BRE-536/Add-ARM-targz-builds-for-desktop-and-cli

[aj-bw]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/BRE-536

📔 Objective

update our desktop and CLI build workflows to produce a Linux build compatible with ARM64 arch. This first ticket will be adding a tar.gz package type only for desktop, and the regular binary no snap for CLI. Additional types will be added in subsequent work

Updated the build.js file to allow for more flexibility and specifying arch while maintaining functionality of existing cross-platform call being used elsewhere in the workflow

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[Copilot]

Copilot reviewed 3 out of 5 changed files in this pull request and generated no comments.

Files not reviewed (2)

• apps/cli/package.json: Language not supported
• apps/desktop/package.json: Language not supported

Comments suppressed due to low confidence (3)

apps/desktop/desktop_native/build.js:51

• A new ARM64 target is added; please add corresponding tests to ensure that the ARM64 build process works as intended.

['aarch64-unknown-linux-musl', 'arm64']

.github/workflows/build-desktop.yml:309

• Verify that the 'ubuntu-22.04-arm' runner is supported by GitHub Actions; if not, update the runner label to prevent potential workflow failures.

runs-on: ubuntu-22.04-arm

.github/workflows/build-cli.yml:99

• Ensure that the conditional runner assignment works as expected for all entries in the build matrix to avoid unintended runner mismatches.

runs-on: ${{ matrix.os.runner || matrix.os.distro }}

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.87%. Comparing base (5006a29) to head (41819c8).
Report is 41 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14270      +/-   ##
==========================================
- Coverage   36.88%   36.87%   -0.01%     
==========================================
  Files        3202     3213      +11     
  Lines       92454    92648     +194     
  Branches    16579    16632      +53     
==========================================
+ Hits        34103    34166      +63     
- Misses      55937    56061     +124     
- Partials     2414     2421       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – 4ef5744f-7522-4980-85d8-27645cff0830

New Issues (4)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2025-3619	Npm-electron-34.0.0	details Description: The package google chrome versions prior to 135.0.7049.95 is vulnerable to Heap Buffer Overflow in Codecs. Attack Vector: NETWORK Attack Complexity: LOW ID: AP2eEeFhoao8GjNENLYioTQq0WRrxyab178VnSXaccg%3D Vulnerable Package
	CVE-2025-27152	Npm-axios-1.7.9	details Recommended version: 1.8.2 Description: Axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to... Attack Vector: NETWORK Attack Complexity: LOW ID: hWn1CSfFTW66UIUPdVwsgpOt1cCfWMszM5jAZ74UHvg%3D Vulnerable Package
	CVE-2025-3620	Npm-electron-34.0.0	details Description: The package google chrome versions prior to 135.0.7049.95 is vulnerable to Use after free in USB. Attack Vector: NETWORK Attack Complexity: LOW ID: h2qh3WGt7B%2FdwactCl6NBYfivpohgPuhzAvzri0eh3Q%3D Vulnerable Package
	CVE-2025-32379	Npm-koa-2.15.4	details Description: Koa is expressive middleware for Node.js using ES2017 async functions. In koa versions prior to 2.16.1 and 3.x prior to 3.0.0-alpha.5, passing untr... Attack Vector: NETWORK Attack Complexity: HIGH ID: BWOz040uNb6vTZEaF5xJdZTs0Gxx6zL3MmFCTPlKCfQ%3D Vulnerable Package

[tangowithfoxtrot]

Great work! Looking forward to ARM support on Linux!

I mostly just have a few formatting nits and a question:

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[aj-bw]

closed and reopened to run workflow linter again