Use correct platform for container_push pusher binary (#2372)

Summary: Use correct platform for `container_push` pusher binary

I'm not sure why upstream switched this to
[target](bazelbuild/rules_docker@e48c7cc),
but this fails on our current GitHub runners ([build
link](https://github.com/pixie-io/pixie/actions/runs/25715727034/job/75507683014)):
```
Target //k8s/vizier:vizier_images_push up-to-date:
  bazel-bin/k8s/vizier/vizier_images_push
INFO: Elapsed time: 817.792s, Critical Path: 223.45s
INFO: 5492 processes: 430 remote cache hit, 48 internal, 5014 processwrapper-sandbox.
INFO: Build completed successfully, 5492 total actions
INFO:
INFO: Running command line: bazel-bin/k8s/vizier/vizier_images_push
INFO: Streaming build results to: https://app.buildbuddy.io/invocation/27eff3a9-fc64-4408-8ca4-1c57014fb23d
/github/home/.cache/bazel/_bazel_root/56ec069a32c4abebc78228236a835895/execroot/px/bazel-out/k8-opt/bin/k8s/vizier/vizier_images_push.runfiles/px/k8s/vizier/vizier_images_push.0.push: line 31: /github/home/.cache/bazel/_bazel_root/56ec069a32c4abebc78228236a835895/execroot/px/bazel-out/k8-opt/bin/k8s/vizier/vizier_images_push.runfiles/px/../io_bazel_rules_docker/container/go/cmd/pusher/pusher_/pusher: cannot execute binary file: Exec format error
```

Relevant Issues: N/A

Type of change: /kind bugfix

Test Plan: vizier-release job tested with a similar change. I
ccidentally used `cfg = "host"` on the latest build but should have same
effect.

