From ca7c88b1f0d1564120280af1c635c0ccff373faf Mon Sep 17 00:00:00 2001 From: ehsan shariati Date: Thu, 18 Jun 2026 17:01:20 -0400 Subject: [PATCH 1/2] ci: pin newer QEMU binfmt to fix arm64 build segfault The arm64 cross-build under QEMU emulation on the amd64 runner segfaults ("qemu: uncaught target signal 11 (Segmentation fault)") while dpkg runs libc-bin's post-install trigger during `apt-get install` (Dockerfile:116), failing the build with dpkg exit 139. This is a QEMU user-mode emulation bug, not a Dockerfile/code change: the same Dockerfile built green on the prior main pushes (2026-05-29/30); only the GitHub runner's bundled QEMU regressed. Pin a newer QEMU via tonistiigi/binfmt so setup-qemu-action installs an emulator without the libc-bin segfault. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/docker-build-publish.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/docker-build-publish.yml b/.github/workflows/docker-build-publish.yml index fa0548a..3378965 100644 --- a/.github/workflows/docker-build-publish.yml +++ b/.github/workflows/docker-build-publish.yml @@ -40,6 +40,15 @@ jobs: - name: Set up QEMU (for cross-platform arm64 build on amd64 runner) uses: docker/setup-qemu-action@v3 + with: + # Pin a newer QEMU binfmt image. setup-qemu-action's bundled QEMU + # segfaults emulating arm64 dpkg/libc-bin post-install triggers + # ("qemu: uncaught target signal 11 (Segmentation fault)" -> dpkg + # exit 139 at the apt-get layer, Dockerfile:116). The Dockerfile is + # unchanged from prior green builds; the runner's bundled QEMU + # regressed. A newer QEMU fixes the emulation bug. Pin to a specific + # qemu-vX.Y.Z if reproducibility is preferred over `latest`. + image: tonistiigi/binfmt:latest - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 From 8635ecad47a16a0306c6369c861a6467d6ae08e8 Mon Sep 17 00:00:00 2001 From: ehsan shariati Date: Thu, 18 Jun 2026 17:19:24 -0400 Subject: [PATCH 2/2] ci: pin QEMU binfmt by digest sha256:400a4873 (validated green image) --- .github/workflows/docker-build-publish.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-build-publish.yml b/.github/workflows/docker-build-publish.yml index 3378965..ab376ca 100644 --- a/.github/workflows/docker-build-publish.yml +++ b/.github/workflows/docker-build-publish.yml @@ -41,14 +41,15 @@ jobs: - name: Set up QEMU (for cross-platform arm64 build on amd64 runner) uses: docker/setup-qemu-action@v3 with: - # Pin a newer QEMU binfmt image. setup-qemu-action's bundled QEMU - # segfaults emulating arm64 dpkg/libc-bin post-install triggers + # Pin QEMU binfmt by DIGEST. setup-qemu-action's previously-bundled + # QEMU segfaulted emulating arm64 dpkg/libc-bin post-install # ("qemu: uncaught target signal 11 (Segmentation fault)" -> dpkg - # exit 139 at the apt-get layer, Dockerfile:116). The Dockerfile is + # exit 139 at the apt-get layer, Dockerfile:116). The Dockerfile was # unchanged from prior green builds; the runner's bundled QEMU - # regressed. A newer QEMU fixes the emulation bug. Pin to a specific - # qemu-vX.Y.Z if reproducibility is preferred over `latest`. - image: tonistiigi/binfmt:latest + # regressed. This digest is the tonistiigi/binfmt image that :latest + # resolved to in the validated green build (~qemu-v10.2.3, 2026-06-08), + # pinned by digest so it cannot drift. + image: tonistiigi/binfmt@sha256:400a4873b838d1b89194d982c45e5fb3cda4593fbfd7e08a02e76b03b21166f0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3