Conversation
Add linux/arm64 to the build-docker-image workflow alongside linux/amd64 so the published image runs natively on Apple Silicon. This enables Sentry staff to more easily run on M-series mac.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 3fcc2e1.
| @@ -0,0 +1,88 @@ | |||
| name: multiarch-build-workflow | |||
I made this a reusable workflow since many repos at Sentry seem to need the same thing. Might extract it later.
| # the assemble job stitches them into the multi-arch :sha and :latest. | ||
| # This is the same as Snuba's multiarch workflow. | ||
| tag_suffix: -${{ matrix.pair }} | ||
| ghcr: false | ||
| google_ar: true | ||
| google_ar_image_name: ${{ inputs.google_ar_image_name }} | ||
| google_workload_identity_provider: ${{ inputs.google_workload_identity_provider }} | ||
| google_service_account: ${{ inputs.google_service_account }} | ||
| # latest/nightly belong on the assembled manifest, not per-arch. | ||
| tag_latest: false | ||
| tag_nightly: false |
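Review bot: `google_ar: true` (together with the image name, workload identity provider and service account above it) is hard-coded in this hunk, so the per-arch build publishes to the production Artifact Registry on every run, including pull-request builds, even though the workflow exposes an `inputs.push` parameter; gate it with `google_ar: ${{ inputs.push }}` so that only intended runs write `-${{ matrix.pair }}` tagged images to the production registry. The header comment explains that `:sha` and `:latest` come from the assemble job; it would help to also state that the per-arch tags are intermediate artifacts consumed only by that job, so nobody depends on them directly.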
Bug: The build-arch job unconditionally pushes images to the production Google Artifact Registry on every PR run because google_ar: true is hardcoded, ignoring the inputs.push condition.
Severity: MEDIUM
Suggested Fix
Add a condition to the getsentry/action-build-and-push-images step within the build-arch job to respect the inputs.push input. For example, change google_ar: true to google_ar: ${{ inputs.push }}. This will ensure images are only pushed to the production registry when intended.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/multiarch-build-workflow.yml#L42-L57
Potential issue: The `build-arch` job in the `multiarch-build-workflow.yml` workflow unconditionally pushes per-architecture images to the production Google Artifact Registry (GAR) on every pull request. The `getsentry/action-build-and-push-images` step has `google_ar: true` hardcoded. While the workflow has an `inputs.push` parameter intended to control this behavior, it is not used to gate the image push in the `build-arch` job. This is a regression from the previous workflow, where pushing to GAR was correctly conditioned on merges to the `main` branch, and will pollute the production registry with intermediate images from every PR.
| # the assemble job stitches them into the multi-arch :sha and :latest. | ||
| # This is the same as Snuba's multiarch workflow. | ||
| tag_suffix: -${{ matrix.pair }} | ||
| ghcr: false |
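Review bot: `ghcr: false` is set without any comment explaining the choice, while the two comment lines above it document the tag strategy; since the thread below debates whether GHCR copies are needed, add a one-line comment next to `ghcr: false` stating why the Artifact Registry images alone are sufficient, so the decision is recorded in the workflow and not only in this PR discussion.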
Having GHCR images can be useful in sandboxes where we can't reach production images.
The prod images are public. I've used it successfully in the sandbox here: https://github.com/getsentry/terraform-sandboxes.private/pull/427