ci: unify PR workflows and fix multiarch images (#63)

Author: tembleking

.github/workflows/publish.yaml

@@ -63,11 +63,14 @@ jobs:
       contents: read
       packages: write
     strategy:
+      max-parallel: 1
       matrix:
         include:
           - arch: amd64
+            platform: linux/amd64
             nix_package: sysdig-mcp-server-image-amd64
           - arch: arm64
+            platform: linux/arm64
             nix_package: sysdig-mcp-server-image-aarch64
     steps:
       - name: Check out the repo
@@ -88,20 +91,37 @@ jobs:
       - name: Build image
         run: nix build .#${{ matrix.nix_package }} -o result
 
+      - name: Convert to OCI layout
+        run: |
+          skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+          echo "FROM base" > /tmp/Dockerfile.push
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to GitHub Container Registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push image by digest
         id: push
-        env:
-          REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
+        uses: docker/build-push-action@v6
+        with:
+          file: /tmp/Dockerfile.push
+          build-contexts: |
+            base=oci-layout:///tmp/oci-image
+          platforms: ${{ matrix.platform }}
+          provenance: false
+          outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
         run: |
-          skopeo copy --digestfile /tmp/digest \
-            docker-archive:result \
-            docker://$REGISTRY --format oci
-
           mkdir -p /tmp/digests
-          cp /tmp/digest /tmp/digests/${{ matrix.arch }}
+          digest="${{ steps.push.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
 
       - name: Upload digest
         uses: actions/upload-artifact@v5
@@ -144,10 +164,10 @@ jobs:
         working-directory: /tmp/digests
         run: |
           docker buildx imagetools create --tag $REGISTRY:${VERSION} \
-            $(printf "$REGISTRY@%s " $(cat *))
+            $(printf "$REGISTRY@sha256:%s " *)
 
           docker buildx imagetools create --tag $REGISTRY:latest \
-            $(printf "$REGISTRY@%s " $(cat *))
+            $(printf "$REGISTRY@sha256:%s " *)
 
       - name: Inspect image
         env:

.github/workflows/pull-request-ci.yaml

@@ -0,0 +1,188 @@
+---
+name: Pull Request CI
+
+on:
+  pull_request:
+    branches:
+      - main
+      - master
+  workflow_call:
+  workflow_dispatch:
+
+concurrency:
+  group: "pr-ci-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
+  cancel-in-progress: true
+
+jobs:
+  build-and-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v5
+
+      - name: Install Nix
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        with:
+          use-flakehub: false
+
+      - name: Build
+        run: go build ./...
+
+      - name: Run Checks
+        run: just check
+        env:
+          SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
+          SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}
+
+  test-image:
+    name: Test Image (${{ matrix.arch }})
+    runs-on: ubuntu-latest
+    needs: [build-and-test]
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
+    permissions:
+      contents: read # required for actions/checkout
+      packages: write # required for pushing to GHCR
+    strategy:
+      max-parallel: 1
+      matrix:
+        include:
+          - arch: amd64
+            platform: linux/amd64
+            nix_package: sysdig-mcp-server-image-amd64
+          - arch: arm64
+            platform: linux/arm64
+            nix_package: sysdig-mcp-server-image-aarch64
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.sha }}
+          fetch-depth: "0"
+
+      - name: Install Nix
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        with:
+          use-flakehub: false
+
+      - name: Build image
+        run: nix build .#${{ matrix.nix_package }} -o result
+
+      - name: Load image
+        id: load
+        run: |
+          IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p')
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Test image
+        if: matrix.arch == 'amd64'
+        run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server"
+
+      - name: Scan Docker image
+        uses: sysdiglabs/scan-action@v6
+        with:
+          image-tag: ${{ steps.load.outputs.image_tag }}
+          sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
+          sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
+          stop-on-failed-policy-eval: true
+          stop-on-processing-error: true
+
+      - name: Convert to OCI layout
+        run: |
+          skopeo copy docker-archive:result oci:/tmp/oci-image:latest
+          echo "FROM base" > /tmp/Dockerfile.push
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push image by digest
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          file: /tmp/Dockerfile.push
+          build-contexts: |
+            base=oci-layout:///tmp/oci-image
+          platforms: ${{ matrix.platform }}
+          provenance: false
+          outputs: type=image,name=ghcr.io/sysdiglabs/sysdig-mcp-server,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.push.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v5
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  push-pr-image:
+    name: Push PR image to GitHub Packages
+    runs-on: ubuntu-latest
+    needs: [test-image]
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      packages: write
+    env:
+      REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v6
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create manifest list and push
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create --tag $REGISTRY:pr-${PR_NUMBER} \
+            $(printf "$REGISTRY@sha256:%s " *)
+
+      - name: Inspect image
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: docker buildx imagetools inspect $REGISTRY:pr-${PR_NUMBER}

.github/workflows/test.yaml

@@ -1,7 +1,7 @@
 { buildGo124Module, versionCheckHook }:
 buildGo124Module (finalAttrs: {
   pname = "sysdig-mcp-server";
-  version = "1.0.1";
+  version = "1.0.2";
   src = ./.;
   # This hash is automatically re-calculated with `just rehash-package-nix`. This is automatically called as well by `just update`.
   vendorHash = "sha256-qMgFlDqzmtpxNOFCX9TsE4sjz0ZdvTJ5Q5IpA8lzG8g=";