fix: exit early on invalid image architecture

Author: dobrac

packages/orchestrator/internal/template/build/core/oci/oci.go

@@ -61,7 +61,8 @@ func GetPublicImage(ctx context.Context, dockerhubRepository dockerhub.RemoteRep
 	}
 
 	// Build options
-	opts := []remote.Option{remote.WithPlatform(DefaultPlatform)}
+	platform := DefaultPlatform
+	opts := []remote.Option{remote.WithPlatform(platform)}
 
 	// Use the auth provider if provided
 	if authProvider != nil {
@@ -81,20 +82,32 @@ func GetPublicImage(ctx context.Context, dockerhubRepository dockerhub.RemoteRep
 
 	telemetry.ReportEvent(ctx, "pulled public image")
 
+	err = verifyImagePlatform(img, platform)
+	if err != nil {
+		return nil, err
+	}
+
 	return img, nil
 }
 
 func GetImage(ctx context.Context, artifactRegistry artifactsregistry.ArtifactsRegistry, templateId string, buildId string) (containerregistry.Image, error) {
 	childCtx, childSpan := tracer.Start(ctx, "pull-docker-image")
 	defer childSpan.End()
 
-	img, err := artifactRegistry.GetImage(childCtx, templateId, buildId, DefaultPlatform)
+	platform := DefaultPlatform
+
+	img, err := artifactRegistry.GetImage(childCtx, templateId, buildId, platform)
 	if err != nil {
 		return nil, fmt.Errorf("error pulling image: %w", err)
 	}
 
 	telemetry.ReportEvent(childCtx, "pulled image")
 
+	err = verifyImagePlatform(img, platform)
+	if err != nil {
+		return nil, err
+	}
+
 	return img, nil
 }
 
@@ -366,3 +379,14 @@ func createExport(ctx context.Context, logger *zap.Logger, srcImage containerreg
 
 	return layerPaths, nil
 }
+
+func verifyImagePlatform(img containerregistry.Image, platform containerregistry.Platform) error {
+	config, err := img.ConfigFile()
+	if err != nil {
+		return fmt.Errorf("error getting image config file: %w", err)
+	}
+	if config.Architecture != platform.Architecture {
+		return fmt.Errorf("image is not %s", platform.Architecture)
+	}
+	return nil
+}