From 1c2ef64388d86cad1843a68af8f595916147c191 Mon Sep 17 00:00:00 2001 From: Vaishnav88sk Date: Mon, 25 May 2026 00:03:54 +0530 Subject: [PATCH 1/2] feat: Add native container build step for proxy (#124) Adds a new step to the GitHub Actions workflow to build a GraalVM native binary for the proxy module utilizing mandrel in a container, and publishes it securely using cosign. Signed-off-by: Vaishnav88sk --- .github/workflows/build-containers.yml | 30 ++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml index d5badfe..0e2d332 100644 --- a/.github/workflows/build-containers.yml +++ b/.github/workflows/build-containers.yml @@ -106,6 +106,25 @@ jobs: org.opencontainers.image.created=${{ steps.date.outputs.date }} tags: quay.io/reshapr/reshapr-ui:${{env.IMAGE_TAG}},docker.io/reshapr/reshapr-ui:${{env.IMAGE_TAG}} + - name: Build proxy native executable + run: mvn -B -DskipTests package -Pnative -Dquarkus.native.container-build=true -pl proxy + + - name: Build and push container image for native proxy + id: build-and-push-proxy-native + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + with: + context: ${{github.workspace}}/proxy + sbom: true + push: true + provenance: mode=max + platforms: linux/amd64 + builder: buildx-multi-arch + file: proxy/src/main/docker/Dockerfile.native-micro + labels: | + org.opencontainers.image.revision=${GITHUB_SHA} + org.opencontainers.image.created=${{ steps.date.outputs.date }} + tags: quay.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}},docker.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}} + - name: Sign the control plane image with GitHub OIDC Token env: DIGEST: ${{ steps.build-and-push-ctrl.outputs.digest }} 
@@ -132,6 +151,17 @@ jobs: env: DIGEST: ${{ steps.build-and-push-ui.outputs.digest }} TAGS: quay.io/reshapr/reshapr-ui:${{env.IMAGE_TAG}} docker.io/reshapr/reshapr-ui:${{env.IMAGE_TAG}} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --new-bundle-format=false --use-signing-config=false --yes ${images} + + - name: Sign the native proxy image with GitHub OIDC Token + env: + DIGEST: ${{ steps.build-and-push-proxy-native.outputs.digest }} + TAGS: quay.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}} docker.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}} run: | images="" for tag in ${TAGS}; do From f3bc92381e512839fa71609dee88c264986c8ae8 Mon Sep 17 00:00:00 2001 From: Vaishnav88sk Date: Tue, 26 May 2026 18:15:29 +0530 Subject: [PATCH 2/2] ci: Implement multi-arch native container builds Extracts the native proxy build from the standard container build workflow and puts it into a dedicated, parallel workflow that uses matrix builds across native amd64 and arm64 runners to avoid slow QEMU emulation. It builds, pushes, and then stitches them together with a docker manifest. Signed-off-by: Vaishnav88sk --- .github/workflows/build-containers.yml | 30 ----- .github/workflows/build-native-containers.yml | 120 ++++++++++++++++++ .github/workflows/build-verify.yml | 13 ++ 3 files changed, 133 insertions(+), 30 deletions(-) create mode 100644 .github/workflows/build-native-containers.yml diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml index 0e2d332..7c0b41f 100644 --- a/.github/workflows/build-containers.yml +++ b/.github/workflows/build-containers.yml 
@@ -106,24 +106,6 @@ jobs: org.opencontainers.image.created=${{ steps.date.outputs.date }} tags: quay.io/reshapr/reshapr-ui:${{env.IMAGE_TAG}},docker.io/reshapr/reshapr-ui:${{env.IMAGE_TAG}} - - name: Build proxy native executable - run: mvn -B -DskipTests package -Pnative -Dquarkus.native.container-build=true -pl proxy - - - name: Build and push container image for native proxy - id: build-and-push-proxy-native - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 - with: - context: ${{github.workspace}}/proxy - sbom: true - push: true - provenance: mode=max - platforms: linux/amd64 - builder: buildx-multi-arch - file: proxy/src/main/docker/Dockerfile.native-micro - labels: | - org.opencontainers.image.revision=${GITHUB_SHA} - org.opencontainers.image.created=${{ steps.date.outputs.date }} - tags: quay.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}},docker.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}} - name: Sign the control plane image with GitHub OIDC Token env: @@ -146,7 +128,6 @@ jobs: images+="${tag}@${DIGEST} " done cosign sign --new-bundle-format=false --use-signing-config=false --yes ${images} - - name: Sign the web-ui image with GitHub OIDC Token env: DIGEST: ${{ steps.build-and-push-ui.outputs.digest }} @@ -157,14 +138,3 @@ jobs: images+="${tag}@${DIGEST} " done cosign sign --new-bundle-format=false --use-signing-config=false --yes ${images} - - - name: Sign the native proxy image with GitHub OIDC Token - env: - DIGEST: ${{ steps.build-and-push-proxy-native.outputs.digest }} - TAGS: quay.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}} docker.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}} - run: | - images="" - for tag in ${TAGS}; do - images+="${tag}@${DIGEST} " - done - cosign sign --new-bundle-format=false --use-signing-config=false --yes ${images} \ No newline at end of file 
diff --git a/.github/workflows/build-native-containers.yml b/.github/workflows/build-native-containers.yml
new file mode 100644
index 0000000..1201032
--- /dev/null
+++ b/.github/workflows/build-native-containers.yml
@@ -0,0 +1,120 @@
+name: build-native-container-images
+on:
+ workflow_call:
+ inputs:
+ image-tag:
+ description: 'The tag to use for the images'
+ required: true
+ type: string
+
+jobs:
+ build-native-containers:
+ if: github.repository_owner == 'reshaprio' && inputs.image-tag != ''
+ environment: Build
+ strategy:
+ matrix:
+ os: [ ubuntu-latest, ubuntu-24.04-arm ]
+ arch: [ amd64, arm64 ]
+ exclude:
+ - os: ubuntu-latest
+ arch: arm64
+ - os: ubuntu-24.04-arm
+ arch: amd64
+ runs-on: ${{ matrix.os }}
+ permissions:
+ contents: read
+ packages: write
+ id-token: write # needed for signing the images with GitHub OIDC Token
+
+ steps:
+ - name: Get current date
+ id: date
+ run: echo "date=$(date +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+ - name: Checkout Code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Set up JDK 25
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+ with:
+ java-version: '25'
+ distribution: 'temurin'
+ architecture: x64
+ cache: maven
+
+ - name: Build Java components
+ run: mvn -B -DskipTests clean install
+
+ - name: Set IMAGE_TAG environment from input
+ run: |
+ set -x
+ echo "IMAGE_TAG=${{ inputs.image-tag }}" >> "$GITHUB_ENV"
+
+ - name: Login to Quay.io and Docker Hub registries
+ run: |
+ echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
+ echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin docker.io
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+ - name: Build proxy native executable
+ run: mvn -B -DskipTests package -Pnative -Dquarkus.native.container-build=true -pl proxy
+
+ - name: Build and push container image for native proxy
+ id: build-and-push-proxy-native
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ with:
+ context: ${{github.workspace}}/proxy
+ sbom: true
+ push: true
+ provenance: mode=max
+ platforms: linux/${{ matrix.arch }}
+ file: proxy/src/main/docker/Dockerfile.native-micro
+ labels: |
+ org.opencontainers.image.revision=${GITHUB_SHA}
+ org.opencontainers.image.created=${{ steps.date.outputs.date }}
+ tags: quay.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}}-${{ matrix.arch }},docker.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}}-${{ matrix.arch }}
+
+ manifest-creation:
+ needs: build-native-containers
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write # needed for signing the images with GitHub OIDC Token
+ steps:
+ - name: Set IMAGE_TAG environment from input
+ run: |
+ set -x
+ echo "IMAGE_TAG=${{ inputs.image-tag }}" >> "$GITHUB_ENV"
+
+ - name: Login to Quay.io and Docker Hub registries
+ run: |
+ echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
+ echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin docker.io
+
+ - name: Create docker manifests
+ run: |
+ docker manifest create quay.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }} \
+ -a quay.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}-amd64 \
+ -a quay.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}-arm64
+ docker manifest push quay.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}
+
+ docker manifest create docker.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }} \
+ -a docker.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}-amd64 \
+ -a docker.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}-arm64
+ docker manifest push docker.io/reshapr/reshapr-proxy-native:${{ env.IMAGE_TAG }}
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+
+ - name: Sign the native proxy images with GitHub OIDC Token
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ COSIGN_YES: "true"
+ TAGS: quay.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}} docker.io/reshapr/reshapr-proxy-native:${{env.IMAGE_TAG}}
+ run: |
+ for tag in ${TAGS}; do
+ cosign sign --new-bundle-format=false --use-signing-config=false --yes ${tag}
+ done
diff --git a/.github/workflows/build-verify.yml b/.github/workflows/build-verify.yml
index 75ef772..8ed4a06 100644
--- a/.github/workflows/build-verify.yml
+++ b/.github/workflows/build-verify.yml
@@ -74,3 +74,16 @@ jobs: image-tag: ${{ needs.build-install.outputs.image-tag }} secrets: inherit
+ native-container-images-build:
+ needs:
+ - build-install
+ if: github.repository_owner == 'reshaprio' && needs.build-install.outputs.package-image == 'true' && github.event_name != 'pull_request'
+ permissions:
+ contents: read
+ packages: write
+ id-token: write # needed for signing the images with GitHub OIDC Token
+ uses: ./.github/workflows/build-native-containers.yml
+ with:
+ image-tag: ${{ needs.build-install.outputs.image-tag }}
+ secrets: inherit
+
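Review bot: The signing step of `manifest-creation` runs `cosign sign ... ${tag}` on the bare `quay.io/reshapr/reshapr-proxy-native:${IMAGE_TAG}` and docker.io tags, so cosign resolves the tag at signing time and the signature attaches to whatever the tag points to then, whereas the control-plane and web-ui steps in build-containers.yml sign `${tag}@${DIGEST}`; `docker manifest push` prints the digest of the list it pushed, so capture it in the manifest step and sign the digest reference, as sketched below. The per-arch images pushed by the matrix job are never signed even though `steps.build-and-push-proxy-native.outputs.digest` is available there and the job requests `id-token: write`; either sign them in that job with the same digest-based step or drop `id-token: write` (and `packages: write`, since nothing here pushes to GHCR) from `build-native-containers` and its caller in build-verify.yml. `architecture: x64` in the setup-java step also applies to the `ubuntu-24.04-arm` leg of the matrix, which asks for an x64 JDK on an arm64 runner; removing the key lets setup-java default to the runner's architecture. Both login steps and both IMAGE_TAG steps expand `${{ secrets.* }}` and `${{ inputs.image-tag }}` straight into the shell script; pass them through `env:` and use quoted shell variables instead (e.g. `echo "$QUAY_PASSWORD" | docker login -u "$QUAY_USERNAME" --password-stdin quay.io`), and drop `set -x` from the step that echoes the input. If QUAY_PASSWORD and the other registry credentials are environment secrets of `Build`, `manifest-creation` will not receive them because it carries no `environment:` line.
```yaml
      - name: Create docker manifests
        run: |
          images=""
          for registry in quay.io docker.io; do
            image="${registry}/reshapr/reshapr-proxy-native:${IMAGE_TAG}"
            docker manifest create "${image}" -a "${image}-amd64" -a "${image}-arm64"
            # docker manifest push prints the digest of the pushed manifest list
            images+="${image}@$(docker manifest push "${image}") "
          done
          echo "IMAGES=${images}" >> "$GITHUB_ENV"

      # … unchanged: Install Cosign step …

      - name: Sign the native proxy images with GitHub OIDC Token
        run: |
          for image in ${IMAGES}; do
            cosign sign --new-bundle-format=false --use-signing-config=false --yes "${image}"
          done
```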