ci: use native arm64 runners for multi-arch Docker builds (#531)

* ci: use native arm64 runners for multi-arch Docker builds

Replace QEMU-emulated arm64 builds with native ubuntu-24.04-arm runners
to dramatically speed up multi-arch Docker image builds. The UI (Next.js)
build was taking 40+ minutes under QEMU; native builds should complete
in under 10 minutes.

Changes:
- Split reusable workflow into parallel build (per-platform) + merge jobs
- amd64 builds on ubuntu-latest, arm64 builds on ubuntu-24.04-arm
- Merge job creates multi-arch manifest via docker buildx imagetools
- Cache scopes split per platform to avoid cross-arch pollution
- Add optional `file` input for custom Dockerfile paths
- Refactor admin-release.yaml to reuse the shared workflow

* ci: add actionlint workflow to validate GitHub Actions on PR

* fix(ci): use correct actionlint installation method

* fix(ci): use raven-actions/actionlint for workflow linting

* fix(ci): resolve shellcheck SC2181 in security-reusable workflow

Author: GenerQAQ

.github/workflows/_reusable-docker-release.yaml

@@ -11,6 +11,11 @@ on:
         description: "Docker build context path (e.g. ./src/server/core)"
         required: true
         type: string
+      file:
+        description: "Dockerfile path (defaults to {context}/Dockerfile)"
+        required: false
+        type: string
+        default: ""
       tag_prefix:
         description: "Git tag prefix (e.g. core/v)"
         required: true
@@ -29,14 +34,22 @@ permissions:
   packages: write
 
 jobs:
-  build-and-push:
-    runs-on: ubuntu-latest
-    timeout-minutes: 60
+  build:
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    strategy:
+      fail-fast: true
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            suffix: amd64
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            suffix: arm64
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
 
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
@@ -45,33 +58,64 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
+
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
         with:
           images: ghcr.io/memodb-io/${{ inputs.image_name }}
           tags: |
             type=sha
-            type=semver,pattern={{version}},match=${{ inputs.tag_prefix }}(\d+\.\d+\.\d+)$
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Build and Push Docker image
         uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.platform }}
           context: ${{ inputs.context }}
+          file: ${{ inputs.file || '' }}
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ghcr.io/memodb-io/${{ inputs.image_name }}:sha-${{ github.sha }}-${{ matrix.suffix }}
           labels: ${{ steps.meta.outputs.labels }}
           sbom: true
           provenance: mode=max
-          cache-from: type=gha,scope=${{ inputs.image_name }}
-          cache-to: type=gha,mode=max,scope=${{ inputs.image_name }}
+          cache-from: type=gha,scope=${{ inputs.image_name }}-${{ matrix.suffix }}
+          cache-to: type=gha,mode=max,scope=${{ inputs.image_name }}-${{ matrix.suffix }}
+
+  merge:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          fetch-depth: 0
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          VERSION="${GITHUB_REF_NAME#${{ inputs.tag_prefix }}}"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
+      - name: Create multi-arch manifest
+        run: |
+          IMAGE="ghcr.io/memodb-io/${{ inputs.image_name }}"
+          SHA_SHORT="$(echo "$GITHUB_SHA" | head -c 7)"
+
+          docker buildx imagetools create \
+            --tag "${IMAGE}:${{ steps.version.outputs.version }}" \
+            --tag "${IMAGE}:sha-${SHA_SHORT}" \
+            "${IMAGE}:sha-${GITHUB_SHA}-amd64" \
+            "${IMAGE}:sha-${GITHUB_SHA}-arm64"
 
       - name: Generate Changelog
         run: |

.github/workflows/admin-release.yaml

@@ -10,61 +10,12 @@ permissions:
   packages: write
 
 jobs:
-  build-and-push:
-    runs-on: ubuntu-latest
-    timeout-minutes: 60
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-        with:
-          fetch-depth: 0
-
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
-        with:
-          images: ghcr.io/memodb-io/acontext-admin
-          tags: |
-            type=sha
-            type=semver,pattern={{version}},match=admin/v(\d+\.\d+\.\d+)$
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
-
-      - name: Build and Push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
-        with:
-          platforms: linux/amd64,linux/arm64
-          context: ./src/server/api/go
-          file: ./src/server/api/go/Dockerfile.admin
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          sbom: true
-          provenance: mode=max
-          cache-from: type=gha,scope=acontext-admin
-          cache-to: type=gha,mode=max,scope=acontext-admin
-
-      - name: Generate Changelog
-        run: |
-          bash .github/scripts/generate-changelog.sh \
-            --tag-prefix "admin/v" \
-            --source-dir "src/server/api/go" \
-            --display-name "Admin API" \
-            --output "$GITHUB_WORKSPACE-CHANGELOG.txt" \
-            --footer "Published to https://github.com/memodb-io/Acontext/pkgs/container/acontext-admin"
-
-      - name: Create Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe
-        with:
-          body_path: ${{ github.workspace }}-CHANGELOG.txt
+  release:
+    uses: ./.github/workflows/_reusable-docker-release.yaml
+    with:
+      image_name: acontext-admin
+      context: ./src/server/api/go
+      file: ./src/server/api/go/Dockerfile.admin
+      tag_prefix: "admin/v"
+      display_name: Admin API
+      source_dir: src/server/api/go

.github/workflows/lint-workflows.yaml

@@ -0,0 +1,17 @@
+name: Lint Workflows
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+
+      - name: Run actionlint
+        uses: raven-actions/actionlint@v2

.github/workflows/security-reusable.yaml

@@ -60,7 +60,7 @@ jobs:
             uv export --format requirements-txt --no-hashes --no-dev > reqs.txt
             # Run pip-audit in JSON mode; filter out vulnerabilities with no fix available
             pip-audit -r reqs.txt -f json -o audit.json || true
-            python3 -c "
+            if python3 -c "
           import json, sys
           data = json.load(open('audit.json'))
           fixable = [v for dep in data.get('dependencies', [])
@@ -71,12 +71,13 @@ jobs:
                   print(f\"  {v['id']}: fix available -> {v['fix_versions']}\", file=sys.stderr)
               sys.exit(1)
           "
-            if [ $? -ne 0 ]; then
+            then
+              echo "✅ $dir clean (unfixed-only vulnerabilities ignored)"
+            else
               echo "❌ Fixable vulnerabilities found in $dir"
               rm -f reqs.txt audit.json
               exit 1
             fi
-            echo "✅ $dir clean (unfixed-only vulnerabilities ignored)"
             rm -f reqs.txt audit.json
             cd - > /dev/null
           done