support ARM64 with official Ruby + jemalloc

[deltaguita]

Summary

Add ARM64 architecture support to enable iCook, tv, market, newsroom, and other Rails projects to run on Graviton instances.

Changes

Dockerfile

• Switch from fullstaq-ruby to official ruby:2.7.8-slim (fullstaq doesn't support ARM64)
• Manually install libjemalloc2 with LD_PRELOAD for memory optimization

.github/workflows/release.yml

• Add QEMU + buildx for multi-arch builds
• Build both linux/amd64 and linux/arm64
• Add automated ECR Public sync job
• Update actions to latest versions

README.md

• Add ARM64 support documentation
• Update release workflow

Release Flow

# 1. Merge PR
# 2. Create and push tag
git tag 0.32.0
git push origin 0.32.0

# 3. GitHub Actions automatically builds and syncs to both DockerHub and ECR

Related

• Shortcut ticket sc-97578

[amazon-q-developer]

Review Summary

This PR successfully adds ARM64 support to the Docker base image, which is a valuable enhancement for running on Graviton instances. However, there are several critical issues that need to be addressed before merging:

Critical Issues Found:

1. Security vulnerability in Dockerfile: The wildcard pattern in the jemalloc symbolic link could cause unpredictable behavior across architectures
2. Logic error in sync script: The ARM64 tagging approach breaks Docker's multi-architecture support by creating separate tags instead of proper multi-arch manifests
3. Missing error handling: The sync script lacks proper error handling for Docker operations

Performance Improvements:

• GitHub Actions workflow should include build caching to improve multi-architecture build times
• Documentation should use generic version placeholders instead of hardcoded version numbers

Overall Assessment:

The core changes (switching from fullstaq-ruby to official Ruby + jemalloc, adding multi-arch CI support) are well-implemented. The main concerns are around the deployment script architecture handling and some security/reliability improvements needed in the Dockerfile.

Please address the critical issues, particularly the jemalloc symbolic link and the multi-architecture manifest handling in the sync script, before merging.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[deltaguita]

[ch97578]

[deltaguita]

/q review

[amazon-q-developer]

Summary

This PR successfully adds ARM64 support by migrating from fullstaq-ruby to the official Ruby image with manual jemalloc installation. The changes are well-structured and the multi-architecture build setup is appropriate.

Critical Issues Found

1. Dockerfile: The jemalloc symbolic link creation could fail silently, causing runtime crashes when LD_PRELOAD attempts to load a missing library.

2. sync-to-ecr.sh: The script assumes both base and -testing tags exist without verification, which will cause sync failures if only the base version is available.

Recommendations

• Add explicit error handling for jemalloc library detection in the Dockerfile
• Include build caching in the GitHub Actions workflow to improve multi-arch build performance
• Add tag existence verification in the ECR sync script
• Update documentation to include script permission setup

The ARM64 support implementation is solid, but these reliability improvements are essential for production deployment.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[deltaguita]

/q review

[amazon-q-developer]

Code Review Summary

This PR successfully adds ARM64 support to the Docker base image by switching from fullstaq-ruby to the official Ruby image and implementing jemalloc via LD_PRELOAD. The multi-architecture build setup and ECR sync script are well-implemented.

Critical Security Issues Found

I've identified 3 security vulnerabilities that must be addressed before merging:

1. Dockerfile: Unsafe script download without integrity checks
2. sync-to-ecr.sh: Unquoted shell variables creating command injection risks (2 instances)

All issues have specific code suggestions provided for easy fixes. Please apply the suggested changes to resolve these security concerns.

Overall Assessment

The architectural changes are sound and the ARM64 support implementation is appropriate. Once the security issues are resolved, this PR will be ready for merge.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[dlackty]

/q review

[amazon-q-developer]

Review Summary

This PR successfully adds ARM64 support by switching from fullstaq-ruby to the official Ruby image and implementing multi-architecture builds. The changes are well-structured and the approach is sound.

