From 842c171770ce20f37aaae03574b37ea9c4c43f61 Mon Sep 17 00:00:00 2001
From: cyrilthommen
Date: Mon, 4 May 2026 19:20:25 +0200
Subject: [PATCH 1/2] Scripts and tools: test Dockerfile on linux/amd64 and linux/arm64
The Dockerfile already cross-builds for the host architecture via the depends/ system (uname -m -> {x86_64,aarch64}-linux-gnu). This extends the existing single-platform Dockerfile test to a buildx matrix that verifies both linux/amd64 and linux/arm64 build cleanly on every PR that touches Dockerfile or depends/, so an arm64 regression cannot slip in unnoticed.
---
.github/workflows/test-dockerfile.yml | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/test-dockerfile.yml b/.github/workflows/test-dockerfile.yml
index 20abc0662a..cc0dc8ea69 100644
--- a/.github/workflows/test-dockerfile.yml
+++ b/.github/workflows/test-dockerfile.yml
@@ -1,20 +1,30 @@
-
 name: build Dockerfile
 on:
 push:
 paths:
 - 'Dockerfile'
+ - 'depends/**'
+ - '.github/workflows/test-dockerfile.yml'
 pull_request:
 paths:
 - 'Dockerfile'
+ - 'depends/**'
+ - '.github/workflows/test-dockerfile.yml'
 jobs:
 build:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v5
- - name: Build Docker image
- run: docker build -t firo .
-
+ name: Build Dockerfile (${{ matrix.platform }})
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ platform: [linux/amd64, linux/arm64]
+ steps:
+ - uses: actions/checkout@v5
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build Docker image
+ run: docker buildx build --platform ${{ matrix.platform }} -t firo .
From 58d436b64a97a7a6a51b5d309ee4f48fdb7d2d0c Mon Sep 17 00:00:00 2001
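Review bot: The rewritten `build` job declares no `permissions:`, so the GITHUB_TOKEN it receives has whatever default scope the repository is configured with, although every step here only needs to read the checkout; add `permissions:` / `  contents: read` at workflow level (above `jobs:`) so a compromised build step cannot write to the repository. This matters more after this change because `pull_request` runs now execute an untrusted Dockerfile and `depends/` tree from forks on two matrix legs. The same hunk references `actions/checkout@v5`, `docker/setup-qemu-action@v3` and `docker/setup-buildx-action@v3` by floating major tags, which leaves the same mutability risk the second patch closes for the binfmt image; pinning each `uses:` to a full commit SHA with the tag in a trailing comment (`uses: docker/setup-qemu-action@<commit-sha>  # v3`) would make the pin consistent across the workflow.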
From: TaprootFreak <142087526+TaprootFreak@users.noreply.github.com>
Date: Tue, 5 May 2026 14:18:32 +0200
Subject: [PATCH 2/2] Scripts and tools: pin QEMU binfmt image by digest
Pin tonistiigi/binfmt to its current manifest digest to prevent supply-chain attacks via a compromised :latest tag. refs #1834
---
.github/workflows/test-dockerfile.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/test-dockerfile.yml b/.github/workflows/test-dockerfile.yml
index cc0dc8ea69..92bbcdcec1 100644
--- a/.github/workflows/test-dockerfile.yml
+++ b/.github/workflows/test-dockerfile.yml
@@ -24,6 +24,9 @@ jobs:
 - uses: actions/checkout@v5
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v3
+ with:
+ image: tonistiigi/binfmt:latest@sha256:d3b963f787999e6c0219a48dba02978769286ff61a5f4d26245cb6a6e5567ea3
+ platforms: arm64
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
 - name: Build Docker image
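Review bot: The added `image:` line pins a digest without recording what it corresponds to, so a later maintainer cannot tell whether `sha256:d3b963f7…` is stale or how it was obtained; add a comment above it such as `# tonistiigi/binfmt digest taken from the :latest tag on <date>; refresh deliberately (refs #1834)`. As far as I know the Dependabot github-actions updater bumps `uses:` refs but not `with.image` digests, so the refresh will be manual and the comment is the only place that fact will be visible. `platforms: arm64` is also hard-coded while the job's matrix enumerates `linux/amd64, linux/arm64`, so a platform added to the matrix later would silently stay unregistered; a comment that the two must be kept in sync, or skipping the QEMU step for the native leg with `if: matrix.platform != 'linux/amd64'`, would make that coupling explicit. The `steps:` list this hunk edits begins and ends outside the hunk.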