From 44244fc3771fa99307f1dccd71a4ffb16592720e Mon Sep 17 00:00:00 2001
From: Claude Code <noreply@anthropic.com>
Date: Mon, 18 May 2026 23:39:52 -0500
Subject: [PATCH] ci: pin QEMU binfmt image to stabilize arm64 docker builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The multi-platform `docker-build (websocket)` job on master has been
flaking ~13% with `exit code: 132` (SIGILL) during `npm ci && npm run build`
on the `linux/arm64` leg. The `linux/amd64` leg always succeeds on the
same host, so the trigger is QEMU's user-mode x86_64→aarch64 translator
mis-executing one of the instructions a newer Node native module
postinstall emits.

`docker/setup-qemu-action@v3.6.0` is itself pinned, but it pulls
`tonistiigi/binfmt:latest` by default — a moving target. Pin the binfmt
image to `tonistiigi/binfmt:qemu-v8.1.5` (a recent, broadly-used QEMU
release) so the emulator binaries stop drifting under us.

This is a CI-only change. Output image bytes are unchanged: cross-built
amd64/arm64 artifacts are identical regardless of which QEMU version
emulates the build. Affects all four workflows that consume
`./.github/actions/setup-docker` (docker.yml, tag-release.yml,
showtime-trigger.yml, ephemeral-env.yml) — same emulator gets registered
for all of them; for amd64-only workflows the registration is a no-op.
---
 .github/actions/setup-docker/action.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/actions/setup-docker/action.yml b/.github/actions/setup-docker/action.yml
index 91f2c8ce954..49b477ace33 100644
--- a/.github/actions/setup-docker/action.yml
+++ b/.github/actions/setup-docker/action.yml
@@ -27,6 +27,15 @@ runs:
     - name: Set up QEMU
       if: ${{ inputs.build == 'true' }}
       uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      with:
+        # Pin the binfmt image to a specific QEMU release. The default
+        # (`tonistiigi/binfmt:latest`) is a moving target, and drift across
+        # QEMU's x86_64→aarch64 translator has been the proximate cause of
+        # intermittent `exit code: 132` (SIGILL) failures during the arm64
+        # leg of the multi-platform docker build — newer Node native modules
+        # emit instructions QEMU's user-mode emulation occasionally drops on
+        # the floor. Pinning a known-good release stabilises that path.
+        image: tonistiigi/binfmt:qemu-v8.1.5
 
     - name: Set up Docker Buildx
       if: ${{ inputs.build == 'true' }}