From c9cc80b2afefd2b3456f6e6aedafdbf43f409bc6 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Mon, 16 Feb 2026 10:54:57 +0100 Subject: [PATCH 01/10] Disable provenance/SBOM attestations A recent update probably enabled those and that turned our single-platform container images into manifests. And we cannot manually create the latest manifest if our images are manifests as well. --- .github/workflows/build-and-push.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 14f9e46..71cc224 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -42,6 +42,8 @@ jobs: context: . platforms: linux/${{ matrix.arch }} load: true + provenance: false + sbom: false tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} From 4cee1406b77ec0496c3a8def13aaae068bf9b0b1 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Mon, 16 Feb 2026 12:19:34 +0100 Subject: [PATCH 02/10] Update docker/build-push-action to version 6 --- .github/workflows/build-and-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 71cc224..2c93118 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -37,7 +37,7 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: context: . platforms: linux/${{ matrix.arch }} From 93ceaabc074f1b28319bd43c1489ec4396272678 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Tue, 17 Feb 2026 12:04:26 +0100 Subject: [PATCH 03/10] Add verification step for single-platform images --- .github/workflows/build-and-push.yml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 2c93118..6ed3dd6 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -42,11 +42,32 @@ jobs: context: . platforms: linux/${{ matrix.arch }} load: true - provenance: false - sbom: false tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} + - name: Verify single-platform image + run: | + # Inspect the local image + image_info=$(docker image inspect fedorapython/fedora-python-tox:${{ matrix.arch }}) + + # Check that we got exactly one image (not a manifest list) + image_count=$(echo "$image_info" | jq '. | length') + if [ "$image_count" != "1" ]; then + echo "ERROR: Expected 1 image, found $image_count" + exit 1 + fi + + # Get the architecture + arch=$(echo "$image_info" | jq -r '.[0].Architecture') + os=$(echo "$image_info" | jq -r '.[0].Os') + + echo "✓ Verified: Image is single-platform ($os/$arch)" + + # Verify it matches the expected architecture + if [ "$arch" != "${{ matrix.arch }}" ]; then + echo "ERROR: Architecture mismatch! Expected ${{ matrix.arch }}, got $arch" + exit 1 + fi - name: Test local project env: TOXENV: ${{ matrix.toxenv }} From 6e13b40b426a948beb874d6b59d2c2fa09c02a24 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Tue, 17 Feb 2026 13:41:12 +0100 Subject: [PATCH 04/10] Use manifest inspect in the verification step, not image inspect --- .github/workflows/build-and-push.yml | 29 ++++++++++++---------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 6ed3dd6..737789f 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -47,27 +47,22 @@ jobs: fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} - name: Verify single-platform image run: | - # Inspect the local image - image_info=$(docker image inspect fedorapython/fedora-python-tox:${{ matrix.arch }}) + # Inspect the manifest + manifest=$(docker manifest inspect fedorapython/fedora-python-tox:${{ matrix.arch }}) - # Check that we got exactly one image (not a manifest list) - image_count=$(echo "$image_info" | jq '. | length') - if [ "$image_count" != "1" ]; then - echo "ERROR: Expected 1 image, found $image_count" - exit 1 - fi - - # Get the architecture - arch=$(echo "$image_info" | jq -r '.[0].Architecture') - os=$(echo "$image_info" | jq -r '.[0].Os') + # For single-platform images, manifests should be null + # For multi-platform or images with attestations, manifests is an array + manifests=$(echo "$manifest" | jq '.manifests') - echo "✓ Verified: Image is single-platform ($os/$arch)" - - # Verify it matches the expected architecture - if [ "$arch" != "${{ matrix.arch }}" ]; then - echo "ERROR: Architecture mismatch! Expected ${{ matrix.arch }}, got $arch" + if [ "$manifests" != "null" ]; then + manifest_count=$(echo "$manifests" | jq '. | length') + echo "ERROR: Image has a manifest list with $manifest_count entries (expected null for single-platform)!" + echo "This usually means attestations are enabled or it's a multi-platform image." + echo "$manifests" | jq '.