ci: publish vroom to GHCR and provide a tagged release on GHCR (#576)

aldy505 · web-flow · commit 823b00edcfdf · 2025-06-12T13:56:21.000+01:00
Similar work with these PRs: - getsentry/relay#4532 - getsentry/symbolicator#1635 - getsentry/snuba#6997 - getsentry/sentry#88181 While also trying to provide a solution (or at least an alternative) for this issue: getsentry/self-hosted#3593 ### Legal Boilerplate Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -23,7 +23,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
     - uses: actions/setup-go@v5
@@ -40,7 +40,7 @@ jobs:
   test-vroom:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0
     - uses: actions/setup-go@v5
@@ -49,18 +49,107 @@ jobs:
         cache: false
     - run: make test
 
+  build-image:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-24.04
+            platform: amd64
+          - os: ubuntu-24.04-arm
+            platform: arm64
+    needs:
+      - lint
+      - test-vroom
+    if: github.repository_owner == 'getsentry'
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build
+        uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.10
+        with:
+          context: .
+          cache-from: ghcr.io/getsentry/vroom:nightly
+          cache-to: type=inline
+          platforms: linux/${{ matrix.platform }}
+          tags: vroom:${{ matrix.platform }}
+          outputs: type=docker,dest=/tmp/vroom-${{ matrix.platform }}.tar
+          push: false
+
+      # NOTE(aldy505): Rather than pushing the individual architecture-specific image to GHCR,
+      # we're uploading the tarball into GHA's artifact store and assemble it later
+      # to create a multiplatform image. This way, we won't be polluting the GHCR image tags
+      # with a bunch of images that are only being used for CI purposes.
+      #
+      # For posterity: If at any chance you need the individual architecture-specific images,
+      # you can set `push: true` and `tags: ghcr.io/getsentry/vroom:${{ github.sha }}-${{ matrix.platform }}` in the above step.
+      - name: Upload Image
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: vroom-${{ matrix.platform }}
+          path: /tmp/vroom-${{ matrix.platform }}.tar
+
+  assemble-image:
+    runs-on: ubuntu-latest
+    needs:
+      - build-image
+    if: ${{ github.event_name != 'pull_request' }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - run: docker login --username '${{ github.actor }}' --password-stdin ghcr.io <<< "$GHCR_TOKEN"
+        env:
+          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Download amd64 Image
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.2
+        with:
+          name: vroom-amd64
+          path: /tmp
+
+      - name: Load amd64 Image
+        run: docker load --input /tmp/vroom-amd64.tar
+
+      - name: Download arm64 Image
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.2
+        with:
+          name: vroom-arm64
+          path: /tmp
+
+      - name: Load arm64 Image
+        run: docker load --input /tmp/vroom-arm64.tar
+
+      - name: Push to GitHub Container Registry
+        run: |
+          docker tag vroom:amd64 ghcr.io/getsentry/vroom:${{ github.sha }}-amd64
+          docker push ghcr.io/getsentry/vroom:${{ github.sha }}-amd64
+          docker tag vroom:arm64 ghcr.io/getsentry/vroom:${{ github.sha }}-arm64
+          docker push ghcr.io/getsentry/vroom:${{ github.sha }}-arm64
+          docker manifest create \
+            ghcr.io/getsentry/vroom:${{ github.sha }} \
+            ghcr.io/getsentry/vroom:nightly \
+            --amend ghcr.io/getsentry/vroom:${{ github.sha }}-amd64 \
+            --amend ghcr.io/getsentry/vroom:${{ github.sha }}-arm64
+          docker manifest push ghcr.io/getsentry/vroom:${{ github.sha }}
+
   publish-to-dockerhub:
     name: Publish Vroom to DockerHub
     runs-on: ubuntu-latest
     if: ${{ (github.ref_name == 'main') }}
+    needs:
+      - assemble-image
     steps:
       - uses: actions/checkout@v4
-      - timeout-minutes: 20
-        run: until docker pull "us-central1-docker.pkg.dev/sentryio/vroom/vroom:${{ github.sha }}" 2>/dev/null; do sleep 10; done
       - name: Push built docker image
         shell: bash
         run: |
-          IMAGE_URL="us-central1-docker.pkg.dev/sentryio/vroom/vroom:${{ github.sha }}"
+          IMAGE_URL="ghcr.io/getsentry/vroom:${{ github.sha }}"
+          docker pull "$IMAGE_URL"
           docker login --username=sentrybuilder --password ${{ secrets.DOCKER_HUB_RW_TOKEN }}
           # We push 3 tags to Dockerhub:
           # first, the full sha of the commit
diff --git a/.github/workflows/release-ghcr-version-tag.yaml b/.github/workflows/release-ghcr-version-tag.yaml
@@ -0,0 +1,22 @@
+name: Release GHCR Versioned Image
+
+on:
+  release:
+    types: [prereleased, released]
+
+jobs:
+  release-ghcr-version-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Tag release version
+        run: |
+          docker buildx imagetools create --tag \
+           ghcr.io/getsentry/vroom:${{ github.ref_name }} \
+           ghcr.io/getsentry/vroom:${{ github.sha }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -134,6 +134,7 @@
 - Bump x/net package to fix security issue (high severity) ([#555](https://github.com/getsentry/vroom/pull/555))
 - Enforce shorter timeout for chunks download in flamegraph generation ([#557](https://github.com/getsentry/vroom/pull/557))
 - Bump actions/create-github-app-token from 1.11.2 to 1.11.3 ([#559](https://github.com/getsentry/vroom/pull/559))
+- Publish vroom to GHCR and provide a tagged release on GHCR. ([#576](https://github.com/getsentry/vroom/pull/576))
 - Buffer flamegraph candidates to reduce memory usage. ([#583](https://github.com/getsentry/vroom/pull/583))
 - Reduce read jobs buffer to reduce memory usage. ([#584](https://github.com/getsentry/vroom/pull/584))
 
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ FROM golang:$GOVERSION AS builder
 WORKDIR /src
 COPY . .
 
-RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o . -ldflags="-s -w -X main.release=$(git rev-parse HEAD)" ./cmd/vroom
+RUN CGO_ENABLED=0 go build -o . -ldflags="-s -w -X main.release=$(git rev-parse HEAD)" ./cmd/vroom
 
 FROM debian:bookworm-slim
 
