feat: Add native container build step for proxy (#124)

.github/workflows/build-containers.yml

@@ -106,6 +106,7 @@ jobs:
             org.opencontainers.image.created=${{ steps.date.outputs.date }}
           tags: quay.io/reshapr/reshapr-ui:${{env.IMAGE_TAG}},docker.io/reshapr/reshapr-ui:${{env.IMAGE_TAG}}
 
+
       - name: Sign the control plane image with GitHub OIDC Token
         env:
           DIGEST: ${{ steps.build-and-push-ctrl.outputs.digest }}
@@ -127,7 +128,6 @@ jobs:
             images+="${tag}@${DIGEST} "
           done
           cosign sign --new-bundle-format=false --use-signing-config=false --yes ${images}
-
       - name: Sign the web-ui image with GitHub OIDC Token
         env:
           DIGEST: ${{ steps.build-and-push-ui.outputs.digest }}
@@ -137,4 +137,4 @@ jobs:
           for tag in ${TAGS}; do
             images+="${tag}@${DIGEST} "
           done
-          cosign sign --new-bundle-format=false --use-signing-config=false --yes ${images}
+          cosign sign --new-bundle-format=false --use-signing-config=false --yes ${images}

.github/workflows/build-native-containers.yml

@@ -0,0 +1,120 @@
+name: build-native-container-images
+on:
+  workflow_call:
+    inputs:
+      image-tag:
+        description: 'The tag to use for the images'
+        required: true
+        type: string
+
+jobs:
+  build-native-containers:
+    if: github.repository_owner == 'reshaprio' && inputs.image-tag != ''
+    environment: Build
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, ubuntu-24.04-arm ]
+        arch: [ amd64, arm64 ]
+        exclude:
+          - os: ubuntu-latest
+            arch: arm64
+          - os: ubuntu-24.04-arm
+            arch: amd64
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
+    steps:
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+      - name: Checkout Code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up JDK 25
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        with:
+          java-version: '25'
+          distribution: 'temurin'
+          architecture: x64
+          cache: maven
+
+      - name: Build Java components
+        run: mvn -B -DskipTests clean install
+
+      - name: Set IMAGE_TAG environment from input
+        run: |
+          set -x
+          echo "IMAGE_TAG=${{ inputs.image-tag }}" >> "$GITHUB_ENV"
+
+      - name: Login to Quay.io and Docker Hub registries
+        run: |
+          echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
+          echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin docker.io
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Build proxy native executable
+        run: mvn -B -DskipTests package -Pnative -Dquarkus.native.container-build=true -pl proxy
+
+      - name: Build and push container image for native proxy
+        id: build-and-push-proxy-native
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: ${{github.workspace}}/proxy
+          sbom: true
+          push: true
+          provenance: mode=max
+          platforms: linux/${{ matrix.arch }}
+          file: proxy/src/main/docker/Dockerfile.native-micro
+          labels: |
+            org.opencontainers.image.revision=${GITHUB_SHA}
+            org.opencontainers.image.created=${{ steps.date.outputs.date }}
+          tags: quay.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}}-${{ matrix.arch }},docker.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}}-${{ matrix.arch }}
+
+  manifest-creation:
+    needs: build-native-containers
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+    steps:
+      - name: Set IMAGE_TAG environment from input
+        run: |
+          set -x
+          echo "IMAGE_TAG=${{ inputs.image-tag }}" >> "$GITHUB_ENV"
+
+      - name: Login to Quay.io and Docker Hub registries
+        run: |
+          echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
+          echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin docker.io
+
+      - name: Create docker manifests
+        run: |
+          docker manifest create quay.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }} \
+            -a quay.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}-amd64 \
+            -a quay.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}-arm64
+          docker manifest push quay.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}
+
+          docker manifest create docker.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }} \
+            -a docker.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}-amd64 \
+            -a docker.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}-arm64
+          docker manifest push docker.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+
+      - name: Sign the native proxy images with GitHub OIDC Token
+        env:
+          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_YES: "true"
+          TAGS: quay.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}} docker.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}}
+        run: |
+          for tag in ${TAGS}; do
+            cosign sign --new-bundle-format=false --use-signing-config=false --yes ${tag}
+          done

.github/workflows/build-verify.yml

@@ -74,3 +74,16 @@ jobs:
       image-tag: ${{ needs.build-install.outputs.image-tag }}
     secrets: inherit
 
+  native-container-images-build:
+    needs:
+      - build-install
+    if: github.repository_owner == 'reshaprio' && needs.build-install.outputs.package-image == 'true' && github.event_name != 'pull_request'
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+    uses: ./.github/workflows/build-native-containers.yml
+    with:
+      image-tag: ${{ needs.build-install.outputs.image-tag }}
+    secrets: inherit
+