From b611609c30a3fbd2719cd30c936b9bc74258a1db Mon Sep 17 00:00:00 2001
From: Chummy <chumyin0912@gmail.com>
Date: Thu, 19 Feb 2026 19:25:01 +0800
Subject: [PATCH] ci(docker): publish multi-arch latest and harden release
 tagging path

---
 .github/workflows/main-branch-flow.md | 2 +-
 .github/workflows/pub-docker-img.yml  | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/main-branch-flow.md b/.github/workflows/main-branch-flow.md
index 3a26ed1..6490e97 100644
--- a/.github/workflows/main-branch-flow.md
+++ b/.github/workflows/main-branch-flow.md
@@ -143,7 +143,7 @@ Workflow: `.github/workflows/pub-docker-img.yml`
    - `latest` + SHA tag (`sha-<12 chars>`) for `main`
    - semantic tag from pushed git tag (`vX.Y.Z`) + SHA tag for tag pushes
    - branch name + SHA tag for non-`main` manual dispatch refs
-5. Multi-platform publish is used for tag pushes (`linux/amd64,linux/arm64`), while `main` publish stays `linux/amd64`.
+5. Multi-platform publish is used for both `main` and tag pushes (`linux/amd64,linux/arm64`).
 6. Typical runtime in recent sample: ~139.9s.
 7. Result: pushed image tags under `ghcr.io/<owner>/<repo>`.
 
diff --git a/.github/workflows/pub-docker-img.yml b/.github/workflows/pub-docker-img.yml
index 15ea8aa..b34765c 100644
--- a/.github/workflows/pub-docker-img.yml
+++ b/.github/workflows/pub-docker-img.yml
@@ -75,6 +75,8 @@ jobs:
                   tags: zeroclaw-pr-smoke:latest
                   labels: ${{ steps.meta.outputs.labels || '' }}
                   platforms: linux/amd64
+                  cache-from: type=gha
+                  cache-to: type=gha,mode=max
 
             - name: Verify image
               run: docker run --rm zeroclaw-pr-smoke:latest --version
@@ -83,7 +85,7 @@ jobs:
         name: Build and Push Docker Image
         if: (github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')))) && github.repository == 'zeroclaw-labs/zeroclaw'
         runs-on: blacksmith-2vcpu-ubuntu-2404
-        timeout-minutes: 25
+        timeout-minutes: 45
         permissions:
             contents: read
             packages: write
@@ -128,7 +130,9 @@ jobs:
                   context: .
                   push: true
                   tags: ${{ steps.meta.outputs.tags }}
-                  platforms: ${{ startsWith(github.ref, 'refs/tags/v') && 'linux/amd64,linux/arm64' || 'linux/amd64' }}
+                  platforms: linux/amd64,linux/arm64
+                  cache-from: type=gha
+                  cache-to: type=gha,mode=max
 
             - name: Set GHCR package visibility to public
               shell: bash