- Split single QEMU-based multi-platform build into parallel jobs on
native runners (ubuntu-latest for amd64, ubuntu-24.04-arm for arm64)
to fix Illegal instruction crash during npm install
- Add permissions block with contents:write to fix 403 error when
creating git tags via github-tag-action
- Move version check logic to setup job with outputs so build jobs
can be skipped when there is nothing to do
- Remove docker/metadata-action in favor of inline labels
- Compute BUILD_DATE in setup job and pass as output (not shell eval
in YAML)

* CI: Split into native per-arch build jobs to fix QEMU arm64 crash

The arm64 build was failing with 'Illegal instruction (core dumped)'
during npm install because QEMU user-mode emulation doesn't support
all arm64 instructions used by newer Node.js versions.
Split the single multi-platform build job into:
- setup: determines tags, webapp version (shared via outputs)
- build-amd64: builds on ubuntu-latest natively
- build-arm64: builds on ubuntu-24.04-arm natively (no QEMU)
- manifest: merges per-arch digests into multi-arch manifest
- comment: posts PR test instructions
Both architectures get independent Trivy scans. The amd64 and arm64
builds run in parallel so total build time should be similar or faster.
Also pins Trivy CLI to v0.69.3 to work around deleted release assets
from the Trivy supply chain attack (aquasecurity/trivy#10265).

* Address review feedback: fix BUILD_DATE, add permissions, add event fallback

- Compute BUILD_DATE in setup job and pass as output instead of using
$(date) in build-args YAML which is not evaluated at runtime
- Add explicit permissions block (contents:read, packages:write,
pull-requests:write) to limit GITHUB_TOKEN scope
- Add else fallback in tag strategy for unsupported event types

* Bump Alpine base image from 3.22.2 to 3.23.3 to clear Trivy CVEs

* Fix Trivy CVEs: upgrade systeminformation to 5.31.0 and zlib to >=1.3.2

- systeminformation 5.27.1->5.31.0: fixes CVE-2025-68154, CVE-2026-26280,
CVE-2026-26318 (command injection vulnerabilities)
- zlib 1.3.1-r2->1.3.2: fixes CVE-2026-22184 (buffer overflow in untgz)
The systeminformation fix overrides the version pinned by the webapp
upstream (5.27.10) until that repo is updated.

* Fix zlib upgrade: use apk --upgrade to ensure CVE-2026-22184 is resolved

The previous 'apk add zlib>=1.3.2' wasn't upgrading zlib because it
was already installed as a transitive dependency. Use --upgrade flag
to force apk to pull the latest available version (1.3.2-r0).

* Fix Trivy arm64 scan: set TRIVY_PLATFORM to match image architecture

Trivy defaults to linux/amd64 when resolving remote image digests.
On the arm64 build job, the pushed digest is a single-platform arm64
image, so Trivy fails with 'no child with platform linux/amd64'.
Setting TRIVY_PLATFORM=linux/arm64 resolves this.

Trivy releases v0.27.0-v0.69.1 were deleted as part of a supply chain
attack on 2026-03-01 (aquasecurity/trivy#10265). Pin the CLI version
explicitly so the action does not try to download missing assets.

Replace alphabetical tag selection with version-aware filtering to properly
identify the latest nbxyz version tag instead of selecting SHA hashes.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
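As an added example (not the project's own workflow code), a POSIX shell sketch of the two setup-job outputs described in the log above: version-aware selection of the latest `vX.Y.Z` tag, so SHA-named and other non-version refs are skipped and `sort -V` replaces alphabetical ordering, plus a BUILD_DATE computed at run time and written to `$GITHUB_OUTPUT` rather than left as a literal `$(date)` in YAML. The ref list is constructed, and the `vX.Y.Z` tag format and the output names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not the project's own code. Emulates the "setup" job step:
# pick the latest version tag with version-aware filtering and compute
# BUILD_DATE once, then publish both via $GITHUB_OUTPUT for later jobs.

# Constructed sample in `git ls-remote --tags` shape: SHA, whitespace, ref
# (real output uses a tab). A SHA-named tag, a "latest" tag and a peeled
# ref (^{}) are included because none of them may win over v1.10.0.
SAMPLE_REFS='1111111111111111111111111111111111111111 refs/tags/v1.9.2
2222222222222222222222222222222222222222 refs/tags/v1.10.0
3333333333333333333333333333333333333333 refs/tags/3333333333333333333333333333333333333333
4444444444444444444444444444444444444444 refs/tags/latest
5555555555555555555555555555555555555555 refs/tags/v1.10.0^{}
6666666666666666666666666666666666666666 refs/tags/v1.2.0'

# latest_version_tag: reads ls-remote style lines on stdin and prints the
# highest vX.Y.Z tag. Plain `sort` would rank v1.9.2 above v1.10.0; `sort -V`
# (GNU/BusyBox) compares each numeric component. Anything that is not a
# strict vX.Y.Z name (SHAs, "latest", peeled refs) is dropped by the grep.
latest_version_tag() {
    sed -n 's|^[0-9a-f]*[[:space:]]*refs/tags/||p' \
        | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
        | sort -V \
        | tail -n 1
}

# build_date: a single UTC timestamp evaluated when the job runs, unlike a
# literal "$(date)" inside a YAML build-args value, which is passed verbatim.
build_date() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# write_outputs: append key=value lines to the GITHUB_OUTPUT file so other
# jobs can read needs.setup.outputs.<key>. Uses a temp file when run offline.
# Prints the path of the file that was written.
write_outputs() {
    out="${GITHUB_OUTPUT:-$(mktemp)}"
    tag="$(printf '%s\n' "$SAMPLE_REFS" | latest_version_tag)"
    printf 'webapp_version=%s\nbuild_date=%s\n' "$tag" "$(build_date)" >> "$out"
    echo "$out"
}
```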