Build arm64 images natively

.github/workflows/release.yml

@@ -61,10 +61,7 @@ jobs:
     strategy:
       matrix:
         go-version: [1.21.x]
-        # Disabling arm64 for now as it takes too long to build Python when running Docker with QEMU.
-        # Once arm64 runners are availble to OSS projects, we can re-enable this.
-        # TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
-        arch: ["amd64"] # "arm64"
+        arch: ["arm64", "amd64"]
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -86,6 +83,8 @@ jobs:
         with:
           install: true
       - name: Build
+        # We only build the "kitchen sink" image for AMD64 as it's rather large
+        # and we want to steer users to use the single SDK images going forward:
         run: |
           docker build \
             -f docker/pulumi/Dockerfile \
@@ -206,14 +205,15 @@ jobs:
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
       - name: Versioned manifest
         run: |
-          # TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
           docker manifest create \
             ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }} \
+            ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-arm64 \
             ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-amd64
           docker manifest push ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}
 
           docker manifest create \
             ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot \
+            ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot-arm64 \
             ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot-amd64
           docker manifest push ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot
       - name: Latest manifest
@@ -223,22 +223,21 @@ jobs:
         run: |
           docker manifest create \
             ${{ env.DOCKER_ORG }}/pulumi:latest \
+            ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-arm64 \
             ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-amd64
           docker manifest push ${{ env.DOCKER_ORG }}/pulumi:latest
 
           docker manifest create \
             ${{ env.DOCKER_ORG }}/pulumi:latest-nonroot \
+            ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot-arm64 \
             ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot-amd64
           docker manifest push ${{ env.DOCKER_ORG }}/pulumi:latest-nonroot
   provider-build-environment:
     name: Provider Build Environment image
     strategy:
       matrix:
         go-version: [1.21.1]
-        # Disabling arm64 for now as it takes too long to build Python when running Docker with QEMU.
-        # Once arm64 runners are availble to OSS projects, we can re-enable this.
-        # TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
-        arch: ["amd64"] # "arm64"
+        arch: ["arm64", "amd64"]
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -265,7 +264,7 @@ jobs:
         run: |
           docker build \
             -f docker/pulumi/Dockerfile \
-            --platform linux/${{ matrix.arch }} \
+            --platform linux/amd64 \
             -t ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-${{ matrix.arch }} \
             --target build-environment \
             --build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \
@@ -337,6 +336,7 @@ jobs:
         run: |
           docker manifest create \
             ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }} \
+            ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-arm64 \
             ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-amd64
       - name: Latest manifest
         if: ${{ github.event.inputs.tag_latest || github.event_name == 'repository_dispatch' }}
@@ -345,6 +345,7 @@ jobs:
         run: |
           docker manifest create \
             ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:latest \
+            ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-arm64 \
             ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}-amd64
           docker manifest push ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:latest
 

.github/workflows/sync-ecr.yml

@@ -49,12 +49,11 @@ jobs:
             --query 'authorizationData.authorizationToken' | \
             tr -d '"' | base64 --decode | cut -d: -f2 | \
             docker login -u AWS --password-stdin https://public.ecr.aws
-      # TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
-      # - name: Tag ${{ env.PULUMI_VERSION }}-arm64 and push to AWS Public ECR
-      #   run: |
-      #     docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
-      #     docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
-      #     docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
+      - name: Tag ${{ env.PULUMI_VERSION }}-arm64 and push to AWS Public ECR
+        run: |
+          docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
+          docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
+          docker push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
       - name: Tag ${{ env.PULUMI_VERSION }}-amd64 and push to AWS Public ECR
         run: |
           docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
@@ -63,10 +62,10 @@ jobs:
       - name: Push latest manifest
         if: ${{ github.event.inputs.tag_latest || github.event_name == 'repository_dispatch' }}
         run: |
-          # TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
           docker manifest create \
             public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest${{ matrix.suffix }} \
-            public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
+            public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 \
+            public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
           docker manifest push public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest${{ matrix.suffix }}
 
   define-debian-matrix:

.github/workflows/sync-ghcr.yml

@@ -39,12 +39,11 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      # TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
-      # - name: Tag ${{ env.PULUMI_VERSION }}-arm64 and push to GHCR
-      #   run: |
-      #     docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
-      #     docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
-      #     docker push ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
+      - name: Tag ${{ env.PULUMI_VERSION }}-arm64 and push to GHCR
+        run: |
+          docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
+          docker tag docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64 ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
+          docker push ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
       - name: Tag ${{ env.PULUMI_VERSION }}-amd64 and push to GHCR
         run: |
           docker pull docker.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
@@ -53,10 +52,10 @@ jobs:
       - name: Push latest manifest to GHCR
         if: ${{ github.event.inputs.tag_latest || github.event_name == 'repository_dispatch' }}
         run: |
-          # TODO: https://github.com/pulumi/pulumi-docker-containers/issues/297
           docker manifest create \
             ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest${{ matrix.suffix }} \
-            ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64
+            ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-amd64 \
+            ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}-arm64
           docker manifest push ghcr.io/${{ env.DOCKER_USERNAME }}/${{ matrix.image }}:latest${{ matrix.suffix }}
 
   define-debian-matrix:

docker/pulumi/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:12 AS base
+FROM --platform=${BUILDPLATFORM} debian:12 AS base
 
 # These values are passed in by the build system automatically. The options are: arm64, amd64
 # See: https://docs.docker.com/build/building/variables/#pre-defined-build-arguments
@@ -198,7 +198,7 @@ RUN helm repo add stable https://charts.helm.sh/stable && \
 # for more background.
 ########################################################################
 
-FROM base AS build-environment
+FROM --platform=${BUILDPLATFORM} base AS build-environment
 
 ARG TARGETARCH