build: switch to buildah

.github/workflows/docker-publish.yml

@@ -16,36 +16,79 @@ on:
         value: https://ghcr.io/${{ github.repository }}
 
 env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-  BINARY_NAME: ${{ github.event.repository.name }}
+  IMAGE_REGISTRY: ghcr.io
+  IMAGE_NAMESPACE: ${{ github.repository_owner }}
+  IMAGE_NAME: ${{ github.event.repository.name }}
+
 
   # renovate: datasource=github-releases depName=docker/buildx
   BUILDX_VERSION: v0.16.2
 
 jobs:
-  build:
+  env:
+    # release-please によるコミットの時は workflow_call でのみ実行する
     if: ${{ !( github.workflow == 'build' && startsWith(github.event.head_commit.message, 'release:') && github.event.head_commit.author.name == 'github-actions[bot]' ) }}
+    runs-on: ubuntu-latest
+    outputs:
+      BINARY_NAME: ${{ steps.meta.outputs.BINARY_NAME }}
+      IMAGE_NAMESPACE: ${{ steps.lowercase.outputs.IMAGE_NAMESPACE }}
+      PUSH: ${{ github.event_name != 'pull_request' && github.ref_name == github.event.repository.default_branch }}
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - id: meta
+        run: |
+          echo "BINARY_NAME=$(cargo metadata --offline --no-deps --format-version=1 | jq -r '.packages[].name')" >> $GITHUB_OUTPUT
+      - id: lowercase
+        run: |
+          image_namespace='${{ env.IMAGE_NAMESPACE }}'
+          echo "IMAGE_NAMESPACE=${image_namespace@L}" >> $GITHUB_OUTPUT
+  meta:
+    needs: [env]
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.meta.outputs.version}}
+      tags: ${{ steps.meta.outputs.tags }}
+      labels: ${{ steps.meta.outputs.labels }}
+      json: ${{ steps.meta.outputs.json }}
+    steps:
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          images: ${{ needs.env.outputs.REGISTRY_IMAGE }}
+          tags: |
+            type=semver,pattern={{version}},value=${{ inputs.tag-name }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ inputs.tag-name }}
+            type=semver,pattern={{major}},value=${{ inputs.tag-name }}
+            type=edge
+            type=ref,event=branch
+
+  build:
+    needs: [env]
     permissions:
       contents: write
     strategy:
       fail-fast: false
       matrix:
-        target: [aarch64-unknown-linux-gnu, aarch64-unknown-linux-musl]
-        use-cross: [true]
         include:
+          - target: aarch64-unknown-linux-gnu
+            use-cross: true
+          - platform: linux/arm64
+            target: aarch64-unknown-linux-musl
+            use-cross: true
           - target: x86_64-unknown-linux-gnu
             use-cross: false
-          - target: x86_64-unknown-linux-musl
+          - platform: linux/amd64
+            target: x86_64-unknown-linux-musl
             use-cross: false
-          - os: macos-latest
-            target: aarch64-apple-darwin
-          - os: macos-latest
-            target: x86_64-apple-darwin
-          - os: windows-latest
-            target: x86_64-pc-windows-msvc
-          - os: windows-latest
-            target: x86_64-pc-windows-gnu
+        #  - os: macos-latest
+        #    target: aarch64-apple-darwin
+        #  - os: macos-latest
+        #    target: x86_64-apple-darwin
+        #  - os: windows-latest
+        #    target: x86_64-pc-windows-msvc
+        #  - os: windows-latest
+        #    target: x86_64-pc-windows-gnu
     runs-on: ${{ matrix.os || 'ubuntu-latest'}}
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -72,77 +115,96 @@ jobs:
         with:
           tool: cross
       - run: mkdir dist
-      - run: ${{ (!matrix.os && matrix.use-cross) && 'cross' || 'cargo' }} rustc --locked --release --target=${{ matrix.target }} -- --emit=link=dist/binary
+      - run: ${{ (!matrix.os && matrix.use-cross) && 'cross' || 'cargo' }} rustc --locked --release --target=${{ matrix.target }} -- --emit=link=dist/${{ needs.env.outputs.BINARY_NAME }}
       - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: ${{ matrix.target }}
           path: |
-            dist/binary
-            dist/binary.exe
+            dist/${{ needs.env.outputs.BINARY_NAME }}
+            dist/${{ needs.env.outputs.BINARY_NAME }}.exe
+      - id: build_image
+        if: ${{ needs.env.outputs.PUSH && matrix.platform }}
+        name: Build Image
+        uses: redhat-actions/buildah-build@v2
+        with:
