Enhance Makefile and CI workflows to support multiple architectures

.gitattributes

@@ -1,10 +1 @@
-*.sh text eol=lf
-Makefile text eol=lf
-*.py text eol=lf
-*.json text eol=lf
-*.sha256 text eol=lf
-*.yml text eol=lf
-*.yaml text eol=lf
-tools/bin/* text eol=lf
-.github/workflows/*.yml text eol=lf
-.github/workflows/*.yaml text eol=lf
+text=auto eol=lf

.github/workflows/check-updates.yml

@@ -0,0 +1,88 @@
+name: check-runtime-updates
+
+on:
+  schedule:
+    - cron: "0 8 * * 1"  # Every Monday at 08:00 UTC
+  workflow_dispatch:
+    inputs:
+      runtime:
+        description: "Runtime ID to check (blank for all)"
+        required: false
+        default: ""
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  check-and-bump:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+
+      - name: Check for upstream updates
+        id: check
+        run: |
+          args=(check --json)
+          if [[ -n "${{ github.event.inputs.runtime }}" ]]; then
+            args+=(--runtime "${{ github.event.inputs.runtime }}")
+          fi
+          output=$(python3 tools/runtime_lib/bump_version.py "${args[@]}")
+          echo "$output"
+
+          # Extract the JSON object (last line of output)
+          json_line=$(echo "$output" | grep -E '^\{' | tail -1)
+          if [[ -z "$json_line" || "$json_line" == "{}" ]]; then
+            echo "outdated=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "outdated=true" >> "$GITHUB_OUTPUT"
+            echo "updates=$json_line" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Bump outdated runtimes
+        if: steps.check.outputs.outdated == 'true'
+        run: |
+          args=(bump-latest)
+          if [[ -n "${{ github.event.inputs.runtime }}" ]]; then
+            args+=(--runtime "${{ github.event.inputs.runtime }}")
+          fi
+          python3 tools/runtime_lib/bump_version.py "${args[@]}"
+
+      - name: Build PR description
+        if: steps.check.outputs.outdated == 'true'
+        id: pr-body
+        run: |
+          body="## Runtime Version Bumps"$'\n\n'
+          body+="The following runtimes were updated to their latest upstream versions:"$'\n\n'
+
+          echo '${{ steps.check.outputs.updates }}' | python3 -c "
+          import json, sys
+          updates = json.load(sys.stdin)
+          for rid, info in sorted(updates.items()):
+              print(f'- **{rid}**: {info[\"current\"]} → {info[\"latest\"]}')
+          " >> "$RUNNER_TEMP/pr_updates.txt"
+          body+=$(cat "$RUNNER_TEMP/pr_updates.txt")
+
+          body+=$'\n\n'"Checksums were fetched from the official upstream release channels."
+          body+=$'\n\n'"## Test Plan"
+          body+=$'\n'"- [ ] CI validates manifests and checksums"
+          body+=$'\n'"- [ ] CI builds all updated runtime packages"
+          body+=$'\n'"- [ ] CI audits updated packages with Trivy"
+
+          # Write to file to preserve newlines
+          echo "$body" > "$RUNNER_TEMP/pr_body.txt"
+
+      - name: Create pull request
+        if: steps.check.outputs.outdated == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore: bump runtime distribution versions"
+          branch: automated/bump-runtime-versions
+          delete-branch: true
+          title: "chore: bump runtime distribution versions"
+          body-path: ${{ runner.temp }}/pr_body.txt
+          labels: dependencies,automated

