arm64: Publish arm64 builds for releases #11965
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DryRun Security SummaryThe pull request updates GitHub Actions workflows and a Dockerfile to improve platform support and security, addressing potential risks related to input validation, secret management, and sensitive information exposure. Expand for full summaryThe PR modifies multiple GitHub Actions workflows and a Dockerfile, focusing on platform flexibility, multi-architecture support, and workflow optimization. Security findings include: 1) Potential platform input injection risk in build-docker-images-for-testing.yml, 2) Workflow input validation concerns in release-3-master-into-dev.yml, 3) Temporary hardcoded secret key in Dockerfile.nginx-alpine that should be replaced in production, and 4) Potential sensitive information exposure through debug logging in some workflows. |
valentijnscholten
changed the title
Maffooch
approved these changes
Mar 7, 2025
hblankenship
approved these changes
Mar 11, 2025
dogboat
approved these changes
Mar 11, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR (Finally) adds
arm64builds to our releases. Users can now happily deploy on AWSt4gor GCPC4Abased clusters.The PR is a little more complex because some Python wheels just wouldn't compile under
Qemu. So we are building the images on a nativearm64runner. After that we have to merge the container digests to create a multiplatform index difest for Docker Hub. In the end it's better to have a native build anyway!Changes in this PR:
andarm64`. By not combining it in the innter strategy loop we run the inner strategy on different runners via a parameter.linux/amd64andlinux/arm64which are more recognizable.Please note tags can no longer be set on the build and push step, but are set on the index digest after/while merging the container manifests.
Test results
I did testing in my own fork and deployed the builds on a
t4gin AWS. You can try yourself by using:valentijnscholten/defectdojo-nginx:2.44.0-dev-valentijnvalentijnscholten/defectdojo-django:2.44.0-dev-valentijnOne way to test this PR at release time is by NOT merging it yet, but selecting the
arm64-unit-testsbranch as the source for the workflow definitions. This way the release will still be performed as normal, but it will use the new workflows. If something goes wrong, we can rerun/continue using the old workflows frommasteras usual.Documentation
The release process steps are still the same.
I am happy to perform the next release and/or be on standby during the next release to fix any issues that may arise.