From c657a123dfa1dda6139c777544aab7fc8f70112f Mon Sep 17 00:00:00 2001
From: WorkClub Automation <automation@workclub.local>
Date: Sun, 8 Mar 2026 15:39:39 +0100
Subject: [PATCH] feat(cd): add multi-arch Docker build support (AMD64 + ARM64)

Add Docker Buildx support to build images for both linux/amd64 and linux/arm64 architectures using a single workflow. This enables deployment to ARM-based systems (e.g., Raspberry Pi, Apple Silicon) without separate builds.

Changes:
- Add Docker Buildx setup step to both backend and frontend jobs
- Replace single-arch 'docker build' with multi-arch 'docker buildx build'
- Configure '--platform linux/amd64,linux/arm64' for both architectures
- Consolidate tag and push operations into single buildx command
- Update evidence capture to include platform information
- Update release summary to indicate multi-arch images

Images will now be published as manifest lists containing both AMD64 and ARM64 variants under the same tags.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
---
 .gitea/workflows/cd-bootstrap.yml | 63 ++++++++++++++-----------------
 1 file changed, 28 insertions(+), 35 deletions(-)

diff --git a/.gitea/workflows/cd-bootstrap.yml b/.gitea/workflows/cd-bootstrap.yml
index 9e3aaa5..17f45d6 100644
--- a/.gitea/workflows/cd-bootstrap.yml
+++ b/.gitea/workflows/cd-bootstrap.yml
@@ -88,37 +88,33 @@ jobs:
           echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_HOST }} \
             --username "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
       
-      - name: Build backend image
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      
+      - name: Build and push backend multi-arch image
         working-directory: ./backend
         run: |
-          docker build \
-            -t ${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }} \
+          docker buildx build \
+            --platform linux/amd64,linux/arm64 \
+            --tag ${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }} \
+            --tag ${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:sha-${{ needs.prepare.outputs.image_sha }} \
+            --push \
             -f Dockerfile \
             .
       
-      - name: Tag with commit SHA
-        run: |
-          docker tag \
-            ${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }} \
-            ${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:sha-${{ needs.prepare.outputs.image_sha }}
-      
-      - name: Push images to registry
-        run: |
-          docker push ${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }}
-          docker push ${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:sha-${{ needs.prepare.outputs.image_sha }}
-      
-      - name: Capture push evidence
+      - name: Capture push evidence (multi-arch)
         run: |
           mkdir -p .sisyphus/evidence
           cat > .sisyphus/evidence/task-31-backend-push.json <<EOF
            {
-             "scenario": "backend_image_push",
+             "scenario": "backend_image_push_multiarch",
              "result": "success",
              "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
              "details": {
                "image": "${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}",
                "version_tag": "${{ needs.prepare.outputs.image_tag }}",
                "sha_tag": "sha-${{ needs.prepare.outputs.image_sha }}",
+               "platforms": "linux/amd64,linux/arm64",
                "registry": "${{ env.REGISTRY_HOST }}"
              }
            }
@@ -147,37 +143,33 @@ jobs:
           echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ env.REGISTRY_HOST }} \
             --username "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
       
-      - name: Build frontend image
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      
+      - name: Build and push frontend multi-arch image
         working-directory: ./frontend
         run: |
-          docker build \
-            -t ${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }} \
+          docker buildx build \
+            --platform linux/amd64,linux/arm64 \
+            --tag ${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }} \
+            --tag ${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:sha-${{ needs.prepare.outputs.image_sha }} \
+            --push \
             -f Dockerfile \
             .
       
-      - name: Tag with commit SHA
-        run: |
-          docker tag \
-            ${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }} \
-            ${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:sha-${{ needs.prepare.outputs.image_sha }}
-      
-      - name: Push images to registry
-        run: |
-          docker push ${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }}
-          docker push ${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:sha-${{ needs.prepare.outputs.image_sha }}
-      
-      - name: Capture push evidence
+      - name: Capture push evidence (multi-arch)
         run: |
           mkdir -p .sisyphus/evidence
           cat > .sisyphus/evidence/task-32-frontend-push.json <<EOF
            {
-             "scenario": "frontend_image_push",
+             "scenario": "frontend_image_push_multiarch",
              "result": "success",
              "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
              "details": {
                "image": "${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}",
                "version_tag": "${{ needs.prepare.outputs.image_tag }}",
                "sha_tag": "sha-${{ needs.prepare.outputs.image_sha }}",
+               "platforms": "linux/amd64,linux/arm64",
                "registry": "${{ env.REGISTRY_HOST }}"
              }
            }
@@ -210,6 +202,7 @@ jobs:
             "frontend_image": "${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }}",
             "backend_job_conclusion": "${{ needs.backend-image.result }}",
             "frontend_job_conclusion": "${{ needs.frontend-image.result }}",
+            "build_platforms": "linux/amd64,linux/arm64",
             "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
           }
           EOF
@@ -228,10 +221,10 @@ jobs:
           echo "**Release Tag:** ${{ needs.prepare.outputs.image_tag }}" >> $GITHUB_STEP_SUMMARY
           echo "**Commit SHA:** ${{ needs.prepare.outputs.image_sha }}" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-          echo "### Published Images" >> $GITHUB_STEP_SUMMARY
-          echo "- **Backend:** \`${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "### Published Multi-Arch Images" >> $GITHUB_STEP_SUMMARY
+          echo "- **Backend:** \`${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }}\` (linux/amd64, linux/arm64)" >> $GITHUB_STEP_SUMMARY
           echo "- **Backend SHA:** \`${{ env.REGISTRY_HOST }}/${{ env.BACKEND_IMAGE }}:sha-${{ needs.prepare.outputs.image_sha }}\`" >> $GITHUB_STEP_SUMMARY
-          echo "- **Frontend:** \`${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Frontend:** \`${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:${{ needs.prepare.outputs.image_tag }}\` (linux/amd64, linux/arm64)" >> $GITHUB_STEP_SUMMARY
           echo "- **Frontend SHA:** \`${{ env.REGISTRY_HOST }}/${{ env.FRONTEND_IMAGE }}:sha-${{ needs.prepare.outputs.image_sha }}\`" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### Job Results" >> $GITHUB_STEP_SUMMARY