ci(docker): publish multi-arch image with native runners (#1768)

* ci(docker): build linux/arm64 on a native runner instead of qemu

The publish workflow has been broken since the Node 24 bump (#1767). The
arm64 leg ran under qemu-user on the amd64 runner and crashed with
SIGILL (exit 132) inside `npm ci` - V8 13's JIT emits Arm v8.x
instructions that the runner's binfmt qemu cannot decode.

Switch to the docker/build-push-action multi-platform pattern:
  - Matrix per architecture, each on its native runner. amd64 stays on
    `ubuntu-latest`; arm64 moves to the free `ubuntu-24.04-arm` runner
    GitHub now provides for public repos. Both per-arch jobs push
    blob-only `push-by-digest` images so they never compete for shared
    tags.
  - A `merge` job downloads both digests and stitches them into the
    `:latest` and `:<sha>` manifest list with `docker buildx imagetools
    create`, reproducing the previous tag set.

Also add per-arch GHA cache scopes so the two legs do not invalidate
each other.

Temporarily includes `chore/native-arm-publish` in the push trigger so
the workflow can be validated end-to-end before the entry is removed
and the change is opened for review.

* ci(docker): drop temp branch trigger and keep raw SHA tag format

Validation run on chore/native-arm-publish (run 24660044323) succeeded
end-to-end - both per-arch builds passed on their native runners and the
merge job pushed the manifest list to Docker Hub. Remove the temporary
push trigger so the workflow only runs on master, and override the
metadata-action sha prefix so the SHA tag stays bare (matching the
previous github.sha tag format).

* ci(docker): pin docker/* actions to commit SHAs

SonarCloud's githubactions:S7637 ("Use full commit SHA hash for this
dependency") flagged the three docker/* uses in the new merge job
introduced by this PR. Pin all docker/setup-buildx-action,
docker/login-action, docker/metadata-action, and docker/build-push-action
invocations in both the build matrix and the merge job to their resolved
commit SHAs (with the version comment preserved for human readability),
matching the cypress-io/github-action pinning style #1767 already
established in build.yaml. The actions/* invocations stay on tags - S7637
exempts the first-party github-maintained actions.

Author: confuser

.github/workflows/deploy_docker.yaml

@@ -6,40 +6,119 @@ on:
       - master
 
 jobs:
-  push_to_registry:
-    name: Push Docker image to Docker Hub
-    runs-on: ubuntu-latest
+  # Build each platform on its own native runner. Building linux/arm64 under
+  # qemu-user on an amd64 runner has been broken since the Node 24 bump
+  # (qemu raises SIGILL on Arm v8.x instructions emitted by V8's JIT, exit
+  # 132). GitHub provides free `ubuntu-24.04-arm` runners for public repos,
+  # so we can build natively on each arch and stitch the results together
+  # into a manifest list in the merge job below. Pattern lifted from the
+  # docker/build-push-action multi-platform docs.
+  build:
+    name: Build ${{ matrix.platform }}
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            arch: amd64
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            arch: arm64
     steps:
       - name: Check out the repo
         uses: actions/checkout@v6
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Extract metadata (tags, labels) for Docker
+      - name: Extract metadata (labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: banmanagement/webui
 
-      - name: Build and push multi-platform Docker image
-        uses: docker/build-push-action@v6
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            banmanagement/webui:${{ github.sha }}
-            banmanagement/webui:latest
+          platforms: ${{ matrix.platform }}
           labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          # push-by-digest avoids touching shared tags from per-arch jobs;
+          # the merge job below produces the actual `:latest` / `:<sha>`
+          # manifest list referencing both digests.
+          outputs: type=image,name=banmanagement/webui,push-by-digest=true,name-canonical=true,push=true
+          # Per-arch cache scope so amd64 and arm64 do not stomp on each
+          # other's layer caches.
+          cache-from: type=gha,scope=${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest='${{ steps.build.outputs.digest }}'
+          # The digest output is `sha256:<hex>`; the merge job wants just
+          # the hex (and to find the file in /tmp/digests).
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    name: Merge into manifest
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract metadata (tags) for Docker
+        id: meta
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        with:
+          images: banmanagement/webui
+          # Reproduce the previous workflow's tag set verbatim:
+          #   - `latest` on default branch
+          #   - the full commit SHA with no `sha-` prefix (the previous
+          #     workflow used `${{ github.sha }}` directly)
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=sha,format=long,prefix=
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create \
+            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'banmanagement/webui@sha256:%s ' *)
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect \
+            "banmanagement/webui:$(jq -r '.tags[0] | split(":")[1]' <<< "$DOCKER_METADATA_OUTPUT_JSON")"