Enhance CI/CD Pipeline for Multi-Architecture and Package Deployment

[clpi]

This commit updates the GitHub Actions CI and Release workflows to support robust, multi-architecture builds. It introduces a comprehensive matrix setup for Linux and macOS environments targeting both x86_64 and aarch64 architectures. Additionally, fpm was integrated to automatically generate .deb and .rpm Linux packages which are seamlessly included as artifacts during GitHub releases. The Nix flake check constraint was modified to avoid failure on incompatible runners, and defensive compiler flags were passed during artifact staging.

---

PR created automatically by Jules for task 7895002293268352215 started by @clpi

Summary by CodeRabbit

• Chores
  • Enhanced CI/CD pipeline to support multiple processor architectures (x86_64 and ARM64) on macOS and Linux.
  • Added automated generation of Linux distribution packages (DEB and RPM formats).

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

📝 Walkthrough

Walkthrough

The CI and release workflows are updated to build binaries for multiple target architectures (x86_64 and aarch64 on both Linux and macOS). Both workflows define an explicit build matrix, conditionally apply cross-compilation on Linux for aarch64, skip tests for cross-compiled builds, generate Linux DEB and RPM packages via FPM, and update artifact handling to use glob patterns.

Changes

Multi-architecture CI and release workflows

Layer / File(s)	Summary
Build matrix with x86_64 and aarch64 targets .github/workflows/ci.yml	Matrix strategy changed from a simple OS list to explicit target entries covering x86_64 and aarch64 on both Linux and macOS.
CI Linux dependencies and cross-compiler setup .github/workflows/ci.yml	Ruby toolchain and FPM are installed on Linux; aarch64-linux-gnu cross-compiler is conditionally installed for aarch64-linux targets.
CI conditional build and test steps .github/workflows/ci.yml	Build step conditionally uses CC=aarch64-linux-gnu-gcc for aarch64-linux; test step skips cross-compiled targets.
CI packaging and nix setup .github/workflows/ci.yml	FPM generates DEB and RPM packages with target-dependent version and architecture mapping. Nix flake setup is restricted to x86_64-linux.
Release multi-target build and packaging .github/workflows/release.yml	Release job installs dependencies, conditionally applies aarch64 cross-compiler, runs conditional cross-compile make, and generates DEB/RPM packages with architecture mapping.
Release artifact collection .github/workflows/release.yml	Release artifact files changed from explicit filenames to glob patterns that include all files within downloaded artifact directories.

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• clpi/dopl#15: Introduced the .github/workflows/ci.yml and .github/workflows/release.yml files that are now expanded with multi-architecture support and cross-compilation logic in this PR.

Poem

🐰 Four target lands, now all compile with care,
Cross-compilers hop where aarch64 roam the air,
Packages built with FPM's gentle touch,
From Linux through the workflows, we've done much!
Multi-arch release, a bounty to share! 📦✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Enhance CI/CD Pipeline for Multi-Architecture and Package Deployment' directly and comprehensively reflects the main changes: adding multi-architecture support (aarch64/x86_64) and package generation (.deb/.rpm) in both CI and Release workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci-cd-robustness-7895002293268352215

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[amazon-q-developer]

Review Summary

This PR enhances the CI/CD pipeline with multi-architecture support for Linux (x86_64, aarch64) and macOS (x86_64, aarch64), along with automated package generation for Linux distributions.

Critical Issues Found

Release Workflow - Line 54: The Prepare Artifact step copies doc instead of the actual built executable. This will cause all releases to fail as the binary won't be included in release artifacts. This must be fixed before merge.

Overall Assessment

The multi-architecture matrix configuration and cross-compilation setup are well-structured. The addition of .deb and .rpm package generation is valuable. However, the incorrect binary name in the artifact preparation step is a blocking defect that will prevent successful releases.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[amazon-q-developer]

🛑 Logic Error: The Prepare Artifact step copies doc instead of the actual binary. This will fail if doc is a directory or wrong file, and won't include the built executable in releases. Replace doc with the correct binary name (likely ado based on the package name).

