Skip to content

ci(docker): add multi-arch builds, provenance, and SBOM#133

Merged
steilerDev merged 1 commit into
betafrom
ci/multi-arch-docker
Feb 19, 2026
Merged

ci(docker): add multi-arch builds, provenance, and SBOM#133
steilerDev merged 1 commit into
betafrom
ci/multi-arch-docker

Conversation

@steilerDev
Copy link
Copy Markdown
Owner

@steilerDev steilerDev commented Feb 19, 2026

Summary

  • Build Docker images for linux/amd64 + linux/arm64 via QEMU emulation, so ARM users (Apple Silicon, Raspberry Pi, ARM cloud) can run the published image natively
  • Attach SLSA provenance (mode=max) and SBOM attestations to every published image for supply chain transparency
  • Add GitHub Actions build cache (type=gha) to speed up repeated builds (arm64 under QEMU is slow without caching)
  • Add id-token: write permission to enable signed Sigstore provenance

Changes

Only .github/workflows/release.yml (Docker job) is modified:

  1. Added id-token: write permission
  2. Added QEMU setup step before Buildx
  3. Added platforms, provenance, sbom, cache-from, cache-to to build-push-action

CI workflow (ci.yml) is unchanged — it stays amd64-only for speed.

Risk: DHI base image arm64 support

The dhi.io/node:24-alpine3.23 base images must publish arm64 manifests. If they don't, the arm64 build leg will fail. The first CI run will confirm — fallback is switching to official node:24-alpine images.

Verification

After the first release:

docker manifest inspect steilerdev/cornerstone:<version>
docker buildx imagetools inspect steilerdev/cornerstone:<version> --format '{{ json .Provenance }}'
docker buildx imagetools inspect steilerdev/cornerstone:<version> --format '{{ json .SBOM }}'

Test plan

  • CI quality gates pass (no code changes, only workflow YAML)
  • First beta release after merge produces a multi-arch manifest with amd64 + arm64 entries
  • Provenance and SBOM attestations are attached to the published image
  • arm64 image runs correctly on Apple Silicon (docker run --rm steilerdev/cornerstone:<version>)

🤖 Generated with Claude Code

@claude
ci(docker): add multi-arch builds, provenance attestations, and SBOM
777432c 
Enable linux/arm64 builds alongside linux/amd64 via QEMU emulation so
users on Apple Silicon, Raspberry Pi, and ARM cloud instances can run
the published image natively.

Attach SLSA provenance (mode=max) and SBOM attestations to every
published image for supply chain transparency. Add GHA build cache
to mitigate the slower arm64 emulation builds.

Co-Authored-By: Claude orchestrator (Opus 4.6) <noreply@anthropic.com>
@steilerDev steilerDev merged commit f4524be into beta Feb 19, 2026
4 checks passed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Feb 19, 2026

🎉 This PR is included in version 1.8.0-beta.24 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@steilerDev steilerDev deleted the ci/multi-arch-docker branch February 19, 2026 20:39
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Feb 19, 2026

🎉 This PR is included in version 1.8.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@steilerDev steilerDev mentioned this pull request Feb 23, 2026
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@steilerDev @claude