.github/workflows/ci.yml

@@ -26,7 +26,7 @@ jobs:
   runtime-checks:
     if: ${{ !(github.event_name == 'pull_request' && github.actor == 'dependabot[bot]') }}
     needs: prepare-matrix
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }}
@@ -51,7 +51,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: ${{ env.DOWNLOAD_CACHE_DIR }}
-          key: downloads-${{ runner.os }}-${{ matrix.runtime }}-${{ hashFiles(format('runtimes/{0}/runtime.json', matrix.runtime), format('runtimes/{0}/checksums/**', matrix.runtime)) }}
+          key: downloads-${{ runner.os }}-${{ matrix.runtime }}-${{ matrix.arch }}-${{ hashFiles(format('runtimes/{0}/runtime.json', matrix.runtime), format('runtimes/{0}/checksums/**', matrix.runtime)) }}
       - name: Cache Trivy database
         uses: actions/cache@v5
         with:
@@ -67,17 +67,19 @@ jobs:
         run: |
           bash -n tools/bin/*.sh
       - name: Validate Python sources
-        run: bash tools/bin/check-runtime "${{ matrix.runtime }}"
+        run: bash tools/bin/check-runtime "${{ matrix.runtime }}" "${{ matrix.arch }}"
       - name: Build runtime package
-        run: make build RUNTIME=${{ matrix.runtime }}
+        run: make build RUNTIME=${{ matrix.runtime }} ARCH=${{ matrix.arch }}
       - name: Audit runtime package
-        run: bash tools/bin/audit-runtime "${{ matrix.runtime }}"
+        run: bash tools/bin/audit-runtime "${{ matrix.runtime }}" "${{ matrix.arch }}"
       - name: Build local SAM example
-        run: make local-build RUNTIME=${{ matrix.runtime }}
+        if: matrix.arch == 'x86_64'
+        run: make local-build RUNTIME=${{ matrix.runtime }} ARCH=${{ matrix.arch }}
       - name: Invoke local SAM example
-        run: make local-invoke RUNTIME=${{ matrix.runtime }}
+        if: matrix.arch == 'x86_64'
+        run: make local-invoke RUNTIME=${{ matrix.runtime }} ARCH=${{ matrix.arch }}
       - name: Upload runtime artifact
         uses: actions/upload-artifact@v7
         with:
-          name: ${{ matrix.runtime }}-artifact
-          path: ${{ runner.temp }}/lambda-runtime-monorepo/${{ matrix.runtime }}/artifacts/*.zip
+          name: ${{ matrix.runtime }}-${{ matrix.arch }}-artifact
+          path: ${{ runner.temp }}/lambda-runtime-monorepo/${{ matrix.runtime }}/${{ matrix.arch }}/artifacts/*.zip

.github/workflows/release-runtime.yml

@@ -7,6 +7,10 @@ on:
         description: "Runtime id to publish, or 'all'"
         required: true
         default: "all"
+      arch:
+        description: "Architecture to publish: x86_64, arm64, or 'all'"
+        required: true
+        default: "all"
       publicize:
         description: "Grant public layer permissions after publish"
         required: true
@@ -30,6 +34,7 @@ jobs:
       - id: matrix
         env:
           INPUT_RUNTIME: ${{ github.event.inputs.runtime }}
+          INPUT_ARCH: ${{ github.event.inputs.arch }}
         run: |
           python3 - <<'PY'
           import json
@@ -53,14 +58,37 @@ jobs:
                   raise SystemExit(f"Unknown runtime '{selected}'. Available: {', '.join(runtimes)}")
               runtimes = [selected]
 
-          matrix = json.dumps({"include": [{"runtime": runtime} for runtime in runtimes]})
+          all_archs = ["x86_64", "arm64"]
+          selected_arch = os.environ.get("INPUT_ARCH", "all").strip()
+          if selected_arch and selected_arch != "all":
+              if selected_arch not in all_archs:
+                  raise SystemExit(f"Unknown arch '{selected_arch}'. Available: {', '.join(all_archs)}")
+              archs = [selected_arch]
+          else:
+              archs = all_archs
+
+          arch_runners = {
+              "x86_64": "ubuntu-latest",
+              "arm64": "ubuntu-24.04-arm",
+          }
+          matrix = json.dumps({
+              "include": [
+                  {
+                      "runtime": runtime,
+                      "arch": arch,
+                      "runner": arch_runners.get(arch, "ubuntu-latest"),
+                  }
+                  for runtime in runtimes
+                  for arch in archs
+              ]
+          })
           output_path = Path(os.environ["GITHUB_OUTPUT"])
           output_path.write_text(f"matrix={matrix}\n", encoding="utf-8")
           PY
 
