Github-Actions on Man-Youhttps://man-you.ringum.net/tags/github-actions/Recent content in Github-Actions on Man-YouHugo -- gohugo.ioen-usThu, 19 Feb 2026 10:00:00 +0200Multi-arch Docker builds in GitHub Actionshttps://man-you.ringum.net/posts/multi-arch-docker/Thu, 19 Feb 2026 10:00:00 +0200https://man-you.ringum.net/posts/multi-arch-docker/<p>We needed ARM64 containers. Our Python services run on mixed infrastructure: amd64 in CI and some production clusters, arm64 on newer nodes. Building on one arch and emulating the other with QEMU was painfully slow and broke native extensions. So we added proper multi-arch builds to our GitHub Actions CI.</p> <p>It took a week to get right. Then five more fixes over two weeks as each failure mode revealed itself in production. This is what went wrong and how we fixed it.</p> <h2 id="the-setup">The setup</h2> <p>We use reusable workflows in a shared <code>Woosmap/.github</code> repo. Individual service repos call these. A <code>build-helper</code> repo (checked out at runtime) contains the actual logic as a single Node.js action that routes to TypeScript modules based on an <code>action</code> input:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/main.ts</figcaption> <div class="highlight" title="build-helper/src/main.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="k">switch</span> <span class="p">(</span><span class="nx">action</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;build&#39;</span><span class="o">:</span> <span class="k">await</span> <span class="nx">build</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;publish&#39;</span><span class="o">:</span> <span class="k">await</span> <span class="nx">publish</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;release&#39;</span><span class="o">:</span> <span class="k">await</span> <span class="nx">release</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;create_manifest&#39;</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">createManifest</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"> <span class="k">case</span> <span class="s1">&#39;create_release_manifest&#39;</span><span class="o">:</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">createReleaseManifests</span><span class="p">(</span><span class="k">await</span> <span class="nx">get_build_info</span><span class="p">());</span> <span class="k">break</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>The multi-arch matrix is generated dynamically in the workflow:</p> <figure class="code-block-figure"> <figcaption>.github/workflows/sonar_python_bender_build.yml</figcaption> <div class="highlight" title=".github/workflows/sonar_python_bender_build.yml"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">strategy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matrix</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">include</span><span class="p">:</span><span class="w"> </span><span class="l">${{ fromJson(inputs.multi_arch &amp;&amp;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s1">&#39;[{&#34;runner&#34;:&#34;ubuntu-24.04&#34;,&#34;arch&#34;:&#34;amd64&#34;}, </span></span></span><span class="line"><span class="cl"><span class="s1"> {&#34;runner&#34;:&#34;ubuntu-24.04-arm&#34;,&#34;arch&#34;:&#34;arm64&#34;}]&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="l">|| &#39;[{&#34;runner&#34;:&#34;ubuntu-24.04&#34;,&#34;arch&#34;:&#34;amd64&#34;}]&#39;) }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">${{ matrix.runner }}</span></span></span></code></pre></div> </figure> <p>When <code>multi_arch</code> is true, two jobs run in parallel on native runners. No QEMU. An <code>ARCH_SUFFIX</code> environment variable (<code>-amd64</code> or <code>-arm64</code>) drives platform selection downstream:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/build.ts</figcaption> <div class="highlight" title="build-helper/src/build.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kd">function</span> <span class="nx">getPlatformForArch</span><span class="p">()</span><span class="o">:</span> <span class="kt">string</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">archSuffix</span> <span class="o">=</span> <span class="nx">getArchSuffix</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">archSuffix</span> <span class="o">===</span> <span class="s1">&#39;-arm64&#39;</span> <span class="o">?</span> <span class="s1">&#39;linux/arm64&#39;</span> <span class="o">:</span> <span class="s1">&#39;linux/amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>ARM64 jobs skip tests, coverage, and SonarCloud. Only amd64 does those. Build + push only for arm64.</p> <h2 id="problem-1-buildx-attestations">Problem 1: buildx attestations</h2> <p>Buildx 0.10+ defaults to pushing attestation manifests (SBOM, provenance) alongside your image. When you <code>docker push myimage:tag</code>, it doesn&rsquo;t push a plain image, it pushes a <strong>manifest list</strong> containing the image plus attestation layers.