fix: Multi arch. docker images and binary mismatch (#382)

* fix: Multi arch. docker images and binary mismatch

* fix: Increase timeout and adjust docker scan image

* fix: Comment out arm64 image build

* fix: Pin base images to latest sha256 digest

Author: tirumerla

.github/workflows/ci.yaml

@@ -230,7 +230,7 @@ jobs:
           fail_ci_if_error: false
   docker-scan:
     runs-on: ubuntu-latest
-    timeout-minutes: 20
+    timeout-minutes: 45
     needs: [changed_files, ci]
     if: |
       ${{ github.event.pull_request.draft == false && needs.changed_files.outputs.changed-docker-files == 'true' }}
@@ -242,23 +242,68 @@ jobs:
           egress-policy: audit
       - name: Checkout Code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@e77e8065d9f7ec6abdd9838668cd7b43924dd64d # main
+        with:
+          platforms: linux/amd64,linux/arm64
       - name: Prepare
         id: init
         uses: ./.github/actions/prepare
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-      - name: Build local container
+      - name: Build x86 local container
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          tags: openzeppelin-monitor-dev:${{ github.sha }}
+          tags: openzeppelin-monitor-dev:${{ github.sha }}-amd64
           push: false
           load: true
           file: Dockerfile.development
           platforms: linux/amd64
+      # - name: Build arm64 local container
+      #   uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
+      #   with:
+      #     tags: openzeppelin-monitor-dev:${{ github.sha }}-arm64
+      #     push: false
+      #     load: true
+      #     file: Dockerfile.development
+      #     platforms: linux/arm64
+      - name: Test image and binary architectures
+        run: |
+          set -euo pipefail
+          # platforms=("amd64" "arm64")
+          platforms=("amd64")
+          for platform in "${platforms[@]}"; do
+            image_tag="openzeppelin-monitor-dev:${{ github.sha }}-${platform}"
+            echo ">>>>>>>>Inspecting $platform<<<<<<<<"
+            image_arch=$(docker image inspect $image_tag --format '{{.Architecture}}')
+            binary_info=$(docker run --rm --platform linux/$platform --entrypoint sh $image_tag -c \
+              "apk add --no-cache file >/dev/null && file openzeppelin-monitor")
+            echo ">>>>>>>>Binary info: $binary_info<<<<<<<<"
+
+            # Determine binary architecture
+            case "$binary_info" in
+              *"ARM aarch64"*)
+                binary_arch="arm64"
+                ;;
+              *"x86-64"*)
+                binary_arch="amd64"
+                ;;
+              *)
+                echo "Unknown binary architecture: $binary_info........."
+                exit 1
+                ;;
+            esac
+            echo ">>>>>>>>Image arch: $image_arch | Binary arch: $binary_arch<<<<<<<<"
+            if [ "$image_arch" != "$binary_arch" ]; then
+              echo ">>>>>>>Architecture mismatch: Image=$image_arch Binary=$binary_arch<<<<<<<"
+              exit 1
+            fi
+            echo ">>>>>>>Architecture match for $platform<<<<<<<<"
+          done
       - name: Scan image
         uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0
         with:
-          image: openzeppelin-monitor-dev:${{ github.sha }}
+          image: openzeppelin-monitor-dev:${{ github.sha }}-amd64
           fail-build: true
           severity-cutoff: high
           output-format: table

.github/workflows/release-docker.yml

@@ -64,6 +64,10 @@ jobs:
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PAT }}
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@e77e8065d9f7ec6abdd9838668cd7b43924dd64d # main
+        with:
+          platforms: linux/amd64,linux/arm64
       - name: Set Up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - name: Build Docker image

Dockerfile.development

@@ -1,5 +1,5 @@
-# Base image
-FROM --platform=${BUILDPLATFORM} cgr.dev/chainguard/rust:latest-dev@sha256:faf49718aaa95c798ed1dfdf3e4edee2cdbc3790c8994705ca6ef35972128459 AS base
+# Base image with latest-dev tag digest
+FROM cgr.dev/chainguard/rust@sha256:74aa2608956c114e507dfde8fe31b1e4d42157dad67c29e06337680dedd940e9 AS base
 
 WORKDIR /usr/app
 
@@ -13,8 +13,8 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/app/target \
     RUST_BACKTRACE=1 cargo install --root /usr/app --path . --debug --locked
 
-# Wolfi image
-FROM --platform=${BUILDPLATFORM} cgr.dev/chainguard/wolfi-base:latest
+# Wolfi image with latest tag digest
+FROM cgr.dev/chainguard/wolfi-base@sha256:9608820b6ea4da8bcf16989dac37a280f8f1fa0022efc45b5ed4b1ac1f634a79
 
 ARG version=3.12
 

Dockerfile.production

@@ -1,5 +1,5 @@
-# Base image
-FROM --platform=${BUILDPLATFORM} cgr.dev/chainguard/rust:latest-dev@sha256:faf49718aaa95c798ed1dfdf3e4edee2cdbc3790c8994705ca6ef35972128459 AS base
+# Base image with latest-dev tag digest
+FROM cgr.dev/chainguard/rust@sha256:74aa2608956c114e507dfde8fe31b1e4d42157dad67c29e06337680dedd940e9 AS base
 
 WORKDIR /usr/app
 
@@ -9,10 +9,10 @@ RUN apk update && apk add openssl-dev
 COPY . .
 RUN --mount=type=cache,target=/usr/local/cargo/registry \
     --mount=type=cache,target=/app/target \
-    cargo install --root /usr/app --path . --locked
+    cargo install --root /usr/app --path . --profile release --locked
 
-# Wolfi image
-FROM --platform=${BUILDPLATFORM} cgr.dev/chainguard/wolfi-base
+# Wolfi image with latest tag digest
+FROM cgr.dev/chainguard/wolfi-base@sha256:9608820b6ea4da8bcf16989dac37a280f8f1fa0022efc45b5ed4b1ac1f634a79
 
 ARG version=3.12