fix: add script for checking unicorn multiarch images (defenseunicorns#2047)

## Description
Dynamically grab all unicorn images, based on `quay.io/rfcurated`,
create a list of those images, then iterate over those images and do a
crane manifest against each image. Keep track of each image that doesn't
have both an `arm64` and `amd64` published architecture. If any images
don't have both architectures, `exit 1` at the end of the script. Script
automatically cleans up tmp files with the `trap` functionality.


<img width="980" height="1245" alt="Screenshot from 2025-10-20 10-16-45"
src="https://github.com/user-attachments/assets/fe52ddf2-d8d1-4373-a4ce-9603a0558ca0"
/>

## Related Issue

Fixes #
<!-- or -->
Relates to #

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Steps to Validate
- If this PR introduces new functionality to UDS Core or addresses a
bug, please document the steps to test the changes.

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

Author: chance-coleman

scripts/check-multiarch.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+# Copyright 2025 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SRC_DIR="${1:-$SCRIPT_DIR/../src}"
+
+# Create temporary files and ensure cleanup no matter script outcome
+TEMP_IMAGES=$(mktemp)
+TEMP_MISSING=$(mktemp)
+trap "rm -f $TEMP_IMAGES $TEMP_MISSING" EXIT
+
+echo "Scanning $SRC_DIR for unicorn and registry1 images..."
+
+# Extract all quay.io/rfcurated/ (unicorn) and registry1.dso.mil/ironbank/ (registry1) images
+find "$SRC_DIR" -name "zarf.yaml" -type f -exec grep -hE "quay.io/rfcurated/|registry1.dso.mil/ironbank/" {} \; | \
+    sed 's/^[[:space:]]*-[[:space:]]*//' | \
+    sed 's/"//g' | \
+    sort -u > "$TEMP_IMAGES"
+
+TOTAL=$(wc -l < "$TEMP_IMAGES")
+echo "Found $TOTAL images"
+echo ""
+
+# Check each image
+COUNT=0
+> "$TEMP_MISSING"
+
+cat "$TEMP_IMAGES" | while read -r IMAGE; do
+    COUNT=$((COUNT + 1))
+    echo "[$COUNT/$TOTAL] $IMAGE"
+
+    MANIFEST=$(crane manifest "$IMAGE" 2>/dev/null || echo "")
+
+    if [ -z "$MANIFEST" ]; then
+        echo "  ERROR: Failed to fetch"
+        echo "$IMAGE" >> "$TEMP_MISSING"
+        continue
+    fi
+
+    AMD64=$(echo "$MANIFEST" | jq -r '.manifests[]?.platform.architecture' 2>/dev/null | grep -c "amd64" || echo "0" | tr -d '\n')
+    ARM64=$(echo "$MANIFEST" | jq -r '.manifests[]?.platform.architecture' 2>/dev/null | grep -c "arm64" || echo "0" | tr -d '\n')
+
+    # Ensure we have clean integers
+    AMD64=${AMD64//[^0-9]/}
+    ARM64=${ARM64//[^0-9]/}
+    AMD64=${AMD64:-0}
+    ARM64=${ARM64:-0}
+
+    if [ "$AMD64" -eq 0 ] || [ "$ARM64" -eq 0 ]; then
+        ARCHS=$(echo "$MANIFEST" | jq -r '.manifests[]?.platform.architecture // .architecture // "unknown"' 2>/dev/null | paste -sd "," -)
+        echo "  ✗ MISSING [$ARCHS]"
+        echo "$IMAGE" >> "$TEMP_MISSING"
+    else
+        echo "  ✓ OK"
+    fi
+done
+
+echo ""
+echo "=========================================="
+MISSING_COUNT=$(wc -l < "$TEMP_MISSING")
+echo "Images missing amd64/arm64: $MISSING_COUNT"
+
+if [ "$MISSING_COUNT" -gt 0 ]; then
+    echo ""
+    echo "Missing multi-arch support:"
+    cat "$TEMP_MISSING"
+    exit 1
+fi

tasks/utils.yaml

@@ -116,3 +116,9 @@ tasks:
             BASE_NAME=$(echo "${FLAVORED_PACKAGE}" | sed "s/-${FLAVOR}\.tar\.zst/.tar.zst/")
             mv -v "${FLAVORED_PACKAGE}" "${BASE_NAME}"
           done
+
+  - name: check-multiarch-images
+    description: "Script to check if/what Unicorn and Registry1 images are missing from registry."
+    actions:
+      - description: Check Unicorn and Registry1 Multi-Arch images
+        cmd: ./scripts/check-multiarch.sh