Suggested change

	cp doc dist/${{ matrix.artifact_name }}
	cp ado dist/${{ matrix.artifact_name }}

[amazon-q-developer]

🛑 Crash Risk: The package copy commands use wildcard patterns without error handling. If no .deb or .rpm files exist (e.g., build failures not caught), this will fail silently or cause the workflow to crash. Add error handling or use shell options to catch failures.

Suggested change

	cp *.deb dist/
	cp *.rpm dist/
	cp *.deb dist/ || { echo "Error: No .deb files found"; exit 1; }
	cp *.rpm dist/ || { echo "Error: No .rpm files found"; exit 1; }

[amazon-q-developer]

The workflow attempts to run cross-compiled aarch64 binaries on x86_64 runners, which will fail. Add architecture detection and skip test execution for cross-compiled targets, or use QEMU for emulation if testing is critical.

[Copilot]

Pull request overview

Updates the GitHub Actions CI and release workflows to build and publish multi-architecture artifacts (Linux/macOS; x86_64/aarch64) and to generate Linux .deb/.rpm packages for release attachments.

Changes:

• Expanded CI and release jobs to a 4-way OS/arch matrix (ubuntu x86_64 + aarch64; macOS x86_64 + arm64).
• Added Linux package generation via fpm and included packages in uploaded artifacts and GitHub Releases.
• Restricted nix flake check execution to the x86_64 Linux job to avoid incompatible runners.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/release.yml	Adds multi-arch release builds and Linux .deb/.rpm generation; uploads all outputs into release assets.
.github/workflows/ci.yml	Adds multi-arch CI matrix, Linux package-generation checks, and gates Nix flake checks to x86_64 Linux.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

.github/workflows/ci.yml (1)

25-25: 💤 Low value

Consider hardening checkout action.

Add persist-credentials: false to prevent credential persistence through artifacts, as flagged by static analysis.

Proposed fix

     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 25, The checkout step currently uses the
actions/checkout@v4 action without disabling credential persistence; update the
checkout invocation (actions/checkout@v4) to include the input
persist-credentials: false so credentials are not persisted to the workspace or
artifacts—modify the workflow job's checkout step to add that option alongside
any existing parameters.

.github/workflows/release.yml (1)

9-11: ⚡ Quick win

Add explicit permissions block to build-release job.

The build-release job lacks an explicit permissions block, defaulting to potentially broad permissions. For least-privilege security, this job only needs contents: read for checkout and no special permissions for artifact upload.

🔐 Suggested fix

   build-release:
     name: Build Release Artifacts
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     strategy:
       matrix:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 9 - 11, The build-release job
currently lacks an explicit permissions block; update the build-release job
declaration (job name: build-release) to include a minimal permissions block
granting only contents: read (and no broader or write permissions) so the
checkout step can run under least-privilege; add the permissions mapping
directly under the build-release job to override defaults and ensure no extra
permissions are granted for artifact upload or other actions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 19-20: Update the GitHub Actions matrix entry that currently sets
os: macos-13 for the x86_64-darwin target to a supported Intel macOS runner
(e.g., set os: macos-15-intel or macos-14-large) so the Intel x86_64 build can
run; locate the matrix entry where os: macos-13 and target: x86_64-darwin are
declared and replace macos-13 with macos-15-intel (or macos-14-large) to ensure
the workflow uses an available Intel runner.

In @.github/workflows/release.yml:
- Around line 21-23: The matrix entry currently uses the deprecated macOS runner
label "macos-13" for the Intel build (see the keys os: macos-13, target:
x86_64-darwin, artifact_name: ado-macos-amd64); update the os value to a
supported Intel-capable runner such as "macos-15-intel" so the release workflow
uses a valid GitHub-hosted macOS image while keeping target: x86_64-darwin and
artifact_name unchanged.

---

Nitpick comments:
In @.github/workflows/ci.yml:
- Line 25: The checkout step currently uses the actions/checkout@v4 action
without disabling credential persistence; update the checkout invocation
(actions/checkout@v4) to include the input persist-credentials: false so
credentials are not persisted to the workspace or artifacts—modify the workflow
job's checkout step to add that option alongside any existing parameters.

