Add arm64 support to container image builds

.github/aw/actions-lock.json

@@ -150,6 +150,11 @@
       "version": "v3.12.0",
       "sha": "8d2750c68a42422c14e847fe6c8ac0403b4cbd6f"
     },
+    "docker/setup-qemu-action@v3": {
+      "repo": "docker/setup-qemu-action",
+      "version": "v3",
+      "sha": "c7c53464625b32c7a7e944ae62b3e17d2b600130"
+    },
     "erlef/setup-beam@v1": {
       "repo": "erlef/setup-beam",
       "version": "v1.20.4",

.github/workflows/ci.yml

@@ -1773,11 +1773,23 @@ jobs:
       - name: Build Linux binary for Alpine
         run: make build-linux
 
+      - name: Prepare dist directory for Docker build
+        run: |
+          echo "Preparing dist directory structure..."
+          mkdir -p dist
+          cp gh-aw-linux-amd64 dist/linux-amd64
+          cp gh-aw-linux-arm64 dist/linux-arm64
+          echo "✅ dist directory prepared"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Build Alpine Docker image
         run: |
           echo "Building Alpine Docker image..."
-          docker build -t gh-aw-alpine:test \
-            --build-arg BINARY=gh-aw-linux-amd64 \
+          docker buildx build --platform linux/amd64 \
+            -t gh-aw-alpine:test \
+            --load \
             -f Dockerfile .
           echo "✅ Alpine Docker image built successfully"
 
@@ -1852,6 +1864,158 @@ jobs:
         run: |
           rm -rf test-workspace
 
+  alpine-container-test-arm64:
+    name: Alpine Container Test (ARM64)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    concurrency:
+      group: ci-${{ github.ref }}-alpine-container-arm64
+      cancel-in-progress: true
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+
+      - name: Set up Go
+        id: setup-go
+        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Report Go cache status
+        run: |
+          if [ "${{ steps.setup-go.outputs.cache-hit }}" == "true" ]; then
+            echo "✅ Go cache hit" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "⚠️ Go cache miss" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Download dependencies with retry
+        run: |
+          set -e
+          MAX_RETRIES=3
+          RETRY_DELAY=5
+
+          for i in $(seq 1 $MAX_RETRIES); do
+            echo "Attempt $i of $MAX_RETRIES: Downloading Go modules..."
+            if go mod download; then
+              echo "✅ Successfully downloaded Go modules"
+              break
+            else
+              if [ $i -eq $MAX_RETRIES ]; then
+                echo "❌ Failed to download Go modules after $MAX_RETRIES attempts"
+                echo "This may indicate that proxy.golang.org is unreachable"
+                echo "Please check network connectivity or consider vendoring dependencies"
+                exit 1
+              fi
+              echo "⚠️ Download failed, retrying in ${RETRY_DELAY}s..."
+              sleep $RETRY_DELAY
+            fi
+          done
+
+      - name: Verify dependencies
+        run: go mod verify
+
+      - name: Build Linux binary for Alpine
+        run: make build-linux
+
+      - name: Prepare dist directory for Docker build
+        run: |
+          echo "Preparing dist directory structure..."
+          mkdir -p dist
+          cp gh-aw-linux-amd64 dist/linux-amd64
+          cp gh-aw-linux-arm64 dist/linux-arm64
+          echo "✅ dist directory prepared"
+
+      - name: Set up QEMU for ARM64 emulation
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Alpine Docker image (ARM64)
+        run: |
+          echo "Building Alpine Docker image for ARM64..."
+          docker buildx build --platform linux/arm64 \
+            -t gh-aw-alpine:test-arm64 \
+            --load \
+            -f Dockerfile .
+          echo "✅ Alpine Docker image (ARM64) built successfully"
+
+      - name: Test Docker image basic commands (ARM64)
+        run: |
+          echo "Testing Docker image basic commands on ARM64..."
+          docker run --rm --platform linux/arm64 gh-aw-alpine:test-arm64 --version
+          docker run --rm --platform linux/arm64 gh-aw-alpine:test-arm64 --help
+          echo "✅ Basic commands work on ARM64"
+
+      - name: Create test workflow in container
+        run: |
+          echo "Creating test workflow file..."
+          mkdir -p test-workspace/.github/workflows
+          cat > test-workspace/.github/workflows/test-alpine-arm64.md << 'EOF'
+          ---
+          on: push
+          engine: copilot
+          ---
+          # Test Workflow for Alpine Container (ARM64)
+
+          This is a simple test workflow to verify the compile command works correctly in Alpine container on ARM64.
+
+          ## Task
+          Echo hello from Alpine container (ARM64).
+          EOF
+          echo "✅ Test workflow created"
+
+      - name: Run compile through Alpine container (ARM64)
+        run: |
+          echo "Running compile command through Alpine container (ARM64)..."
+          docker run --rm --platform linux/arm64 \
+            -v "$(pwd)/test-workspace:/workspace" \
+            -w /workspace \
+            gh-aw-alpine:test-arm64 compile test-alpine-arm64 --verbose
+
+          echo "✅ Compile command executed on ARM64"
+
+      - name: Verify lock file generation
+        run: |
+          echo "Verifying lock file was generated..."
+          if [ -f "test-workspace/.github/workflows/test-alpine-arm64.lock.yml" ]; then
+            echo "✅ Lock file generated successfully"
+            echo ""
+            echo "Lock file contents:"
+            head -20 test-workspace/.github/workflows/test-alpine-arm64.lock.yml
+          else
+            echo "❌ Lock file not found"
+            ls -la test-workspace/.github/workflows/
+            exit 1
+          fi
+
+      - name: Generate test summary
+        if: always()
+        run: |
+          echo "## Alpine Container Test Results (ARM64)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "This test verifies that:" >> $GITHUB_STEP_SUMMARY
+          echo "1. The Alpine Docker image can be built for ARM64 architecture" >> $GITHUB_STEP_SUMMARY
+          echo "2. The gh-aw binary works correctly in Alpine Linux on ARM64" >> $GITHUB_STEP_SUMMARY
+          echo "3. The compile command can process workflows in the ARM64 container" >> $GITHUB_STEP_SUMMARY
+          echo "4. Lock files are generated correctly on ARM64" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ -f "test-workspace/.github/workflows/test-alpine-arm64.lock.yml" ]; then
+            echo "✅ All ARM64 tests passed successfully" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "❌ Lock file generation failed on ARM64" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Clean up test files
+        if: always()
+        run: |
+          rm -rf test-workspace
+
   safe-outputs-conformance:
     runs-on: ubuntu-latest
     permissions:

