feat: add ARM64 binary support for awf CLI (#965)

* feat: add ARM64 binary support for awf CLI

Publish both x64 and arm64 binaries in releases so agentic workflows
can run natively on ARM64 self-hosted runners without QEMU emulation.

- Add node18-linux-arm64 target to pkg config
- Build and upload both binaries in release workflow
- Add arm64 ELF validation step in CI
- Update install.sh to auto-detect architecture (x86_64/aarch64)
- Update release template docs for ARM64

Closes github/gh-aw#16005

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: resolve high-severity minimatch vulnerability via npm override

Add npm overrides for minimatch>=10.2.1 to fix GHSA-3ppc-4f35-3m26
(ReDoS via repeated wildcards). This resolves 24 high-severity
findings from transitive deps in jest, eslint, and typescript-eslint.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

.github/workflows/release.yml

@@ -300,24 +300,36 @@ jobs:
         run: |
           mkdir -p release
 
-          # Create standalone executable for Linux
+          # Create standalone executables for Linux (x64 and arm64)
           pkg . \
             --targets node18-linux-x64 \
             --output release/awf-linux-x64
 
-          # Verify the binary was created
+          pkg . \
+            --targets node18-linux-arm64 \
+            --output release/awf-linux-arm64
+
+          # Verify the binaries were created
           echo "=== Contents of release directory ==="
           ls -lh release/
-          echo "=== Verifying binary ==="
-          test -f release/awf-linux-x64 && echo "✓ Binary exists at release/awf-linux-x64" || echo "✗ Binary NOT found!"
-          file release/awf-linux-x64
+          echo "=== Verifying binaries ==="
+          for bin in awf-linux-x64 awf-linux-arm64; do
+            test -f "release/$bin" && echo "✓ Binary exists at release/$bin" || echo "✗ Binary NOT found: $bin"
+            file "release/$bin"
+          done
 
-      - name: Smoke test binary
+      - name: Smoke test binary (x64)
         run: |
           npx tsx scripts/ci/smoke-test-binary.ts \
             release/awf-linux-x64 \
             ${{ needs.setup.outputs.version_number }}
 
+      - name: Verify arm64 binary is valid ELF
+        run: |
+          file release/awf-linux-arm64 | grep -q "ELF 64-bit LSB" || { echo "ERROR: arm64 binary is not a valid ELF"; exit 1; }
+          file release/awf-linux-arm64 | grep -qi "aarch64\|arm" || { echo "ERROR: arm64 binary is not for ARM architecture"; exit 1; }
+          echo "✓ arm64 binary is a valid ELF for ARM64"
+
       - name: Create tarball for npm package
         run: |
           npm pack
@@ -442,6 +454,7 @@ jobs:
           prerelease: ${{ contains(needs.setup.outputs.version, 'alpha') || contains(needs.setup.outputs.version, 'beta') || contains(needs.setup.outputs.version, 'rc') }}
           files: |
             release/awf-linux-x64
+            release/awf-linux-arm64
             release/awf.tgz
             release/checksums.txt
         env:

docs/RELEASE_TEMPLATE.md

@@ -31,13 +31,14 @@ Everything below the `---` separator becomes the release notes.
 
 ### One-Line Installer (Recommended)
 
-**Linux (x64) with automatic SHA verification:**
+**Linux (x64 and ARM64) with automatic SHA verification:**
 ```bash
 curl -sSL https://raw.githubusercontent.com/{{REPOSITORY}}/main/install.sh | sudo bash
 ```
 
 This installer:
-- Downloads the latest release binary
+- Automatically detects your architecture (x86_64 or aarch64)
+- Downloads the correct release binary
 - Verifies SHA256 checksum against `checksums.txt`
 - Validates the file is a valid ELF executable
 - Installs to `/usr/local/bin/awf`
@@ -58,6 +59,20 @@ chmod +x awf
 sudo mv awf /usr/local/bin/
 ```
 
+**Linux (ARM64):**
+```bash
+# Download binary and checksums
+curl -fL https://github.com/{{REPOSITORY}}/releases/download/{{VERSION}}/awf-linux-arm64 -o awf
+curl -fL https://github.com/{{REPOSITORY}}/releases/download/{{VERSION}}/checksums.txt -o checksums.txt
+
+# Verify checksum
+sha256sum -c checksums.txt --ignore-missing
+
+# Install
+chmod +x awf
+sudo mv awf /usr/local/bin/
+```
+
 ### NPM Installation (Alternative)
 
 ```bash

install.sh

@@ -32,7 +32,7 @@ set -e
 # Issue #107: https://github.com/github/gh-aw-firewall/issues/107
 
 REPO="github/gh-aw-firewall"
-BINARY_NAME="awf-linux-x64"
+BINARY_NAME=""  # Set dynamically by check_platform
 INSTALL_DIR="/usr/local/bin"
 INSTALL_NAME="awf"
 
@@ -93,12 +93,18 @@ check_platform() {
 
     case "$arch" in
         x86_64|amd64)
+            BINARY_NAME="awf-linux-x64"
+            ;;
+        aarch64|arm64)
+            BINARY_NAME="awf-linux-arm64"
             ;;
         *)
-            error "Unsupported architecture: $arch (supported: x86_64)"
+            error "Unsupported architecture: $arch (supported: x86_64, aarch64)"
             exit 1
             ;;
     esac
+
+    info "Detected architecture: $arch (binary: $BINARY_NAME)"
 }
 
 # Validate version format (should be like v1.0.0, v1.2.3, etc.)