
ci: add darwin/arm64 target + artifact attestations#38

Merged
nayrosk merged 2 commits into develop from feat/ci-attestations-arm64
Apr 18, 2026

Conversation


@nayrosk nayrosk commented Apr 18, 2026

  • release.yml build matrix: all 4 mandatory targets (linux/amd64, linux/arm64, darwin/amd64, darwin/arm64) with fail-fast: false
  • new attest-binaries job: SBOM via anchore/sbom-action@v0, provenance via actions/attest-build-provenance@v4, sbom attestation via actions/attest-sbom@v4
  • docker job: multi-arch (linux/amd64, linux/arm64) + QEMU + provenance attestation on GHCR image push
  • ci.yml docker job: multi-arch build (no push, no attestation)
  • release job gated on attest-binaries completion

Closes #32

Summary by CodeRabbit

  • New Features

    • Extended platform support: Binaries now available for ARM64 Linux and macOS, and additional macOS x86_64 configurations.
  • Chores

    • Enhanced build security with cryptographic attestations for artifacts and container images.
    • Added Software Bill of Materials (SBOM) generation for improved transparency.

@nayrosk nayrosk self-assigned this Apr 18, 2026

coderabbitai Bot commented Apr 18, 2026

Warning

Rate limit exceeded

@nayrosk has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 53 minutes and 3 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 53 minutes and 3 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 880e527e-983a-49eb-9775-de6a4a0d0049

📥 Commits

Reviewing files that changed from the base of the PR and between 1aeca73 and a3769a7.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
Walkthrough

The CI/CD workflows are expanded to support multi-architecture builds (Linux and Darwin on amd64/arm64) and include provenance attestation capabilities. The ci.yml adds QEMU support and multi-arch Docker builds, while release.yml introduces attestation jobs for binaries and container images using GitHub's native attestation actions.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI/CD Workflow Enhancements: .github/workflows/ci.yml, .github/workflows/release.yml | Updated build matrices to explicitly include linux/amd64, linux/arm64, darwin/amd64, and darwin/arm64 targets. Added QEMU setup and multi-arch Docker platform support (linux/amd64,linux/arm64). Enhanced release.yml with new workflow permissions (id-token: write, attestations: write), a new attest-binaries job for SLSA provenance and SBOM attestations, and a Docker image attestation step using the build digest output. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With arms and architectures, we build so grand,
From amd64 to arm64 across the land,
Attestations signed, provenance so true,
Darwin and Linux, now both in our crew,
Security blessed with each artifact made! 🔐

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: adding darwin/arm64 target support and artifact attestations to CI workflows. |
| Linked Issues check | ✅ Passed | The PR implements all core objectives from issue #32: expanded build matrix to four targets, SBOM/provenance attestations, multi-arch Docker builds, updated permissions, and proper job dependencies. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the linked issue requirements: workflow matrix expansions, attestation job additions, and Docker multi-arch configurations. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 143-146: The release job currently depends on the docker job via
the needs: [build, docker, attest-binaries] declaration; remove "docker" from
the needs array in the release job so the job only depends on build and
attest-binaries (i.e., change needs to [build, attest-binaries]) so GitHub
Release is not blocked by a failing docker job, or alternatively implement an
explicit conditional/optional gating (e.g., separate workflow or conditional
step) if you intentionally want the image push to be non-blocking but still
attempted.
- Around line 53-82: The attest-binaries job includes an unnecessary
actions/checkout@v6 step and currently generates one SBOM for the entire
artifacts/ directory which is then attested against multiple subjects; remove
the actions/checkout step from the attest-binaries job to speed the workflow,
and either (A) keep the current anchore/sbom-action usage if a single
multi-artifact SBOM is intended or (B) change the SBOM generation to produce
per-subject SBOMs and invoke anchore/sbom-action (or loop) per
artifacts/pebblify-* before calling actions/attest-sbom for each corresponding
sbom, updating subject-path and sbom-path to match each binary; key symbols to
edit: job name "attest-binaries", the "uses: actions/checkout@v6" step, the
"uses: anchore/sbom-action@v0" step with "path: artifacts/", and the "uses:
actions/attest-sbom@v4" step with "subject-path: artifacts/pebblify-*" and
"sbom-path: sbom.spdx.json".
- Around line 7-11: Current workflow grants elevated permissions at the root
level; move the permissions block into each job and set least-privilege values:
for the attest-binaries job grant attestations: write, id-token: write, and
contents: read; for the docker job grant packages: write, attestations: write,
and id-token: write; for the release job grant contents: write only; and for
build (and any other jobs that only need repo read access) set contents: read.
Update the workflow to remove the root-level permissions block and add per-job
permissions entries for job names attest-binaries, docker, release, and build
using the permission keys id-token, attestations, packages, and contents as
specified.
- Around line 71-76: The workflow step named "Generate SBOM" currently uses the
floating tag anchore/sbom-action@v0; update the uses entry to a pinned reference
(either a specific semver tag like anchore/sbom-action@v0.24.0 or a commit SHA)
so the action version is immutable; edit the step that contains uses:
anchore/sbom-action@v0 and replace the tag with the chosen `@vX.Y.Z` or
@<commit-sha>, test the workflow runs to ensure SBOM generation and output-file:
sbom.spdx.json still work.
- Around line 136-141: The attestation step uses subject-name: ghcr.io/${{
github.repository }} which can contain uppercase letters (e.g.,
Dockermint/pebblify) and must be lowercased; change subject-name to reference a
lowercased repository string (either use the workflow expression with a lower
filter if available, or add a preparatory step that sets an output like
steps.lowercase.outputs.repo by lowercasing github.repository and then set
subject-name to ghcr.io/${{ steps.lowercase.outputs.repo }} while keeping
subject-digest: ${{ steps.push.outputs.digest }} and push-to-registry: true so
the attestation references the exact image pushed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 00a88c4f-847a-428b-bfbf-759eeef84515

📥 Commits

Reviewing files that changed from the base of the PR and between 1aeca73 and 2219f30.

📒 Files selected for processing (2)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml

5 findings fixed:

1. release job: drop `docker` from needs, keep [build, attest-binaries].
   Binary release no longer blocked by docker push failures; docker runs
   in parallel as supplementary artifact.

2. attest-binaries: remove unnecessary actions/checkout step (job only
   processes downloaded artifacts, no repo files needed).

3. Per-job least-privilege permissions replace root-level block:
   - build: contents:read
   - attest-binaries: id-token:write, attestations:write, contents:read
   - docker: packages:write, attestations:write, id-token:write, contents:read
   - release: contents:write

4. Pin anchore/sbom-action to SHA e22c389... (v0.24.0) for immutability.
   Replaces floating @v0 tag.

5. Lowercase ghcr.io image reference. Dockermint/pebblify contains
   uppercase D; OCI registries require lowercase. Add preparatory
   `Lowercase repo` step in docker job, use its output for both
   metadata-action images and attest subject-name.

Part of #32

nayrosk commented Apr 18, 2026

CodeRabbit findings addressed in a3769a7

All 5 actionable comments resolved in a single fix commit:

| # | Finding | Fix |
|---|---|---|
| 1 | `release` needs `[build, docker, attest-binaries]`, which blocks the release on a docker failure | Dropped docker; now `[build, attest-binaries]`. Docker runs in parallel as a supplementary artifact. |
| 2 | Unnecessary `actions/checkout@v6` in `attest-binaries` | Removed. The job only operates on downloaded artifacts. |
| 3 | Root-level permissions too broad | Replaced with per-job least privilege: build (contents:read), attest-binaries (id-token:write, attestations:write, contents:read), docker (packages:write, attestations:write, id-token:write, contents:read), release (contents:write). |
| 4 | Floating `anchore/sbom-action@v0` tag | Pinned to SHA e22c389904149dbc22b58101806040fa8d37a610 (v0.24.0). |
| 5 | `ghcr.io/${{ github.repository }}` has uppercase | Added a `Lowercase repo` step (`id: repo`) in the docker job; both the metadata-action `images:` and the attest `subject-name:` now reference `steps.repo.outputs.name`. |

Deferred to v0.5.0: per-subject SBOMs (current impl = single multi-artifact SBOM, acceptable per spec).

@coderabbitai ready for re-review.
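The workflow layout from the PR description and the five fixes listed in the review and in the reply above, combined into one hardened release.yml sketch. This is an added example, not Dockermint/pebblify's own release.yml: the job names, the four-target matrix with fail-fast: false, the attest actions and their inputs, the per-job permission sets, the sbom-action commit SHA and the `Lowercase repo` step are taken from the PR text; the Go build command and a main package at the repository root, the `pebblify-<os>-<arch>` artifact naming, the upload/download/docker action versions and the `gh release create` step are assumptions.

```yaml
# Hardened release.yml sketch (added example, not the project's file). Lines marked
# "assumed" are not from the PR; everything else follows the PR text.
on: { push: { tags: ["v*"] } }
# No root-level permissions block: every job declares only what it needs.
jobs:
  build:
    permissions:
      contents: read
    strategy:
      fail-fast: false          # one broken target must not hide the others
      matrix:
        include:
          - { goos: linux,  goarch: amd64, os: ubuntu-latest }
          - { goos: linux,  goarch: arm64, os: ubuntu-latest }
          - { goos: darwin, goarch: amd64, os: macos-latest }
          - { goos: darwin, goarch: arm64, os: macos-latest }
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v6
      - name: Build   # assumed: pure-Go main package at repo root, so CGO_ENABLED=0 cross-compiles anywhere
        run: GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} CGO_ENABLED=0 go build -trimpath -o "pebblify-${{ matrix.goos }}-${{ matrix.goarch }}" .
      - uses: actions/upload-artifact@v4     # assumed
        with:
          name: pebblify-${{ matrix.goos }}-${{ matrix.goarch }}
          path: pebblify-${{ matrix.goos }}-${{ matrix.goarch }}
  attest-binaries:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write          # OIDC identity for Sigstore signing
      attestations: write      # store the attestation on the repository
    steps:
      # No actions/checkout: this job only touches downloaded artifacts.
      - uses: actions/download-artifact@v4   # assumed
        with:
          path: artifacts/
          merge-multiple: true
      - name: Generate SBOM
        # Commit SHA, not the floating @v0 tag, so the action cannot change under us.
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
        with:
          path: artifacts/
          output-file: sbom.spdx.json
      - uses: actions/attest-build-provenance@v4
        with:
          subject-path: artifacts/pebblify-*
      - uses: actions/attest-sbom@v4
        with:
          subject-path: artifacts/pebblify-*   # one SBOM attested against every binary
          sbom-path: sbom.spdx.json
  docker:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write          # push to GHCR
      attestations: write
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - name: Lowercase repo   # OCI names must be lowercase; Dockermint/pebblify is not
        id: repo
        run: echo "name=${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT"
      - uses: docker/setup-qemu-action@v3    # assumed; emulates arm64 on the amd64 runner
      - uses: docker/setup-buildx-action@v3  # assumed
      - uses: docker/login-action@v3         # assumed
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5      # assumed
        with:
          images: ghcr.io/${{ steps.repo.outputs.name }}
      - id: push
        uses: docker/build-push-action@v6    # assumed
        with:
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
      - uses: actions/attest-build-provenance@v4
        with:
          subject-name: ghcr.io/${{ steps.repo.outputs.name }}
          subject-digest: ${{ steps.push.outputs.digest }}   # attest exactly what was pushed
          push-to-registry: true
  release:
    needs: [build, attest-binaries]   # docker is not a gate: an image push failure must not block binaries
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4   # assumed
        with:
          path: artifacts/
          merge-multiple: true
      - env:
          GH_TOKEN: ${{ github.token }}
        run: gh release create "$GITHUB_REF_NAME" artifacts/pebblify-* --verify-tag   # assumed
```

Only anchore/sbom-action is pinned to a commit here because that is the one action the review flagged; the same argument applies to every other `uses:` line, since a mutable tag lets whoever controls the action's repository change what runs in a job that holds an OIDC token and write permissions. Consumers can check a downloaded binary against the stored provenance with `gh attestation verify <file> --repo Dockermint/pebblify`, which fails if the file's digest does not match a subject attested by this repository's workflow.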


coderabbitai Bot commented Apr 18, 2026

@nayrosk, thanks for the detailed breakdown — all five fixes look well-reasoned:

  • Decoupling docker from the release gate is the right call (Docker is a supplementary artifact, not a blocker).
  • Per-job least-privilege is a significant security improvement over the root-level broad permissions.
  • SHA-pinning anchore/sbom-action and lowercasing the GHCR image name are solid hardening steps.

Kicking off the re-review now.


🧠 Learnings used
Learnt from: CR
Repo: Dockermint/pebblify PR: 0
File: .claude/agents/software-architect.md:0-0
Timestamp: 2026-04-18T09:06:21.261Z
Learning: Flag cross-compilation issues in specs for 4 mandatory targets (especially arm64 and darwin), including platform-specific APIs, cgo, and -sys packages

Learnt from: CR
Repo: Dockermint/pebblify PR: 0
File: .claude/agents/devops.md:0-0
Timestamp: 2026-04-18T09:04:16.225Z
Learning: Applies to .github/workflows/*.yml : Configure build matrix to cross-compile for 4 mandatory targets: linux/amd64 (ubuntu-latest), linux/arm64 (ubuntu-latest), darwin/amd64 (macos-latest), and darwin/arm64 (macos-latest).

Learnt from: CR
Repo: Dockermint/pebblify PR: 0
File: .claude/agents/container-engineer.md:0-0
Timestamp: 2026-04-18T09:03:59.031Z
Learning: Applies to Dockerfile{,.*} : Test multi-arch builds for linux/amd64, linux/arm64, darwin/amd64, and darwin/arm64 using Docker Buildx

Learnt from: CR
Repo: Dockermint/pebblify PR: 0
File: .claude/agents/lead-dev.md:0-0
Timestamp: 2026-04-18T09:05:05.867Z
Learning: Applies to go.mod : Pebblify must compile on all 4 mandatory targets: linux/amd64, linux/arm64, darwin/amd64, darwin/arm64

Learnt from: CR
Repo: Dockermint/pebblify PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-18T09:03:35.908Z
Learning: Applies to Makefile : Build targets MUST compile and work with linux/amd64, linux/arm64, darwin/amd64, and darwin/arm64 architectures.

Learnt from: CR
Repo: Dockermint/pebblify PR: 0
File: .claude/agents/devops.md:0-0
Timestamp: 2026-04-18T09:04:16.225Z
Learning: Applies to .github/workflows/*.yml : For multi-architecture Docker builds, use `docker/setup-buildx-action` for multi-arch builds, build for `linux/amd64,linux/arm64` with `--platform` flag, and push to GHCR with `docker/build-push-action`.

Learnt from: CR
Repo: Dockermint/pebblify PR: 0
File: .claude/agents/assistant.md:0-0
Timestamp: 2026-04-18T09:03:43.618Z
Learning: For package/library research, always check and report compatibility with the four mandatory build targets: linux/amd64, linux/arm64, darwin/amd64, darwin/arm64
✅ Actions performed

Full review triggered.

@nayrosk nayrosk merged commit 920c97d into develop Apr 18, 2026
9 checks passed
@nayrosk nayrosk deleted the feat/ci-attestations-arm64 branch April 18, 2026 10:30