chore: speed up multi-arch Docker builds with cargo-zigbuild

.dockerignore

@@ -1,6 +1,5 @@
 target/
 .git/
-bin/
 *.md
 !README.md
 docs/

.github/workflows/auto-tag.yml

@@ -16,7 +16,7 @@ jobs:
             echo "::error::RELEASE_TOKEN secret is not configured. Tags pushed with the default GITHUB_TOKEN cannot trigger the Release workflow."
             exit 1
           fi
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.RELEASE_TOKEN }}

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
         with:
           components: clippy, rustfmt
@@ -20,31 +20,46 @@ jobs:
   dprint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: dprint/check@v2.2
+      - uses: actions/checkout@v6
+      - uses: dprint/check@v2.3
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - run: cargo test --all
   build:
     runs-on: ubuntu-latest
     needs: [lint, test]
+    strategy:
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-musl
+            arch: amd64
+          - target: aarch64-unknown-linux-musl
+            arch: arm64
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
-      - run: cargo build --release
-      - uses: actions/upload-artifact@v4
         with:
-          name: initium-binary
-          path: target/release/initium
+          targets: ${{ matrix.target }}
+      - name: Install zig and cargo-zigbuild
+        run: pip install ziglang && curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash && cargo binstall -y cargo-zigbuild
+      - uses: mozilla-actions/sccache-action@v0.0.9
+      - name: Cross-compile for ${{ matrix.arch }}
+        run: cargo zigbuild --release --target ${{ matrix.target }}
+        env:
+          SCCACHE_GHA_ENABLED: "true"
+          RUSTC_WRAPPER: sccache
+      - uses: actions/upload-artifact@v7
+        with:
+          name: initium-${{ matrix.arch }}
+          path: target/${{ matrix.target }}/release/initium
   helm-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: azure/setup-helm@v4
       - run: helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version v0.5.1
       - run: helm lint charts/initium

.github/workflows/integration.yml

@@ -48,7 +48,7 @@ jobs:
           --health-timeout 5s
           --health-retries 5
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - name: Run integration tests