</p> <p>This is fine if you just pull and run. But we need to stitch arch-specific images into a multi-arch manifest:</p> <figure class="code-block-figure"> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker manifest create myimage:pr_10 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --amend myimage:sha-amd64 <span class="se">\ </span></span></span><span class="line"><span class="cl"> --amend myimage:sha-arm64</span></span></code></pre></div> </figure> <p><code>docker manifest create</code> expects plain images as sources, not manifest lists. When <code>sha-amd64</code> is itself a manifest list (because of attestations), the stitching fails.</p> <p>The fix: disable attestations with <code>BUILDX_NO_DEFAULT_ATTESTATIONS=1</code>.</p> <p>Our first attempt was conditional:</p> <figure class="code-block-figure"> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Broken: empty string &#34;&#34; fails strconv.ParseBool</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">BUILDX_NO_DEFAULT_ATTESTATIONS</span><span class="p">:</span><span class="w"> </span><span class="l">${{ inputs.multi_arch &amp;&amp; &#39;1&#39; || &#39;&#39; }}</span></span></span></code></pre></div> </figure> <p>When <code>multi_arch</code> is false, this evaluates to <code>&quot;&quot;</code>. Buildx tries to parse it as a boolean via Go&rsquo;s <code>strconv.ParseBool</code>, which fails on empty string. This broke <strong>every non-multi-arch build</strong> across the organization.</p> <p>The fix was trivial, always set it to <code>1</code>:</p> <figure class="code-block-figure"> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">BUILDX_NO_DEFAULT_ATTESTATIONS</span><span class="p">:</span><span class="w"> </span><span class="m">1</span></span></span></code></pre></div> </figure> <p>Attestations aren&rsquo;t needed regardless of arch mode. An env var being set to empty is different from not being set at all: a subtle but organization-wide footgun.</p> <h2 id="problem-2-pr-number-resolution">Problem 2: PR number resolution</h2> <p>Each arch job publishes its image with a tag. We need a consistent tag so the manifest step can find both. The original design used <code>pr_X-amd64</code> / <code>pr_X-arm64</code>, where the PR number came from an API call:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/utils.ts (before)</figcaption> <div class="highlight" title="build-helper/src/utils.ts (before)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">get_pr</span><span class="p">()</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">number</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span><span class="nx">data</span>: <span class="kt">commit_prs</span><span class="p">}</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">oktokit</span><span class="p">.</span><span class="nx">rest</span><span class="p">.</span><span class="nx">repos</span><span class="p">.</span><span class="nx">listPullRequestsAssociatedWithCommit</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="nx">owner</span>: <span class="kt">repo</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nx">repo</span>: <span class="kt">repo</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="nx">commit_sha</span>: <span class="kt">sha</span> </span></span><span class="line"><span class="cl"> <span class="p">})</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">commit_prs</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">===</span> <span class="kc">undefined</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">throw</span> <span class="k">new</span> <span class="nb">Error</span><span class="p">(</span><span class="s1">&#39;Commit has no PR&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">commit_prs</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="kt">number</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>The <code>listPullRequestsAssociatedWithCommit</code> API sometimes returned empty results: race conditions, merge commits, event timing. When it failed, <code>get_publish_tag()</code> silently fell back to the raw SHA:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/utils.ts (silent fallback)</figcaption> <div class="highlight" title="build-helper/src/utils.ts (silent fallback)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">get_publish_tag</span><span class="p">()</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">string</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="sb">`pr_</span><span class="si">${</span><span class="k">await</span> <span class="nx">get_pr</span><span class="p">()</span><span class="si">}</span><span class="sb">`</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s1">&#39;GITHUB_SHA&#39;</span><span class="p">]</span> <span class="o">||</span> <span class="s1">&#39;&#39;</span> <span class="c1">// No warning! </span></span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>The amd64 job would tag as <code>pr_42-amd64</code> (API succeeded), the arm64 job as <code>abc123def</code> (API failed). The manifest step looked for <code>pr_42-arm64</code>, which didn&rsquo;t exist.