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
GitOrigin-RevId: ce0f158

Author: ddelnano

.github/workflows/cli_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-vm-16cpu-64gb-x86-64
+    runs-on: oracle-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read
@@ -24,7 +24,8 @@ jobs:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
     env:
       ARTIFACT_UPLOAD_LOG: "artifact_uploads.json"
-      MANIFEST_UPDATES: "manifest_updates.json"
+      # When macOS signing is enabled, push-signed-artifacts owns the manifest update.
+      MANIFEST_UPDATES: ${{ vars.ENABLE_MACOS_SIGNING == 'true' && '' || 'manifest_updates.json' }}
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
@@ -41,31 +42,36 @@ jobs:
         # With some kernel configs (eg. COS), podman only works with legacy iptables.
         update-alternatives --set iptables /usr/sbin/iptables-legacy
         update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
-    - name: Login to GHCR
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ github.token }}
     - name: Import GPG key
       env:
         BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
+    - name: Login to GHCR
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
     - name: Build & Push Artifacts
       env:
         REF: ${{ github.event.ref }}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         BUILD_NUMBER: ${{ github.run_attempt }}
         JOB_NAME: ${{ github.job }}
+        GH_REPO: ${{ github.repository }}
+        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"
         mkdir -p "artifacts/"
         export ARTIFACTS_DIR="$(realpath artifacts/)"
         ./ci/save_version_info.sh
         ./ci/cli_build_release.sh
+    # Despite the name, linux-artifacts also contains the unsigned darwin
+    # binaries (cli_darwin_{amd64,arm64}_unsigned). sign-release downloads
+    # this artifact to feed cli_merge_sign.sh.
     - name: Upload Github Artifacts
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
@@ -75,14 +81,101 @@ jobs:
       with:
         name: artifact-upload-log
         path: ${{ env.ARTIFACT_UPLOAD_LOG }}
+    - if: vars.ENABLE_MACOS_SIGNING != 'true'
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      with:
+        name: manifest-updates
+        path: manifest_updates.json
+  sign-release:
+    name: Sign Release for MacOS
+    if: vars.ENABLE_MACOS_SIGNING == 'true'
+    runs-on: macos-latest
+    needs: build-release
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        fetch-depth: 0
+    - name: Add pwd to git safe dir
+      run: git config --global --add safe.directory `pwd`
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+      with:
+        name: linux-artifacts
+        path: artifacts/
+    - name: Install gon
+      run: brew install Bearer/tap/gon
+    - name: Sign CLI release
+      env:
+        REF: ${{ github.event.ref }}
+        AC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+        KEYCHAIN_PASSWORD: ${{ secrets.APPLE_KEYCHAIN_PASSWORD }}
+        CERT_BASE64: ${{ secrets.APPLE_SIGN_CERT_B64 }}
+        CERT_PASSWORD: ${{ secrets.APPLE_SIGN_CERT_PASSWORD }}
+      shell: bash
+      run: |
+        export CERT_PATH="pixie.cert"
+        echo -n "$CERT_BASE64" | base64 --decode -o "$CERT_PATH"
+        export TAG_NAME="${REF#*/tags/}"
+        export ARTIFACTS_DIR="$(pwd)/artifacts"
+        ./ci/cli_merge_sign.sh
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      with:
+        name: macos-artifacts
+        path: artifacts/
+  push-signed-artifacts:
+    name: Push Signed Artifacts for MacOS
+    if: vars.ENABLE_MACOS_SIGNING == 'true'
+    runs-on: ubuntu-latest
+    needs: [get-dev-image, sign-release]
+    container:
+      image: ${{ needs.get-dev-image.outputs.image-with-tag }}
+    env:
+      MANIFEST_UPDATES: "manifest_updates.json"
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        fetch-depth: 0
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+      with:
+        name: macos-artifacts
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+      with:
+        name: artifact-upload-log
+    - name: Import GPG key
+      env:
+        BUILDBOT_GPG_KEY_B64: ${{ secrets.BUILDBOT_GPG_KEY_B64 }}
+      run: |
+        echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
+    - name: Add pwd to git safe dir
+      run: |
+        git config --global --add safe.directory `pwd`
+    - name: Upload signed CLI
+      env:
+        REF: ${{ github.event.ref }}
+        BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
+        ARTIFACT_UPLOAD_LOG: "artifact_uploads.json"
+        GH_REPO: ${{ github.repository }}
+      shell: bash
+      run: |
+        export TAG_NAME="${REF#*/tags/}"
+        mkdir -p "artifacts/"
+        export ARTIFACTS_DIR="$(pwd)/artifacts"
+        ./ci/cli_upload_signed.sh
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      with:
+        name: macos-signed-artifacts
+        path: artifacts/
     - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: manifest-updates
         path: ${{ env.MANIFEST_UPDATES }}
   create-github-release:
     name: Create Release on Github
     runs-on: ubuntu-latest
-    needs: build-release
+    needs: [build-release, push-signed-artifacts]
+    if: |
+      always() &&
+      needs.build-release.result == 'success' &&
+      (needs.push-signed-artifacts.result == 'success' || needs.push-signed-artifacts.result == 'skipped')
     permissions:
       contents: write
     steps:
@@ -107,9 +200,16 @@ jobs:
         gh release create "${TAG_NAME}" "${prerelease[@]}" \
           --title "CLI ${TAG_NAME#release/cli/}" \
           --notes $'Pixie CLI Release:\n'"${changelog}"
-        gh release upload "${TAG_NAME}" linux-artifacts/*
+        shopt -s nullglob
+        upload_paths=(linux-artifacts/*)
+        if [[ -d macos-artifacts ]]; then
+          upload_paths+=(macos-artifacts/*)
+        fi
+        gh release upload "${TAG_NAME}" "${upload_paths[@]}"
   update-gh-artifacts-manifest:
-    runs-on: oracle-vm-16cpu-64gb-x86-64
+    if: |
+      always() && needs.create-github-release.result == 'success'
+    runs-on: oracle-8cpu-32gb-x86-64
     needs: [get-dev-image, create-github-release]
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
@@ -138,8 +238,8 @@ jobs:
       env:
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
       run: |
-        git config --global user.name 'k8sstormcenter-buildbot'
-        git config --global user.email 'info@fusioncore.ai'
+        git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}"
+        git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}"
         git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}"
         git config --global commit.gpgsign true
     - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0

.github/workflows/cloud_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-vm-16cpu-64gb-x86-64
+    runs-on: oracle-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read
@@ -39,7 +39,11 @@ jobs:
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
     - name: Login to GHCR
-      run: echo "${{ github.token }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
     - name: Build & Push Artifacts
       env:
         REF: ${{ github.event.ref }}
@@ -49,6 +53,8 @@ jobs:
         COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
         COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
+        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
+        GH_REPO: ${{ github.repository }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"
@@ -76,8 +82,7 @@ jobs:
       env:
         REF: ${{ github.event.ref }}
         GH_TOKEN: ${{ secrets.BUILDBOT_GH_API_TOKEN }}
-        OWNER: pixie-io
-        REPO: pixie
+        GH_REPO: ${{ github.repository }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"

