feat: enable arm support

- Build arm64 build for main branch.
- Enable bpfvalidator to run on arm system
- Release multi-arch images for arm.
- Publish arm64 attestation.

Signed-off-by: Sam Wang (holyspectral) <sam.wang@suse.com>

Author: holyspectral

.github/workflows/bpf_test.yml

@@ -7,11 +7,18 @@ on:
 jobs:
   test:
     name: test-${{ matrix.arch }}
-    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
+    runs-on: ${{ matrix.runner }}
     strategy:
       fail-fast: false
       matrix:
-        arch: [amd64]
+        arch: [amd64, arm64]
+        include:
+          - arch: amd64
+            runner: ubuntu-24.04
+            platform: linux/amd64
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+            platform: linux/arm64
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/container-build.yml

@@ -14,11 +14,14 @@ jobs:
     strategy:
       matrix:
         component: [operator, agent]
-        arch: [amd64]
+        arch: [amd64, arm64]
         include:
           - arch: amd64
             runner: ubuntu-latest
             platform: linux/amd64
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+            platform: linux/arm64
     permissions:
       contents: read
       packages: write # Pushing images to ghcr.io
@@ -51,7 +54,7 @@ jobs:
       - name: Merge images
         uses: ./.github/actions/merge-multiarch
         with:
-          arch: amd64
+          arch: amd64,arm64
           image: ${{ matrix.component }}
           repo: ${{ github.repository }}
           tag: latest

.github/workflows/release.yml

@@ -10,11 +10,14 @@ jobs:
     strategy:
       matrix:
         component: [operator, agent]
-        arch: [amd64]
+        arch: [amd64, arm64]
         include:
           - arch: amd64
             runner: ubuntu-latest
             platform: linux/amd64
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+            platform: linux/arm64
     permissions:
       contents: read # Access private repos
       packages: write
@@ -47,7 +50,7 @@ jobs:
       - name: Merge images
         uses: ./.github/actions/merge-multiarch
         with:
-          arch: amd64
+          arch: amd64,arm64
           image: ${{ matrix.component }}
           repo: ${{ github.repository }}
           tag: ${{ github.ref_name }}
@@ -57,11 +60,14 @@ jobs:
     strategy:
       matrix:
         component: [operator, agent]
-        arch: [amd64]
+        arch: [amd64, arm64]
         include:
           - arch: amd64
             runner: ubuntu-latest
             platform: linux/amd64
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+            platform: linux/arm64
     needs: [merge]
     permissions:
       contents: read # Access private repos
@@ -129,6 +135,15 @@ jobs:
                 'RuntimeEnforcer-operator-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore',
                 'RuntimeEnforcer-operator-attestation-amd64-sbom.json',
                 'RuntimeEnforcer-operator-attestation-amd64-sbom.json.bundle.sigstore',
+
+                'RuntimeEnforcer-agent-attestation-arm64-provenance.intoto.jsonl',
+                'RuntimeEnforcer-agent-attestation-arm64-provenance.intoto.jsonl.bundle.sigstore',
+                'RuntimeEnforcer-agent-attestation-arm64-sbom.json',
+                'RuntimeEnforcer-agent-attestation-arm64-sbom.json.bundle.sigstore',
+                'RuntimeEnforcer-operator-attestation-arm64-provenance.intoto.jsonl',
+                'RuntimeEnforcer-operator-attestation-arm64-provenance.intoto.jsonl.bundle.sigstore',
+                'RuntimeEnforcer-operator-attestation-arm64-sbom.json',
+                'RuntimeEnforcer-operator-attestation-arm64-sbom.json.bundle.sigstore',
                 ]
             const {RELEASE_ID} = process.env
             for (const file of files) {

bpfvalidator-arm64-config.yaml

@@ -0,0 +1,9 @@
+# Number of parallel VMs to run
+parallel: 3
+# kernel versions to test
+kernel_versions:
+    - v6.4
+    - v6.6.119
+    - v6.12.62
+      #- v6.17.12 # disabled due to qemu's "unable to handle EFI zboot image with "zstd" compression" error
+      #- v6.18.1 # disabled due to qemu's "unable to handle EFI zboot image with "zstd" compression" error