cnjack · dependabot · Jun 1, 2026 · Jun 1, 2026
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -11,9 +11,9 @@ env:
   REGISTRY: ghcr.io
 
 jobs:
-  publish:
-    name: Build & Push — ${{ matrix.name }}
-    runs-on: ubuntu-latest
+  build:
+    name: Build — ${{ matrix.image }} (${{ matrix.platform }})
+    runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
       packages: write
@@ -22,26 +22,101 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - name: control
+          - image: jbrowser-control
+            file: docker/Dockerfile.control
+            platform: linux/amd64
+            runner: ubuntu-latest
+            artifact: digest-control-amd64
+            cache-scope: control-amd64
+          - image: jbrowser-control
             file: docker/Dockerfile.control
-            image: jbrowser-control
-            scope: control
-          - name: agent-chromium
+            platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            artifact: digest-control-arm64
+            cache-scope: control-arm64
+          - image: jbrowser-agent-chromium
+            file: docker/Dockerfile.agent-chromium
+            platform: linux/amd64
+            runner: ubuntu-latest
+            artifact: digest-agent-amd64
+            cache-scope: agent-amd64
+          - image: jbrowser-agent-chromium
             file: docker/Dockerfile.agent-chromium
-            image: jbrowser-agent-chromium
-            scope: agent-chromium
+            platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            artifact: digest-agent-arm64
+            cache-scope: agent-arm64
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build & Push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ${{ matrix.file }}
+          platforms: ${{ matrix.platform }}
+          outputs: type=image,name=ghcr.io/${{ github.repository_owner }}/${{ matrix.image }},push-by-digest=true
+          cache-from: type=gha,scope=${{ matrix.cache-scope }}
+          cache-to: type=gha,scope=${{ matrix.cache-scope }},mode=max
+          provenance: false
+          sbom: false
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.artifact }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    name: Merge — ${{ matrix.image }}
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      contents: read
+      packages: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image: jbrowser-control
+            artifact-prefix: digest-control
+          - image: jbrowser-agent-chromium
+            artifact-prefix: digest-agent
+
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: ${{ matrix.artifact-prefix }}-*
+          merge-multiple: true
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to GitHub Container Registry
+      - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -59,14 +134,17 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
-      - name: Build & Push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ${{ matrix.file }}
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=gha,scope=${{ matrix.scope }}
-          cache-to: type=gha,scope=${{ matrix.scope }},mode=max
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          TAG_ARGS=$(echo '${{ steps.meta.outputs.json }}' | jq -r '.tags | map("-t " + .) | join(" ")')
+          SOURCE_IMAGES=""
+          for digest_file in *; do
+            SOURCE_IMAGES="${SOURCE_IMAGES} ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}@sha256:${digest_file}"
+          done
+          docker buildx imagetools create ${TAG_ARGS} ${SOURCE_IMAGES}
+
+      - name: Inspect image
+        run: |
+          TAG=$(echo '${{ steps.meta.outputs.json }}' | jq -r '.tags[0]')
+          docker buildx imagetools inspect "${TAG}"
diff --git a/frontend/package.json b/frontend/package.json
@@ -24,6 +24,6 @@
     "@vitejs/plugin-react": "^4.5.2",
     "typescript": "^5.8.3",
     "vite": "^6.3.5",
-    "vitest": "^3.2.3"
+    "vitest": "^4.1.0"
   }
 }