ci: multi arch builds and publish images to both repos (#9)

skunxicat · web-flow · commit e6cf73508828 · 2025-07-28T21:01:41.000+02:00
* chore: image metadata added
* ci: multi arch build and publish to both repos
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -31,15 +31,24 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GHCR_PAT }}
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - name: Log in to Public ECR
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
       - name: Build and push base
         run: |
           echo "${{ secrets.GHCR_PAT }}" > github_token
           docker buildx build \
-            --platform linux/arm64 \
+            --platform linux/arm64,linux/amd64 \
             --provenance=false \
             --secret id=github_token,src=github_token \
             --target base \
             --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:base \
+            --tag public.ecr.aws/j5r7n1v7/lambda-shell-runtime:base \
             --push \
             .
         env:
@@ -99,15 +108,35 @@ jobs:
             echo "SHOULD_RELEASE=false" >> $GITHUB_ENV
           fi
           echo "Detected VERSION: $VERSION"
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
       - name: Log in to GHCR
         run: echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u skunxicat --password-stdin
+      - name: Log in to Public ECR
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
       - name: Build and push images
         run: |
           echo "${{ secrets.GHCR_PAT }}" > github_token
           export GITHUB_TOKEN="${{ secrets.GHCR_PAT }}"
           
-          # Build and push all variants
-          make push VERSION="$VERSION" REGISTRY="ghcr.io/${{ github.repository_owner }}"
+          # Build and push to both registries
+          ./build-enhanced --push --ghcr --public-ecr --platform linux/arm64,linux/amd64 tiny micro full
+          
+          # Also tag latest for main branch releases
+          if [ "${{ github.ref_name }}" = "main" ] && [ "$SHOULD_RELEASE" = "true" ]; then
+            for VARIANT in tiny micro full; do
+              docker buildx imagetools create \
+                ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:$VARIANT \
+                --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:$VARIANT-latest
+              docker buildx imagetools create \
+                public.ecr.aws/j5r7n1v7/lambda-shell-runtime:$VARIANT \
+                --tag public.ecr.aws/j5r7n1v7/lambda-shell-runtime:$VARIANT-latest
+            done
+          fi
         shell: bash
       - name: Create release
         if: env.SHOULD_RELEASE == 'true'
diff --git a/.github/workflows/build-installers.yml b/.github/workflows/build-installers.yml
@@ -24,12 +24,20 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GHCR_PAT }}
+      - name: Log in to Public ECR
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
           
       - name: Build and push installers
         run: |
@@ -39,6 +47,7 @@ jobs:
             --provenance=false \
             --target awscurl-installer \
             --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:awscurl-installer \
+            --tag public.ecr.aws/j5r7n1v7/lambda-shell-runtime:awscurl-installer \
             --push \
             -f - . << 'EOF'
           FROM public.ecr.aws/lambda/provided:al2023 AS awscurl-installer
@@ -55,6 +64,7 @@ jobs:
             --provenance=false \
             --target awscli-installer \
             --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:awscli-installer \
+            --tag public.ecr.aws/j5r7n1v7/lambda-shell-runtime:awscli-installer \
             --push \
             -f - . << 'EOF'
           FROM public.ecr.aws/lambda/provided:al2023 AS awscli-installer
diff --git a/Dockerfile b/Dockerfile
@@ -41,6 +41,14 @@ COPY task/handler.sh handler.sh
 
 LABEL org.opencontainers.image.source="https://github.com/ql4b/lambda-shell-runtime"
 LABEL org.opencontainers.image.version="${VERSION}"
+LABEL org.opencontainers.image.title="Lambda Shell Runtime"
+LABEL org.opencontainers.image.description="Custom AWS Lambda runtime for executing Bash functions as serverless applications"
+LABEL org.opencontainers.image.url="https://github.com/ql4b/lambda-shell-runtime"
+LABEL org.opencontainers.image.documentation="https://github.com/ql4b/lambda-shell-runtime#readme"
+LABEL org.opencontainers.image.vendor="QL4B"
+LABEL org.opencontainers.image.licenses="MIT"
+LABEL org.opencontainers.image.authors="QL4B <https://github.com/ql4b>"
+LABEL maintainer="QL4B <https://github.com/ql4b>"
 
 # tiny: add lambda helper functions
 FROM ghcr.io/ql4b/lambda-shell-runtime:base AS tiny
diff --git a/build-enhanced b/build-enhanced
@@ -0,0 +1,93 @@
+#!/bin/sh
+
+set -e
+
+# Default config
+PLATFORM="linux/arm64"
+MODE="--load"
+TAG="lambda-shell-runtime"
+VERSION="${VERSION:-develop}"
+VARIANTS="base tiny micro full"
+REGISTRIES=""
+
+# Parse arguments
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --platform)
+      PLATFORM="$2"
+      shift 2
+      ;;
+    --tag)
+      TAG="$2"
+      shift 2
+      ;;
+    --push)
+      MODE="--push"
+      shift
+      ;;
+    --load)
+      MODE="--load"
+      shift
+      ;;
+    --registry)
+      REGISTRIES="$REGISTRIES $2"
+      shift 2
+      ;;
+    --ghcr)
+      REGISTRIES="$REGISTRIES ghcr.io/ql4b"
+      shift
+      ;;
+    --public-ecr)
+      REGISTRIES="$REGISTRIES public.ecr.aws/j5r7n1v7"
+      shift
+      ;;
+    *)
+      # Remaining arguments are variants
+      VARIANTS="$*"
+      break
+      ;;
+  esac
+done
+
+for VARIANT in $VARIANTS; do
+  DOCKERFILE="./Dockerfile"
+  TARGET="$VARIANT"
+
+  [ "$VARIANT" = "base" ] && TARGET="base"
+
+  echo "Building $VARIANT ($DOCKERFILE) with platform $PLATFORM..."
+  
+  # Build tags
+  if [ "$MODE" = "--push" ] && [ -n "$REGISTRIES" ]; then
+    # For push mode, only use registry tags
+    TAGS=""
+    for REGISTRY in $REGISTRIES; do
+      TAGS="$TAGS --tag $REGISTRY/$TAG:$VARIANT"
+      if [ -n "$VERSION" ]; then
+        TAGS="$TAGS --tag $REGISTRY/$TAG:$VARIANT-$VERSION"
+      fi
+    done
+  else
+    # For load mode, use local tags
+    TAGS="--tag $TAG:$VARIANT"
+    if [ -n "$VERSION" ]; then
+      TAGS="$TAGS --tag $TAG:$VARIANT-$VERSION"
+    fi
+  fi
+  
+  docker buildx build \
+    --platform "$PLATFORM" \
+    --provenance=false \
+    --secret id=github_token,env=GITHUB_TOKEN \
+    $TAGS \
+    --file "$DOCKERFILE" \
+    ${TARGET:+--target "$TARGET"} \
+    $MODE \
+    .
+
+  # Only do local tagging for --load mode if version wasn't already tagged
+  if [ -n "$VERSION" ] && [ "$MODE" = "--load" ]; then
+    echo "Tagging $TAG:$VARIANT-$VERSION"
+    docker tag $TAG:$VARIANT $TAG:$VARIANT-$VERSION
+  fi
+done
