ci: parallelize push-latest-images workflow using matrix

[Shivampal157]

Fixes #312

Description

This PR refactors the push-latest-images workflow to use a GitHub Actions
matrix strategy so that images for different architectures are built and
pushed in parallel instead of sequentially.

What changed

• Introduced a matrix over architectures for the push-latest-images job
• Each architecture is now built and published in its own parallel job
• Added a follow-up job to create and sign the multi-arch manifest list

Result

• Before: Single long job (~1.5 hours) building all architectures sequentially
• After: Parallel per-architecture jobs + one short manifest/sign job
  → Total wall time reduced to roughly the slowest single-arch build

Notes

• The tagged release pipeline (publish-release on tags) is unchanged

---

Summary by cubic

Parallelized the push-latest-images workflow using a per-arch matrix so each architecture builds and pushes in parallel, then a separate job assembles and signs the multi-arch manifest. This reduces wall time from ~1.5h to roughly the slowest single-arch build.

• Refactors
  • Added per-arch matrix jobs (amd64, arm64, ppc64le, s390x, riscv64) with fail-fast disabled, plus a follow-up manifest/sign job.
  • Extended the composite action with PLATFORM, TAG_SUFFIX, and CREATE_MANIFEST_ONLY, with conditional steps for single-arch vs manifest creation.
  • Updated Taskfile to support single-platform builds with tag suffixes, a manifest-list-and-sign task, and signing deferred to the manifest stage for per-arch builds.

^{Written for commit a25e4c7. Summary will update on new commits.}

Summary by CodeRabbit

• Chores
  • Enhanced build and release infrastructure to support multi-platform image publishing across additional processor architectures.
  • Improved container image signing and manifest list generation processes for consistency and efficiency.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR parallelizes multi-architecture image builds using GitHub Actions matrix strategy, enabling concurrent builds across platforms (amd64, arm64, ppc64le, s390x, riscv64). A dependent job creates and signs manifest lists after per-platform builds complete. New action inputs and Taskfile tasks support single-platform builds and manifest-only workflows.

Changes

Cohort / File(s)	Summary
GitHub Action Definition .github/actions/publish-and-sign/action.yaml	Added three new inputs (PLATFORM, TAG_SUFFIX, CREATE_MANIFEST_ONLY) to control build scope. Introduced conditional logic to skip multi-component publish when CREATE_MANIFEST_ONLY is true, with a new step for manifest creation and signing that uses distinct environment variables.
Release Workflow .github/workflows/release.yaml	Introduced matrix strategy to push-latest-images job for parallel per-platform builds. Added new push-latest-manifest job that depends on matrix job to create manifest lists. Extended Publish step to pass PLATFORM, TAG_SUFFIX, and credentials to the action.
Build Tasks taskfiles/publish.yml	Updated image and image-and-sign tasks to accept PLATFORM and TAG_SUFFIX inputs with conditional platform selection and tag suffix appending. Added new manifest-list-and-sign task to create multi-arch manifest lists and sign them via Cosign for both satellite and ground-control components.

Sequence Diagram

sequenceDiagram
    participant GitHub Actions as Workflow
    participant Matrix as Matrix Strategy
    participant Builders as Build Runners<br/>(Per-Platform)
    participant Registry as Container Registry
    participant Manifest as Manifest Job
    participant Cosign as Cosign Signer

    GitHub Actions->>Matrix: Trigger with platforms<br/>[amd64, arm64, ppc64le, s390x, riscv64]
    
    par Parallel Builds
        Matrix->>Builders: Build for amd64
        Matrix->>Builders: Build for arm64
        Matrix->>Builders: Build for ppc64le
        Matrix->>Builders: Build for s390x
        Matrix->>Builders: Build for riscv64
    end
    
    Builders->>Registry: Push per-platform images<br/>with TAG_SUFFIX
    
    Note over Manifest: Depends on all matrix jobs
    
    GitHub Actions->>Manifest: Trigger manifest job
    Manifest->>Registry: Fetch per-platform images
    Manifest->>Registry: Create manifest list<br/>(combines all architectures)
    Manifest->>Cosign: Sign manifest list
    Cosign->>Registry: Store signed manifest

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Add Taskfile-based Build System with E2E Tests #303 — Directly related as it previously modified the same publish.yml Taskfile; this PR extends those changes with new manifest-list-and-sign task and variable additions.
• removed duplicate step #191 — Related as it modifies the same release workflow's image publish step parameters and action inputs.

Suggested labels

golang

Suggested reviewers

• bupd

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: introducing matrix parallelization to the push-latest-images workflow.
Description check	✅ Passed	The description follows the template structure, includes the linked issue reference, provides clear explanation of changes, and contextualizes the performance improvement.
Linked Issues check	✅ Passed	All objectives from issue #312 are met: matrix strategy implemented for parallel per-architecture builds, manifest creation added as dependent job, and runtime optimizations addressed.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the parallelization objective. No unrelated refactoring, dependency updates, or out-of-scope modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codacy-production]

Codacy's Analysis Summary

0 new issue (≤ 0 issue)
0 new security issue

Review Pull Request in Codacy →

✨ AI Reviewer available: add the codacy-review label to get contextual insights without leaving GitHub.

[cubic-dev-ai]

1 issue found across 3 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="taskfiles/publish.yml">

<violation number="1" location="taskfiles/publish.yml:162">
P2: manifest-list-and-sign uses BASE_TAG directly without stripping a leading "v", while image builds strip it. If BASE_TAG comes from a Git tag (e.g., v1.0.0), the manifest task will reference non-existent images (v1.0.0-<arch>).</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Ask questions if you need clarification on any suggestion

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: manifest-list-and-sign uses BASE_TAG directly without stripping a leading "v", while image builds strip it. If BASE_TAG comes from a Git tag (e.g., v1.0.0), the manifest task will reference non-existent images (v1.0.0-).

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At taskfiles/publish.yml, line 162:

<comment>manifest-list-and-sign uses BASE_TAG directly without stripping a leading "v", while image builds strip it. If BASE_TAG comes from a Git tag (e.g., v1.0.0), the manifest task will reference non-existent images (v1.0.0-<arch>).</comment>

<file context>
@@ -106,17 +120,57 @@ tasks:
+        for COMPONENT in satellite ground-control; do
+          SOURCES=""
+          for suf in {{.SUFFIXES}}; do
+            SOURCES="$SOURCES {{.REGISTRY}}/{{.PROJECT_NAME}}/$COMPONENT:{{.BASE_TAG}}-$suf"
+          done
+          echo "Creating manifest list for $COMPONENT:{{.BASE_TAG}}..."
</file context>

[Shivampal157]

Thanks for pointing this out.

In this PR, the parallelization only applies to the push-latest-images workflow.
The tagged release pipeline (publish-release on refs/tags/*) is intentionally kept unchanged
and still builds and signs all architectures in a single job.
For the matrix-based path, the manifest is created only after the per-arch images
are successfully pushed, so BASE_TAG should already exist at that point.
That said, I agree this edge case is worth improving. I can follow up with a small
safety check or refactor in a separate PR if maintainers think it’s required here.