apunkt/webclaw
1
0
Fork 0
mirror of https://github.com/0xMassi/webclaw.git synced 2026-06-26 03:18:06 +02:00
Code Issues Projects Releases Packages Wiki Activity

ci(release): build the Docker image in one multi-platform pass

Browse source 
The per-arch build + 'imagetools create' combine failed at the manifest
step with 'v0.6.9-arm64: not found' — buildx's default provenance/SBOM
attestations turn each per-arch tag into an index, and assembling them
races GHCR's read-after-write. Replace it with a single
'docker buildx build --platform linux/amd64,linux/arm64 --push'
(attestations off) so one manifest list is pushed atomically. Dockerfile.ci
now selects binaries by TARGETARCH. Adds a workflow_dispatch path to
re-publish an existing tag's image without rebuilding binaries or bumping
the version.
This commit is contained in:
Valerio 2026-06-10 15:54:28 +02:00
parent be64409d62
commit 8015de7db5
2 changed files with 55 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

77
.github/workflows/release.yml vendored
View file

@ -3,6 +3,15 @@ name: Release
on: on:
push: push:
tags: ["v*"] tags: ["v*"]
# Manual re-publish of the Docker image for an existing release, without
# rebuilding binaries or cutting a new version. Runs only the docker (+
# homebrew) jobs against the given tag's already-published release assets.
workflow_dispatch:
inputs:
tag:
description: "Existing release tag to (re)build + push the Docker image for, e.g. v0.6.9"
required: true
type: string
permissions: permissions:
contents: read contents: read
@ -12,6 +21,9 @@ env:
jobs: jobs:
build: build:
# Binaries are only built when a tag is pushed. A manual dispatch reuses
# the existing release's binaries, so it skips this job entirely.
if: github.event_name == 'push'
permissions: permissions:
contents: read contents: read
name: Build ${{ matrix.target }} name: Build ${{ matrix.target }}
@ -105,6 +117,7 @@ jobs:
release: release:
name: Release name: Release
if: github.event_name == 'push'
needs: build needs: build
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
@ -137,6 +150,10 @@ jobs:
docker: docker:
name: Docker name: Docker
needs: release needs: release
# Runs after a successful release on tag push, or standalone via
# workflow_dispatch to (re)publish an existing tag's image. `always()` lets
# it run even though `release` is skipped on a manual dispatch.
if: ${{ always() && (github.event_name == 'workflow_dispatch' || needs.release.result == 'success') }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
@ -156,52 +173,48 @@ jobs:
username: ${{ github.actor }} username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
# Download pre-built binaries for both architectures # The pushed tag, or the workflow_dispatch input for a manual re-publish.
- name: Resolve tag
id: tag
run: echo "tag=${{ github.event.inputs.tag || github.ref_name }}" >> "$GITHUB_OUTPUT"
# Download pre-built binaries into TARGETARCH-named dirs (amd64/arm64) so
# a single multi-platform build picks the matching binary per platform.
- name: Download release binaries - name: Download release binaries
run: | run: |
tag="${GITHUB_REF#refs/tags/}" tag="${{ steps.tag.outputs.tag }}"
declare -A arch=( [x86_64-unknown-linux-gnu]=amd64 [aarch64-unknown-linux-gnu]=arm64 )
for target in x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu; do for target in x86_64-unknown-linux-gnu aarch64-unknown-linux-gnu; do
dir="webclaw-${tag}-${target}" dir="webclaw-${tag}-${target}"
curl -sSL "https://github.com/0xMassi/webclaw/releases/download/${tag}/${dir}.tar.gz" -o "${target}.tar.gz" curl -sSL "https://github.com/0xMassi/webclaw/releases/download/${tag}/${dir}.tar.gz" -o "${target}.tar.gz"
tar xzf "${target}.tar.gz" tar xzf "${target}.tar.gz"
mkdir -p "binaries-${target}" a="${arch[$target]}"
cp "${dir}/webclaw" "binaries-${target}/webclaw" mkdir -p "binaries-${a}"
cp "${dir}/webclaw-mcp" "binaries-${target}/webclaw-mcp" cp "${dir}/webclaw" "${dir}/webclaw-mcp" "${dir}/webclaw-server" "binaries-${a}/"
cp "${dir}/webclaw-server" "binaries-${target}/webclaw-server" chmod +x "binaries-${a}"/*
chmod +x "binaries-${target}"/*
done done
ls -laR binaries-*/ ls -laR binaries-*/
# Build each arch with buildx (the docker-container driver from # One atomic multi-platform build + push. buildx assembles a single
# setup-buildx-action), pushing straight to the registry. Plain # manifest list and pushes it in one shot, so there is no separate
# `docker build --push` uses the legacy docker driver, whose GHCR push # `imagetools create` step to race GHCR's read-after-write (that is what
# path intermittently fails with "ERROR: unknown blob"; buildx's registry # failed before: "v0.6.9-arm64: not found"). Provenance/SBOM attestations
# exporter does not. The multi-arch list is then assembled registry-side # are disabled so each platform entry stays a plain image manifest.
# with `imagetools create` (no local manifest store, so no blob races).
- name: Build and push - name: Build and push
run: | run: |
tag="${GITHUB_REF#refs/tags/}" tag="${{ steps.tag.outputs.tag }}"
docker buildx build -f Dockerfile.ci \
# amd64 --platform linux/amd64,linux/arm64 \
docker buildx build -f Dockerfile.ci --build-arg BINARY_DIR=binaries-x86_64-unknown-linux-gnu \ --provenance=false --sbom=false \
--platform linux/amd64 -t ghcr.io/0xmassi/webclaw:${tag}-amd64 --push . -t "ghcr.io/0xmassi/webclaw:${tag}" \
-t ghcr.io/0xmassi/webclaw:latest \
# arm64 --push .
docker buildx build -f Dockerfile.ci --build-arg BINARY_DIR=binaries-aarch64-unknown-linux-gnu \
--platform linux/arm64 -t ghcr.io/0xmassi/webclaw:${tag}-arm64 --push .
# Multi-arch manifest list, assembled from the already-pushed per-arch tags
docker buildx imagetools create -t ghcr.io/0xmassi/webclaw:${tag} \
ghcr.io/0xmassi/webclaw:${tag}-amd64 \
ghcr.io/0xmassi/webclaw:${tag}-arm64
docker buildx imagetools create -t ghcr.io/0xmassi/webclaw:latest \
ghcr.io/0xmassi/webclaw:${tag}-amd64 \
ghcr.io/0xmassi/webclaw:${tag}-arm64
homebrew: homebrew:
name: Update Homebrew name: Update Homebrew
needs: [release, docker] needs: [release, docker]
# Runs once Docker succeeds, on both tag push and manual re-publish.
if: ${{ always() && needs.docker.result == 'success' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
@ -210,7 +223,7 @@ jobs:
env: env:
COMMITTER_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }} COMMITTER_TOKEN: ${{ secrets.HOMEBREW_TAP_TOKEN }}
run: | run: |
tag="${GITHUB_REF#refs/tags/}" tag="${{ github.event.inputs.tag || github.ref_name }}"
base="https://github.com/0xMassi/webclaw/releases/download/${tag}" base="https://github.com/0xMassi/webclaw/releases/download/${tag}"
# Download all tarballs (Linux + macOS) and compute SHAs # Download all tarballs (Linux + macOS) and compute SHAs

