From ddd99fbb4696a50659f807c4ffb76a0551a68ec6 Mon Sep 17 00:00:00 2001
From: Luke Craig <lacraig3@gmail.com>
Date: Tue, 16 Jun 2026 22:41:15 -0400
Subject: [PATCH 1/3] Extract cross toolchains with --no-same-owner for
 rootless podman

The musl.cc / panda.re cross-toolchain tarballs are packed with the upstream
maintainer's uid/gid (e.g. 98601130:98600513). `tar -xz` preserves that
ownership, so the resulting image has files owned by those very high IDs.

Under docker this is harmless, but it breaks rootless podman: pulling/unpacking
the image into a rootless user namespace fails because those IDs exceed the
user's /etc/subuid|subgid range:

  potentially insufficient UIDs or GIDs available in user namespace
  (requested 98601130:98600513 ...): Check /etc/subuid and /etc/subgid

Add --no-same-owner to every cross-toolchain extraction so the files are owned
by the build user (root, id 0) instead. The image is functionally identical and
now pulls/runs/builds under rootless podman without requiring every host to
widen its subuid range.
---
 Dockerfile | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a57605a..05924b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,7 @@ COPY --from=go /go/dwarf2json/dwarf2json /bin/dwarf2json
 # i686
 FROM base AS i686
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/i686-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/i686-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/i686-linux-musl-cross /opt/cross/i686-linux-musl && \
     echo 'ln -sf /opt/cross/i686-linux-musl-cross /opt/cross/i686-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -67,7 +67,7 @@ ENV PATH="/opt/cross/x86_64-legacy/bin:${PATH}"
 # x86_64
 FROM base AS x86_64
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/x86_64-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/x86_64-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/x86_64-linux-musl-cross /opt/cross/x86_64-linux-musl && \
     echo 'ln -sf /opt/cross/x86_64-linux-musl-cross /opt/cross/x86_64-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -79,7 +79,7 @@ ENV PATH="${PATH}:/opt/cross/x86_64-legacy/bin"
 # armel
 FROM base AS armel
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/arm-linux-musleabi-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/arm-linux-musleabi-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/arm-linux-musleabi-cross /opt/cross/arm-linux-musleabi && \
     echo 'ln -sf /opt/cross/arm-linux-musleabi-cross /opt/cross/arm-linux-musleabi' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -88,7 +88,7 @@ ENV PATH="/opt/cross/arm-linux-musleabi/bin:${PATH}"
 # arm64
 FROM base AS arm64
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/aarch64-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/aarch64-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/aarch64-linux-musl-cross /opt/cross/aarch64-linux-musl && \
     echo 'ln -sf /opt/cross/aarch64-linux-musl-cross /opt/cross/aarch64-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -97,21 +97,21 @@ ENV PATH="/opt/cross/aarch64-linux-musl/bin:${PATH}"
 # mipseb
 FROM base AS mipseb
 RUN mkdir -p /opt/cross && \
-    wget http://panda.re/secret/mipseb-linux-musl_gcc-5.3.0.tar.gz -O - | tar -xz -C /opt/cross && \
+    wget http://panda.re/secret/mipseb-linux-musl_gcc-5.3.0.tar.gz -O - | tar --no-same-owner -xz -C /opt/cross && \
     bash /opt/cross/setup-cross.sh
 ENV PATH="/opt/cross/mipseb-linux-musl/bin:${PATH}"
 
 # mipsel
 FROM base AS mipsel
 RUN mkdir -p /opt/cross && \
-    wget http://panda.re/secret/mipsel-linux-musl_gcc-5.3.0.tar.gz -O - | tar -xz -C /opt/cross && \
+    wget http://panda.re/secret/mipsel-linux-musl_gcc-5.3.0.tar.gz -O - | tar --no-same-owner -xz -C /opt/cross && \
     bash /opt/cross/setup-cross.sh
 ENV PATH="/opt/cross/mipsel-linux-musl/bin:${PATH}"
 