In @.github/workflows/release.yml:
- Around line 9-11: The build-release job currently lacks an explicit
permissions block; update the build-release job declaration (job name:
build-release) to include a minimal permissions block granting only contents:
read (and no broader or write permissions) so the checkout step can run under
least-privilege; add the permissions mapping directly under the build-release
job to override defaults and ensure no extra permissions are granted for
artifact upload or other actions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 551b4b9c-20c1-40dc-8beb-e5197e4e8dd7

📥 Commits

Reviewing files that changed from the base of the PR and between f717d76 and ff920e4.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/release.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

macos-13 runner is deprecated and unavailable.

GitHub Actions has removed the macos-13 runner. The workflow will fail for the x86_64-darwin target. Use macos-15-intel (or macos-14-large) for Intel x86_64 builds, since macos-14/macos-15 default to ARM64.

Proposed fix

         include:
           - os: ubuntu-latest
             target: x86_64-linux
           - os: ubuntu-latest
             target: aarch64-linux
-          - os: macos-13
+          - os: macos-15-intel
             target: x86_64-darwin
           - os: macos-14
             target: aarch64-darwin

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- os: macos-13
	target: x86_64-darwin
	- os: macos-15-intel
	target: x86_64-darwin

🧰 Tools

🪛 actionlint (1.7.12)

[error] 19-19: label "macos-13" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 19 - 20, Update the GitHub Actions
matrix entry that currently sets os: macos-13 for the x86_64-darwin target to a
supported Intel macOS runner (e.g., set os: macos-15-intel or macos-14-large) so
the Intel x86_64 build can run; locate the matrix entry where os: macos-13 and
target: x86_64-darwin are declared and replace macos-13 with macos-15-intel (or
macos-14-large) to ensure the workflow uses an available Intel runner.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

GitHub Actions macos-13 runner deprecation status 2026

💡 Result:

As of 2026-05-22, GitHub-hosted macos-13 runner images are already retired/deprecated and not available for new jobs. GitHub announced that the macOS 13 (Ventura) hosted runner image labels begin deprecation on September 22, 2025 and would be fully unsupported by December 4, 2025 for GitHub Actions and Azure DevOps; GitHub also stated that jobs using the macos-13 image label would be terminated with an error during/after the brownout and retirement period [1][2]. What to do instead (current guidance from the announcement): migrate your workflow off macos-13 to newer labels such as macos-latest / macos-14 / macos-15 (and for Intel/x86_64 requirements, macos-15-intel or other “-large”/“-intel” options mentioned in the same announcement) [1][2]. Note: a separate 2026 changelog entry discusses migrations of macos-latest to point to macOS 26 (starting June 15, 2026), which is unrelated to macos-13 availability but indicates ongoing changes in default macOS runner mappings in 2026 [3].

Citations:

• 1: [macOS] The macOS 13 Ventura based runner images will begin deprecation on September 22nd and will be fully unsupported by December 4th for GitHub and ADO actions/runner-images#13046
• 2: https://github.blog/changelog/2025-09-19-github-actions-macos-13-runner-image-is-closing-down/
• 3: https://github.blog/changelog/2026-05-14-github-actions-upcoming-image-migrations/

---

Replace deprecated macos-13 runner in release workflow matrix

GitHub-hosted macos-13 runner images are retired/deprecated; jobs using the macos-13 label will fail/terminate. Switch the x86_64-darwin entry to an Intel-capable macOS runner label (e.g., macos-15-intel).

🔧 Suggested fix

          - os: macos-15-intel
            target: x86_64-darwin
            artifact_name: ado-macos-amd64

🧰 Tools

🪛 actionlint (1.7.12)

[error] 21-21: label "macos-13" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2025-vs2026", "windows-2022", "windows-11-arm", "ubuntu-slim", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "macos-latest", "macos-latest-xlarge", "macos-latest-large", "macos-26-intel", "macos-26-xlarge", "macos-26-large", "macos-26", "macos-15-intel", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xlarge", "macos-14-large", "macos-14", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 21 - 23, The matrix entry
currently uses the deprecated macOS runner label "macos-13" for the Intel build
(see the keys os: macos-13, target: x86_64-darwin, artifact_name:
ado-macos-amd64); update the os value to a supported Intel-capable runner such
as "macos-15-intel" so the release workflow uses a valid GitHub-hosted macOS
image while keeping target: x86_64-darwin and artifact_name unchanged.