ci: use arm runners when available #428

Open
fzipi wants to merge 2 commits into main from ci/use-arm-when-available

Conversation

@fzipi (Member) commented May 19, 2026

what

  • use arm runners when building the arm version

why

  • GH has support for ARM runners now
  • Check more platforms when building

Summary by CodeRabbit

Release Notes

  • Chores
    • Enhanced multi-platform build infrastructure with dynamic runner selection and platform-specific image generation for Docker builds.
    • Added automated integrity verification for configuration files in the build workflow.


Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
@fzipi fzipi requested a review from theseion May 19, 2026 11:40
@fzipi fzipi added the enhancement New feature or request label May 19, 2026
@coderabbitai Bot commented May 19, 2026

Warning

Rate limit exceeded

@fzipi has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 58 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: eefff62c-fe32-4120-b5eb-9f66b86a4754

📥 Commits

Reviewing files that changed from the base of the PR and between 10bc6e4 and c22f4c6.

📒 Files selected for processing (1)
  • .github/workflows/verifyimage.yml
Walkthrough

Both .github/workflows/publish.yml and .github/workflows/verifyimage.yml are updated to propagate Docker platform targets through the build matrix. Matrix generation now includes a platforms field, runner selection becomes conditional on platform type (ARM-specific runners for linux/arm*, standard for others), and bake configurations use the matrix platform value instead of defaults. The verify workflow adds modsecurity checksum validation in the prepare phase.

Changes

Platform-Aware Docker Build Matrix

| Layer / File(s) | Summary |
|---|---|
| Publish workflow platform matrix and image signing (.github/workflows/publish.yml) | Matrix generation includes platforms field and conditionally selects ubuntu-24.04-arm for ARM platforms; Docker bake receives platform via *.platform configuration; build artifacts are signed using cosign. |
| Verify workflow platform matrix, validation, and platform-specific builds (.github/workflows/verifyimage.yml) | Matrix generation includes platforms field; prepare job downloads and validates modsecurity.conf-recommended checksum; runner conditionally selects ARM image for ARM platforms; Docker bake verification uses dynamic ${{ matrix.platforms }} instead of hard-coded linux/amd64. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • theseion

Poem

🐰 Platforms dance in the matrix now,
ARM and x86 take their bow,
From prepare to bake, each step aligned,
The checksums verified, the builds refined,
With cosign sealing the trusted kind!

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | Passed | The title 'ci: use arm runners when available' directly summarizes the main change: updating CI workflows to use ARM runners for ARM platform builds. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai Bot left a comment

Actionable comments posted: 1

Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In @.github/workflows/verifyimage.yml:

- Line 37: The "Install go-ftw" step currently hardcodes ftw_2.1.0_linux_amd64.tar.gz; make the download architecture-aware by selecting ftw_2.1.0_linux_arm64.tar.gz when running on ARM (e.g., when matrix.platforms contains "arm" or using runner.arch/startsWith(matrix.platforms,'linux/arm')) and ftw_2.1.0_linux_amd64.tar.gz otherwise. Update the step that constructs the download URL (the "Install go-ftw" step and any variable like the tarball name or URL) to use this conditional so ARM runners get ftw_2.1.0_linux_arm64.tar.gz while x86 keeps ftw_2.1.0_linux_amd64.tar.gz.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 56e0c01d-07c5-46ed-a61e-45e82efb6d5d

📥 Commits

Reviewing files that changed from the base of the PR and between 9df7fe7 and 10bc6e4.

📒 Files selected for processing (2)
  • .github/workflows/publish.yml
  • .github/workflows/verifyimage.yml
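An added illustration of the two points the bot raises (not the PR's own diff, which this page does not show): a runs-on keyed on the matrix platform, and an "Install go-ftw" step that picks the tarball by architecture and pins a checksum per artifact. The runner label ubuntu-24.04-arm, the tarball names and version 2.1.0 come from the page; the ubuntu-latest fallback, the go-ftw release URL base, the binary name inside the tarball and the sha256 placeholders are assumptions.

```yaml
jobs:
  verify:
    needs: prepare
    strategy:
      matrix:
        # Constructed example matrix; the PR generates the platforms field dynamically.
        platforms: ["linux/amd64", "linux/arm64"]
    # ARM platforms go to GitHub's ARM runner (label from the page); everything else
    # stays on the default x86 runner (ubuntu-latest is an assumed fallback).
    runs-on: ${{ startsWith(matrix.platforms, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
    steps:
      - name: Install go-ftw
        env:
          FTW_VERSION: "2.1.0"
          # runner.arch is ARM64 on the ARM runner and X64 on the default runner.
          FTW_ARCH: ${{ runner.arch == 'ARM64' && 'arm64' || 'amd64' }}
          # One pinned checksum per artifact, so a swapped tarball fails the build.
          # Placeholder values; fill in from the release's published checksums.
          FTW_SHA256_AMD64: "<sha256-of-ftw_2.1.0_linux_amd64.tar.gz>"
          FTW_SHA256_ARM64: "<sha256-of-ftw_2.1.0_linux_arm64.tar.gz>"
        run: |
          set -euo pipefail
          tarball="ftw_${FTW_VERSION}_linux_${FTW_ARCH}.tar.gz"
          # Release URL base is an assumption about where go-ftw tarballs are published.
          curl -fsSL -o "$tarball" \
            "https://github.com/coreruleset/go-ftw/releases/download/v${FTW_VERSION}/${tarball}"
          if [ "$FTW_ARCH" = "arm64" ]; then
            expected="$FTW_SHA256_ARM64"
          else
            expected="$FTW_SHA256_AMD64"
          fi
          # sha256sum -c exits non-zero on mismatch, which aborts the job under set -e.
          echo "${expected}  ${tarball}" | sha256sum -c -
          tar -xzf "$tarball"
          sudo install -m 0755 ftw /usr/local/bin/ftw   # binary name inside the tarball is assumed
      - name: Verify image for this platform
        # Bake gets the platform from the matrix instead of a hard-coded linux/amd64.
        run: docker buildx bake --set "*.platform=${{ matrix.platforms }}"
```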
