
chore: shorten Docker build times#759

Merged
AlexKantor87 merged 11 commits intomainfrom
20260401_docker_builds
Apr 2, 2026

Conversation

@mbevc1
Contributor

@mbevc1 mbevc1 commented Apr 1, 2026

  • Preserve job inputs and backwards compatibility - no changes for the release workflow, but we can now run builds for both platforms in tests, as we run both at the same time in parallel
  • Remove QEMU and build natively in parallel
  • Merge builds and run attestations and scanning after the merge
  • Expand permissions for attestation to remove warnings noise about unable to use storage

@claude
Contributor

claude bot commented Apr 1, 2026

Claude finished @mbevc1's task in 2m 10s


PR Review: Shorten Docker Build Times

  • Run static analysis checks — Go builds and vets clean, modules tidy
  • Read changed files and review code
  • Post review findings

Summary

This is a well-structured rework of the Docker build pipeline. The 3-job architecture (prepare → build → merge) is clean, and native arm64 builds will be a significant speedup over QEMU emulation. Several items from earlier reviews have already been addressed (empty digest guard, env: var for fingerprint, platform validation in RUNNER_MAP).

What looks good

  • RUNNER_MAP + jq matrix generation — clean, extensible, and includes validation for unsupported platforms with a clear error message
  • Empty digest guard on both the build step (line 158) and the merge step (line 240-243) — good defensive coding
  • Per-arch build cache (buildcache-${{ matrix.slug }}) — prevents cross-arch cache busting
  • Fingerprint via env: block (line 254-258) — follows GitHub's recommended pattern

Remaining items

  1. Expression injection in attestation steps (low severity) — ${{ inputs.flow_name }}, ${{ inputs.trail_name }}, ${{ inputs.tag }}, ${{ inputs.kosli_org }} are interpolated directly into run: blocks (lines 286-358). The fingerprint step already uses the safer env: pattern — worth applying consistently. See inline comment.

  2. PR description says "no changes for main" but main.yml now passes linux/amd64,linux/arm64 instead of just linux/amd64. This is a meaningful behavioral change (two parallel runners per push to main). See inline comment.

  3. Smoke test coverage (pre-existing, non-blocking) — the smoke test runs only on amd64. If the arm64 image has issues (wrong entrypoint, missing lib), it won't be caught. Could be improved in a follow-up.

Verdict

Looks good overall. The two inline comments are the only actionable items — #1 is good hygiene, #2 is a documentation accuracy fix. Neither is a blocker.
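The env: pattern that review item 1 asks for, shown side by side with the interpolation it replaces. This is an added illustration, not the PR's own docker.yml: the input names follow the review, while the `./attest.sh` helper is a stand-in for whatever tool the step actually calls.

```yaml
# Added illustration (not the PR's docker.yml). Assumed: a reusable workflow
# taking flow_name and trail_name, and a hypothetical ./attest.sh helper.
on:
  workflow_call:
    inputs:
      flow_name:
        type: string
        required: true
      trail_name:
        type: string
        required: true

jobs:
  attest:
    runs-on: ubuntu-latest
    steps:
      # Weak: the runner expands ${{ }} before bash ever parses the script, so
      # the input's text is spliced into the command line as code, not data.
      # The quotes do not protect it, because the expansion happens first.
      # Whoever controls flow_name or trail_name controls the shell script.
      - name: Attest (expression interpolated into run)
        run: |
          ./attest.sh --flow "${{ inputs.flow_name }}" --trail "${{ inputs.trail_name }}"

      # Hardened: the expression is evaluated into an environment variable.
      # The script text is now fixed; bash reads the value through $VAR, the
      # double quotes are honoured, and the input cannot alter the command.
      - name: Attest (env pattern)
        env:
          FLOW_NAME: ${{ inputs.flow_name }}
          TRAIL_NAME: ${{ inputs.trail_name }}
        run: |
          ./attest.sh --flow "$FLOW_NAME" --trail "$TRAIL_NAME"
```

The same move applies to every `${{ inputs.* }}` reference inside a `run:` block; a step that already uses `env:` for one value, like the fingerprint step the review mentions, should use it for all of them.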

mbevc1 and others added 2 commits April 1, 2026 17:52
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
@AlexKantor87 AlexKantor87 enabled auto-merge (squash) April 2, 2026 05:12
@AlexKantor87 AlexKantor87 merged commit b164de9 into main Apr 2, 2026
20 checks passed
@AlexKantor87 AlexKantor87 deleted the 20260401_docker_builds branch April 2, 2026 05:12