From 1fc3d2c4ae18857b1a5b309a8f9698acbf57b79b Mon Sep 17 00:00:00 2001
From: DaniPopes <57450786+DaniPopes@users.noreply.github.com>
Date: Wed, 4 Feb 2026 15:58:29 +0100
Subject: [PATCH] ci: verify docker output (#21807)

---
 .github/scripts/verify_image_arch.sh | 60 ++++++++++++++++++++++++++++
 .github/workflows/docker.yml         | 10 +++++
 2 files changed, 70 insertions(+)
 create mode 100755 .github/scripts/verify_image_arch.sh

diff --git a/.github/scripts/verify_image_arch.sh b/.github/scripts/verify_image_arch.sh
new file mode 100755
index 0000000000..b234a8680b
--- /dev/null
+++ b/.github/scripts/verify_image_arch.sh
@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+# Verifies that Docker images have the expected architectures.
+#
+# Usage:
+#   ./verify_image_arch.sh <targets> <registry> <ethereum_tags> <optimism_tags>
+#
+# Environment:
+#   DRY_RUN=true  - Skip actual verification, just print what would be checked.
+
+set -euo pipefail
+
+TARGETS="${1:-}"
+REGISTRY="${2:-}"
+ETHEREUM_TAGS="${3:-}"
+OPTIMISM_TAGS="${4:-}"
+DRY_RUN="${DRY_RUN:-false}"
+
+verify_image() {
+    local image="$1"
+    shift
+    local expected_archs=("$@")
+
+    echo "Checking $image..."
+
+    if [[ "$DRY_RUN" == "true" ]]; then
+        echo "  [dry-run] Would verify architectures: ${expected_archs[*]}"
+        return 0
+    fi
+
+    manifest=$(docker manifest inspect "$image" 2>/dev/null) || {
+        echo "::error::Failed to inspect manifest for $image"
+        return 1
+    }
+
+    for arch in "${expected_archs[@]}"; do
+        if ! echo "$manifest" | jq -e ".manifests[] | select(.platform.architecture == \"$arch\" and .platform.os == \"linux\")" > /dev/null; then
+            echo "::error::Missing architecture $arch for $image"
+            return 1
+        fi
+        echo "  ✓ linux/$arch"
+    done
+}
+
+if [[ "$TARGETS" == *"nightly"* ]]; then
+    verify_image "${REGISTRY}/reth:nightly" amd64 arm64
+    verify_image "${REGISTRY}/op-reth:nightly" amd64 arm64
+    verify_image "${REGISTRY}/reth:nightly-profiling" amd64
+    verify_image "${REGISTRY}/reth:nightly-edge-profiling" amd64
+    verify_image "${REGISTRY}/op-reth:nightly-profiling" amd64
+    verify_image "${REGISTRY}/op-reth:nightly-edge-profiling" amd64
+else
+    for tag in $(echo "$ETHEREUM_TAGS" | tr ',' ' '); do
+        verify_image "$tag" amd64 arm64
+    done
+    for tag in $(echo "$OPTIMISM_TAGS" | tr ',' ' '); do
+        verify_image "$tag" amd64 arm64
+    done
+fi
+
+echo "All image architectures verified successfully"
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6d4c4cad18..fadcd03f98 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -102,3 +102,13 @@ jobs:
           set: |
             ethereum.tags=${{ steps.params.outputs.ethereum_tags }}
             optimism.tags=${{ steps.params.outputs.optimism_tags }}
+
+      - name: Verify image architectures
+        env:
+          DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run }}
+        run: |
+          ./.github/scripts/verify_image_arch.sh \
+            "${{ steps.params.outputs.targets }}" \
+            "ghcr.io/${{ github.repository_owner }}" \
+            "${{ steps.params.outputs.ethereum_tags }}" \
+            "${{ steps.params.outputs.optimism_tags }}"