@NiveditJain

for API server, dashboard, landing page, and state manager. Added support for linux/amd64 and linux/arm64 platforms in the publish and release workflows.

…er, dashboard, landing page, and state manager. Added support for linux/amd64 and linux/arm64 platforms in the publish and release workflows.
@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@coderabbitai

coderabbitai bot commented Sep 3, 2025

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Published multi-architecture container images (linux/amd64 and linux/arm64) for API server, dashboard, landing page, and state manager, enabling native support on ARM64 devices.
  • Chores
    • Updated release/publish workflows to build and push multi-arch images.
    • Images now include provenance and SBOM metadata for improved supply chain transparency.

Walkthrough

Added QEMU setup steps and enabled multi-architecture builds across several publish/release workflows; docker/build-push-action@v5 invocations now specify platforms (linux/amd64, linux/arm64) and enable provenance and SBOM generation.

Changes

Cohort / File(s) | Summary of changes
--- | ---
Publish workflows: .github/workflows/publish-api-server.yml, .github/workflows/publish-dashboard.yml, .github/workflows/publish-landing-page.yml, .github/workflows/publish-state-mangaer.yml | Added a "Set up QEMU" step using docker/setup-qemu-action@v3 with platforms: arm64; updated the docker/build-push-action@v5 "Build and push" step to include platforms: linux/amd64,linux/arm64, provenance: true, and sbom: true.
Release workflows: .github/workflows/release-dashboard.yml, .github/workflows/release-state-manager.yml | Inserted a "Set up QEMU" step (docker/setup-qemu-action@v3 with platforms: arm64) before buildx setup; updated the docker/build-push-action@v5 "Build and push" step to include platforms: linux/amd64,linux/arm64, provenance: true, and sbom: true.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Runner as GitHub Actions Runner
  participant Q as docker/setup-qemu-action@v3
  participant B as docker/build-push-action@v5
  participant R as Container Registry

  Runner->>Q: Run "Set up QEMU" (platforms: arm64)
  Q-->>Runner: QEMU registered for arm64

  Runner->>B: Run "Build and push" (platforms: linux/amd64,linux/arm64, provenance: true, sbom: true)
  rect rgb(230, 245, 255)
    B->>B: Build multi-arch images via buildx
    par amd64
      B-->>Runner: amd64 image artifact
    and arm64
      B-->>Runner: arm64 image artifact
    end
  end
  B->>R: Push images, manifest, provenance, SBOM
  R-->>Runner: Digest / manifest / provenance metadata

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hopped into CI, tiny paws on the keys,
Set up QEMU, baked two arches with ease.
Carrots packed as manifests, provenance in tow,
SBOM tucked neatly before off they go.
A rabbit’s small build, now ready to show. 🥕


📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between eb21cce and 763ed66.

📒 Files selected for processing (6)
  • .github/workflows/publish-api-server.yml (2 hunks)
  • .github/workflows/publish-dashboard.yml (2 hunks)
  • .github/workflows/publish-landing-page.yml (2 hunks)
  • .github/workflows/publish-state-mangaer.yml (2 hunks)
  • .github/workflows/release-dashboard.yml (2 hunks)
  • .github/workflows/release-state-manager.yml (2 hunks)



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
.github/workflows/release-state-manager.yml (4)

104-112: Add QEMU setup or arm64 builds will fail on amd64 runners.

Multi-arch builds require binfmt emulation. Without docker/setup-qemu-action, linux/arm64 builds on ubuntu-latest (amd64) are likely to error. Add QEMU before Buildx.

Apply this diff to insert QEMU setup just before Buildx:

   - uses: actions/checkout@v4

+  - uses: docker/setup-qemu-action@v3
+
   - uses: docker/setup-buildx-action@v3
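Review bot: the suggested QEMU step omits `platforms`, whereas the walkthrough above shows every other workflow in this PR registering QEMU with `platforms: arm64`; keeping the two consistent avoids installing every emulator on each run. This comment is also marked as outside the diff range, and the walkthrough lists a "Set up QEMU" step already inserted into release-state-manager.yml before buildx setup, so check the merged file before applying the diff to avoid a duplicate step.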

104-112: Speed up multi-arch builds with registry cache.

Enable BuildKit cache to avoid rebuilding layers for each release and for each platform.

       - name: Build and push
         uses: docker/build-push-action@v5
         with:
           context: ./state-manager
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
+          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
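Review bot: `env.REGISTRY` and `env.IMAGE_NAME` are referenced in the two added lines but are not visible in the hunk; confirm both are defined at workflow or job level, otherwise the cache reference resolves to `/:buildcache` and the export step fails. Pushing the `:buildcache` tag also needs the job token's package write permission (the same one the image push uses), and `mode=max` exports every intermediate layer, so check the registry's retention policy so the cache tag neither accumulates unbounded nor gets pruned between releases.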

49-55: Avoid committing a raw encryption key in CI env; generate it ephemerally.

The hard-coded SECRETS_ENCRYPTION_KEY is sensitive material in plaintext logs/config. Generate a random key per run and pass it via $GITHUB_ENV.

-      - name: Run full test suite with coverage
+      - name: Generate ephemeral encryption key
+        run: echo "SECRETS_ENCRYPTION_KEY=$(openssl rand -base64 32)" >> $GITHUB_ENV
+
+      - name: Run full test suite with coverage
         working-directory: state-manager
         env:
           MONGO_URI: mongodb://admin:password@localhost:27017
           MONGO_DATABASE_NAME: test_exosphere_state_manager
           STATE_MANAGER_SECRET: test-secret-key
-          SECRETS_ENCRYPTION_KEY: YTzpUlBGLSwm-3yKJRJTZnb0_aQuQQHyz64s8qAERVU=
+          SECRETS_ENCRYPTION_KEY: ${{ env.SECRETS_ENCRYPTION_KEY }}
         run: |
           uv run pytest tests/ --cov=app --cov-report=xml --cov-report=term-missing --cov-report=html -v --junitxml=full-pytest-report.xml
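Review bot: the value being removed is URL-safe base64 (it contains `-` and `_`), while `openssl rand -base64 32` emits the standard alphabet with `+` and `/`; depending on how the application decodes the key, the generated value may be rejected, so keep the same alphabet, e.g. `KEY=$(openssl rand -base64 32 | tr '+/' '-_')`. A value written to `$GITHUB_ENV` is also not masked in job logs; add `echo "::add-mask::$KEY"` before `echo "SECRETS_ENCRYPTION_KEY=$KEY" >> "$GITHUB_ENV"` so any step that echoes its environment does not print the key. Since this env block is the test-suite step (test MongoDB credentials and a test secret sit beside it), the hard-coded value is a fixture rather than a production secret, but removing it still prevents the fixture key from being copied into real deployments.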

83-96: Optional hardening: pin actions to commit SHAs and enable provenance/SBOM.

For supply-chain hygiene, pin actions to immutable SHAs and emit attestations/SBOM with buildx.

Example (showing pattern only):

  • actions/checkout@v4 → actions/checkout@
  • docker/build-push-action@v5 with:
         uses: docker/build-push-action@v5
         with:
           context: ./state-manager
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          provenance: mode=max
+          sbom: true
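Review bot: `provenance: mode=max` records build arguments and full source context in the published attestation, so confirm no `build-args` carry secrets before switching from `provenance: true` (which the walkthrough says this PR already sets; the suggestion effectively changes only the mode). The `actions/checkout@` bullet above is missing the SHA it is meant to illustrate, and pinning should cover `docker/setup-qemu-action`, `docker/setup-buildx-action` and `docker/build-push-action` as well, each with a trailing comment naming the tag the SHA corresponds to so Dependabot or Renovate can keep the pins current.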
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between d3cdb84 and eb21cce.

📒 Files selected for processing (6)
  • .github/workflows/publish-api-server.yml (1 hunks)
  • .github/workflows/publish-dashboard.yml (1 hunks)
  • .github/workflows/publish-landing-page.yml (1 hunks)
  • .github/workflows/publish-state-mangaer.yml (1 hunks)
  • .github/workflows/release-dashboard.yml (1 hunks)
  • .github/workflows/release-state-manager.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/release-state-manager.yml (1)

104-112: No changes needed: Dockerfile uses multi-arch official Python base
The only Dockerfile in state-manager uses FROM python:3.12-slim-bookworm, which is an official multi-architecture image, and there are no hard-coded architecture pins.
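A defender's check on what these workflows actually publish, added here as an example rather than code from the PR or from CodeRabbit: it parses the OCI image index that `docker buildx imagetools inspect --raw <image>` prints and confirms that both platforms the PR builds are present and that each platform manifest is covered by the attestation manifest buildx attaches when `provenance` and `sbom` are enabled. The sample index is constructed; the `inspect_image` helper is an assumption that needs docker and registry access.

```python
# Added example: verify a multi-arch image index after a provenance/SBOM build.
# Buildx attaches attestations as extra manifests (platform unknown/unknown)
# whose annotations point back at the platform image they cover.
import json
import subprocess

EXPECTED = {"linux/amd64", "linux/arm64"}   # platforms the workflows build


def check_index(index: dict, expected: set = EXPECTED) -> dict:
    """Report expected platforms missing from the index and platforms with no attestation."""
    by_platform = {}   # "os/arch" -> image manifest digest
    attested = set()   # digests referenced by an attestation manifest
    for m in index.get("manifests", []):
        ann = m.get("annotations", {})
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            attested.add(ann.get("vnd.docker.reference.digest"))
            continue
        p = m.get("platform", {})
        by_platform[f"{p.get('os')}/{p.get('architecture')}"] = m.get("digest")
    have = set(by_platform)
    missing = sorted(expected - have)
    unattested = sorted(k for k in expected & have if by_platform[k] not in attested)
    return {"missing_platforms": missing,
            "unattested_platforms": unattested,
            "ok": not missing and not unattested}


def inspect_image(ref: str) -> dict:
    """Fetch the index for `ref` from the registry (assumed helper; needs docker buildx)."""
    raw = subprocess.run(["docker", "buildx", "imagetools", "inspect", "--raw", ref],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(raw)


# Constructed sample index: both platforms present, but only amd64 carries an attestation.
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:aaaa", "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:bbbb", "platform": {"os": "linux", "architecture": "arm64"}},
        {"digest": "sha256:cccc", "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:aaaa"}},
    ],
}

if __name__ == "__main__":
    print(check_index(SAMPLE_INDEX))   # flags linux/arm64 as unattested
```

In CI this would run as a step after "Build and push" against the pushed tag, failing the job when `ok` is false.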

        with:
          context: ./api-server
          push: true
          platforms: linux/amd64,linux/arm64


💡 Verification agent

🧩 Analysis chain

Set up QEMU to support the new arm64 target.

docker/setup-qemu-action@v3 is needed for cross-arch builds on GitHub-hosted runners.

Insert before buildx:

- uses: docker/setup-qemu-action@v3
  with:
    platforms: arm64

Also verify the Dockerfile bases are multi-arch (e.g., node, python, alpine) and respect TARGETARCH.


🏁 Script executed:

#!/bin/bash
# Search for QEMU setup action
grep -R "setup-qemu-action" -n .github/workflows/publish-api-server.yml || echo "No setup-qemu-action found."
# Search for docker build-push-action usage
grep -R "docker/build-push-action" -n .github/workflows/publish-api-server.yml || echo "No build-push-action usage found."
# Show context around platforms specification
grep -R -n -C3 "platforms:" .github/workflows/publish-api-server.yml

Length of output: 561


Set up QEMU for ARM64 before building
Insert before the build-and-push step in .github/workflows/publish-api-server.yml:

- uses: docker/setup-qemu-action@v3
  with:
    platforms: arm64

This action must precede any buildx or build-push steps to install QEMU emulators for cross-architecture builds.
Validate your Dockerfile base images are multi-arch and use TARGETARCH for architecture-specific logic.

🤖 Prompt for AI Agents
In .github/workflows/publish-api-server.yml around line 56, the workflow enables
linux/arm64 as a target platform but does not set up QEMU beforehand; insert a
step using docker/setup-qemu-action@v3 with platforms: arm64 immediately before
any buildx or build-and-push steps to install QEMU emulators for
cross-architecture builds, ensure this new step precedes buildx usage, and
verify your Dockerfile base images are multi-arch and any architecture-specific
logic uses the TARGETARCH build arg or similar to select correct assets.

…ds and enabling provenance and SBOM generation for published images across API server, dashboard, landing page, and state manager workflows.
…er workflow and enable provenance and SBOM generation for published images.
@NiveditJain NiveditJain merged commit 16be036 into exospherehost:main Sep 3, 2025
2 of 3 checks passed