diff --git a/.github/workflows/component-build.yml b/.github/workflows/component-build.yml
index 343f390..e2024e1 100644
--- a/.github/workflows/component-build.yml
+++ b/.github/workflows/component-build.yml
@@ -50,6 +50,11 @@ on:
 required: false
 type: string
 description: 'Git SHA to checkout and build from. Defaults to the triggering commit SHA.'
+ platforms:
+ required: false
+ type: string
+ default: "linux/arm64"
+ description: 'Target build platforms. Defaults to arm64-only (single-arch). Set to a comma-separated list (e.g. "linux/amd64,linux/arm64") to push a multi-arch manifest; cross-arch builds run under QEMU emulation.'
 secrets:
 AWS_ACCOUNT_ID:
 required: true
@@ -139,6 +144,9 @@ jobs:
 tags: |
 type=raw,value=${{ inputs.git-sha || github.sha }}
 type=raw,value=latest
+ - name: Set up QEMU for cross-platform build
+ if: ${{ inputs.platforms != 'linux/arm64' }}
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 - name: Set up Blacksmith Docker builder
 uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
 - name: Build and push
@@ -150,7 +158,7 @@ jobs:
 context: .
 file: ./${{ inputs.docker-file-name }}
 push: true
- platforms: linux/arm64
+ platforms: ${{ inputs.platforms }}
 # provenance/sbom off (with BUILDX_NO_DEFAULT_ATTESTATIONS=1 above) so the
 # pushed tag is a plain single-arch image, not a manifest list.
 provenance: false
@@ -202,6 +210,9 @@ jobs:
 tags: |
 type=raw,value=${{ inputs.git-sha || github.sha }}
 type=raw,value=latest
+ - name: Set up QEMU for cross-platform build
+ if: ${{ inputs.platforms != 'linux/arm64' }}
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 # registry cache export needs the docker-container buildx driver (the default
 # docker driver does not support cache-to).
 - name: Set up Docker Buildx
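Review bot: The QEMU step added in the `@@ -139` hunk (and the identical step in the `@@ -202` hunk) pins the action by commit SHA, but the action itself pulls its binfmt helper image by tag, since its `image` input defaults to `docker.io/tonistiigi/binfmt:latest`, and runs that image privileged on the runner, so this part of the build chain stays unpinned. Consider adding `with:` and `image: docker.io/tonistiigi/binfmt@sha256:<REVIEWED_DIGEST_PLACEHOLDER>` to both steps, using a digest you have reviewed. The `if:` is an exact string comparison, so any other spelling of the native platform (for example `linux/arm64/v8` or a value with stray whitespace) also installs the emulators; that is harmless but deserves a comment such as `# exact match: any value other than 'linux/arm64' enables QEMU`. The step lists of both jobs continue outside these hunks.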
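Review bot: The comment kept as context in the `@@ -150` hunk still says the pushed tag is "a plain single-arch image, not a manifest list", which stops being true once `platforms: ${{ inputs.platforms }}` receives more than one platform. The `@@ -215` hunk rewrites the same comment for the other build job, so the Blacksmith job should get the same wording: `# provenance/sbom off (with BUILDX_NO_DEFAULT_ATTESTATIONS=1 above) to avoid` followed by `# attestation entries; single-platform pushes a plain image, multi a manifest list.` The `with:` block of this step continues outside the hunk.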
@@ -215,9 +226,9 @@ jobs:
 context: .
 file: ./${{ inputs.docker-file-name }}
 push: true
- platforms: linux/arm64
- # provenance/sbom off (with BUILDX_NO_DEFAULT_ATTESTATIONS=1 above) so the
- # pushed tag is a plain single-arch image, not a manifest list.
+ platforms: ${{ inputs.platforms }}
+ # provenance/sbom off (with BUILDX_NO_DEFAULT_ATTESTATIONS=1 above) to avoid
+ # attestation entries; single-platform pushes a plain image, multi a manifest list.
 provenance: false
 sbom: false
 # Registry-backed BuildKit cache (mode=max) in the same ECR repo, covered by
diff --git a/.github/workflows/deploy-generic.yml b/.github/workflows/deploy-generic.yml
index 4bea364..c8cd86e 100644
--- a/.github/workflows/deploy-generic.yml
+++ b/.github/workflows/deploy-generic.yml
@@ -21,6 +21,11 @@ on:
 type: string
 description: "[DEPRECATED] Ignored - all builds and CI run on arm64. No-op kept for backwards compatibility; will be removed in a future release."
 default: "arm64"
+ platforms:
+ required: false
+ type: string
+ default: "linux/arm64"
+ description: 'Target build platforms. Defaults to arm64-only. Set to a comma-separated list (e.g. "linux/amd64,linux/arm64") to push a multi-arch manifest; cross-arch builds run under QEMU.'
 stage:
 required: true
 type: string
@@ -149,6 +154,7 @@ jobs:
 additional-build-args: ${{ inputs.additional-build-args }}
 ecr-repository-name: ${{ inputs.ecr-repository-name }}
 git-sha: ${{ inputs.git-sha }}
+ platforms: ${{ inputs.platforms }}
 secrets:
 AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
 SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
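Review bot: `provenance: false` and `sbom: false` stay unconditional in the `@@ -215` hunk, although the reason the removed comment gave for them (keeping the tag a plain single-arch image) no longer holds when several platforms are requested, because that push is a manifest list anyway. If the registry's consumers can tolerate attestation entries, multi-platform builds could carry provenance, for example `provenance: ${{ contains(inputs.platforms, ',') }}`; how that interacts with the `BUILDX_NO_DEFAULT_ATTESTATIONS=1` setting the comment refers to needs checking, since that setting is outside the hunk. If attestations are meant to stay off in every case, the new comment should state the reason rather than only "to avoid attestation entries". The same consideration applies to the Blacksmith build step in the `@@ -150` hunk.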
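Review bot: The new `platforms` input in deploy-generic.yml (`@@ -21` hunk) sits directly below a deprecated input whose description still reads "Ignored - all builds and CI run on arm64", which now contradicts a caller's ability to request `linux/amd64`. Suggest rewording that description to point at the replacement, for example `"[DEPRECATED] Ignored - use 'platforms' to select build architectures. No-op kept for backwards compatibility; will be removed in a future release."`. The deprecated input's name is outside the hunk, so the wording should be checked against it.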