 # mips64eb
 FROM base AS mips64eb
 RUN mkdir -p /opt/cross && \
-    wget http://panda.re/secret/mips64-linux-musl-cross_gcc-6.5.0.tar.gz -O - | tar -xz -C /opt/cross && \
+    wget http://panda.re/secret/mips64-linux-musl-cross_gcc-6.5.0.tar.gz -O - | tar --no-same-owner -xz -C /opt/cross && \
     echo 'ln -sf /opt/cross/mips64-linux-musl-cross /opt/cross/mips64eb-linux-musl' >> /opt/cross/setup-cross.sh && \
     # Dynamically create symlinks for every tool: mips64-linux-musl-* -> mips64eb-linux-musl-*
     echo 'for f in /opt/cross/mips64eb-linux-musl/bin/mips64-linux-musl-*; do [ -e "$f" ] || continue; b=$(basename "$f"); suf=${b#mips64-linux-musl-}; ln -sf "$f" "/opt/cross/mips64eb-linux-musl/bin/mips64eb-linux-musl-$suf"; done' >> /opt/cross/setup-cross.sh && \
@@ -132,7 +132,7 @@ ENV PATH="/opt/cross/mips64eb-linux-musl/bin:${PATH}"
 # It's a bit nutty to symlink all of these, but easier to keep track of what's needed for the future
 FROM base AS mips64el
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/mips64el-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/mips64el-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/mips64el-linux-musl-cross /opt/cross/mips64el-linux-musl && \
     echo 'ln -sf /opt/cross/mips64el-linux-musl-cross /opt/cross/mips64el-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -141,7 +141,7 @@ ENV PATH="/opt/cross/mips64el-linux-musl/bin:${PATH}"
 # arm
 FROM base AS arm
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/arm-linux-musleabi-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/arm-linux-musleabi-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/arm-linux-musleabi-cross /opt/cross/arm-linux-musleabi && \
     echo 'ln -sf /opt/cross/arm-linux-musleabi-cross /opt/cross/arm-linux-musleabi' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -150,7 +150,7 @@ ENV PATH="/opt/cross/arm-linux-musleabi/bin:${PATH}"
 # armhf
 FROM base AS armhf
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/arm-linux-musleabihf-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/arm-linux-musleabihf-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/arm-linux-musleabihf-cross /opt/cross/arm-linux-musleabihf && \
     echo 'ln -sf /opt/cross/arm-linux-musleabihf-cross /opt/cross/arm-linux-musleabihf' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -160,7 +160,7 @@ ENV PATH="/opt/cross/arm-linux-musleabihf/bin:${PATH}"
 FROM base AS riscv32
 RUN apt-get update && apt-get install -y gcc-riscv64-linux-gnu && rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/riscv32-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/riscv32-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/riscv32-linux-musl-cross /opt/cross/riscv32-linux-musl && \
     echo 'ln -sf /opt/cross/riscv32-linux-musl-cross /opt/cross/riscv32-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -170,7 +170,7 @@ ENV PATH="/opt/cross/riscv32-linux-musl/bin:${PATH}"
 FROM base AS riscv64
 RUN apt-get update && apt-get install -y gcc-riscv64-linux-gnu && rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/riscv64-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/riscv64-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/riscv64-linux-musl-cross /opt/cross/riscv64-linux-musl && \
     echo 'ln -sf /opt/cross/riscv64-linux-musl-cross /opt/cross/riscv64-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -179,7 +179,7 @@ ENV PATH="/opt/cross/riscv64-linux-musl/bin:${PATH}"
 # powerpc64
 FROM base AS powerpc64
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/powerpc64-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/powerpc64-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/powerpc64-linux-musl-cross /opt/cross/powerpc64-linux-musl && \
     echo 'ln -sf /opt/cross/powerpc64-linux-musl-cross /opt/cross/powerpc64-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -193,7 +193,7 @@ RUN sed -i 's/^# deb \(.*\) universe$/deb \1 universe/' /etc/apt/sources.list  &
 # powerpc64le
 FROM powerpc64 AS powerpc64le
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/powerpc64le-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/powerpc64le-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/powerpc64le-linux-musl-cross /opt/cross/powerpc64le-linux-musl && \
     echo 'ln -sf /opt/cross/powerpc64le-linux-musl-cross /opt/cross/powerpc64le-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -202,7 +202,7 @@ ENV PATH="/opt/cross/powerpc64le-linux-musl/bin:${PATH}"
 # powerpc
 FROM powerpc64 AS powerpc
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/powerpc-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/powerpc-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/powerpc-linux-musl-cross /opt/cross/powerpc-linux-musl && \
     echo 'ln -sf /opt/cross/powerpc-linux-musl-cross /opt/cross/powerpc-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -211,7 +211,7 @@ ENV PATH="/opt/cross/powerpc-linux-musl/bin:${PATH}"
 # powerpcle
 FROM powerpc64 AS powerpcle
 RUN mkdir -p /opt/cross && \
-    wget https://musl.cc/powerpcle-linux-musl-cross.tgz -O - | tar -xz -C /opt/cross && \
+    wget https://musl.cc/powerpcle-linux-musl-cross.tgz -O - | tar --no-same-owner -xz -C /opt/cross && \
     ln -s /opt/cross/powerpcle-linux-musl-cross /opt/cross/powerpcle-linux-musl && \
     echo 'ln -sf /opt/cross/powerpcle-linux-musl-cross /opt/cross/powerpcle-linux-musl' >> /opt/cross/setup-cross.sh && \
     bash /opt/cross/setup-cross.sh
@@ -220,7 +220,7 @@ ENV PATH="/opt/cross/powerpcle-linux-musl/bin:${PATH}"
 # loongarch64
 FROM base AS loongarch64
 RUN mkdir -p /opt/cross && \
-    wget https://github.com/loongson/build-tools/releases/download/2025.02.21/x86_64-cross-tools-loongarch64-binutils_2.44-gcc_14.2.0-glibc_2.41.tar.xz -O - | tar -xJ -C /tmp && \
+    wget https://github.com/loongson/build-tools/releases/download/2025.02.21/x86_64-cross-tools-loongarch64-binutils_2.44-gcc_14.2.0-glibc_2.41.tar.xz -O - | tar --no-same-owner -xJ -C /tmp && \
     mv /tmp/cross-tools/ /opt/cross/loongarch64-linux-gcc-cross && \
     ln -s /opt/cross/loongarch-linux-gcc-cross /opt/cross/loongarch-linux-musl && \
     echo 'ln -sf /opt/cross/loongarch64-linux-gcc-cross /opt/cross/loongarch-linux-musl' >> /opt/cross/setup-cross.sh && \