17
Dockerfile.ci
View file

@ -1,7 +1,6 @@
# Slim runtime image — uses pre-built binaries from the release. # Slim runtime image — uses pre-built binaries from the release.
# The full Dockerfile (multi-stage Rust build) is for local development. # The full Dockerfile (multi-stage Rust build) is for local development.
# CI uses this to avoid 60+ min QEMU cross-compilation. # CI uses this to avoid 60+ min QEMU cross-compilation.
ARG BINARY_DIR=binaries
FROM ubuntu:24.04 FROM ubuntu:24.04
@ -10,10 +9,13 @@ FROM ubuntu:24.04
# CI runners and breaks the multi-arch release build. No build-time network. # CI runners and breaks the multi-arch release build. No build-time network.
COPY --from=gcr.io/distroless/static-debian12 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=gcr.io/distroless/static-debian12 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ARG BINARY_DIR # TARGETARCH (amd64 / arm64) is provided automatically by buildx for each
COPY ${BINARY_DIR}/webclaw /usr/local/bin/webclaw # target platform, so one multi-platform build copies the matching binaries.
COPY ${BINARY_DIR}/webclaw-mcp /usr/local/bin/webclaw-mcp # The release workflow stages them in binaries-amd64 / binaries-arm64.
COPY ${BINARY_DIR}/webclaw-server /usr/local/bin/webclaw-server ARG TARGETARCH
COPY binaries-${TARGETARCH}/webclaw /usr/local/bin/webclaw
COPY binaries-${TARGETARCH}/webclaw-mcp /usr/local/bin/webclaw-mcp
COPY binaries-${TARGETARCH}/webclaw-server /usr/local/bin/webclaw-server
# Default REST API port when running `webclaw-server` inside the container. # Default REST API port when running `webclaw-server` inside the container.
EXPOSE 3000 EXPOSE 3000
@ -25,8 +27,9 @@ ENV WEBCLAW_HOST=0.0.0.0
# Entrypoint shim: forwards webclaw args/URL to the binary, but exec's other # Entrypoint shim: forwards webclaw args/URL to the binary, but exec's other
# commands directly so this image can be used as a FROM base with custom CMD. # commands directly so this image can be used as a FROM base with custom CMD.
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh # `--chmod` sets the bit at copy time so the build needs no in-container `RUN`
RUN chmod +x /usr/local/bin/docker-entrypoint.sh # (and thus no QEMU emulation for the arm64 platform).
COPY --chmod=755 docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
ENTRYPOINT ["docker-entrypoint.sh"] ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["webclaw", "--help"] CMD ["webclaw", "--help"]