.github/workflows/filename_linter.yaml

@@ -0,0 +1,27 @@
+---
+name: 'filename-linter'
+on:
+  pull_request:
+permissions:
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.event.pull_request.number || github.run_id }}
+  cancel-in-progress: true
+jobs:
+  check-files-changed:
+    permissions:
+      contents: read
+      pull-requests: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36  # v3.0.2
+      id: changes
+      with:
+        filters: |
+          private:
+          - '**/*private*/**'
+          - '**/*private*'
+    - name: Fail on private
+      if: ${{ steps.changes.outputs.private == 'true' }}
+      run: echo "This repo disallows dirnames or filenames with 'private' in it." && exit 1

.github/workflows/operator_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-vm-16cpu-64gb-x86-64
+    runs-on: oracle-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read
@@ -42,7 +42,11 @@ jobs:
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
     - name: Login to GHCR
-      run: echo "${{ github.token }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
     - name: Build & Push Artifacts
       env:
         REF: ${{ github.event.ref }}
@@ -52,6 +56,7 @@ jobs:
         COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
         GH_REPO: ${{ github.repository }}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
+        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"
@@ -120,8 +125,8 @@ jobs:
       env:
         GIT_SSH_COMMAND: "ssh -i /tmp/ssh.key"
       run: |
-        git config --global user.name 'k8sstormcenter-buildbot'
-        git config --global user.email 'info@fusioncore.ai'
+        git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}"
+        git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}"
     - name: Push Helm YAML to gh-pages
       shell: bash
       env:
@@ -135,7 +140,7 @@ jobs:
         git commit -s -m "Release Helm chart ${VERSION}"
         git push origin "gh-pages"
   update-gh-artifacts-manifest:
-    runs-on: oracle-vm-16cpu-64gb-x86-64
+    runs-on: oracle-8cpu-32gb-x86-64
     needs: [get-dev-image, create-github-release]
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
@@ -164,8 +169,8 @@ jobs:
       env:
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
       run: |
-        git config --global user.name 'k8sstormcenter-buildbot'
-        git config --global user.email 'info@fusioncore.ai'
+        git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}"
+        git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}"
         git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}"
         git config --global commit.gpgsign true
     - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0

.github/workflows/vizier_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-vm-16cpu-64gb-x86-64
+    runs-on: oracle-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read
@@ -42,7 +42,11 @@ jobs:
       run: |
         echo "${BUILDBOT_GPG_KEY_B64}" | base64 --decode | gpg --no-tty --batch --import
     - name: Login to GHCR
-      run: echo "${{ github.token }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3.7.0
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ github.token }}
     - name: Build & Push Artifacts
       env:
         REF: ${{ github.event.ref }}
@@ -52,6 +56,7 @@ jobs:
         COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
         GH_REPO: ${{ github.repository }}
+        IMAGE_REPO: ${{ vars.IMAGE_REPO || 'ghcr.io/pixie-io' }}
       shell: bash
       run: |
         export TAG_NAME="${REF#*/tags/}"
@@ -120,8 +125,8 @@ jobs:
       env:
         GIT_SSH_COMMAND: "ssh -i /tmp/ssh.key"
       run: |
-        git config --global user.name 'k8sstormcenter-buildbot'
-        git config --global user.email 'info@fusioncore.ai'
+        git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}"
+        git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}"
     - name: Push Helm YAML to gh-pages
       shell: bash
       env:
@@ -135,7 +140,7 @@ jobs:
         git commit -s -m "Release Helm chart Vizier ${VERSION}"
         git push origin "gh-pages"
   update-gh-artifacts-manifest:
-    runs-on: oracle-vm-16cpu-64gb-x86-64
+    runs-on: oracle-8cpu-32gb-x86-64
     needs: [get-dev-image, create-github-release]
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
@@ -164,8 +169,8 @@ jobs:
       env:
         BUILDBOT_GPG_KEY_ID: ${{ secrets.BUILDBOT_GPG_KEY_ID }}
       run: |
-        git config --global user.name 'k8sstormcenter-buildbot'
-        git config --global user.email 'info@fusioncore.ai'
+        git config --global user.name "${{ vars.BUILDBOT_NAME || 'pixie-io-buildbot' }}"
+        git config --global user.email "${{ vars.BUILDBOT_EMAIL || 'build@pixielabs.ai' }}"
         git config --global user.signingkey "${BUILDBOT_GPG_KEY_ID}"
         git config --global commit.gpgsign true
     - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0