From 154caa9b3b0a6fd76a8682a59cc605308d735bae Mon Sep 17 00:00:00 2001
From: Luke Craig <lacraig3@gmail.com>
Date: Wed, 17 Jun 2026 13:32:08 -0400
Subject: [PATCH 2/3] CI: run PR build on rehosting-arc (musl.cc blocks
 GitHub-hosted runners)

musl.cc blocks GitHub-hosted runner IP ranges wholesale (since 2025-05-27), so
the cross-toolchain `wget https://musl.cc/...` steps fail on ubuntu-latest:

  Connecting to musl.cc (musl.cc)|216.82.192.11|:443...   (stalls)
  ERROR: ... wget https://musl.cc/powerpc64-linux-musl-cross.tgz ... exit code 2

Move the PR check to the self-hosted rehosting-arc runners (whose egress isn't
blocked), mirroring publish.yml: trust the Harbor cert, log in, set up buildx
with the insecure-registry config, pull base images via the Harbor proxy, and
read the publish layer cache so unchanged layers don't re-download. Builds the
`final` target to validate; does not push (PR check).
---
 .github/workflows/build.yml | 50 +++++++++++++++++++++++++++++++------
 1 file changed, 43 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ab31f9b..64c2643 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,17 +3,53 @@ name: Test and Build container
 on:
   pull_request:
     branches:
-      - main 
+      - main
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    # Self-hosted runners: musl.cc blocks GitHub-hosted runner IPs wholesale
+    # (since 2025-05-27), so the cross-toolchain downloads fail on ubuntu-latest.
+    # rehosting-arc egress is not blocked and matches the publish environment.
+    runs-on: rehosting-arc
 
     steps:
+      - name: Trust Harbor's self-signed certificate
+        run: |
+          echo "Fetching certificate from ${{ secrets.REHOSTING_ARC_REGISTRY }}"
+          openssl s_client -showcerts -connect ${{ secrets.REHOSTING_ARC_REGISTRY }}:443 < /dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /usr/local/share/ca-certificates/harbor.crt > /dev/null
+          sudo update-ca-certificates
+
+      - name: Log in to Rehosting Arc Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ secrets.REHOSTING_ARC_REGISTRY }}
+          username: ${{ secrets.REHOSTING_ARC_REGISTRY_USER }}
+          password: ${{ secrets.REHOSTING_ARC_REGISTRY_PASSWORD }}
+
       - name: 'Checkout code'
         uses: actions/checkout@v4
-      
-      - name: Build 
-        run: |
-          docker build -t base_container --target base .
-          docker build -t rust_container .
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: |
+            image=moby/buildkit:master
+            network=host
+          buildkitd-config-inline: |
+            [registry."${{ secrets.REHOSTING_ARC_REGISTRY }}"]
+              insecure = true
+              http = true
+
+      # Validate the image builds (exercises every cross-toolchain stage).
+      # Reuse the publish cache so unchanged layers don't re-download from
+      # musl.cc; don't push -- this is a PR check.
+      - name: Build embedded-toolchains (validate, no push)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          target: final
+          build-args: |
+            REGISTRY=${{ secrets.REHOSTING_ARC_REGISTRY }}/proxy
+          cache-from: |
+            type=registry,ref=${{ secrets.REHOSTING_ARC_REGISTRY }}/rehosting/embedded-toolchains:cache,mode=max

From 1fd7b4b52bccffe61c8ad9b106536022f08ec059 Mon Sep 17 00:00:00 2001
From: Luke Craig <lacraig3@gmail.com>
Date: Wed, 17 Jun 2026 13:36:58 -0400
Subject: [PATCH 3/3] CI: use buildx default stable buildkit (master regressed
 /proc/acpi on rehosting-arc)

---
 .github/workflows/build.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 64c2643..350599b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -32,8 +32,11 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
+          # Use buildx's default (pinned, stable) buildkit image rather than the
+          # floating moby/buildkit:master. A recent master regressed on the
+          # rehosting-arc runners with: runc ... can't mask dir "/proc/acpi"
+          # ... invalid argument, failing every RUN step.
           driver-opts: |
-            image=moby/buildkit:master
             network=host
           buildkitd-config-inline: |
             [registry."${{ secrets.REHOSTING_ARC_REGISTRY }}"]