BLO-4373 Check for matching runner and target architecture

Author: kaitimmer

README.md

@@ -121,7 +121,7 @@ jobs:
 | `docker-build-secrets`      | List of secrets to expose to the build (e.g., key=string, GIT_AUTH_TOKEN=mytoken)                                              |                                                      |
 | `docker-build-secret-files` | List of secret files to expose to the build (e.g., key=filename, MY_SECRET=./secret.txt)                                       |                                                      |
 | `docker-build-target`       | Sets the target stage to build like: "runtime"                                                                                 |                                                      |
-| `docker-build-platforms`       | Sets the target platforms for build                                                                                 | linux/amd64,linux/arm64 |
+| `docker-build-platforms`       | Sets the target platforms for build                                                                                 | linux/amd64 |
 | `docker-build-provenance`   | Generate [provenance](https://docs.docker.com/build/attestations/slsa-provenance/) attestation for the build                   | `false`                                              |
 | `docker-disable-retagging`  | Disables retagging of existing images and run a new build instead                                                              | `false`                                              |
 | `gitops-organization`       | GitHub Organization for GitOps                                                                                                 | `Staffbase`                                          |

action.yml

@@ -42,7 +42,7 @@ inputs:
   docker-build-platforms:
     description: "Sets the target platforms for build"
     required: false
-    default: 'linux/amd64,linux/arm64'
+    default: 'linux/amd64'
   docker-build-provenance:
     description: "Generate provenance attestation for the build"
     required: false
@@ -155,11 +155,33 @@ runs:
         echo "tag=$TAG" >> $GITHUB_OUTPUT
         echo "tag_list=$TAG_LIST" >> $GITHUB_OUTPUT
 
-    - name: Set up QEMU
-      if: inputs.docker-username != '' && inputs.docker-password != ''
-      uses: docker/setup-qemu-action@v3
-      with:
-        platforms: arm64,amd64
+    - name: Verify Architecture Match
+      shell: bash
+      if: steps.preparation.outputs.build == 'true'
+      run: |
+        RUNNER_ARCH="${{ runner.arch }}" # X64 (AMD64) or ARM64
+        TARGET_PLATFORMS="${{ inputs.docker-build-platforms }}"
+        
+        echo "Runner CPU Architecture: $RUNNER_ARCH"
+        echo "Requested Build Platforms: $TARGET_PLATFORMS"
+
+        # Check for AMD64 mismatch (Runner is X64, but user requests ONLY arm64, OR user requests multi-arch which requires emulation)
+        if [[ "$RUNNER_ARCH" == "X64" ]]; then
+          if [[ "$TARGET_PLATFORMS" == *"linux/arm64"* ]]; then
+            echo "::error::Runner is X64 (Intel/AMD) but build includes 'linux/arm64'. This requires emulation. Aborting strictly."
+            exit 1
+          fi
+        fi
+
+        # Check for ARM64 mismatch
+        if [[ "$RUNNER_ARCH" == "ARM64" ]]; then
+          if [[ "$TARGET_PLATFORMS" == *"linux/amd64"* ]]; then
+            echo "::error::Runner is ARM64 (Apple Silicon/Graviton) but build includes 'linux/amd64'. This requires emulation. Aborting strictly."
+            exit 1
+          fi
+        fi
+        
+        echo "Architecture match verified for native build ✅"
 
     - name: Set up Docker Buildx
       if: inputs.docker-username != '' && inputs.docker-password != ''