build(goreleaser): publish multi-arch (arm64) osv-scanner-action image #2888

Open
skialpine wants to merge 1 commit into google:main from skialpine:feat/arm64-action-image

@skialpine

Problem

ghcr.io/google/osv-scanner-action is published amd64-only. On linux/arm64 GitHub-hosted runners — now GA for public and private repositories — the google/osv-scanner-action action fails to start:

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
exec /bin/bash: exec format error

This forces users onto x86 runners or a hand-rolled binary install just to run the dependency scan.

Fix

Mirror the multi-arch setup already used for the osv-scanner scanner image, applied to the osv-scanner-action image:

  • build the osv-scanner-action and osv-reporter binaries for linux/arm64 in addition to linux/amd64;
  • build an arm64 osv-scanner-action image (the existing amd64 image is suffixed -amd64, matching the scanner image convention);
  • combine the two arches under :{{ .Tag }} and :v{{ .Major }} via docker_manifests, so the public tags become multi-arch manifests.

No Dockerfile change is needed — goreleaser-action.dockerfile copies the goreleaser-provided per-arch binary, and the base golang/alpine images are already multi-arch.

Net diff: +32 / -3 in .goreleaser.yml.

Testing

goreleaser check passes on the modified config. I don't have access to the tagged-release pipeline that publishes to GHCR, so the real multi-arch manifest is produced by your release job — happy to adjust if a maintainer wants to dry-run goreleaser release --snapshot against it first.

The `ghcr.io/google/osv-scanner-action` image is published amd64-only, so
the `google/osv-scanner-action` action fails on linux/arm64 GitHub-hosted
runners (now GA for public + private repos) with "exec format error".

Mirror the multi-arch setup already used for the `osv-scanner` scanner
image:
- build the `osv-scanner-action` and `osv-reporter` binaries for
  linux/arm64 in addition to linux/amd64,
- build an arm64 `osv-scanner-action` image (suffix the existing amd64
  image with `-amd64`),
- combine them under `:{{ .Tag }}` / `:v{{ .Major }}` docker_manifests.

No Dockerfile change needed — goreleaser-action.dockerfile copies the
goreleaser-provided per-arch binary. `goreleaser check` passes.
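
A post-release check for the outcome described above, as an added example (not code from this PR or from the osv-scanner project): it parses the raw manifest a tag resolves to and reports which required platforms are absent. The function names are hypothetical and both sample manifests are constructed.

```python
import json
import sys

# Media types of a multi-platform index (Docker manifest list, OCI image index).
INDEX_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}

def platforms(manifest_json):
    """Return the runnable os/arch pairs listed by the manifest a tag resolves to."""
    doc = json.loads(manifest_json)
    if doc.get("mediaType") not in INDEX_TYPES and "manifests" not in doc:
        # Single-image manifest: the platform lives in the config blob, not here.
        return set()
    found = set()
    for item in doc.get("manifests", []):
        plat = item.get("platform") or {}
        os_name, arch = plat.get("os"), plat.get("architecture")
        # buildx attestation entries are listed as unknown/unknown; skip them.
        if not os_name or not arch or "unknown" in (os_name, arch):
            continue
        found.add(f"{os_name}/{arch}")
    return found

def missing_platforms(manifest_json, required=("linux/amd64", "linux/arm64")):
    """Sorted list of required platforms the tag does not provide."""
    return sorted(set(required) - platforms(manifest_json))

def entry(os_name, arch, fill):
    # One constructed index entry; the digest is a placeholder, not a real image.
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + fill * 64, "size": 1024,
            "platform": {"os": os_name, "architecture": arch}}

# Constructed samples: a multi-arch index and a single-image manifest.
MULTI_ARCH = json.dumps({"schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [entry("linux", "amd64", "a"), entry("linux", "arm64", "b"),
                  entry("unknown", "unknown", "c")]})
SINGLE_IMAGE = json.dumps({"schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": "sha256:" + "d" * 64}, "layers": []})

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    gaps = missing_platforms(raw.strip() or MULTI_ARCH)  # no input: use the sample
    print("missing:", ", ".join(gaps) or "none")
    sys.exit(1 if gaps else 0)
```

To check a published tag, pipe the output of `docker buildx imagetools inspect --raw <image>:<tag>` into the script; a non-zero exit means at least one required platform is not in the manifest.
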
@google-cla

google-cla Bot commented Jun 15, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.