Critical Issues Found:

1. Security vulnerability in Dockerfile: The curl | bash pattern for installing Volta lacks integrity checks, creating a supply chain attack vector
2. Version inconsistency in README: Bundler version mismatch between documentation (2.4.20) and actual implementation (2.4.22)
3. Workflow reliability: ECR sync job lacks proper error handling

Recommendations:

• Fix the security issue by adding proper curl flags for the Volta installation
• Update the README to reflect the correct Bundler version
• Consider adding explicit success condition to the ECR sync job

The ARM64 support implementation looks solid, and the jemalloc integration via LD_PRELOAD is a good approach for maintaining memory optimization across architectures.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[amazon-q-developer]

🛑 Security Vulnerability: Downloading and executing shell scripts from external sources without verification creates a supply chain attack vector¹. The curl | bash command executes arbitrary code from the internet without integrity checks.

Suggested change

	&& curl https://get.volta.sh | bash
	&& curl -fsSL | bash

Footnotes

1. CWE-494: Download of Code Without Integrity Check - https://cwe.mitre.org/data/definitions/494.html ↩

[amazon-q-developer]

The ECR sync job will fail if the DockerHub push fails, but there's no error handling or retry mechanism. Consider adding error handling or making the ECR sync conditional on successful DockerHub push.

Suggested change

	sync-to-ecr:
	name: Sync to ECR Public
	needs: build-and-push-docker-image
	runs-on: ubuntu-latest
	steps:
	sync-to-ecr:
	name: Sync to ECR Public
	needs: build-and-push-docker-image
	runs-on: ubuntu-latest
	if: success()
	steps:

[amazon-q-developer]

The Bundler version in the table shows 2.4.20 but the Dockerfile uses 2.4.22. This inconsistency could confuse users about which version is actually included in the image.

Suggested change

	| 0.32.0 | 2.7.8 | 18.18.0 | 1.22.22 | 2.4.20 | 9.9.0 | ✅ |
	| 0.32.0 | 2.7.8 | 18.18.0 | 1.22.22 | 2.4.22 | 9.9.0 | ✅ |

[dlackty]

/q review

[amazon-q-developer]

Review Summary

This PR successfully adds ARM64 support by switching from fullstaq-ruby to the official Ruby image and implementing manual jemalloc installation. The changes are well-structured and the multi-architecture build setup looks solid.

Key Changes Reviewed:

• ✅ Dockerfile: Proper transition to official Ruby image with manual jemalloc setup
• ✅ GitHub Actions: Multi-arch build configuration with ECR sync
• ✅ Documentation: Clear ARM64 support documentation and updated version table

Critical Issues Found:

1. Security: Volta installation script downloaded without integrity verification
2. Build Process: Missing error handling for volta installation
3. Infrastructure: ECR sync job missing Docker Buildx setup

Recommendation:

Address the security and build reliability issues before merging. The core ARM64 implementation is sound, but the identified issues could cause build failures or security vulnerabilities in production.

---

You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

[amazon-q-developer]

🛑 Logic Error: The symlink creation will fail if /usr/lib/libjemalloc.so.2 already exists. Use ln -sf to force overwrite or check if the symlink already exists before creating it.

Suggested change

	&& ln -sf "$JEMALLOC_PATH" /usr/lib/libjemalloc.so.2 \
	&& ln -sf "$JEMALLOC_PATH" /usr/lib/libjemalloc.so.2 \

[amazon-q-developer]

🛑 Portability Issue: Hardcoded LD_PRELOAD path may not work across ARM64 and AMD64 architectures. The jemalloc library path can vary between architectures.

Suggested change

	ENV LD_PRELOAD=/usr/lib/libjemalloc.so.2
	ENV LD_PRELOAD=/usr/lib/libjemalloc.so.2

[amazon-q-developer]

🛑 Security Vulnerability: Downloading and executing scripts from external sources without integrity verification poses a security risk. Consider verifying the script checksum or using a pinned version.