.github/workflows/release.yml

@@ -3,83 +3,148 @@ on:
   push:
     tags:
       - "v*"
+  workflow_dispatch:
+    inputs:
+      dry-run:
+        description: "Dry run — build and verify without pushing images or publishing"
+        type: boolean
+        default: true
 permissions:
   contents: read
   packages: write
   id-token: write
+env:
+  DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry-run == true }}
 jobs:
-  release:
+  test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
       - uses: Swatinem/rust-cache@v2
       - run: cargo test --all
-      - name: Publish to crates.io
-        run: |
-          cargo publish 2>&1 || {
-            if cargo search initium --limit 1 | grep -q "$(grep '^version' Cargo.toml | head -1 | sed 's/.*"\(.*\)"/\1/')"; then
-              echo "::warning::Version already published to crates.io — skipping"
-            else
-              echo "::error::cargo publish failed"
-              exit 1
-            fi
-          }
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-musl
+            arch: amd64
+          - target: aarch64-unknown-linux-musl
+            arch: arm64
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: ${{ matrix.target }}
+      - name: Install zig and cargo-zigbuild
+        run: pip install ziglang && curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash && cargo binstall -y cargo-zigbuild
+      - uses: mozilla-actions/sccache-action@v0.0.9
+      - name: Cross-compile for ${{ matrix.arch }}
+        run: cargo zigbuild --release --target ${{ matrix.target }}
         env:
-          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          SCCACHE_GHA_ENABLED: "true"
+          RUSTC_WRAPPER: sccache
+      - uses: actions/upload-artifact@v7
+        with:
+          name: initium-${{ matrix.arch }}
+          path: target/${{ matrix.target }}/release/initium
+  docker:
+    runs-on: ubuntu-latest
+    needs: [test, build]
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/download-artifact@v8
+        with:
+          name: initium-amd64
+          path: bin/
+      - run: mv bin/initium bin/initium-amd64 && chmod +x bin/initium-amd64
+      - uses: actions/download-artifact@v8
+        with:
+          name: initium-arm64
+          path: bin/
+      - run: mv bin/initium bin/initium-arm64 && chmod +x bin/initium-arm64
+      - name: Verify binaries
+        run: |
+          file bin/initium-amd64 bin/initium-arm64
+          echo "amd64 size: $(du -h bin/initium-amd64 | cut -f1)"
+          echo "arm64 size: $(du -h bin/initium-arm64 | cut -f1)"
       - uses: sigstore/cosign-installer@v3
-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
+        if: env.DRY_RUN == 'false'
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/login-action@v4
+        if: env.DRY_RUN == 'false'
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Extract version
         id: version
-        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
-      - uses: docker/build-push-action@v6
+        run: |
+          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
+            echo "VERSION=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
+          else
+            echo "VERSION=dry-run-$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+          fi
+      - name: Build initium image
+        uses: docker/build-push-action@v7
         id: build-main
         with:
           context: .
           platforms: linux/amd64,linux/arm64
-          push: true
-          build-args: |
-            VERSION=${{ steps.version.outputs.VERSION }}
+          push: ${{ env.DRY_RUN == 'false' }}
           tags: |
             ghcr.io/kitstream/initium:${{ steps.version.outputs.VERSION }}
             ghcr.io/kitstream/initium:latest
-          cache-from: type=gha,scope=docker-main
-          cache-to: type=gha,mode=max,scope=docker-main
           sbom: true
           provenance: true
       - name: Sign initium image
+        if: env.DRY_RUN == 'false'
         run: cosign sign --yes ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }}
       - name: SBOM attestation for initium image
+        if: env.DRY_RUN == 'false'
         run: |
           cosign attest --yes --type spdx \
             --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }} --format '{{json (index .SBOM "linux/amd64").SPDX}}') \
             ghcr.io/kitstream/initium@${{ steps.build-main.outputs.digest }}
-      - uses: docker/build-push-action@v6
+      - name: Build initium-jyq image
+        uses: docker/build-push-action@v7
         id: build-jyq
         with:
           context: .
           file: Dockerfile.jyq
           platforms: linux/amd64,linux/arm64
-          push: true
-          build-args: |
-            VERSION=${{ steps.version.outputs.VERSION }}
+          push: ${{ env.DRY_RUN == 'false' }}
           tags: |
             ghcr.io/kitstream/initium-jyq:${{ steps.version.outputs.VERSION }}
             ghcr.io/kitstream/initium-jyq:latest
-          cache-from: type=gha,scope=docker-jyq
-          cache-to: type=gha,mode=max,scope=docker-jyq
           sbom: true
           provenance: true
       - name: Sign initium-jyq image
+        if: env.DRY_RUN == 'false'
         run: cosign sign --yes ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }}
       - name: SBOM attestation for initium-jyq image
+        if: env.DRY_RUN == 'false'
         run: |
           cosign attest --yes --type spdx \
             --predicate <(docker buildx imagetools inspect ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }} --format '{{json (index .SBOM "linux/amd64").SPDX}}') \
             ghcr.io/kitstream/initium-jyq@${{ steps.build-jyq.outputs.digest }}
+  publish:
+    runs-on: ubuntu-latest
+    needs: [docker]
+    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.dry-run == true) }}
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Publish to crates.io
+        run: |
+          cargo publish 2>&1 || {
+            if cargo search initium --limit 1 | grep -q "$(grep '^version' Cargo.toml | head -1 | sed 's/.*"\(.*\)"/\1/')"; then
+              echo "::warning::Version already published to crates.io — skipping"
+            else
+              echo "::error::cargo publish failed"
+              exit 1
+            fi
+          }
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}

CHANGELOG.md

@@ -18,6 +18,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Chores
 
 - Added integration tests for structured database connectivity: special-character passwords (URL-reserved chars like `@`, `:`, `/`, `?`, `#`, `%`), PostgreSQL `options` field (`connect_timeout`), and `create_if_missing` with non-existent database ([#50](https://github.com/KitStream/initium/issues/50)).
+- Release workflow: replaced QEMU-emulated multi-arch Docker builds with native cross-compilation using `cargo-zigbuild` + `sccache`. Build time reduced from ~50 minutes to ~8-12 minutes.
+- Release workflow: split into parallel `test`, `build` (matrix: amd64 + arm64), `docker`, and `publish` jobs. Crates.io publish now runs after Docker images are pushed.
+- CI workflow: `build` job now cross-compiles for both amd64 and arm64 using `cargo-zigbuild` + `sccache`, warming the cache for release builds.
+- Dockerfiles (`Dockerfile`, `Dockerfile.jyq`): replaced multi-stage Rust build with minimal images that COPY pre-built binaries. No more in-Docker compilation.
+- Switched `mysql` crate from `native-tls` (OpenSSL) to `rustls-tls`, eliminating the OpenSSL dependency entirely. Binary size stays at ~5 MB.
+- Makefile: added `cross-build` and `docker-multiarch` targets for local multi-arch builds.
+- README: added Development section with cross-compilation and sccache setup instructions.
 
 ## [2.0.1] - 2026-03-14