From 50dddff91bb72917c8d542954b671925f4aee9e8 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 9 Jan 2026 16:07:51 +0100
Subject: [PATCH] pin binfmt image

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/.test-bake.yml  | 13 +++++++++++++
 .github/workflows/.test-build.yml | 13 +++++++++++++
 .github/workflows/bake.yml        |  2 ++
 .github/workflows/build.yml       |  2 ++
 4 files changed, 30 insertions(+)

diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
index 7ce57b7..afdbe9e 100644
--- a/.github/workflows/.test-bake.yml
+++ b/.github/workflows/.test-bake.yml
@@ -395,3 +395,16 @@ jobs:
         public.ecr.aws/q3b5f1u4/test-docker-action
       meta-tags: |
         type=raw,value=bake-ghbuilder-${{ github.run_id }}
+
+  bake-qemu:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      setup-qemu: true
+      artifact-upload: false
+      context: test
+      output: local
+      sbom: true
+      target: hello-cross
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
index 457c5ea..4ba6b74 100644
--- a/.github/workflows/.test-build.yml
+++ b/.github/workflows/.test-build.yml
@@ -490,3 +490,16 @@ jobs:
       meta-images: ghcr.io/docker/github-builder-test
       meta-tags: |
         type=raw,value=build-${{ github.run_id }}
+
+  build-qemu:
+    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      id-token: write
+    with:
+      setup-qemu: true
+      artifact-upload: false
+      file: test/hello.Dockerfile
+      output: local
+      platforms: linux/amd64,linux/arm64
+      sbom: true
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index a0ce873..bbd6cc2 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -140,6 +140,7 @@ env:
   BUILDX_VERSION: "v0.30.1"
   BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
   SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
+  BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.0.4-56"
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
   COSIGN_VERSION: "v3.0.2"
   LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ -351,6 +352,7 @@ jobs:
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
         if: ${{ inputs.setup-qemu }}
         with:
+          image: ${{ env.BINFMT_IMAGE }}
           cache-image: false
       -
         name: Expose GitHub Runtime
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 16f0ea6..c1f49c0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -147,6 +147,7 @@ env:
   BUILDX_VERSION: "v0.30.1"
   BUILDKIT_IMAGE: "moby/buildkit:master@sha256:bdefeba47634c596286beabe68219708ed364c4f1a5e4e9a2e160274712a0e89" # TODO: pin to a specific version when signed gha cache feature is available
   SBOM_IMAGE: "docker/buildkit-syft-scanner:1.9.0"
+  BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.0.4-56"
   DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.72.0"
   COSIGN_VERSION: "v3.0.2"
   LOCAL_EXPORT_DIR: "/tmp/buildx-output"
@@ -310,6 +311,7 @@ jobs:
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
         if: ${{ inputs.setup-qemu }}
         with:
+          image: ${{ env.BINFMT_IMAGE }}
           cache-image: false
       -
         name: Expose GitHub Runtime