</p> <p>Two fixes:</p> <p><strong>Read PR number from the event payload</strong>, always available, zero API calls:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/utils.ts (after)</figcaption> <div class="highlight" title="build-helper/src/utils.ts (after)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">get_pr</span><span class="p">()</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">number</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">con</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Context</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">con</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">pull_request</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nx">con</span><span class="p">.</span><span class="nx">payload</span><span class="p">.</span><span class="nx">pull_request</span><span class="p">.</span><span class="kt">number</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="c1">// Fallback for push events only </span></span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="p">{</span><span class="nx">data</span>: <span class="kt">commit_prs</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">oktokit</span><span class="p">.</span><span class="nx">rest</span><span class="p">.</span><span class="nx">repos</span> </span></span><span class="line"><span class="cl"> <span class="p">.</span><span class="nx">listPullRequestsAssociatedWithCommit</span><span class="p">({...})</span> </span></span><span class="line"><span class="cl"> <span class="c1">// ... </span></span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p><strong>Use commit SHA for arch-suffixed images</strong>, the SHA is always the same across parallel jobs:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/publish.ts</figcaption> <div class="highlight" title="build-helper/src/publish.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">export</span> <span class="kr">async</span> <span class="kd">function</span> <span class="nx">docker</span><span class="p">(</span><span class="nx">image</span>: <span class="kt">string</span><span class="p">,</span> <span class="nx">name</span>: <span class="kt">string</span><span class="p">)</span><span class="o">:</span> <span class="nx">Promise</span><span class="p">&lt;</span><span class="nt">void</span><span class="p">&gt;</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">archSuffix</span> <span class="o">=</span> <span class="nx">getArchSuffix</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">sha</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s1">&#39;GITHUB_SHA&#39;</span><span class="p">]</span> <span class="o">||</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="kr">const</span> <span class="nx">tag</span> <span class="o">=</span> <span class="nx">archSuffix</span> <span class="o">?</span> <span class="sb">`</span><span class="si">${</span><span class="nx">sha</span><span class="si">}${</span><span class="nx">archSuffix</span><span class="si">}</span><span class="sb">`</span> <span class="o">:</span> <span class="k">await</span> <span class="nx">get_publish_tag</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="c1">// ... </span></span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <p>The manifest step bridges them:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/manifest.ts</figcaption> <div class="highlight" title="build-helper/src/manifest.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">manifestTag</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">get_publish_tag</span><span class="p">()</span> <span class="c1">// &#34;pr_X&#34; </span></span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">sha</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">[</span><span class="s1">&#39;GITHUB_SHA&#39;</span><span class="p">]</span> <span class="o">||</span> <span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">archTags</span> <span class="o">=</span> <span class="nx">ARCHITECTURES</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">arch</span> <span class="o">=&gt;</span> <span class="sb">`</span><span class="si">${</span><span class="nx">sha</span><span class="si">}</span><span class="sb">-</span><span class="si">${</span><span class="nx">arch</span><span class="si">}</span><span class="sb">`</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="nx">createAndPushManifest</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">manifestTag</span><span class="p">,</span> <span class="nx">archTags</span><span class="p">)</span></span></span></code></pre></div> </figure> <p>So the flow is: <code>{sha}-amd64</code> + <code>{sha}-arm64</code> → manifest <code>pr_X</code>. No API race, no silent fallback.