   publish:
     needs: prepare-matrix
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }}
@@ -82,7 +110,7 @@ jobs:
         uses: actions/cache@v5
         with:
           path: ${{ env.DOWNLOAD_CACHE_DIR }}
-          key: downloads-${{ runner.os }}-${{ matrix.runtime }}-${{ hashFiles(format('runtimes/{0}/runtime.json', matrix.runtime), format('runtimes/{0}/checksums/**', matrix.runtime)) }}
+          key: downloads-${{ runner.os }}-${{ matrix.runtime }}-${{ matrix.arch }}-${{ hashFiles(format('runtimes/{0}/runtime.json', matrix.runtime), format('runtimes/{0}/checksums/**', matrix.runtime)) }}
       - name: Cache Trivy database
         uses: actions/cache@v5
         with:
@@ -96,21 +124,21 @@ jobs:
           role-to-assume: ${{ secrets.AWS_RELEASE_ROLE_ARN }}
           aws-region: us-east-1
       - name: Build runtime package
-        run: make build RUNTIME=${{ matrix.runtime }}
+        run: make build RUNTIME=${{ matrix.runtime }} ARCH=${{ matrix.arch }}
       - name: Audit runtime package
-        run: bash tools/bin/audit-runtime "${{ matrix.runtime }}"
+        run: bash tools/bin/audit-runtime "${{ matrix.runtime }}" "${{ matrix.arch }}"
       - name: Upload runtime artifact to S3
-        run: make upload RUNTIME=${{ matrix.runtime }}
+        run: make upload RUNTIME=${{ matrix.runtime }} ARCH=${{ matrix.arch }}
       - name: Publish Lambda layer
         if: ${{ github.event.inputs.publicize != 'true' }}
-        run: make publish RUNTIME=${{ matrix.runtime }}
+        run: make publish RUNTIME=${{ matrix.runtime }} ARCH=${{ matrix.arch }}
       - name: Publish and publicize Lambda layer
         if: ${{ github.event.inputs.publicize == 'true' }}
-        run: make publicize RUNTIME=${{ matrix.runtime }}
+        run: make publicize RUNTIME=${{ matrix.runtime }} ARCH=${{ matrix.arch }}
       - name: Summarize latest layer arns
         run: |
           {
-            echo "### ${{ matrix.runtime }}"
-            bash tools/bin/latest-runtime "${{ matrix.runtime }}"
+            echo "### ${{ matrix.runtime }} (${{ matrix.arch }})"
+            bash tools/bin/latest-runtime "${{ matrix.runtime }}" "${{ matrix.arch }}"
             echo
           } >> "$GITHUB_STEP_SUMMARY"

Makefile

@@ -1,13 +1,15 @@
 SHELL=/bin/bash
 
 RUNTIME ?= pypy311
+ARCH ?= x86_64
+ARCHES := x86_64 arm64
 RUNTIMES := $(shell python3 tools/runtime_lib/runtime_manifest.py list)
 LOCAL_AWS_ENV := env -u AWS_PROFILE -u AWS_DEFAULT_PROFILE AWS_ACCESS_KEY_ID=test AWS_SECRET_ACCESS_KEY=test AWS_SESSION_TOKEN=test AWS_REGION=us-east-1
 DEV_BUILD_ENV := BUILD_BEST_EFFORT_AUDIT=0
 
 all: validate-runtimes build
 
-.PHONY: all list-runtimes validate-runtimes check build build-all audit audit-all upload upload-all publish publish-all publicize publicize-all latest latest-all unpublish create-buckets local-build local-invoke clean shell
+.PHONY: all list-runtimes validate-runtimes check build build-all build-all-arches audit audit-all upload upload-all publish publish-all publicize publicize-all latest latest-all unpublish create-buckets local-build local-invoke clean shell check-updates bump bump-latest
 
 list-runtimes:
 	python3 tools/runtime_lib/runtime_manifest.py list
@@ -16,67 +18,83 @@ validate-runtimes:
 	bash tools/bin/validate-runtimes
 
 check:
-	bash tools/bin/check-runtime "$(RUNTIME)"
+	bash tools/bin/check-runtime "$(RUNTIME)" "$(ARCH)"
 
 build: validate-runtimes
-	$(DEV_BUILD_ENV) bash tools/bin/build-runtime "$(RUNTIME)"
+	$(DEV_BUILD_ENV) bash tools/bin/build-runtime "$(RUNTIME)" "$(ARCH)"
 
 build-all: validate-runtimes
 	@for runtime in $(RUNTIMES); do \
-		$(DEV_BUILD_ENV) bash tools/bin/build-runtime "$$runtime"; \
+		$(DEV_BUILD_ENV) bash tools/bin/build-runtime "$$runtime" "$(ARCH)"; \
+	done
+
+build-all-arches: validate-runtimes
+	@for runtime in $(RUNTIMES); do \
+		for arch in $(ARCHES); do \
+			$(DEV_BUILD_ENV) bash tools/bin/build-runtime "$$runtime" "$$arch"; \
+		done; \
 	done
 
 audit:
-	bash tools/bin/audit-runtime "$(RUNTIME)"
+	bash tools/bin/audit-runtime "$(RUNTIME)" "$(ARCH)"
 
 audit-all:
 	@for runtime in $(RUNTIMES); do \
-		bash tools/bin/audit-runtime "$$runtime"; \
+		bash tools/bin/audit-runtime "$$runtime" "$(ARCH)"; \
 	done
 
 upload:
-	bash tools/bin/upload-runtime "$(RUNTIME)"
+	bash tools/bin/upload-runtime "$(RUNTIME)" "$(ARCH)"
 