[] | {platform: .platform, digest: .digest, annotations: .annotations}' exit 1 fi + + echo "✓ Verified: Image is single-platform (manifests: null)" - name: Test local project env: TOXENV: ${{ matrix.toxenv }} From 4a38b1e578f09a80d7aa9e7e21ed0529bcbfb18a Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Wed, 18 Feb 2026 08:09:22 +0100 Subject: [PATCH 05/10] Disable provenance and sbom attestations again --- .github/workflows/build-and-push.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 737789f..bc59139 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -41,6 +41,8 @@ jobs: with: context: . platforms: linux/${{ matrix.arch }} + provenance: false + sbom: false load: true tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} @@ -98,6 +100,8 @@ jobs: with: context: . platforms: linux/${{ matrix.arch }} + provenance: false + sbom: false push: true tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} From fd358ef6c9805108f7755be697e74e1aa247891b Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Thu, 19 Feb 2026 13:04:51 +0100 Subject: [PATCH 06/10] fixup --- .github/workflows/build-and-push.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index bc59139..df1a9f4 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -43,7 +43,7 @@ jobs: platforms: linux/${{ matrix.arch }} provenance: false sbom: false - load: true + outputs: type=docker tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} @@ -95,7 +95,7 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Push to Dockerhub - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' with: context: . From ccc85a78864be6be2222d489bc19719e6b876d38 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Thu, 19 Feb 2026 15:33:38 +0100 Subject: [PATCH 07/10] fixup --- .github/workflows/build-and-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index df1a9f4..897e44d 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -43,7 +43,7 @@ jobs: platforms: linux/${{ matrix.arch }} provenance: false sbom: false - outputs: type=docker + outputs: type=docker,oci-mediatypes=false tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} From a3a523f5b6cc4b0ea471b6d97a69b69555080629 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Fri, 20 Feb 2026 10:34:20 +0100 Subject: [PATCH 08/10] fixup --- .github/workflows/build-and-push.yml | 29 +++++++++------------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 897e44d..94c7775 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -37,16 +37,12 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Build - uses: docker/build-push-action@v6 - with: - context: . - platforms: linux/${{ matrix.arch }} - provenance: false - sbom: false - outputs: type=docker,oci-mediatypes=false - tags: | - fedorapython/fedora-python-tox:${{ matrix.arch }} - fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} + run: | + docker build \ + --platform linux/${{ matrix.arch }} \ + -t fedorapython/fedora-python-tox:${{ matrix.arch }} \ + -t fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} \ + . - name: Verify single-platform image run: | # Inspect the manifest @@ -95,17 +91,10 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Push to Dockerhub - uses: docker/build-push-action@v6 if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' - with: - context: . - platforms: linux/${{ matrix.arch }} - provenance: false - sbom: false - push: true - tags: | - fedorapython/fedora-python-tox:${{ matrix.arch }} - fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} + run: | + docker push fedorapython/fedora-python-tox:${{ matrix.arch }} + docker push fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} description_update: name: 'Update Dockerhub description' From c8c381baa6c7b2056a47e43ed404b95935958ae7 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Fri, 20 Feb 2026 12:43:20 +0100 Subject: [PATCH 09/10] fixup --- .github/workflows/build-and-push.