarusing GoReleaser's pre-builtplakarbinaries..github/workflows/release.yml— adds QEMU, Docker Buildx, GHCR login, and keyless cosign signing steps. Addspackages: writeandid-token: writepermissions.Dockerfile— reuses the existing Dockerfile by adding agoreleasertarget that copies the pre-built$TARGETPLATFORM/plakarbinary from GoReleaser's build context. The default Dockerfile behavior still performs the full source build for manual/standalone Docker builds.Image tags
On a tagged release like
v1.2.0:ghcr.io/plakarkorp/plakar:v1.2.0(multi-arch manifest)ghcr.io/plakarkorp/plakar:latest(only for stable releases, not pre-releases likev1.2.0-beta)Architectures:
linux/amd64,linux/arm64Signing
Published image tags are signed with cosign using GitHub Actions OIDC keyless signing. No private signing key is stored in the repository; the workflow receives an ephemeral certificate through the GitHub OIDC token.
Example verification:
cosign verify ghcr.io/plakarkorp/plakar:v1.2.0 \ --certificate-identity-regexp 'https://github.com/PlakarKorp/plakar/.*' \ --certificate-oidc-issuer https://token.actions.githubusercontent.comUsage
Notes
:latesttag uses the existingMAKE_LATEST_RELEASElogic — only pushed and signed when the tag has no hyphendockers_v2builds the multi-arch manifest directly, so the public release tags are:<version>and:latestrather than separate architecture-suffixed tagsgoreleasertarget is only for release packaging of GoReleaser's pre-built binary