 upload-all:
 	@for runtime in $(RUNTIMES); do \
-		bash tools/bin/upload-runtime "$$runtime"; \
+		bash tools/bin/upload-runtime "$$runtime" "$(ARCH)"; \
 	done
 
 publish:
-	bash tools/bin/publish-runtime "$(RUNTIME)"
+	bash tools/bin/publish-runtime "$(RUNTIME)" "$(ARCH)"
 
 publish-all:
 	@for runtime in $(RUNTIMES); do \
-		bash tools/bin/publish-runtime "$$runtime"; \
+		bash tools/bin/publish-runtime "$$runtime" "$(ARCH)"; \
 	done
 
 publicize:
-	bash tools/bin/publish-runtime --publicize "$(RUNTIME)"
+	bash tools/bin/publish-runtime --publicize "$(RUNTIME)" "$(ARCH)"
 
 publicize-all:
 	@for runtime in $(RUNTIMES); do \
-		bash tools/bin/publish-runtime --publicize "$$runtime"; \
+		bash tools/bin/publish-runtime --publicize "$$runtime" "$(ARCH)"; \
 	done
 
 latest:
-	bash tools/bin/latest-runtime "$(RUNTIME)"
+	bash tools/bin/latest-runtime "$(RUNTIME)" "$(ARCH)"
 
 latest-all:
 	@for runtime in $(RUNTIMES); do \
-		bash tools/bin/latest-runtime "$$runtime"; \
+		bash tools/bin/latest-runtime "$$runtime" "$(ARCH)"; \
 	done
 
 unpublish:
-	bash tools/bin/unpublish-runtime "$(VERSION)" "$(RUNTIME)"
+	bash tools/bin/unpublish-runtime "$(VERSION)" "$(RUNTIME)" "$(ARCH)"
 
 create-buckets:
-	bash tools/bin/create-buckets "$(RUNTIME)"
+	bash tools/bin/create-buckets "$(RUNTIME)" "$(ARCH)"
 
 local-build:
-	$(DEV_BUILD_ENV) bash tools/bin/local-build-runtime "$(RUNTIME)"
+	$(DEV_BUILD_ENV) bash tools/bin/local-build-runtime "$(RUNTIME)" "$(ARCH)"
 
 local-invoke:
-	$(LOCAL_AWS_ENV) $(DEV_BUILD_ENV) bash tools/bin/local-invoke-runtime "$(RUNTIME)"
+	$(LOCAL_AWS_ENV) $(DEV_BUILD_ENV) bash tools/bin/local-invoke-runtime "$(RUNTIME)" "$(ARCH)"
+
+check-updates:
+	bash tools/bin/bump-runtime check
+
+bump:
+	bash tools/bin/bump-runtime bump "$(RUNTIME)" "$(VERSION)"
+
+bump-latest:
+	bash tools/bin/bump-runtime bump-latest
 
 clean:
 	bash tools/bin/clean-runtime "$(RUNTIME)"

runtimes/bun13/bootstrap/bootstrap

@@ -0,0 +1,3 @@
+#!/bin/sh
+set -euo pipefail
+exec /opt/bun/bun /var/task/"${_HANDLER}"

runtimes/bun13/checksums/bun.sha256

@@ -0,0 +1,2 @@
+f57bc0187e39623de716ba3a389fda5486b2d7be7131a980ba54dc7b733d2e08  bun-linux-x64.zip
+fa5ecb25cafa8e8f5c87a0f833719d46dd0af0a86c7837d806531212d55636d3  bun-linux-aarch64.zip

runtimes/bun13/examples/sam/Makefile

@@ -0,0 +1,22 @@
+RUNTIME := bun13
+
+package:
+	sam package \
+		--template-file template.yml \
+		--output-template-file packaged.yml \
+		--s3-bucket bun-examples-us-east-1 \
+		--region us-east-1
+
+deploy: package
+	aws cloudformation deploy \
+		--template-file packaged.yml \
+		--stack-name bun-example-sam \
+		--capabilities CAPABILITY_IAM \
+		--parameter-overrides BunLayerArn=$$BUN_LAYER_ARN \
+		--region us-east-1
+
+local-build:
+	$(MAKE) -C ../../../.. local-build RUNTIME=$(RUNTIME)
+
+local-invoke:
+	$(MAKE) -C ../../../.. local-invoke RUNTIME=$(RUNTIME)

runtimes/bun13/examples/sam/events/hello.json

@@ -0,0 +1,3 @@
+{
+  "message": "hello from local sam"
+}

runtimes/bun13/examples/sam/hello/Makefile

@@ -0,0 +1,3 @@
+build-HelloFunction:
+	mkdir -p "$(ARTIFACTS_DIR)"
+	cp -r . "$(ARTIFACTS_DIR)"