From d9ae8c029091139e9421e8bd4d1739e4f59b5da1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20Gonz=C3=A1lez=20Di=20Antonio?= Date: Sun, 24 May 2026 11:03:51 +0200 Subject: [PATCH] fix(ci): restore multi-arch container builds in release workflow The Publish Container Images job has been failing since v0.44.1 (visible again on the v0.45.0 release as "Could not resolve digest for ghcr.io/slashdevops/idp-scim-sync:v0.45.0") because the arm64 image is never produced. Root cause: when the workflow was migrated from Docker to Podman in ab22744, docker/setup-qemu-action was removed on the assumption that pre-built binaries no longer needed cross-compilation. They don't, but every RUN line in Containerfile (apk add ca-certificates, etc.) still executes under the target architecture, which on an amd64 runner requires QEMU user-mode emulation registered with binfmt_misc. Without it, `podman build --platform linux/arm64` exits with "exec /bin/sh: Exec format error", no arm64 image is created, container-publish then fails to add it to the manifest, and cosign finally fails to resolve the (never-pushed) digest. The two upstream make failures were not surfaced as red steps because `make ... | tee $GITHUB_STEP_SUMMARY` runs under bash without pipefail, so tee's exit 0 masked the make exit 1. Changes: * Install qemu-user-static and binfmt-support alongside podman so the kernel can run arm64 binaries during the build. * Add `defaults.run.shell: bash -eo pipefail {0}` at the job level so future `cmd | tee ...` failures fail the step instead of being silently swallowed. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/container-image.yml | 13 +++++++++++-- docs/Whats-New.md | 13 +++++++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container-image.yml b/.github/workflows/container-image.yml index 2e0943a..6a0da64 100644 --- a/.github/workflows/container-image.yml +++ b/.github/workflows/container-image.yml 
@@ -15,6 +15,11 @@ jobs: build: name: Build and Publish Container Images runs-on: ubuntu-latest + defaults: + # pipefail so `make ... | tee $GITHUB_STEP_SUMMARY` propagates the + # upstream make exit code instead of being swallowed by tee's exit 0. + run: + shell: bash -eo pipefail {0} permissions: contents: read packages: write @@ -23,10 +28,14 @@ jobs: - name: Check out code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Install Podman + - name: Install Podman and cross-arch emulation + # qemu-user-static + binfmt-support register QEMU user-mode handlers + # in /proc/sys/fs/binfmt_misc so podman can RUN steps inside arm64 + # images on this amd64 runner (the Containerfile's `apk add` step + # otherwise dies with "exec /bin/sh: Exec format error"). run: | sudo apt-get update - sudo apt-get install -y podman + sudo apt-get install -y podman qemu-user-static binfmt-support - name: Tools and versions run: | diff --git a/docs/Whats-New.md b/docs/Whats-New.md index 1a45f50..348c80f 100644 --- a/docs/Whats-New.md +++ b/docs/Whats-New.md 
@@ -4,6 +4,19 @@ This document tracks notable changes, new features, and bug fixes across release ## Unreleased +### CI fix: restore multi-arch container builds in the release workflow + +Fixes the `Publish Container Images` job (failing since v0.44.1, surfaced again on the v0.45.0 release as ["Could not resolve digest for ghcr.io/slashdevops/idp-scim-sync:v0.45.0"](https://github.com/slashdevops/idp-scim-sync/actions/runs/26356807875/job/77585211704)). + +**Root cause.** When the workflow was migrated from Docker to Podman in `ab22744`, the `docker/setup-qemu-action` step was removed on the assumption that pre-built binaries no longer required cross-compilation. They don't — but every `RUN` line in `Containerfile` (notably `apk add ca-certificates`) still has to execute under the target architecture. On the `amd64` runner, building the `arm64` variant therefore needs QEMU user-mode emulation registered with `binfmt_misc`. Without it, `podman build --platform linux/arm64` died with `exec /bin/sh: Exec format error`, the `arm64` image was never created, `podman manifest add` then failed, no manifest was pushed, and `cosign sign` finally failed with "Could not resolve digest". The two upstream `make` failures were not surfaced as red steps because `make ... | tee $GITHUB_STEP_SUMMARY` runs under bash without `pipefail`, so `tee`'s exit 0 masked the make exit 1. + +**Changes in `.github/workflows/container-image.yml`:** + +* Install `qemu-user-static` and `binfmt-support` alongside `podman` so the kernel can run arm64 binaries during the build. +* Set `defaults.run.shell: bash -eo pipefail {0}` at the job level so future `cmd | tee` failures fail the step instead of being silently swallowed. + +No code changes; release artifacts and signing flow are unchanged. + ### SCIM members sync — major security & performance improvement (closes [#520](https://github.com/slashdevops/idp-scim-sync/issues/520)) > [!IMPORTANT]
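Review bot: in the first hunk, the job-level `defaults.run.shell: bash -eo pipefail {0}` changes exit semantics for every `run:` step in the job, not only the `make ... | tee $GITHUB_STEP_SUMMARY` steps the comment names; any existing pipeline whose producer legitimately exits non-zero (a `grep` that matches nothing, `cmd | head -n 1`) will now fail the step, so each `run:` block in this job deserves one read with pipefail in mind before merging. Style point: GitHub's built-in `shell: bash` keyword already expands to `bash --noprofile --norc -eo pipefail {0}`, so `run: { shell: bash }` gets the same pipefail behaviour with less to maintain and additionally skips the runner's profile files.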
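Review bot: in the second hunk, the "Install Podman and cross-arch emulation" step installs `qemu-user-static` and `binfmt-support` but never checks that a handler was actually registered, so a future regression here would again surface only downstream as `exec /bin/sh: Exec format error` inside `podman build`. Suggest a verification line immediately after the install that fails fast, for example `test -e /proc/sys/fs/binfmt_misc/qemu-aarch64` (the path the step's own comment points at), or a one-line smoke test such as `podman run --rm --platform linux/arm64 <arm64 base image> uname -m` expected to print `aarch64`. Also note the contrast with `actions/checkout@de0fac2e...` two lines above, which is SHA-pinned, while the three apt packages are installed unpinned from whatever the runner's mirror currently serves; if that is acceptable for `podman` it is acceptable here, but it is worth recording in the step comment that the emulation layer is not version-locked.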
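Review bot: in the third hunk, the closing line "No code changes; release artifacts and signing flow are unchanged" sits awkwardly next to the root-cause paragraph, which states that since v0.44.1 no manifest was pushed and `cosign sign` never ran; the entry should say plainly what that means for users, i.e. whether `ghcr.io/slashdevops/idp-scim-sync:v0.44.1` and `:v0.45.0` exist in the registry at all and whether those tags will be rebuilt and signed, since anyone deploying on arm64 (or verifying signatures) from those releases is affected. A short verification hint would also help operators confirm the fix once the next release lands, for example `podman manifest inspect ghcr.io/slashdevops/idp-scim-sync:<next tag>` showing both `amd64` and `arm64` entries, followed by `cosign verify` against the published digest.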