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 94c7775..e178d13 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -37,6 +37,8 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Build + env: + DOCKER_BUILDKIT: 0 run: | docker build \ --platform linux/${{ matrix.arch }} \ From 534ca25994f8937051b352bf604c6e37d0e112d7 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Mon, 23 Feb 2026 10:47:52 +0100 Subject: [PATCH 10/10] fixup --- .github/workflows/build-and-push.yml | 168 +++++++++++++-------------- 1 file changed, 81 insertions(+), 87 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index e178d13..51044b9 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -15,8 +15,8 @@ env: FEDORA_VERSION: 42 jobs: - build-and-push: - name: Build, test and push + build-and-test: + name: Build and test ${{ matrix.arch }} runs-on: ubuntu-latest strategy: matrix: @@ -31,128 +31,122 @@ jobs: toxenv: py39,py310,py312 steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: submodules: true + - name: Set up QEMU - uses: docker/setup-qemu-action@v1 - - name: Build - env: - DOCKER_BUILDKIT: 0 - run: | - docker build \ - --platform linux/${{ matrix.arch }} \ - -t fedorapython/fedora-python-tox:${{ matrix.arch }} \ - -t fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} \ - . - - name: Verify single-platform image - run: | - # Inspect the manifest - manifest=$(docker manifest inspect fedorapython/fedora-python-tox:${{ matrix.arch }}) - - # For single-platform images, manifests should be null - # For multi-platform or images with attestations, manifests is an array - manifests=$(echo "$manifest" | jq '.manifests') - - if [ "$manifests" != "null" ]; then - manifest_count=$(echo "$manifests" | jq '. | length') - echo "ERROR: Image has a manifest list with $manifest_count entries (expected null for single-platform)!" - echo "This usually means attestations are enabled or it's a multi-platform image." - echo "$manifests" | jq '.[] | {platform: .platform, digest: .digest, annotations: .annotations}' - exit 1 - fi - - echo "✓ Verified: Image is single-platform (manifests: null)" + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build image for testing + uses: docker/build-push-action@v6 + with: + context: . + platforms: linux/${{ matrix.arch }} + load: true + tags: | + fedorapython/fedora-python-tox:test-${{ matrix.arch }} + - name: Test local project env: TOXENV: ${{ matrix.toxenv }} run: | - docker run --rm --platform linux/${{ matrix.arch }} -v $PWD/example_project:/src -w /src -e TOXENV fedorapython/fedora-python-tox:${{ matrix.arch }} + docker run --rm --platform linux/${{ matrix.arch }} -v $PWD/example_project:/src -w /src -e TOXENV fedorapython/fedora-python-tox:test-${{ matrix.arch }} + - name: Test remote project env: TOXENV: ${{ matrix.toxenv }} run: | - docker run --rm --platform linux/${{ matrix.arch }} -e TOXENV -e GIT_URL=https://github.com/frenzymadness/python-tox-example.git fedorapython/fedora-python-tox:${{ matrix.arch }} + docker run --rm --platform linux/${{ matrix.arch }} -e TOXENV -e GIT_URL=https://github.com/frenzymadness/python-tox-example.git fedorapython/fedora-python-tox:test-${{ matrix.arch }} + - name: Test parallel run env: TOXENV: ${{ matrix.toxenv }} run: | - docker run --rm --platform linux/${{ matrix.arch }} -v $PWD/example_project:/src -w /src -e TOXENV -e TOX_PARAMS="-p auto" fedorapython/fedora-python-tox:${{ matrix.arch }} + docker run --rm --platform linux/${{ matrix.arch }} -v $PWD/example_project:/src -w /src -e TOXENV -e TOX_PARAMS="-p auto" fedorapython/fedora-python-tox:test-${{ matrix.arch }} + - name: Test dnf install and wheel build env: TOXENV: ${{ matrix.toxenv }} run: | - docker run --rm --platform linux/${{ matrix.arch }} -e DNF_INSTALL="libffi-devel 'pkgconfig(libgit2) >= 1.9' /usr/bin/cowsay" fedorapython/fedora-python-tox:${{ matrix.arch }} sh -c "/run_tests.sh; pip install -I --no-deps --compile --no-binary :all: cffi pygit2~=1.17.0 && cowsay DONE" + docker run --rm --platform linux/${{ matrix.arch }} -e DNF_INSTALL="libffi-devel 'pkgconfig(libgit2) >= 1.9' /usr/bin/cowsay" fedorapython/fedora-python-tox:test-${{ matrix.arch }} sh -c "/run_tests.sh; pip install -I --no-deps --compile --no-binary :all: cffi pygit2~=1.17.0 && cowsay DONE" + - name: Test external project with WORKDIR run: | - docker run --rm --platform linux/${{ matrix.arch }} -e TOXENV=py3 -e GIT_URL=https://github.com/frenzymadness/nflxprofile.git -e WORKDIR=python fedorapython/fedora-python-tox:${{ matrix.arch }} + docker run --rm --platform linux/${{ matrix.arch }} -e TOXENV=py3 -e GIT_URL=https://github.com/frenzymadness/nflxprofile.git -e WORKDIR=python fedorapython/fedora-python-tox:test-${{ matrix.arch }} + - name: Login to DockerHub - uses: docker/login-action@v1 if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Push to Dockerhub + + - name: Build and push platform-specific images if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + uses: docker/build-push-action@v6 + with: + context: . + platforms: linux/${{ matrix.arch }} + push: true + tags: | + fedorapython/fedora-python-tox:${{ matrix.arch }} + fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} + + release: + name: Create multi-platform manifests + if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + needs: build-and-test + runs-on: ubuntu-latest + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Create and push multi-platform manifest for :latest + run: | + docker buildx imagetools create -t fedorapython/fedora-python-tox:latest \ + fedorapython/fedora-python-tox:amd64 \ + fedorapython/fedora-python-tox:arm64 \ + fedorapython/fedora-python-tox:ppc64le \ + fedorapython/fedora-python-tox:s390x + + - name: Create and push multi-platform manifest for :f${{ env.FEDORA_VERSION }} + run: | + docker buildx imagetools create -t fedorapython/fedora-python-tox:f${{ env.FEDORA_VERSION }} \ + fedorapython/fedora-python-tox:amd64-f${{ env.FEDORA_VERSION }} \ + fedorapython/fedora-python-tox:arm64-f${{ env.FEDORA_VERSION }} \ + fedorapython/fedora-python-tox:ppc64le-f${{ env.FEDORA_VERSION }} \ + fedorapython/fedora-python-tox:s390x-f${{ env.FEDORA_VERSION }} + + - name: Verify :latest manifest + run: | + docker buildx imagetools inspect fedorapython/fedora-python-tox:latest + + - name: Verify :f${{ env.FEDORA_VERSION }} manifest run: | - docker push fedorapython/fedora-python-tox:${{ matrix.arch }} - docker push fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} + docker buildx imagetools inspect fedorapython/fedora-python-tox:f${{ env.FEDORA_VERSION }} description_update: - name: 'Update Dockerhub description' + name: Update Dockerhub description if: github.event_name == 'push' - needs: build-and-push + needs: release runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 - - name: 'Update Dockerhub description' + + - name: Update Dockerhub description uses: peter-evans/dockerhub-description@v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} repository: fedorapython/fedora-python-tox - - release: - name: 'Update and test manifests' - if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' - needs: build-and-push - runs-on: ubuntu-latest - steps: - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Pull all images - run: > - for arch in amd64 arm64 ppc64le s390x; do - docker pull fedorapython/fedora-python-tox:$arch; - docker pull fedorapython/fedora-python-tox:${arch}-f${{ env.FEDORA_VERSION }}; - done - - name: Create and push manifest for the :latest tag - env: - DOCKER_CLI_EXPERIMENTAL: enabled - run: > - docker manifest create fedorapython/fedora-python-tox:latest - fedorapython/fedora-python-tox:amd64 - fedorapython/fedora-python-tox:arm64 - fedorapython/fedora-python-tox:ppc64le - fedorapython/fedora-python-tox:s390x; - docker manifest push fedorapython/fedora-python-tox:latest; - - name: Test the latest manifest - run: | - docker manifest inspect fedorapython/fedora-python-tox:latest | grep '"architecture":' | grep -Ez '(.*(amd64|arm64|ppc64le|s390x).*){4}' - - name: Create and push manifest for the versioned tag - env: - DOCKER_CLI_EXPERIMENTAL: enabled - run: > - docker manifest create fedorapython/fedora-python-tox:f${{ env.FEDORA_VERSION }} - fedorapython/fedora-python-tox:amd64-f${{ env.FEDORA_VERSION }} - fedorapython/fedora-python-tox:arm64-f${{ env.FEDORA_VERSION }} - fedorapython/fedora-python-tox:ppc64le-f${{ env.FEDORA_VERSION }} - fedorapython/fedora-python-tox:s390x-f${{ env.FEDORA_VERSION }}; - docker manifest push fedorapython/fedora-python-tox:f${{ env.FEDORA_VERSION }}; - - name: Test the versioned manifest - run: | - docker manifest inspect fedorapython/fedora-python-tox:f${{ env.FEDORA_VERSION }} | grep '"architecture":' | grep -Ez '(.*(amd64|arm64|ppc64le|s390x).*){4}'