</p> <h2 id="problem-3-deploy-ordering">Problem 3: deploy ordering</h2> <p>The Leela admin service deploys on every PR build. It was wired inline in the build job:</p> <figure class="code-block-figure"> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl">- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">matrix.arch == &#39;amd64&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">./helper/.github/actions/deploy</span></span></span></code></pre></div> </figure> <p>Problem: in multi-arch mode, the deploy step ran before the manifest existed. It tried to pull <code>pr_X</code>, which only gets created in a separate <code>create_manifest</code> job that depends on both arch builds completing.</p> <p>The fix adds a separate downstream job for multi-arch deploys:</p> <figure class="code-block-figure"> <figcaption>.github/workflows/sonar_python_bender_build.yml</figcaption> <div class="highlight" title=".github/workflows/sonar_python_bender_build.yml"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Inline deploy only for single-arch</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">matrix.arch == &#39;amd64&#39; &amp;&amp; !inputs.multi_arch</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">./helper/.github/actions/deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="c"># Multi-arch: deploy after manifest is ready</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">pr_deploy</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">if</span><span class="p">:</span><span class="w"> </span><span class="l">inputs.multi_arch</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">needs</span><span class="p">:</span><span class="w"> </span><span class="l">create_manifest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-24.04</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Deploy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">./helper/.github/actions/deploy</span></span></span></code></pre></div> </figure> <p>Same pattern for the release workflow: deploy only after <code>create_release_manifest</code> completes.</p> <h2 id="problem-4-release-version-calculation">Problem 4: release version calculation</h2> <p>The <code>createReleaseManifests</code> function creates the multi-arch manifest for release tags. It originally called <code>get_split_version_tag()</code> to determine the version:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/release.ts (before)</figcaption> <div class="highlight" title="build-helper/src/release.ts (before)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">tag</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">get_split_version_tag</span><span class="p">()</span> <span class="c1">// Fetches latest release, bumps version </span></span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">version</span> <span class="o">=</span> <span class="sb">`</span><span class="si">${</span><span class="nx">tag</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="si">}</span><span class="sb">.</span><span class="si">${</span><span class="nx">tag</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="si">}</span><span class="sb">.</span><span class="si">${</span><span class="nx">tag</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span><span class="si">}</span><span class="sb">`</span></span></span></code></pre></div> </figure> <p><code>get_split_version_tag()</code> fetches the latest GitHub release and bumps the version based on PR labels. But <code>createReleaseManifests</code> runs <strong>after</strong> the release jobs complete. The release already happened. So <code>get_latest_tag()</code> now returns <code>v5.5.3</code> (the new release), and bumping it gives <code>v5.5.4</code>, which doesn&rsquo;t exist as a tag.</p> <p>The fix: just use <code>get_latest_tag()</code> directly.</p> <figure class="code-block-figure"> <figcaption>build-helper/src/release.ts (after)</figcaption> <div class="highlight" title="build-helper/src/release.ts (after)"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">version</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">get_latest_tag</span><span class="p">()</span> </span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">parts</span> <span class="o">=</span> <span class="nx">version</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="s1">&#39;.&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">archTags</span> <span class="o">=</span> <span class="nx">ARCHITECTURES</span><span class="p">.