From 270c55d70253308cf0039f560e89f577aaacb0e4 Mon Sep 17 00:00:00 2001
From: Andy Carlson <2yinyang2@gmail.com>
Date: Sun, 22 Feb 2026 20:21:12 +0100
Subject: [PATCH] non-multi-arch images now fail with clear error

---
 internal/worker/worker.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/internal/worker/worker.go b/internal/worker/worker.go
index d60e49d..0fc6320 100644
--- a/internal/worker/worker.go
+++ b/internal/worker/worker.go
@@ -381,6 +381,22 @@ func (w *Worker) pullImage(ctx context.Context, imageName string, authStr string
 	if _, err = io.Copy(io.Discard, reader); err != nil {
 		return fmt.Errorf("failed to read image pull output: %w", err)
 	}
+
+	// Verify the pulled image matches the host platform. Docker may pull an image for a different
+	// architecture then what is specified in image.PullOptions.Platform
+	// See: https://github.com/moby/moby/pull/42325
+	inspect, err := w.dockerClient.ImageInspect(ctx, imageName)
+	if err != nil {
+		return fmt.Errorf("failed to inspect pulled image %s: %w", imageName, err)
+	}
+	imagePlatform := fmt.Sprintf("%s/%s", inspect.Os, inspect.Architecture)
+	if imagePlatform != w.platform {
+		return fmt.Errorf(
+			"image %s is for platform %s, but this worker requires %s",
+			imageName, imagePlatform, w.platform,
+		)
+	}
+
 	log.Infof(ctx, "Successfully pulled image: %s", imageName)
 	return nil
 }