From 03c64a31421d021ef3e36c16b3ad2c26822d7f80 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 20 Jan 2025 12:54:29 -0500 Subject: [PATCH 1/5] bug: enable push: true for multi-arch builds Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 0d11dedafd..d3359f99e0 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -220,8 +220,7 @@ jobs: context: . build-args: | ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} - push: false - load: true + push: true tags: "${{ env.DOCKER_REPO }}:goss-test" target: ${{ matrix.image_type }} From e23ae2f435e01d49b68aef81c9015c87c694f347 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 20 Jan 2025 13:13:59 -0500 Subject: [PATCH 2/5] switch to parallel multi-arch builds Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index d3359f99e0..edf9e4a6eb 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -53,7 +53,6 @@ jobs: strategy: matrix: image_type: [alpine, debian] - platform: [linux/arm64/v8, linux/amd64, linux/arm/v7] runs-on: ubuntu-24.04 env: # Set docker repo to either the fork or the main repo where the branch exists @@ -156,7 +155,7 @@ jobs: ATLANTIS_VERSION=${{ env.RELEASE_VERSION }} ATLANTIS_COMMIT=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} ATLANTIS_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} - platforms: ${{ matrix.platform }} + platforms: linux/arm64/v8, linux/amd64, linux/arm/v7 push: ${{ env.PUSH }} tags: ${{ steps.meta.outputs.tags }} target: ${{ matrix.image_type }} 
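Review bot: In the `[PATCH 1/5]` hunk, `push: true` makes every `matrix.image_type` leg of this job publish to the same mutable tag, `"${{ env.DOCKER_REPO }}:goss-test"`. Legs that run concurrently would overwrite each other, and a later step that pulls that tag may end up testing the other flavour's image. A job that only builds and tests would presumably also need registry write credentials it did not need with `load: true`. The last patch in this series restores `push: false` / `load: true`; squashing the two would keep a commit with a publishing test job out of the history. The rest of the step lies outside the hunk.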
From b01401ff7faa998646471393eff96962cb187d18 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 20 Jan 2025 13:26:08 -0500 Subject: [PATCH 3/5] remove condition for image signing we don't need it any more since we're using true multi-arch builds now. Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index edf9e4a6eb..fb94822f20 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -173,7 +173,7 @@ jobs: - name: "Sign images with environment annotations" # no key needed, we're using the GitHub OIDC flow # Only run on alpine/amd64 build to avoid signing multiple times - if: env.PUSH == 'true' && github.event_name != 'pull_request' && matrix.image_type == 'alpine' && matrix.platform == 'linux/amd64' + if: env.PUSH == 'true' && github.event_name != 'pull_request' run: | # Sign dev tags, version tags, and latest tags echo "${TAGS}" | xargs -I {} cosign sign \ From 07f4e4d5c1909d0c515e49894d6990f1bee1a887 Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 20 Jan 2025 14:53:47 -0500 Subject: [PATCH 4/5] do not sign manifests recursively only sign top-level manifest Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index fb94822f20..268b2ce498 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml 
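Review bot: In the `[PATCH 3/5]` hunk the new `if:` drops `matrix.image_type == 'alpine'` along with the platform test, although the commit message only justifies removing the platform part. `image_type: [alpine, debian]` is still a matrix axis, so the signing step now runs once per flavour. That is correct only if `TAGS` in each leg holds just that leg's tags; if the legs share tags, the same references are signed twice. `TAGS` is set outside the hunk, so this needs confirming. The comment left above the condition, `# Only run on alpine/amd64 build to avoid signing multiple times`, no longer matches it at this commit and could become `# Runs once per image_type; each leg signs the tags it pushed`.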
@@ -172,13 +172,11 @@ jobs: - name: "Sign images with environment annotations" # no key needed, we're using the GitHub OIDC flow - # Only run on alpine/amd64 build to avoid signing multiple times if: env.PUSH == 'true' && github.event_name != 'pull_request' run: | # Sign dev tags, version tags, and latest tags echo "${TAGS}" | xargs -I {} cosign sign \ --yes \ - --recursive=true \ -a actor=${{ github.actor}} \ -a ref_name=${{ github.ref_name}} \ -a ref=${{ github.sha }} \ From 0e732ac6845708192743d68230233932e610a58b Mon Sep 17 00:00:00 2001 From: Dan Urson Date: Mon, 20 Jan 2025 14:57:53 -0500 Subject: [PATCH 5/5] do not push test images to repo when testing, push is false and load is true Signed-off-by: Dan Urson --- .github/workflows/atlantis-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/atlantis-image.yml b/.github/workflows/atlantis-image.yml index 268b2ce498..e341bc0fb6 100644 --- a/.github/workflows/atlantis-image.yml +++ b/.github/workflows/atlantis-image.yml @@ -200,7 +200,6 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3 # https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515 @@ -217,7 +216,8 @@ jobs: context: . build-args: | ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} - push: true + push: false + load: true tags: "${{ env.DOCKER_REPO }}:goss-test" target: ${{ matrix.image_type }}
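Review bot: In the `[PATCH 4/5]` hunk, `-a ref_name=${{ github.ref_name}}` is expanded into the script text before the shell starts, so a branch or tag name containing shell metacharacters is parsed as shell syntax in the step that signs through the GitHub OIDC flow. The script already reads `${TAGS}` as a shell variable, and the same pattern fits here: add `REF_NAME: ${{ github.ref_name }}` to the step's `env:` and pass `-a ref_name="${REF_NAME}" \`, with `github.actor` handled the same way. The step's `env:` block and the end of the command are outside the hunk, so whether other expressions are interpolated like this is not visible. Separately, with `--recursive=true` removed only the top-level index is signed. A comment such as `# signs the multi-arch index only; per-platform manifests carry no signature` would tell anyone verifying by a platform-specific digest to expect none.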