</span><span class="nx">map</span><span class="p">(</span><span class="nx">arch</span> <span class="o">=&gt;</span> <span class="sb">`</span><span class="si">${</span><span class="nx">version</span><span class="si">}</span><span class="sb">-</span><span class="si">${</span><span class="nx">arch</span><span class="si">}</span><span class="sb">`</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="nx">createAndPushManifest</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">version</span><span class="p">,</span> <span class="nx">archTags</span><span class="p">)</span> <span class="c1">// v1.2.3 </span></span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="nx">createAndPushManifest</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="sb">`</span><span class="si">${</span><span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="si">}</span><span class="sb">.</span><span class="si">${</span><span class="nx">parts</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="si">}</span><span class="sb">`</span><span class="p">,</span> <span class="nx">archTags</span><span class="p">)</span> <span class="c1">// v1.2 </span></span></span><span class="line"><span class="cl"><span class="k">await</span> <span class="nx">createAndPushManifest</span><span class="p">(</span><span class="nx">name</span><span class="p">,</span> <span class="nx">parts</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="nx">archTags</span><span class="p">)</span> <span class="c1">// v1 </span></span></span></code></pre></div> </figure> <p>Three manifest tags per release. Semver consumers can pin to major, minor, or patch.</p> <h2 id="the-full-tagging-flow">The full tagging flow</h2> <p>After all the fixes, the image lifecycle looks like this:</p> <figure class="code-block-figure"> <pre tabindex="0"><code>PR Build: {sha}-amd64, {sha}-arm64 → manifest: pr_X Release (per-arch): pull pr_X (Docker resolves correct arch) push v1.2.3-amd64, v1.2.3-arm64 Release Manifests: v1.2.3-amd64 + v1.2.3-arm64 → manifests: v1.2.3, v1.2, v1</code></pre> </figure> <p>Only the amd64 job creates the GitHub release to avoid duplicates:</p> <figure class="code-block-figure"> <figcaption>build-helper/src/release.ts</figcaption> <div class="highlight" title="build-helper/src/release.ts"><pre tabindex="0" class="chroma"><code class="language-typescript" data-lang="typescript"><span class="line"><span class="cl"><span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">archSuffix</span> <span class="o">||</span> <span class="nx">archSuffix</span> <span class="o">===</span> <span class="s1">&#39;-amd64&#39;</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">await</span> <span class="nx">create_release</span><span class="p">(</span><span class="nx">version</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="k">else</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">core</span><span class="p">.</span><span class="nx">info</span><span class="p">(</span><span class="sb">`Skipping GitHub release creation on </span><span class="si">${</span><span class="nx">archSuffix</span><span class="si">}</span><span class="sb"> build`</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">}</span></span></span></code></pre></div> </figure> <h2 id="timeline">Timeline</h2> <ol> <li><strong>Feb 4</strong>: Initial multi-arch support. Matrix strategy, arch suffix, manifest creation.</li> <li><strong>Feb 5</strong>: Deploy ordering fix. Leela deploying before manifests existed.</li> <li><strong>Feb 16</strong>: Same fix for the release/merge workflow.</li> <li><strong>Feb 17</strong>: <code>BUILDX_NO_DEFAULT_ATTESTATIONS</code> to fix attestation-poisoned manifests.</li> <li><strong>Feb 18</strong>: SHA-based arch tagging + PR number from event payload.</li> <li><strong>Feb 19</strong>: <code>BUILDX_NO_DEFAULT_ATTESTATIONS</code> empty string crash fix.</li> <li><strong>Feb 19</strong>: <code>get_latest_tag()</code> instead of <code>get_split_version_tag()</code> in release manifests.</li> </ol> <p>Five fixes in two weeks after the initial rollout. Each one discovered in production by a different failure mode.</p> <h2 id="what-id-do-differently">What I&rsquo;d do differently</h2> <p><strong>Test the non-multi-arch path.</strong> The empty string <code>strconv.ParseBool</code> crash only affected repos that hadn&rsquo;t opted into multi-arch. We tested the new feature, not the old path.</p> <p><strong>Use SHA tags from the start.</strong> The PR-number-based approach was elegant but fragile. The SHA is always consistent across parallel jobs, no API calls, no race conditions.</p> <p><strong>Make the manifest step a required downstream job.</strong> The deploy-before-manifest problem was obvious in retrospect. Any step that depends on a multi-arch manifest should be in a job that <code>needs:</code> the manifest creation job. No exceptions, no &ldquo;it works for single-arch&rdquo; shortcuts.</p> <p>Docker&rsquo;s multi-arch story is good once it works. Getting there from a single-arch CI that evolved organically over years is where the pain lives. Every assumption about &ldquo;one build produces one image&rdquo; breaks in interesting ways.</p>