Build multi platform image & Reorganize Makefiles

.github/actions/build-custom-image/action.yaml

@@ -0,0 +1,54 @@
+name: Build custom image
+inputs:
+  target:
+    required: true
+  image_name:
+    required: true
+  gcp_project_id:
+    required: true
+  gcp_workload_identity_provider:
+    required: true
+  docker_repo:
+    required: false
+  builder:
+    required: true
+runs:
+  using: "composite"
+  steps:
+  - uses: oursky/google-github-actions-auth@v2
+    with:
+      project_id: ${{ inputs.gcp_project_id }}
+      workload_identity_provider: ${{ inputs.gcp_workload_identity_provider }}
+  - uses: oursky/google-github-actions-setup-gcloud@v2
+  - name: Configure docker
+    env:
+      REPO: ${{ inputs.docker_repo }}
+    shell: bash
+    run: |
+      gcloud auth configure-docker "$REPO"
+  - name: Build and Push
+    env:
+      TARGET: ${{ inputs.target }}
+      IMAGE_NAME: ${{ inputs.image_name }}
+      REPO: ${{ inputs.docker_repo }}
+      BUILDER: ${{ inputs.builder }}
+    shell: bash
+    run: |
+      MANIFEST_NAME="./$(uuidgen).json"
+      make -C custombuild build-image \
+        TARGET=$TARGET \
+        BUILD_ARCH=amd64 \
+        OUTPUT="type=image,name=$IMAGE_NAME,push-by-digest=true,name-canonical=true,push=true" \
+        IMAGE_NAME=$IMAGE_NAME \
+        METADATA_FILE=$MANIFEST_NAME \
+        EXTRA_BUILD_OPTS="--ssh=default --builder=container-builder"
+      cat custombuild/$MANIFEST_NAME
+      DIGEST="$(cat custombuild/$MANIFEST_NAME | jq '.["containerimage.digest"]' -r)"
+      make -C custombuild tag-image SOURCE_DIGESTS="$DIGEST" IMAGE_NAME=$IMAGE_NAME
+  - name: docker logout
+    if: ${{ always() }}
+    env:
+      REPO: ${{ inputs.docker_repo }}
+    shell: bash
+    run: |
+      docker logout "$REPO"

.github/actions/build-image/action.yaml

@@ -0,0 +1,65 @@
+name: Build image
+inputs:
+  target:
+    required: true
+  image_name:
+    required: true
+  push_image:
+    required: true
+  build_arch:
+    required: true
+  docker_registry:
+    required: false
+  docker_username:
+    required: false
+  docker_password:
+    required: false
+outputs:
+  image_digest:
+    value: ${{ steps.build_image.outputs.image_digest }}
+runs:
+  using: "composite"
+  steps:
+  - name: Install qemu for multi arch build
+    shell: bash
+    run: docker run --privileged --rm tonistiigi/binfmt --install all
+  - name: Setup container builder
+    shell: bash
+    run: |
+      docker buildx create \
+        --name container-builder \
+        --driver docker-container \
+        --bootstrap --use
+  - name: docker login
+    if: ${{ inputs.push_image == 'true' }}
+    env:
+      DOCKER_USERNAME: ${{ inputs.docker_username }}
+      DOCKER_PASSWORD: ${{ inputs.docker_password }}
+      DOCKER_REGISTRY: ${{ inputs.docker_registry }}
+    shell: bash
+    run: |
+      printf "$DOCKER_PASSWORD" | docker login --password-stdin --username "$DOCKER_USERNAME" $DOCKER_REGISTRY
+  - id: build_image
+    run: |
+      make build-image \
+        BUILD_ARCH=$BUILD_ARCH \
+        OUTPUT=$OUTPUT \
+        TARGET=$TARGET \
+        IMAGE_NAME=$IMAGE_NAME \
+        METADATA_FILE=metadata.json \
+        EXTRA_BUILD_OPTS="--builder=container-builder"
+      DIGEST="$(cat metadata.json | jq '.["containerimage.digest"]' -r)"
+      echo "image_digest=$DIGEST" >> "$GITHUB_OUTPUT"
+    shell: bash
+    env:
+      TARGET: ${{ inputs.target }}
+      IMAGE_NAME: ${{ inputs.image_name }}
+      OUTPUT: ${{ (inputs.push_image == 'true') && 'type=image,name=$$IMAGE_NAME,push-by-digest=true,name-canonical=true,push=true' || ''}}
+      BUILD_ARCH: ${{ inputs.build_arch }}
+  - name: docker logout
+    if: ${{ always() }}
+    env:
+      DOCKER_REGISTRY: ${{ inputs.docker_registry }}
+    shell: bash
+    run: |
+      docker logout $DOCKER_REGISTRY