.github/workflows/release.md

@@ -185,18 +185,21 @@ jobs:
           bash scripts/build-release.sh "$RELEASE_TAG"
           echo "✓ Binaries built successfully"
 
+      - name: Set up QEMU for multi-platform builds
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm64
+
       - name: Setup Docker Buildx (pre-validation)
         uses: docker/setup-buildx-action@v3
 
       - name: Build Docker image (validation only)
         uses: docker/build-push-action@v6
         with:
           context: .
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: false
           load: false
-          build-args: |
-            BINARY=dist/linux-amd64
           cache-from: type=gha
 
       - name: Create GitHub release
@@ -287,17 +290,15 @@ jobs:
             type=sha,format=long
             type=raw,value=latest,enable={{is_default_branch}}
 
-      - name: Build and push Docker image (amd64)
+      - name: Build and push Docker image (multi-platform)
         id: build
         uses: docker/build-push-action@v6
         with:
           context: .
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            BINARY=dist/linux-amd64
           cache-from: type=gha
           cache-to: type=gha,mode=max
           sbom: true

Dockerfile

@@ -1,29 +1,38 @@
 # Dockerfile for GitHub Agentic Workflows compiler
 # Provides a minimal container with gh-aw, gh CLI, git, and jq
 
-# Use Alpine for minimal size (official distribution)
-FROM alpine:3.21
+# Use Alpine 3.19 for minimal size (3.20+ removed gh CLI due to Python 3.12 compatibility)
+FROM alpine:3.19
 
 # Install required dependencies
-RUN apk add --no-cache \
+RUN apk update && apk add --no-cache \
     git \
     jq \
     bash \
     curl \
     ca-certificates \
-    github-cli
+    gh
 
-# Accept build argument for binary name (defaults to linux-amd64)
-ARG BINARY=gh-aw-linux-amd64
+# Docker Buildx automatically provides these ARGs for multi-platform builds
+# Expected values: TARGETOS=linux, TARGETARCH=amd64|arm64
+# For local builds without buildx, these must be provided explicitly:
+#   docker build --build-arg TARGETOS=linux --build-arg TARGETARCH=amd64 ...
+# Default to linux/amd64 if not provided
+ARG TARGETOS=linux
+ARG TARGETARCH=amd64
 
 # Create a directory for the binary
 WORKDIR /usr/local/bin
 
-# Copy the gh-aw binary from build context
-COPY ${BINARY} /usr/local/bin/gh-aw
+# Copy the appropriate binary based on target platform
+# TARGETOS=linux, TARGETARCH=amd64 -> dist/linux-amd64
+# TARGETOS=linux, TARGETARCH=arm64 -> dist/linux-arm64
+COPY dist/${TARGETOS}-${TARGETARCH} /usr/local/bin/gh-aw
 
-# Ensure the binary is executable
-RUN chmod +x /usr/local/bin/gh-aw
+# Ensure the binary is executable and verify it exists
+RUN chmod +x /usr/local/bin/gh-aw && \
+    /usr/local/bin/gh-aw --version || \
+    (echo "Error: gh-aw binary not found or not executable" && exit 1)
 
 # Configure git to trust all directories to avoid "dubious ownership" errors
 # This is necessary when the container runs with mounted volumes owned by different users