+          platforms: ${{ matrix.platform }}
+          base-image: scratch
+          image: ${{ env.IMAGE_NAME }}
+          tags: tmp
+          content: |
+            dist/${{ needs.env.outputs.BINARY_NAME }}
+          entrypoint: ./${{ needs.env.outputs.BINARY_NAME }}
+          oci: true
+      - id: push
+        if: ${{ steps.build_image.conclusion == 'success' }}
+        name: Push To GHCR
+        uses: redhat-actions/push-to-registry@v2
+        with:
+          image: ${{ env.IMAGE_NAME }}
+          tags: ${{ steps.build_image.outputs.tags }}
+          registry: ${{ env.IMAGE_REGISTRY }}/${{ needs.env.outputs.IMAGE_NAMESPACE }}
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - id: export-digest
+        if: ${{ steps.push.conclusion == 'success' }}
+        name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.push.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      - if: ${{ steps.export-digest.conclusion == 'success' }}
+        name: Upload digest
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+        with:
+          name: digests-${{ matrix.target }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
       - name: Upload to release
         if: ${{ inputs.tag-name }}
         working-directory: dist/
         run: |
-          if [ -e binary.exe ]; then
-            filename="${{ env.BINARY_NAME }}-${{ inputs.tag-name }}-${{ matrix.target }}.exe"
-            mv binary.exe "$filename"
+          if [ -e ${{ needs.env.outputs.BINARY_NAME }}.exe ]; then
+            filename="${{ needs.env.outputs.BINARY_NAME }}-${{ inputs.tag-name }}-${{ matrix.target }}.exe"
+            mv ${{ needs.env.outputs.BINARY_NAME }}.exe "$filename"
             gh release upload ${{ inputs.tag-name }} "$filename"#${{ matrix.target }} --clobber
           else
-            filename="${{ env.BINARY_NAME }}-${{ inputs.tag-name }}-${{ matrix.target }}"
-            mv binary "$filename"
+            filename="${{ needs.env.outputs.BINARY_NAME }}-${{ inputs.tag-name }}-${{ matrix.target }}"
+            mv ${{ needs.env.outputs.BINARY_NAME }} "$filename"
             gh release upload ${{ inputs.tag-name }} "$filename"#${{ matrix.target }} --clobber
           fi
-  docker:
-    needs: build
+
+  merge:
     permissions:
       packages: write
-    runs-on: 'ubuntu-latest'
-    outputs:
-      image_tags: ${{ steps.meta.outputs.tags }}
-    env:
-      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      GH_REPO: ${{ github.repository }}
+    needs: [env, meta, build]
+    if: ${{ fromJson(needs.env.outputs.PUSH) }}
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          sparse-checkout: |
-            .github/files/build/Dockerfile
-          sparse-checkout-cone-mode: false
-      - name: Download build artifact
+      - name: Download digests
         uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
-          path: artifact
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
-        with:
-          version: ${{ env.BUILDX_VERSION }}
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
       - name: Log in to the Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ env.IMAGE_REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=semver,pattern={{version}},value=${{ inputs.tag-name }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ inputs.tag-name }}
-            type=semver,pattern={{major}},value=${{ inputs.tag-name }},enable=${{ !(startsWith(github.ref, 'refs/tags/v0.') || startsWith(inputs.tag-name, 'v0.')) }}
-            type=edge
-            type=ref,event=branch
-            type=sha
-      - name: Build and push Docker image
-        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
-        with:
-          context: .
-          file: .github/files/build/Dockerfile
-          platforms: darwin/amd64,darwin/arm64,linux/amd64,linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        env:
+          DOCKER_METADATA_OUTPUT_JSON: ${{ needs.meta.outputs.json }}
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+          $(printf '${{ env.IMAGE_REGISTRY }}/${{ needs.env.outputs.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.IMAGE_REGISTRY }}/${{ needs.env.outputs.IMAGE_NAMESPACE }}/${{ env.IMAGE_NAME }}:${{ needs.meta.outputs.version }}