.github/workflows/ci-branches.yaml

@@ -0,0 +1,21 @@
+name: CI - Branches
+
+on:
+  push:
+    branches:
+    - '*'
+    - '!gh-pages'
+    tags:
+    - '*'
+
+jobs:
+  checks:
+    uses: ./.github/workflows/run-checks.yaml
+  builds:
+    needs: checks
+    uses: ./.github/workflows/run-builds.yaml
+    secrets: inherit
+  release:
+    needs: builds
+    uses: ./.github/workflows/run-release.yaml
+    secrets: inherit

.github/workflows/ci-prs.yaml

@@ -0,0 +1,20 @@
+name: CI - Pull Requests
+
+on:
+  pull_request:
+    branches:
+    - '*'
+    - '!gh-pages'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  checks:
+    uses: ./.github/workflows/run-checks.yaml
+  builds:
+    needs: checks
+    uses: ./.github/workflows/run-builds.yaml
+    with:
+      amd64-build-only: true

.github/workflows/custom-build.yaml

@@ -42,6 +42,15 @@ jobs:
     if: ${{ github.repository == 'authgear/authgear-server' }}
     steps:
     - uses: actions/checkout@v4
+    - name: Install qemu for multi arch build
+      run: docker run --privileged --rm tonistiigi/binfmt --install all
+    - name: Setup container builder
+      run: |
+        docker buildx create \
+          --name container-builder \
+          --driver docker-container \
+          --bootstrap --use
+
     # https://aran.dev/posts/github-actions-go-private-modules/
     - name: Set up SSH key
       env:
@@ -53,7 +62,25 @@ jobs:
         printf "$AUTHGEAR_PRIVATE_DEPLOY_KEY" | base64 --decode | ssh-add -
         echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
         echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"
-    - run: make -C custombuild build-image TARGET=authgearx IMAGE_NAME=authgear-server-custom
+
+    - name: Build and push to HK
+      uses: ./.github/actions/build-custom-image
+      with:
+        target: authgearx
+        image_name: "${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_HK }}/authgear-server"
+        gcp_project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_HK }}
+        gcp_workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_HK }}
+        docker_repo: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_HK }}
+
+    - name: Build and push to US
+      uses: ./.github/actions/build-custom-image
+      with:
+        target: authgearx
+        image_name: "${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_US }}/authgear-server"
+        gcp_project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_US }}
+        gcp_workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_US }}
+        docker_repo: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_US }}
+
     - name: Clean up SSH key
       if: ${{ always() }}
       run: |
@@ -62,45 +89,20 @@ jobs:
         echo "SSH_AUTH_SOCK=" >> "$GITHUB_ENV"
         echo "SSH_AGENT_PID=" >> "$GITHUB_ENV"
 
