Build arm64 docker images with attestation

[j9ac9k]

Update the CI so that the docker images use provenance attestations for the github container repository. In addition, have the CI generate arm64 images of proj; make both images available through a manifest.

Happy to explain any of the changes.

[kbevers]

Happy to explain any of the changes.

Please. Start with the why.

[j9ac9k]

Happy to explain any of the changes.

Please. Start with the why.

Because @hobu asked me to to start with :)

Having native arm64 is beneficial for a variety of reasons, and using manifests the "correct" platform image will be fetched when doing a docker pull osgeo/proj:latest.

Regarding the attestation, that's a feature that github container registry offers that allows for auditing of the docker images, but it's mostly implemented here because it uses minimal extra complexity in the CI script to get that feature (which maybe some agencies may require in the future if they don't already).

[rouault]

At first sight, this looks reasonable to me. But I see in your fork that there are some issues: https://github.com/j9ac9k/PROJ/actions/runs/17530060616/job/49785809104 . Ideally you would also slighly modify it to test the push parts in your fork

[j9ac9k]

At first sight, this looks reasonable to me. But I see in your fork that there are some issues: https://github.com/j9ac9k/PROJ/actions/runs/17530060616/job/49785809104 . Ideally you would also slighly modify it to test the push parts in your fork

My bad on that; looks like I'm missing some brackets. I'll sort it out as much as I can on my fork, and then update this branch so I don't waste your CI cycles unnecessarily.

[hobu]

Regarding the attestation stuff: PROJ and GDAL are low level core libraries that often have complex system built upon them. Attestations allow the project to authenticate the artifacts we're putting out there and let our users verify they are indeed coming from the project. While nothing significant requires attestation and certificate infrastructure at this time, it is likely that governments and larger institutions may start requiring artifact lineage information before software can be installed.

The GitHub attestation APIs and GitHub Actions make this easy enough to add. BTW, we should also add add attestation to our release tarballs in addition to the Docker images.

[kbevers]

BTW, we should also add add attestation to our release tarballs in addition to the Docker images.

I'll leave that for you to take care of :-)

[github-actions]

The PROJ project highly values your contribution and would love to see this work merged! Unfortunately this PR has not had any activity in the last two months and is being automatically marked as "stale". If you think this pull request should be merged, please check

• that all unit tests are passing

• that all comments by reviewers have been addressed

• that there is enough information for reviewers, in particular

  • link to any issues which this pull request fixes

  • add a description of workflows which this pull request fixes

  • add terminal output examples if applicable

• that you have written unit tests where possible
  In case you should have any uncertainty, please leave a comment and we will be happy to help you proceed with this pull request.
  If there is no further activity on this pull request, it will be closed in a week.