From c8de14c1283c995fb763f69aac122db0de20b169 Mon Sep 17 00:00:00 2001 From: Ognyan Moore Date: Thu, 11 Sep 2025 16:06:58 +0300 Subject: [PATCH 1/2] Add docker attestation Make use of the docker attestation capability when generating images. Furthermore, use ARM64 GHA runners for generating ARM64 images, which is significantly faster. --- .github/workflows/docker.yml | 32 +++++++++++++++++++++++++------- docker/alpine-normal/build.sh | 7 +++---- docker/alpine-small/build.sh | 7 +++---- docker/ubuntu-full/build.sh | 14 ++++++-------- docker/ubuntu-small/build.sh | 7 +++---- 5 files changed, 40 insertions(+), 27 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index b2bb8a391bc4..68468dbea4eb 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -13,9 +13,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: docker_builds: 
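Review bot: Removing the workflow-level `permissions:` / `contents: read` default leaves any job that does not declare its own `permissions:` on the repository's default token scopes. The replacement block is added only on `docker_builds` (in the next hunk), and the rest of the `jobs:` map lies outside this hunk, so whether other jobs exist cannot be confirmed from here. Keeping the top-level `contents: read` default and adding the extra scopes at job level keeps least privilege if another job is added later.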
@@ -27,44 +24,65 @@ jobs: - name: alpine-small-amd64 image_name: alpine-small arch: amd64 + gha_image: ubuntu-latest - name: alpine-normal-amd64 image_name: alpine-small arch: amd64 + gha_image: ubuntu-latest - name: ubuntu-small-amd64 image_name: ubuntu-small arch: amd64 + gha_image: ubuntu-latest - name: ubuntu-small-arm64 image_name: ubuntu-small arch: arm64 + gha_image: ubuntu-24.04-arm - name: ubuntu-full-amd64-proprietary-sdks image_name: ubuntu-full arch: amd64 + gha_image: ubuntu-latest - name: ubuntu-full-arm64 image_name: ubuntu-full arch: arm64 + gha_image: ubuntu-24.04-arm name: ${{ matrix.name }} - runs-on: ubuntu-latest + runs-on: ${{ matrix.gha_image }} + permissions: + contents: read + attestations: write + packages: write + id-token: write steps: - name: Checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - name: Set up Docker + uses: docker/setup-docker-action@v4 + with: + daemon-config: | + { + "debug": false, + "features": { + "containerd-snapshotter": true + } + } - name: Build shell: bash -l {0} run: | - docker run --rm --privileged linuxkit/binfmt:v0.8 + docker run --rm --platform linux/amd64 --privileged linuxkit/binfmt:v0.8 cd docker/${{ matrix.image_name }} if test "${{ matrix.name }}" = "ubuntu-full-amd64-proprietary-sdks"; then - ./build.sh --platform linux/${{ matrix.arch }} --with-oracle --with-mrsid --with-ecw + ./build.sh --platform linux/${{ matrix.arch }} --with-multi-arch --with-oracle --with-mrsid --with-ecw else - ./build.sh --platform linux/${{ matrix.arch }} + ./build.sh --platform linux/${{ matrix.arch }} --with-muchi-arch fi docker run --rm ghcr.io/osgeo/gdal:${{ matrix.image_name }}-latest-${{ matrix.arch }} gdalinfo --formats docker run --rm ghcr.io/osgeo/gdal:${{ matrix.image_name }}-latest-${{ matrix.arch }} ogrinfo --formats diff --git a/docker/alpine-normal/build.sh b/docker/alpine-normal/build.sh index 99e03adc7bb6..6777fcf4a2c3 100755 --- a/docker/alpine-normal/build.sh 
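Review bot: `docker/setup-docker-action@v4` is referenced by a mutable tag in a job that now holds `packages: write`, `id-token: write` and `attestations: write`, while the checkout step just above it is pinned to a commit SHA. Pin it the same way, e.g. `uses: docker/setup-docker-action@<full-commit-sha> # v4.x.y` (placeholder; take the SHA from the release you have reviewed). The `linuxkit/binfmt:v0.8` image run with `--privileged` would likewise be safer referenced by digest. No step visible in this hunk consumes the OIDC token or the attestations API, so if the attestation is produced by BuildKit inside `build.sh` (not shown here), `id-token: write` and `attestations: write` may be unnecessary and could be dropped. The job definition starts above this hunk, so the triggers that receive these scopes are not visible.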
+++ b/docker/alpine-normal/build.sh @@ -45,9 +45,8 @@ if test "${HAS_PLATFORM}" = "0" -a "${HAS_RELEASE}" = "0" -a "x${TARGET_IMAGE}" DOCKER_REPO=$(cat /tmp/gdal_docker_repo.txt) docker manifest rm ${DOCKER_REPO}/${TARGET_IMAGE}-latest || /bin/true - docker manifest create ${DOCKER_REPO}/${TARGET_IMAGE}-latest \ - --amend ${DOCKER_REPO}/${TARGET_IMAGE}-latest-amd64 \ - --amend ${DOCKER_REPO}/${TARGET_IMAGE}-latest-arm64 - docker manifest push ${DOCKER_REPO}/${TARGET_IMAGE}-latest + docker buildx imagetools create -t ${DOCKER_REPO}/${TARGET_IMAGE}-latest \ + ${DOCKER_REPO}/${TARGET_IMAGE}-latest-amd64 \ + ${DOCKER_REPO}/${TARGET_IMAGE}-latest-arm64 fi fi diff --git a/docker/alpine-small/build.sh b/docker/alpine-small/build.sh index 23f8fa672942..f16f0a3e686f 100755 --- a/docker/alpine-small/build.sh +++ b/docker/alpine-small/build.sh @@ -45,9 +45,8 @@ if test "${HAS_PLATFORM}" = "0" -a "${HAS_RELEASE}" = "0" -a "x${TARGET_IMAGE}" DOCKER_REPO=$(cat /tmp/gdal_docker_repo.txt) docker manifest rm ${DOCKER_REPO}/${TARGET_IMAGE}-latest || /bin/true - docker manifest create ${DOCKER_REPO}/${TARGET_IMAGE}-latest \ - --amend ${DOCKER_REPO}/${TARGET_IMAGE}-latest-amd64 \ - --amend ${DOCKER_REPO}/${TARGET_IMAGE}-latest-arm64 - docker manifest push ${DOCKER_REPO}/${TARGET_IMAGE}-latest + docker buildx imagetools create -t ${DOCKER_REPO}/${TARGET_IMAGE}-latest \ + ${DOCKER_REPO}/${TARGET_IMAGE}-latest-amd64 \ + ${DOCKER_REPO}/${TARGET_IMAGE}-latest-arm64 fi fi diff --git a/docker/ubuntu-full/build.sh b/docker/ubuntu-full/build.sh index 55ed4b504e2b..5ca61128855f 100755 --- a/docker/ubuntu-full/build.sh +++ b/docker/ubuntu-full/build.sh 
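Review bot: `docker buildx imagetools create` assembles the `-latest` index from the mutable `-latest-amd64` and `-latest-arm64` tags, so the index points at whatever those tags resolve to when this step runs rather than at the images that were just built and attested. Recording each per-arch digest at build time and passing digest references (`<repo>@sha256:<digest>`, placeholder) as the sources would bind the index to those exact images; the same applies to the matching hunks in docker/alpine-small, docker/ubuntu-full and docker/ubuntu-small. The `docker manifest rm ... || /bin/true` context line kept above the new command looks like a leftover, since nothing in the hunk creates a local manifest list any more. The new expansions are also unquoted; `"${DOCKER_REPO}/${TARGET_IMAGE}-latest"` is safer given that DOCKER_REPO is read from a file under /tmp. The enclosing `if` starts above the hunk.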
@@ -45,15 +45,13 @@ if test "${HAS_PLATFORM}" = "0" -a "${HAS_RELEASE}" = "0" -a "x${TARGET_IMAGE}" DOCKER_REPO=$(cat /tmp/gdal_docker_repo.txt) docker manifest rm ${DOCKER_REPO}/${TARGET_IMAGE}-latest || /bin/true - docker manifest create ${DOCKER_REPO}/${TARGET_IMAGE}-latest \ - --amend ${DOCKER_REPO}/${TARGET_IMAGE}-latest-amd64 \ - --amend ${DOCKER_REPO}/${TARGET_IMAGE}-latest-arm64 - docker manifest push ${DOCKER_REPO}/${TARGET_IMAGE}-latest + docker buildx imagetools create -t ${DOCKER_REPO}/${TARGET_IMAGE}-latest \ + ${DOCKER_REPO}/${TARGET_IMAGE}-latest-amd64 \ + ${DOCKER_REPO}/${TARGET_IMAGE}-latest-arm64 docker manifest rm ${DOCKER_REPO}/osgeo/gdal || /bin/true - docker manifest create ${DOCKER_REPO}/osgeo/gdal \ - --amend ${DOCKER_REPO}/osgeo/gdal:ubuntu-full-latest-amd64 \ - --amend ${DOCKER_REPO}/osgeo/gdal:ubuntu-full-latest-arm64 - docker manifest push ${DOCKER_REPO}/osgeo/gdal + docker buildx imagetools create -t ${DOCKER_REPO}/osgeo/gdal \ + ${DOCKER_REPO}/osgeo/gdal:ubuntu-full-latest-amd64 \ + ${DOCKER_REPO}/osgeo/gdal:ubuntu-full-latest-arm64 fi fi diff --git a/docker/ubuntu-small/build.sh b/docker/ubuntu-small/build.sh index d0650cd0965f..4cb1ddd2babc 100755 --- a/docker/ubuntu-small/build.sh +++ b/docker/ubuntu-small/build.sh @@ -45,9 +45,8 @@ if test "${HAS_PLATFORM}" = "0" -a "${HAS_RELEASE}" = "0" -a "x${TARGET_IMAGE}" DOCKER_REPO=$(cat /tmp/gdal_docker_repo.txt) docker manifest rm ${DOCKER_REPO}/${TARGET_IMAGE}-latest || /bin/true - docker manifest create ${DOCKER_REPO}/${TARGET_IMAGE}-latest \ - --amend ${DOCKER_REPO}/${TARGET_IMAGE}-latest-amd64 \ - --amend ${DOCKER_REPO}/${TARGET_IMAGE}-latest-arm64 - docker manifest push ${DOCKER_REPO}/${TARGET_IMAGE}-latest + docker buildx imagetools create -t ${DOCKER_REPO}/${TARGET_IMAGE}-latest \ + ${DOCKER_REPO}/${TARGET_IMAGE}-latest-amd64 \ + ${DOCKER_REPO}/${TARGET_IMAGE}-latest-arm64 fi fi From 6b90643b81e5f26e329bebd7c2513579054a18b3 Mon Sep 17 00:00:00 2001 
From: Ogi Moore Date: Thu, 11 Sep 2025 16:30:10 +0300 Subject: [PATCH 2/2] Update .github/workflows/docker.yml I cannot type. Co-authored-by: Even Rouault --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 68468dbea4eb..0d92d0d1d5f1 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -82,7 +82,7 @@ jobs: if test "${{ matrix.name }}" = "ubuntu-full-amd64-proprietary-sdks"; then ./build.sh --platform linux/${{ matrix.arch }} --with-multi-arch --with-oracle --with-mrsid --with-ecw else - ./build.sh --platform linux/${{ matrix.arch }} --with-muchi-arch + ./build.sh --platform linux/${{ matrix.arch }} --with-multi-arch fi docker run --rm ghcr.io/osgeo/gdal:${{ matrix.image_name }}-latest-${{ matrix.arch }} gdalinfo --formats docker run --rm ghcr.io/osgeo/gdal:${{ matrix.image_name }}-latest-${{ matrix.arch }} ogrinfo --formats