From a75a6be41146d393988ef8c67bc6c621ccd8eee9 Mon Sep 17 00:00:00 2001
From: Kevalkumar
Date: Wed, 10 Jun 2026 22:34:10 +0530
Subject: [PATCH 1/7] Enhance Docker workflow to support ARM64 multi-arch builds and add Trivy scan for ARM64 images
---
.github/workflows/docker-publish.yml | 37 ++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 234986cd..cc38a795 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -7,6 +7,11 @@ name: Docker on: workflow_dispatch: + inputs: + build_arm64: + description: 'Build and publish ARM64 image (multi-arch manifest)' + type: boolean + default: false push: branches: - 'develop'
@@ -44,12 +49,30 @@ jobs: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + # Set up QEMU for ARM64 cross-compilation on AMD64 runners + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache # https://github.com/docker/setup-buildx-action - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + # ARM64 is included for release branches, version tags, and manual trigger. + # Develop and hotfix branches build AMD64 only to avoid QEMU slowdown. + - name: Determine build platforms + id: platforms + run: | + PLATFORMS="linux/amd64" + if [[ "${{ github.ref }}" == refs/heads/release/* ]] || \ + [[ "${{ github.ref }}" == refs/tags/v* ]] || \ + [[ "${{ inputs.build_arm64 }}" == "true" ]]; then + PLATFORMS="linux/amd64,linux/arm64" + fi + echo "platforms=$PLATFORMS" >> $GITHUB_OUTPUT + echo "include_arm64=$([ "$PLATFORMS" = "linux/amd64,linux/arm64" ] && echo 'true' || echo 'false')" >> $GITHUB_OUTPUT + # Login against a Docker registry except on PR # https://github.com/docker/login-action - name: Log into registry ${{ env.REGISTRY }}
@@ -89,6 +112,7 @@ jobs: provenance: mode=max context: ${{ env.BUILD_CONTEXT }} file: ${{ env.DOCKERFILE_PATH }} + platforms: ${{ steps.platforms.outputs.platforms }} push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }}
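Review bot: The `Determine build platforms` step expands `${{ github.ref }}` and `${{ inputs.build_arm64 }}` directly inside the `run:` script, so the values become part of the shell text before bash parses it; a ref name containing characters the shell treats specially (quotes, `$` and `;` are all legal in git ref names) would change the script rather than merely fail the comparison. Exposure is limited because the job only fires for pushes to the listed branch patterns and creating such a branch needs push rights, but the usual hardening is cheap: pass both values in via `env:` and compare `"$REF"` / `"$BUILD_ARM64"`, and quote `"$GITHUB_OUTPUT"` on the two `echo` lines while there. The `@@ -59,13 +60,16 @@` hunk of PATCH 3/7 extends the same direct interpolation and would take the same change.
```yaml
      - name: Determine build platforms
        id: platforms
        env:
          REF: ${{ github.ref }}
          BUILD_ARM64: ${{ inputs.build_arm64 }}
        run: |
          PLATFORMS="linux/amd64"
          if [[ "$REF" == refs/heads/release/* ]] || \
             [[ "$REF" == refs/tags/v* ]] || \
             [[ "$BUILD_ARM64" == "true" ]]; then
            PLATFORMS="linux/amd64,linux/arm64"
          fi
          echo "platforms=$PLATFORMS" >> "$GITHUB_OUTPUT"
          echo "include_arm64=$([ "$PLATFORMS" = "linux/amd64,linux/arm64" ] && echo 'true' || echo 'false')" >> "$GITHUB_OUTPUT"
```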
@@ -126,6 +150,19 @@ jobs: image-ref: ${{ steps.highest-priority-tag.outputs.value }} skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a separate SBOM for easier vulnerability management and because trivy misses important fields + # Scan ARM64 image separately when a multi-arch build was produced + - name: Run Trivy scan for ARM64 image + if: ${{ github.event_name != 'pull_request' && steps.platforms.outputs.include_arm64 == 'true' }} + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 + env: + TRIVY_PLATFORM: linux/arm64 + with: + scan-type: 'image' + format: 'cyclonedx' + output: 'sbom-output/sbom_container_arm64.cyclonedx.json' + image-ref: ${{ steps.highest-priority-tag.outputs.value }} + skip-dirs: '/App' + - name: Upload trivy/container AND application SBOMs as a Github artifact if: ${{ github.event_name != 'pull_request' }} uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
From a02ff86bf0ae67e8d468a274999221275f67f97c Mon Sep 17 00:00:00 2001
From: Kevalkumar
Date: Wed, 10 Jun 2026 22:37:15 +0530
Subject: [PATCH 2/7] Update QEMU setup action to use specific version for ARM64 cross-compilation
---
.github/workflows/docker-publish.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index cc38a795..5679c7af 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -51,7 +51,7 @@ jobs: # Set up QEMU for ARM64 cross-compilation on AMD64 runners - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache
From 06913ad7804d9e60c151ca088c02d0df0795496b Mon Sep 17 00:00:00 2001
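Review bot: The new `Run Trivy scan for ARM64 image` step scans `image-ref: ${{ steps.highest-priority-tag.outputs.value }}`, i.e. a mutable tag re-resolved from the registry, not the manifest this run just pushed; if a second run of this workflow moves the same tag before the scan starts (two pushes to `develop` close together, say), the ARM64 SBOM describes a different image than the one built here. Unless a `concurrency` group elsewhere in the file rules that out, scanning by the digest the build step reports (`docker/build-push-action` exposes a `digest` output) pins the SBOM to the pushed artifact, e.g. `image-ref: ${{ env.REGISTRY }}/<image>@${{ steps.<build-step-id>.outputs.digest }}`; the pre-existing amd64 scan has the same weakness. The copied `skip-dirs: '/App'` also loses the comment its amd64 counterpart carries explaining why `/App` is skipped, so repeat it (or add `# see the amd64 scan above for why /App is skipped`) to keep the rationale next to both steps.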
From: Kevalkumar
Date: Thu, 11 Jun 2026 13:01:11 +0530
Subject: [PATCH 3/7] Enhance Docker workflow to include ARM64 builds for main, develop, and hotfix branches
---
.github/workflows/docker-publish.yml | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 5679c7af..ff8f8939 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -14,6 +14,7 @@ on: default: false push: branches: + - 'main' - 'develop' - 'release/**' - 'hotfix/**'
@@ -59,13 +60,16 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 - # ARM64 is included for release branches, version tags, and manual trigger. - # Develop and hotfix branches build AMD64 only to avoid QEMU slowdown. + # ARM64 is included for main, develop, hotfix, release branches, version tags, and manual trigger. + # Pull requests (e.g. feature → develop) build AMD64 only; ARM64 is built on merge (push event). - name: Determine build platforms id: platforms run: | PLATFORMS="linux/amd64" - if [[ "${{ github.ref }}" == refs/heads/release/* ]] || \ + if [[ "${{ github.ref }}" == refs/heads/main ]] || \ + [[ "${{ github.ref }}" == refs/heads/develop ]] || \ + [[ "${{ github.ref }}" == refs/heads/hotfix/* ]] || \ + [[ "${{ github.ref }}" == refs/heads/release/* ]] || \ [[ "${{ github.ref }}" == refs/tags/v* ]] || \ [[ "${{ inputs.build_arm64 }}" == "true" ]]; then PLATFORMS="linux/amd64,linux/arm64"
From 70de2f2bc697bc28b47e9fc5d5d6ad4ccb7774d6 Mon Sep 17 00:00:00 2001
From: Kevalkumar Ghelani
Date: Thu, 18 Jun 2026 14:56:55 +0530
Subject: [PATCH 4/7] Update .github/workflows/docker-publish.yml
Co-authored-by: Philip Schey <147830298+mm-psy@users.noreply.github.com>
---
.github/workflows/docker-publish.yml | 2 ++
1 file changed, 2 insertions(+)
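Review bot: The `if` in `Determine build platforms` (the `@@ -59,13 +60,16 @@` hunk) now spells out `main`, `develop`, `hotfix/*` and `release/*` by hand, which duplicates `on.push.branches` — this patch already had to edit both lists, and the next branch pattern added to one will be missed in the other. The rewritten comment states the actual rule (every push builds ARM64, pull requests stay AMD64), and the event name expresses that directly: `if [[ "$GITHUB_EVENT_NAME" == push ]] || [[ "${{ inputs.build_arm64 }}" == "true" ]]; then`. If the push trigger, which is outside this hunk, also fires for tags other than `v*` that should stay AMD64-only, the event-name check alone is too broad and an explicit `refs/tags/` exclusion is needed instead; the rest of the step's script (`fi` and the output lines) also lies outside the hunk. The removed comment's remark about the QEMU slowdown was the only place that cost was recorded, and it is worth keeping a sentence about it now that every develop push pays it.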
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index f8b88679..92224468 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -147,6 +147,8 @@ jobs: - name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container if: ${{ github.event_name != 'pull_request' }} uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 + env: + TRIVY_PLATFORM: linux/arm64 with: scan-type: 'image' format: 'cyclonedx'
From ef7441a74833cc5788bd36b252168bd64d895d3b Mon Sep 17 00:00:00 2001
From: Kevalkumar Ghelani
Date: Thu, 18 Jun 2026 14:57:05 +0530
Subject: [PATCH 5/7] Update .github/workflows/docker-publish.yml
Co-authored-by: Philip Schey <147830298+mm-psy@users.noreply.github.com>
---
.github/workflows/docker-publish.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 92224468..dda5420f 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -152,7 +152,7 @@ jobs: with: scan-type: 'image' format: 'cyclonedx' - output: 'sbom-output/sbom_container.cyclonedx.json' + output: 'sbom-output/sbom_container.cyclonedx_amd64.json' image-ref: ${{ steps.highest-priority-tag.outputs.value }} skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a separate SBOM for easier vulnerability management and because trivy misses important fields
From ec147e14ea45bca18d9396dec31d5d05409da7e7 Mon Sep 17 00:00:00 2001
From: Kevalkumar Ghelani
Date: Thu, 18 Jun 2026 15:24:03 +0530
Subject: [PATCH 6/7] Update .github/workflows/docker-publish.yml
Co-authored-by: Philip Schey <147830298+mm-psy@users.noreply.github.com>
---
.github/workflows/docker-publish.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index dda5420f..bba0401f 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -148,7 +148,7 @@ jobs: if: ${{ github.event_name != 'pull_request' }} uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # 0.36.0 env: - TRIVY_PLATFORM: linux/arm64 + TRIVY_PLATFORM: linux/amd64 with: scan-type: 'image' format: 'cyclonedx'
From 949fc666aa9c554a1892f64657af7a2b7936bcc7 Mon Sep 17 00:00:00 2001
From: Kevalkumar Ghelani
Date: Thu, 18 Jun 2026 15:24:12 +0530
Subject: [PATCH 7/7] Update .github/workflows/docker-publish.yml
Co-authored-by: Philip Schey <147830298+mm-psy@users.noreply.github.com>
---
.github/workflows/docker-publish.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index bba0401f..717d9e77 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -152,7 +152,7 @@ jobs: with: scan-type: 'image' format: 'cyclonedx' - output: 'sbom-output/sbom_container.cyclonedx_amd64.json' + output: 'sbom-output/sbom_container_amd64.cyclonedx.json' image-ref: ${{ steps.highest-priority-tag.outputs.value }} skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a separate SBOM for easier vulnerability management and because trivy misses important fields