-    - uses: oursky/google-github-actions-auth@v2
-      with:
-        project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_HK }}
-        workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_HK }}
-    - uses: oursky/google-github-actions-setup-gcloud@v2
-    - name: Configure docker
-      env:
-        REPO: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_HK }}
-      run: |
-        gcloud auth configure-docker "$REPO"
-    - name: Push to HK
-      env:
-        REPO_PREFIX: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_HK }}
-      run: |
-        make -C custombuild tag-image IMAGE_NAME=authgear-server-custom REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-server"
-        make -C custombuild push-image REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-server" || docker logout "$REPO"
-
-    - uses: oursky/google-github-actions-auth@v2
-      with:
-        project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_US }}
-        workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_US }}
-    - uses: oursky/google-github-actions-setup-gcloud@v2
-    - name: Configure docker
-      env:
-        REPO: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_US }}
-      run: |
-        gcloud auth configure-docker "$REPO"
-    - name: Push to US
-      env:
-        REPO_PREFIX: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_US }}
-      run: |
-        make -C custombuild tag-image IMAGE_NAME=authgear-server-custom REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-server"
-        make -C custombuild push-image REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-server" || docker logout "$REPO"
-
   portal-image-custom:
     runs-on: ubuntu-24.04
     if: ${{ github.repository == 'authgear/authgear-server' }}
     steps:
     - uses: actions/checkout@v4
+    - name: Install qemu for multi arch build
+      run: docker run --privileged --rm tonistiigi/binfmt --install all
+    - name: Setup container builder
+      run: |
+        docker buildx create \
+          --name container-builder \
+          --driver docker-container \
+          --bootstrap --use
+
     # https://aran.dev/posts/github-actions-go-private-modules/
     - name: Set up SSH key
       env:
@@ -112,45 +114,29 @@ jobs:
         printf "$AUTHGEAR_PRIVATE_DEPLOY_KEY" | base64 --decode | ssh-add -
         echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
         echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"
-    - run: make -C custombuild build-image TARGET=portalx IMAGE_NAME=authgear-portal-custom
+
+    - name: Build and push to HK
+      uses: ./.github/actions/build-custom-image
+      with:
+        target: portalx
+        image_name: "${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_HK }}/authgear-portal"
+        gcp_project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_HK }}
+        gcp_workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_HK }}
+        docker_repo: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_HK }}
+
+    - name: Build and push to US
+      uses: ./.github/actions/build-custom-image
+      with:
+        target: portalx
+        image_name: "${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_US }}/authgear-portal"
+        gcp_project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_US }}
+        gcp_workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_US }}
+        docker_repo: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_US }}
+
     - name: Clean up SSH key
       if: ${{ always() }}
       run: |
         ssh-add -D
         ssh-agent -k
         echo "SSH_AUTH_SOCK=" >> "$GITHUB_ENV"
         echo "SSH_AGENT_PID=" >> "$GITHUB_ENV"
-
-    - uses: oursky/google-github-actions-auth@v2
-      with:
-        project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_HK }}
-        workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_HK }}
-    - uses: oursky/google-github-actions-setup-gcloud@v2
-    - name: Configure docker
-      env:
-        REPO: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_HK }}
-      run: |
-        gcloud auth configure-docker "$REPO"
-    - name: Push to HK
-      env:
-        REPO_PREFIX: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_HK }}
-      run: |
-        make -C custombuild tag-image IMAGE_NAME=authgear-portal-custom REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-portal"
-        make -C custombuild push-image REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-portal" || docker logout "$REPO"
-
-    - uses: oursky/google-github-actions-auth@v2
-      with:
-        project_id: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_PROJECT_ID_US }}
-        workload_identity_provider: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_GOOGLE_WORKLOAD_IDENTITY_PROVIDER_US }}
-    - uses: oursky/google-github-actions-setup-gcloud@v2
-    - name: Configure docker
-      env:
-        REPO: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_US }}
-      run: |
-        gcloud auth configure-docker "$REPO"
-    - name: Push to US
-      env:
-        REPO_PREFIX: ${{ secrets.AUTHGEAR_CUSTOM_BUILD_REPO_PREFIX_US }}
-      run: |
-        make -C custombuild tag-image IMAGE_NAME=authgear-portal-custom REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-portal"
-        make -C custombuild push-image REMOTE_IMAGE_NAME="$REPO_PREFIX/authgear-portal" || docker logout "$REPO"