feat(ci): use multiple runners for build

[tobiasehlert]

This pull request makes significant improvements to the GitHub Actions workflow for building and publishing Docker images. The main changes include refactoring the build process to use a matrix strategy for multi-architecture builds, introducing a separate manifest job for aggregating per-architecture images, and enhancing image signing and attestation for better security and provenance. Additionally, downstream workflows now correctly reference the manifest job outputs for image digests and versions.

Workflow refactor and multi-arch support:

• The build job now uses a matrix strategy to build images for multiple architectures (linux/amd64, linux/arm64, linux/arm/v7), each on dedicated runners. This enables true multi-arch support and parallelizes the build process. (.github/workflows/build.yml, .github/workflows/build.ymlR17-R40)
• A new manifest job aggregates the digests from all architecture builds, creates and pushes a multi-arch manifest list, and handles signing and attestation centrally. (.github/workflows/build.yml, .github/workflows/build.ymlL38-R263)

Image signing and provenance:

• Image signing, attestation, and verification steps are moved to the manifest job, using Cosign and GitHub OIDC for secure signatures and provenance attestation. This ensures all published images and manifests are cryptographically verifiable. (.github/workflows/build.yml, .github/workflows/build.ymlL38-R263)

Downstream workflow output updates:

• The argocd and helm-chart jobs now reference outputs from the manifest job (instead of the build job) for image digests and versions, ensuring deployments use the correct multi-arch manifest information. (.github/workflows/build.yml, .github/workflows/build.ymlL121-R306)

General workflow improvements:

• Permissions for attestations: write are added to enable build provenance attestation. (.github/workflows/build.yml, .github/workflows/build.ymlR17-R40)
• Docker image tags and metadata actions are updated to use dynamic repository names, improving maintainability and consistency. (.github/workflows/build.yml, .github/workflows/build.ymlL38-R263)

[Copilot]

Pull Request Overview

This PR refactors the GitHub Actions build workflow to use a matrix strategy for multi-architecture Docker builds, enabling parallel builds for different architectures (linux/amd64, linux/arm64, linux/arm/v7) on dedicated runners. The changes introduce a separate manifest job to aggregate per-architecture builds and handle image signing, attestation, and verification centrally.

• Split build process into per-architecture matrix builds and a manifest aggregation job
• Enhanced security with centralized image signing, attestation, and verification using Cosign
• Updated downstream workflows to reference outputs from the manifest job instead of build job

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud