ci: use different builders for different archs

[Pitasi]

This PR uses different github action runners for building different architectures (i.e. amd64 cpu for amd64 binaries, arm64 cpu for arm64 binaries, and only linux at this time). This is way faster than using qemu. A wardend build now takes around 5 minutes.

Additionally, every time a tag like vX.Y.Z is pushed, the corresponding wardend binaries are created automatically and the GitHub release is created with those binaries and checksums.

I also enabled the type=gha mode for buildx cache (docs: https://docs.docker.com/build/cache/backends/gha/) but it's very limited by GitHub cache policies. For example, a tag cannot see the cache being made by another tag. So we can't really rely on this.

[coderabbitai]

📝 Walkthrough

Walkthrough

This set of changes updates GitHub Actions workflows to use a new multi-architecture Docker image release workflow, restructures the release process for wardend binaries, modifies Docker build and artifact naming conventions, and simplifies the build logic in the justfile. It introduces a dedicated workflow for building and publishing wardend binaries and removes obsolete or redundant workflows.

Changes

Cohort / File(s)	Change Summary
Workflow Reference Updates .github/workflows/faucet.yml, .github/workflows/wardenkms.yml, .github/workflows/wardend.yaml	Updated the release-dev job in each workflow to reference .github/workflows/release-docker-images.yml instead of .github/workflows/release-dev.yml. Inputs, permissions, and secrets inheritance remain unchanged.
Release Docker Images Workflow .github/workflows/release-docker-images.yml	Renamed and restructured the workflow to support multi-architecture Docker image releases. Split the previous single release-dev job into release-image-amd64 and release-image-arm64 jobs, each with architecture-specific runners and steps. Removed QEMU and caching steps from the AMD64 job; ARM64 job uses a dedicated ARM runner.
Wardend Binary Release Workflow .github/workflows/release-wardend-binaries.yaml	Added a new workflow to build and publish wardend binaries for AMD64 and ARM64. Defines jobs for building on each architecture, uploading artifacts, and publishing release assets with checksums.
Obsolete Workflow Removal .github/workflows/release-wardend.yaml	Deleted the workflow that triggered on published releases and reused the old .github/workflows/release-dev.yml workflow for the wardend app.
Wardend Dockerfile Improvements cmd/wardend/Dockerfile	Improved build stage by copying Go module files before dependency download. Introduced build arguments for OS, architecture, and version; renamed output binary to include these variables. Removed unnecessary package (libvips-dev) from runtime stage. Updated entrypoint to use versioned binary name.
Justfile Build Logic Refactor justfile	Removed release-wardend-binaries target and multi-platform packaging from main release flow. Simplified release-wardend to depend only on Docker image publishing. Updated release-publish-docker target to remove multi-platform flag and switch to GitHub Actions cache. Added release-wardend-binary target for building the binary only.

Sequence Diagram(s)

sequenceDiagram
    participant Workflow as GitHub Actions Workflow
    participant Builder as Build Runner (amd64/arm64)
    participant Registry as GHCR/Release

    Workflow->>Builder: Checkout code
    Workflow->>Builder: Setup runtime, Docker Buildx, just
    Workflow->>Builder: Build Docker image or binary (arch-specific)
    Builder->>Registry: Push Docker image or upload artifact
    Workflow->>Registry: Publish release assets (binaries, checksums)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• ci: use docker buildx gha cache #1632: Refactored justfile to use GitHub Actions cache and relates to similar Docker build cache changes.
• feat: enable multiarch builds for wardend #1240: Introduced multiarch builds and restructured release workflows, directly related to the new multi-architecture workflow changes.
• build: use docker multi-platform builds instead of goreleaser #1621: Transitioned to Docker multi-platform builds and refactored build tooling, aligning with the workflow and Dockerfile changes here.

Suggested labels

wardenkms, test

Suggested reviewers

• jlehtimaki

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci-speed-automate-release

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

cmd/wardend/Dockerfile (1)

19-23: Defaulting WARDEND_VERSION to "unknown" can leak into artefact names

If callers forget to pass the build arg you’ll publish wardend-unknown-linux-amd64, which is hard to trace later.
Consider failing fast when the arg is missing.

 ARG WARDEND_VERSION="unknown"

+# Fail build early if version wasn’t provided
+RUN test "$WARDEND_VERSION" != "unknown" || (echo "WARDEND_VERSION build-arg required" && exit 1)

.github/workflows/release-docker-images.yml (1)

21-55: Duplicate job definitions – use a matrix to DRY things up

release-image-amd64 and release-image-arm64 are identical except for the runner label.
A single job with a two-value matrix (runs-on) would cut the YAML in half and make future tweaks safer.

No functional issue, purely maintainability.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 63a6cd0 and 1fcfe02.

📒 Files selected for processing (8)

• .github/workflows/faucet.yml (1 hunks)
• .github/workflows/release-docker-images.yml (4 hunks)
• .github/workflows/release-wardend-binaries.yaml (1 hunks)
• .github/workflows/release-wardend.yaml (0 hunks)
• .github/workflows/wardend.yaml (1 hunks)
• .github/workflows/wardenkms.yml (1 hunks)
• cmd/wardend/Dockerfile (1 hunks)
• justfile (2 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/release-wardend.yaml

🧰 Additional context used

🧠 Learnings (2)

cmd/wardend/Dockerfile (2)

Learnt from: jlehtimaki
PR: #1240
File: .goreleaser.yaml:171-214
Timestamp: 2025-02-14T08:33:02.071Z
Learning: The --insecure flags in Docker manifest configuration for the wardend project are temporarily required and should not be flagged as an issue in code reviews.

