
@tirumerla tirumerla commented Oct 20, 2025

Summary

  • Remove outdated digests
  • Add CI test to verify image arch and binary artifact arch.
  • Allow multi-platform builds using QEMU

Fixes #380

Summary by CodeRabbit

  • New Features

    • Added multi-architecture support (amd64 and arm64) for container builds and validation.
  • Chores

    • Enhanced CI/CD pipelines with automated architecture detection and validation.
    • Optimized production build configurations for improved performance.

@tirumerla tirumerla requested a review from a team as a code owner October 20, 2025 05:13

coderabbitai bot commented Oct 20, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The pull request adds multi-architecture (amd64 and arm64) build support to CI/CD pipelines and Dockerfiles. QEMU setup is added to workflows, separate build steps for each architecture are introduced in CI with validation, and Dockerfile build constraints are simplified by removing platform directives and image digests.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI Workflow Multi-Arch Setup (.github/workflows/ci.yaml) | Added QEMU setup for multi-arch support; split "Build local container" into separate "Build x86 local container" (amd64) and "Build arm64 local container" (linux/arm64) steps with corresponding tag suffixes; introduced "Test image and binary architectures" step to validate architecture consistency for both platforms. |
| Release Workflow QEMU Setup (.github/workflows/release-docker.yml) | Added "Setup QEMU" step using docker/setup-qemu-action before Docker Buildx to enable multi-arch builds. |
| Dockerfile Simplifications (Dockerfile.development, Dockerfile.production) | Removed --platform=${BUILDPLATFORM} directives from FROM statements and SHA256 digest pinning in Chainguard image references. Dockerfile.production also added --profile release flag to cargo install for optimization. |

Sequence Diagram(s)

sequenceDiagram
    participant CI as CI Workflow
    participant QEMU
    participant Build as Build Steps
    participant Test as Validation
    participant Scan as Image Scan

    CI->>QEMU: Setup QEMU (amd64, arm64)
    QEMU-->>CI: Ready
    
    par Build Phase
        CI->>Build: Build x86 container (-amd64 tag)
        Build-->>CI: amd64 image ready
        CI->>Build: Build arm64 container (-arm64 tag)
        Build-->>CI: arm64 image ready
    end
    
    CI->>Test: Test image & binary architectures
    Test->>Test: Verify amd64 arch consistency
    Test->>Test: Verify arm64 arch consistency
    alt Mismatch detected
        Test-->>CI: ❌ Validation failed
    else Success
        Test-->>CI: ✓ All architectures valid
    end
    
    CI->>Scan: Scan validated images
    Scan-->>CI: Scan complete

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

The changes span multiple workflow files and Dockerfiles with a mix of new conditional logic (architecture validation step) and straightforward simplifications (removing platform directives). The multi-arch validation logic requires careful review, but the alterations are localized and follow a consistent pattern.

Poem

🐰✨ Multi-arch dreams now come true,
QEMU builds for both old and new,
arm64, amd64, standing side-by-side,
Cross-platform harmony, our CI guide! 🏗️

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description Check | ⚠️ Warning | The pull request description includes a Summary section with clear bullet points explaining the three main changes and provides a reference to the related issue (Fixes #380), which aligns with the template requirements. However, the description is missing two significant structural sections required by the template: the "Testing Process" section and the "Checklist" section. While the PR summary is on-topic and directly addresses the PR objectives, the absence of these key template sections means the description does not follow the specified structure, leaving gaps about how the changes were tested and whether applicable tasks from the checklist were completed. | The author should add the missing "Testing Process" section describing how the changes were tested (the CI additions appear to be part of the solution, but explicit documentation of testing is needed) and include the "Checklist" section with checked boxes or explanations for each item that applies to this pull request. For infrastructure and CI/CD changes, some checklist items like unit tests or documentation updates may not apply, but they should still be explicitly addressed rather than omitted entirely. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title Check | ✅ Passed | The pull request title "fix: Multi arch. docker images and binary mismatch" directly relates to the main changes in the changeset. The modifications add QEMU setup for multi-architecture support, remove platform-specific constraints from Dockerfiles, and introduce CI validation for architecture consistency between images and binaries. The title is concise, specific, and accurately summarizes the core objective of fixing architecture mismatches across platforms. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a6a06f6 and 05d0663.

📒 Files selected for processing (4)
  • .github/workflows/ci.yaml (1 hunks)
  • .github/workflows/release-docker.yml (1 hunks)
  • Dockerfile.development (2 hunks)
  • Dockerfile.production (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
  • GitHub Check: clippy
  • GitHub Check: test
  • GitHub Check: msrv
  • GitHub Check: Redirect rules - openzeppelin-monitor
  • GitHub Check: Header rules - openzeppelin-monitor
  • GitHub Check: Pages changed - openzeppelin-monitor
  • GitHub Check: Analyze (rust)
  • GitHub Check: semgrep/ci
🔇 Additional comments (6)
Dockerfile.production (2)

2-2: Platform directives removed to enable multi-arch builds; verify digest strategy.

Removing --platform=${BUILDPLATFORM} is correct for QEMU-based cross-platform builds, as this directive forces the build to use the host platform and blocks cross-compilation. However, removing image digests (@sha256:...) may impact reproducibility. The PR objectives indicate these are outdated, but ensure your reproducibility strategy is captured elsewhere (e.g., lock files, SBOMs generated in CI).

Also applies to: 15-15


12-12: Optimization: --profile release added during binary build.

The addition of --profile release increases optimization during the cargo install phase, which will improve runtime performance of the binary.

.github/workflows/release-docker.yml (1)

67-70: QEMU setup correctly positioned before Buildx.

The QEMU setup step with correct platform specification (linux/amd64,linux/arm64) is properly ordered before the Buildx setup, enabling multi-platform image builds on the GitHub Actions runner.

Dockerfile.development (1)

2-2: Consistent removal of platform directives mirrors production Dockerfile.

The removal of --platform=${BUILDPLATFORM} from both base images aligns with the production Dockerfile changes and supports the multi-platform build strategy.

Also applies to: 17-17

.github/workflows/ci.yaml (2)

245-248: QEMU setup correct; separate arch builds enable validation.

QEMU setup with proper platform specification precedes Buildx, and separate build steps for amd64 and arm64 with explicit tags enable downstream architecture validation.


302-307: Clarify: Scan step uses untagged image reference.

The scan step at line 305 references openzeppelin-monitor-dev:${{ github.sha }} without an architecture tag (compare to the explicit -amd64 and -arm64 tags from the build steps). Verify this is intentional (e.g., if the tag without suffix resolves to amd64 by default) or if the step should specify which architecture image to scan.
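
The architecture check this pull request describes (image architecture versus binary architecture) comes down to reading `e_machine` from the binary's ELF header and comparing it with the architecture the image reports. The script below is an added example, not the workflow step from this PR and not part of any comment in this thread; the function names, the constructed 20-byte sample headers and the `docker image inspect` usage mentioned in its comments are assumptions.

```shell
#!/bin/sh
# Added example: does a binary's ELF e_machine match the image architecture?
# In CI, "expected" would come from image metadata, for example
#   docker image inspect --format '{{.Architecture}}' "$IMAGE"
# and the binary would first be copied out of the image (not shown here).

# Print the Docker-style architecture name of an ELF file; non-zero on failure.
elf_arch() {
    file=$1
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')        # bytes 0-3: 7f 'E' 'L' 'F'
    [ "$magic" = "7f454c46" ] || { echo not-elf; return 1; }
    data=$(od -An -tu1 -j5 -N1 "$file" | tr -d ' \n')     # byte 5: 1 = LE, 2 = BE
    set -- $(od -An -tu1 -j18 -N2 "$file")                # bytes 18-19: e_machine
    [ $# -eq 2 ] || { echo truncated; return 1; }
    if [ "$data" = 2 ]; then machine=$(( $1 * 256 + $2 ))
    else machine=$(( $1 + $2 * 256 )); fi
    case $machine in
        62)  echo amd64 ;;                                 # EM_X86_64
        183) echo arm64 ;;                                 # EM_AARCH64
        *)   echo "unknown-$machine"; return 1 ;;
    esac
}

# Succeed only when the binary matches the architecture the image claims.
check_arch() {
    expected=$1; binary=$2
    actual=$(elf_arch "$binary") || actual=${actual:-unreadable}
    if [ "$actual" = "$expected" ]; then
        echo "ok: $binary is $actual"
    else
        echo "MISMATCH: image is $expected, $binary is $actual" >&2
        return 1
    fi
}

# Constructed sample input: a 20-byte little-endian ELF64 header prefix.
# $1 is the low byte of e_machine in octal (076 = x86-64, 267 = AArch64).
make_sample_elf() {
    pad='\000\000\000\000\000\000\000\000\000'            # e_ident bytes 7-15
    printf "\\177ELF\\002\\001\\001${pad}\\002\\000\\${1}\\000" > "$2"
}

# Demo: an image tagged arm64 that carries an x86-64 binary fails the check.
tmp=$(mktemp -d)
make_sample_elf 267 "$tmp/aarch64.bin"
make_sample_elf 076 "$tmp/x86_64.bin"
check_arch arm64 "$tmp/aarch64.bin"
check_arch arm64 "$tmp/x86_64.bin" || echo "CI step would fail here"
rm -rf "$tmp"
```

Reading the header directly avoids executing the binary, so the check works on the CI host even when the binary targets a different architecture.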


codecov bot commented Oct 20, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.5%. Comparing base (a6a06f6) to head (33d7d1c).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@          Coverage Diff          @@
##            main    #382   +/-   ##
=====================================
  Coverage   96.5%   96.5%           
=====================================
  Files         76      76           
  Lines      27116   27116           
=====================================
  Hits       26177   26177           
  Misses       939     939           
| Flag | Coverage Δ |
| --- | --- |
| integration | 60.9% <ø> (ø) |
| properties | 29.6% <ø> (ø) |
| unittests | 87.0% <ø> (ø) |

Flags with carried forward coverage won't be shown.

@tirumerla tirumerla force-pushed the fix-docker-image-binary branch from 05d0663 to b50f786 Compare October 20, 2025 05:54

son-oz commented Oct 20, 2025

I'd like to keep the pinned hash and add the Docker ecosystem to Dependabot; I think I can add it in another PR then.

@tirumerla tirumerla force-pushed the fix-docker-image-binary branch from 095746e to a7c914f Compare October 20, 2025 20:45
@tirumerla tirumerla merged commit a61701e into main Oct 20, 2025
23 of 24 checks passed
@tirumerla tirumerla deleted the fix-docker-image-binary branch October 20, 2025 22:47
@github-actions github-actions bot locked and limited conversation to collaborators Oct 20, 2025
Development

Successfully merging this pull request may close these issues.

ARM64 Docker Images contain x86 build of binary openzeppelin-monitor
