Build multiarch as push-by-digest on dedicated hosts.

Makefile

@@ -15,11 +15,12 @@ REPO ?= rancher
 PKG ?= github.com/traefik/traefik/v3
 BUILD_META=-build$(shell date +%Y%m%d)
 TAG ?= $(if $(GITHUB_ACTION_TAG),$(GITHUB_ACTION_TAG),v3.5.0$(BUILD_META))
-
 ifeq (,$(filter %$(BUILD_META),$(TAG)))
 $(error TAG needs to end with build metadata: $(BUILD_META))
 endif
 
+BTAG := $(shell echo $(TAG) | sed 's/-build.*//')
+
 .PHONY: image-build
 image-build:
 	docker buildx build \
@@ -27,31 +28,42 @@ image-build:
 		--platform=$(TARGET_PLATFORMS) \
 		--pull \
 		--build-arg PKG=$(PKG) \
-		--build-arg TAG=$(TAG:$(BUILD_META)=) \
+		--build-arg TAG=$(BTAG) \
 		--tag $(REPO)/hardened-traefik:$(TAG) \
-		--load \
-	.
+		--load .
 
-.PHONY: image-push
-image-push:
-		docker buildx build \
+# Note the TAG is just the repo/image when pushing by digest
+.PHONY: image-push-digest
+image-push-digest:
+	docker buildx build \
 		--progress=plain \
 		--platform=$(TARGET_PLATFORMS) \
+		--metadata-file metadata-$(subst /,-,$(TARGET_PLATFORMS)).json \
+		--output type=image,push-by-digest=true,name-canonical=true,push=true \
 		--pull \
 		--build-arg PKG=$(PKG) \
-		--build-arg TAG=$(TAG:$(BUILD_META)=) \
-		--tag $(REPO)/hardened-traefik:$(TAG) \
-		--push \
-	.
+		--build-arg TAG=$(BTAG) \
+		--tag $(REPO)/hardened-traefik .
 
 .PHONY: image-scan
 image-scan:
 	trivy --severity $(SEVERITIES) --no-progress --ignore-unfixed $(REPO)/hardened-traefik:$(TAG)
 
+# Pushes manifests for the provided TARGET_PLATFORMS
+.PHONY: manifest-push
+manifest-push:
+	$(eval AMD64_DIGEST := $(if $(findstring linux/amd64,$(TARGET_PLATFORMS)),$(shell jq -r '.["containerimage.digest"]' metadata-linux-amd64.json),))
+	$(eval ARM64_DIGEST := $(if $(findstring linux/arm64,$(TARGET_PLATFORMS)),$(shell jq -r '.["containerimage.digest"]' metadata-linux-arm64.json),))
+	docker buildx imagetools create \
+		--tag $(REPO)/hardened-traefik:$(TAG) \
+		$(AMD64_DIGEST) \
+		$(ARM64_DIGEST)
+
 .PHONY: log
 log:
 	@echo "TARGET_PLATFORMS=$(TARGET_PLATFORMS)"
-	@echo "TAG=$(TAG:$(BUILD_META)=)"
+	@echo "TAG=$(TAG)"
+	@echo "BTAG=$(BTAG)"
 	@echo "REPO=$(REPO)"
 	@echo "SRC=$(SRC)"
 	@echo "BUILD_META=$(BUILD_META)"

release.yml

@@ -0,0 +1,149 @@
+name: Release
+on:
+  release:
+    types: [published]
+
+env:
+  GITHUB_ACTION_TAG: ${{ github.ref_name }}
+
+jobs:
+  build-amd64-digest:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: "Read secrets"
+      if: github.repository_owner == 'rancher'
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+
+    # For forks, store docker credentials in GHA secrets
+    - name: Build and push amd64 digest image 
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      with:
+        image: hardened-traefik
+        make-target: image-push-digest
+        platforms: linux/amd64
+        tag: ${{ github.event.release.tag_name }}
+        public-repo: ${{ github.repository_owner }}
+        public-username: ${{ github.repository_owner == 'rancher' && env.DOCKER_USERNAME || secrets.DOCKER_USERNAME }}
+        public-password: ${{ github.repository_owner == 'rancher' && env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }}
+        
+        push-to-prime: false
+
+        # prime-repo: rancher
+        # prime-registry: ${{ env.PRIME_REGISTRY }}
+        # prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        # prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+        # push-to-prime: ${{ github.repository_owner == 'rancher' }}
+
+    - name: Upload metadata files
+      uses: actions/upload-artifact@v4
+      with:
+        name: metadata-amd64
+        path: metadata-linux-amd64.json
+        if-no-files-found: error
+        retention-days: 1
+
+  build-arm64-digest:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-24.04-arm
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: "Read secrets"
+      if: github.repository_owner == 'rancher'
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+          secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+
+    # For forks, store docker credentials in GHA secrets
+    - name: Build and push arm64 digest image 
+      uses: rancher/ecm-distro-tools/actions/publish-image@master
+      with:
+        image: hardened-traefik
+        make-target: image-push-digest
+        platforms: linux/arm64
+        tag: ${{ github.event.release.tag_name }}
+        public-repo: ${{ github.repository_owner }}
+        public-username: ${{ github.repository_owner == 'rancher' && env.DOCKER_USERNAME || secrets.DOCKER_USERNAME }}
+        public-password: ${{ github.repository_owner == 'rancher' && env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }}
+        
+        push-to-prime: false
+
+        # prime-repo: rancher
+        # prime-registry: ${{ env.PRIME_REGISTRY }}
+        # prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+        # prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+        # push-to-prime: ${{ github.repository_owner == 'rancher' }}
+
+    - name: Upload metadata files
+      uses: actions/upload-artifact@v4
+      with:
+        name: metadata-arm64
+        path: metadata-linux-arm64.json
+        if-no-files-found: error
+        retention-days: 1
+
+
+  merge:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    needs:
+      - build-amd64-digest
+      - build-arm64-digest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Download metadata files
+        uses: actions/download-artifact@v4
+        with:
+          pattern: metadata-*
+          merge-multiple: true
+
+      - name: "Read secrets"
+        if: github.repository_owner == 'rancher'
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/${{ github.repository_owner }}/credentials password | DOCKER_PASSWORD ;
+
+      - name: Create manifest list and push
+        id: push-manifest
+        uses: rancher/ecm-distro-tools/actions/publish-image@master
+        with:
+          make-target: manifest-push
+          image: hardened-traefik
+          tag: ${{ github.event.release.tag_name }}
+
+          public-repo: ${{ github.repository_owner }}
+          public-username: ${{ github.repository_owner == 'rancher' && env.DOCKER_USERNAME || secrets.DOCKER_USERNAME }}
+          public-password: ${{ github.repository_owner == 'rancher' && env.DOCKER_PASSWORD || secrets.DOCKER_PASSWORD }}
+          
+          push-to-prime: false
+
+          # prime-repo: rancher
+          # prime-registry: ${{ env.PRIME_REGISTRY }}
+          # prime-username: ${{ env.PRIME_REGISTRY_USERNAME }}
+          # prime-password: ${{ env.PRIME_REGISTRY_PASSWORD }}
+          # push-to-prime: ${{ github.repository_owner == 'rancher' }}
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ github.repository_owner }}/hardened-traefik:${{ github.event.release.tag_name }}