Learnt from: backsapc
PR: #810
File: cmd/wardenkms/wardenkms.go:45-50
Timestamp: 2024-10-24T13:01:55.558Z
Learning: In the cmd/wardenkms/wardenkms.go file and the codebase, use Grpc instead of GRPC for acronym casing in type names, such as GrpcNodeConfig and GrpcNodeConfigDecoder, even though Go naming conventions suggest capitalizing acronyms.

justfile (1)

Learnt from: jlehtimaki
PR: #1240
File: .goreleaser.yaml:171-214
Timestamp: 2025-02-14T08:33:02.071Z
Learning: The --insecure flags in Docker manifest configuration for the wardend project are temporarily required and should not be flagged as an issue in code reviews.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: lint
• GitHub Check: lint
• GitHub Check: test
• GitHub Check: test
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)

🔇 Additional comments (17)

.github/workflows/wardend.yaml (1)

65-68: Workflow reference updated correctly – no further action needed

The switch to ./.github/workflows/release-docker-images.yml looks correct and keeps the app_name input intact.
No issues spotted here.

.github/workflows/wardenkms.yml (1)

60-63: Consistent migration to the new reusable workflow

The job now delegates to release-docker-images.yml, matching the other apps. Implementation looks sound.

.github/workflows/faucet.yml (1)

66-69: Release job correctly re-pointed

Reference, inputs and permissions all line up with the new multi-arch workflow. Nothing to change.

cmd/wardend/Dockerfile (2)

8-12: 👍 Efficient dependency caching introduced

Copying only go.mod / go.sum and running go mod download under a cache mount speeds up cold builds. Looks good.

---

22-23: Minor: binary stage is unused by subsequent stages

Only the runtime stage is referenced (COPY --from=build).
If the binary artefact is consumed outside the Docker build (e.g. by just release-wardend-binary), ignore this. Otherwise, consider deleting the binary stage or referencing it explicitly to avoid dead weight.

.github/workflows/release-docker-images.yml (1)

56-89: Ensure the ubuntu-24.04-arm runner is available in your org

Self-hosted and GH-hosted ARM64 runners use different labels across organisations. Verify that this exact label exists to avoid silent queue timeouts.

.github/workflows/release-wardend-binaries.yaml (6)

4-7: LGTM: Clean trigger configuration

The workflow correctly triggers on semantic version tags, which aligns with the PR objective of automating releases for version tags.

---

9-10: LGTM: Appropriate permissions

The contents: write permission is correctly scoped for uploading release assets.

---

13-41: LGTM: Well-structured amd64 build job

The build job follows GitHub Actions best practices with proper checkout, setup steps, and artifact upload. The use of fetch-depth: 0 ensures full git history for version tagging.

---

42-70: LGTM: Consistent arm64 build job

The ARM64 build job maintains consistency with the AMD64 job, using the appropriate ubuntu-24.04-arm runner for native ARM64 builds as mentioned in the PR objectives.

---

89-95: LGTM: Comprehensive release asset upload

The release publishing correctly uploads both binaries and checksums using the established softprops/action-gh-release action.

---

81-88: Checksum generation directory assumptions are valid
We confirmed that the release-wardend-binary just target always outputs its binaries into dist/ (via --output dist .), which are then uploaded in the build jobs as artifacts named binary-amd64 and binary-arm64 (path dist/*). The download step recreates those subdirectories under artifacts/, so the checksum step can reliably cd into artifacts/binary-amd64 and artifacts/binary-arm64 and run sha256sum. No changes required.

justfile (5)

40-40: LGTM: Simplified release target

The simplified release-wardend target appropriately focuses on Docker image publishing, delegating binary builds to the separate workflow.

---

64-64: LGTM: Disabled provenance and SBOM for compatibility

Disabling provenance and SBOM generation is appropriate for binary-focused builds and avoids potential compatibility issues with older Docker clients.

---

69-81: LGTM: Well-designed binary build target

The new release-wardend-binary target properly:

• Cleans the output directory
• Uses the binary build stage
• Includes the new WARDEND_VERSION argument
• Applies GitHub Actions caching
• Outputs to the expected dist directory

---

76-76: WARDEND_VERSION build argument usage confirmed

The cmd/wardend/Dockerfile correctly declares and uses WARDEND_VERSION for naming the output binary:

• Defines ARG WARDEND_VERSION="unknown"
• Uses it in COPY --from=build /dist/wardend /wardend-$WARDEND_VERSION-$TARGETOS-$TARGETARCH
• Sets ENTRYPOINT ["/wardend-$WARDEND_VERSION-$TARGETOS-$TARGETARCH"]

No changes required.

---

63-67: Investigate GitHub Actions type=gha cache limitations

The current invocation in justfile (lines 63–67) uses

--cache-from type=gha --cache-to type=gha,mode=max

Note that:

• GitHub Actions caches are scoped per workflow and generally include branch/tag in the cache key.
• There is no automatic cross-tag or cross-workflow sharing with type=gha.
• Cache size (5 GB) and retention (7–90 days) may also lead to misses.

If you require reuse of layers across different image tags or workflows, consider:

• Retaining type=gha for single-tag builds but accepting isolated caches,
• Or switching to a registry-based cache (type=registry) or custom cache keys to enable cross-tag downloads.

File needing your review:

• justfile (lines 63–67)