From 5e6c96bdd10278a2ff0ef8e3ba2815c4c16830e8 Mon Sep 17 00:00:00 2001
From: Cyber MacGeddon
Date: Mon, 13 Apr 2026 23:14:37 +0100
Subject: [PATCH] Separate platform builds & combine to single manifest
---
 .github/workflows/release.yaml | 72 ++++++++++++++++++++++++++--------
 Makefile | 35 ++++++++++++++++-
 2 files changed, 89 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f29e642c..5b41972e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -40,10 +40,62 @@ jobs: - name: Publish release distributions to PyPI uses: pypa/gh-action-pypi-publish@release/v1 - deploy-container-image: + build-platform-image: - name: Release container images + name: Build ${{ matrix.container }} (${{ matrix.platform }}) runs-on: ubuntu-24.04 + permissions: + contents: write + id-token: write + environment: + name: release + strategy: + matrix: + container: + - base + - flow + - bedrock + - vertexai + - hf + - ocr + - unstructured + - mcp + platform: + - amd64 + - arm64 + + steps: + + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up QEMU - for ARM emulation + if: matrix.platform == 'arm64' + uses: docker/setup-qemu-action@v3 + with: + platforms: arm64 + + - name: Docker Hub token + run: echo ${{ secrets.DOCKER_SECRET }} > docker-token.txt + + - name: Authenticate with Docker hub + run: make docker-hub-login + + - name: Get version + id: version + run: echo VERSION=$(git describe --exact-match --tags | sed 's/^v//') >> $GITHUB_OUTPUT + + - name: Build container + run: make platform-${{ matrix.container }}-${{ matrix.platform }} VERSION=${{ steps.version.outputs.VERSION }} + + - name: Push container + run: make push-platform-${{ matrix.container }}-${{ matrix.platform }} VERSION=${{ steps.version.outputs.VERSION }} + + combine-manifests: + + name: Combine manifest ${{ matrix.container }} + runs-on: ubuntu-24.04 + needs: build-platform-image permissions: contents: write id-token: write @@ -66,11 +118,6 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Set up QEMU - for ARM emulation - uses: docker/setup-qemu-action@v3 - with: - platforms: arm64 - - name: Docker Hub token run: echo ${{ secrets.DOCKER_SECRET }} > docker-token.txt 
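Review bot: The new `Docker Hub token` step in `build-platform-image` expands `${{ secrets.DOCKER_SECRET }}` unquoted into the shell text and leaves `docker-token.txt` in the checkout root, which is the `.` build context the `platform-%` targets pass to `${DOCKER} build`. Passing the secret through the environment keeps it out of the generated script and avoids word-splitting: add `env: DOCKER_SECRET: ${{ secrets.DOCKER_SECRET }}` to the step and use `run: printf '%s\n' "$DOCKER_SECRET" > docker-token.txt`. Deleting the file once `make docker-hub-login` has run would keep it out of the build context, where a broad copy in a Containerfile could otherwise bake it into a published layer. That target and the Containerfiles are outside this diff, so this assumes the login target only reads the file and that no ignore file already excludes it. Separately, the visible steps only check out, build and push with the Docker Hub secret, so `contents: write` and `id-token: write` look broader than this 16-way matrix job needs; `contents: read` would do unless a make target relies on them.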
@@ -81,12 +128,5 @@ jobs: id: version run: echo VERSION=$(git describe --exact-match --tags | sed 's/^v//') >> $GITHUB_OUTPUT - - name: Put version into package manifests - run: make update-package-versions VERSION=${{ steps.version.outputs.VERSION }} - - - name: Build container - ${{ matrix.container }} - run: make manifest-${{ matrix.container }} VERSION=${{ steps.version.outputs.VERSION }} - - - name: Push container - ${{ matrix.container }} - run: make push-manifest-${{ matrix.container }} VERSION=${{ steps.version.outputs.VERSION }} - + - name: Combine and push manifest + run: make combine-manifest-${{ matrix.container }} VERSION=${{ steps.version.outputs.VERSION }} diff --git a/Makefile b/Makefile index 593b7a9c..85f10fdd 100644 --- a/Makefile +++ b/Makefile @@ -75,7 +75,7 @@ container-%: update-package-versions -f containers/Containerfile.${@:container-%=%} \ -t ${CONTAINER_BASE}/trustgraph-${@:container-%=%}:${VERSION} . -# Individual container build targets +# Multi-arch: build both platforms sequentially into one manifest (local use) manifest-%: update-package-versions -@${DOCKER} manifest rm \ ${CONTAINER_BASE}/trustgraph-${@:manifest-%=%}:${VERSION} 
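Review bot: In the `Combine and push manifest` step of release.yaml, `${{ steps.version.outputs.VERSION }}` is substituted into the script before the shell parses it. That value comes from `git describe --tags`, so any characters in the tag name become part of the command line. Git allows shell metacharacters in ref names, so the value is safer passed as data: `env: VERSION: ${{ steps.version.outputs.VERSION }}` with `run: make combine-manifest-${{ matrix.container }} VERSION="$VERSION"`. The `Build container` and `Push container` steps added in the first release.yaml hunk have the same shape. The workflow trigger and who may push tags are outside the diff, so the practical exposure may be small.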
@@ -84,12 +84,43 @@ manifest-%: update-package-versions --manifest \ ${CONTAINER_BASE}/trustgraph-${@:manifest-%=%}:${VERSION} . +# Multi-arch: build a single platform image (for parallel CI) +platform-%-amd64: update-package-versions + ${DOCKER} build --platform linux/amd64 \ + -f containers/Containerfile.${@:platform-%-amd64=%} \ + -t ${CONTAINER_BASE}/trustgraph-${@:platform-%-amd64=%}:${VERSION}-amd64 . + +platform-%-arm64: update-package-versions + ${DOCKER} build --platform linux/arm64 \ + -f containers/Containerfile.${@:platform-%-arm64=%} \ + -t ${CONTAINER_BASE}/trustgraph-${@:platform-%-arm64=%}:${VERSION}-arm64 . + +# Push a single platform image +push-platform-%-amd64: + ${DOCKER} push \ + ${CONTAINER_BASE}/trustgraph-${@:push-platform-%-amd64=%}:${VERSION}-amd64 + +push-platform-%-arm64: + ${DOCKER} push \ + ${CONTAINER_BASE}/trustgraph-${@:push-platform-%-arm64=%}:${VERSION}-arm64 + +# Combine per-platform images into a multi-arch manifest +combine-manifest-%: + -@${DOCKER} manifest rm \ + ${CONTAINER_BASE}/trustgraph-${@:combine-manifest-%=%}:${VERSION} + ${DOCKER} manifest create \ + ${CONTAINER_BASE}/trustgraph-${@:combine-manifest-%=%}:${VERSION} \ + docker://${CONTAINER_BASE}/trustgraph-${@:combine-manifest-%=%}:${VERSION}-amd64 \ + docker://${CONTAINER_BASE}/trustgraph-${@:combine-manifest-%=%}:${VERSION}-arm64 + ${DOCKER} manifest push \ + ${CONTAINER_BASE}/trustgraph-${@:combine-manifest-%=%}:${VERSION} + # Push a container push-container-%: ${DOCKER} push \ ${CONTAINER_BASE}/trustgraph-${@:push-container-%=%}:${VERSION} -# Push a manifest +# Push a manifest (from local multi-arch build) push-manifest-%: ${DOCKER} manifest push \ ${CONTAINER_BASE}/trustgraph-${@:push-manifest-%=%}:${VERSION}
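Review bot: `combine-manifest-%` assembles the release manifest from the mutable tags `${VERSION}-amd64` and `${VERSION}-arm64` as they resolve in the registry at combine time, not from the images the build jobs in this run pushed. Anything that re-pushes one of those tags in between (a re-run, a concurrent release, or another holder of the registry credentials) ends up in the multi-arch manifest unnoticed. Consider recording each platform image's digest at push time, passing it to the combine job, and referencing `...@sha256:<digest>` in `manifest create` instead of the tag. A short comment above the target saying that both per-platform tags must already be pushed would also help, since the rule has no prerequisites.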