From 69e4bcb14ad3c512be449d6a93dc9c0d39fbd1a6 Mon Sep 17 00:00:00 2001
From: Mitchell R <root@mitchellr.info>
Date: Wed, 20 May 2026 00:31:42 +0200
Subject: [PATCH] ci(pi-gen): tonistiigi/binfmt --install arm64 (F flag,
 kernel-resident QEMU)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

apt's qemu-user-static + update-binfmts produces a registration that
pi-gen's nested Docker container still couldn't see. Switch to the
canonical tonistiigi/binfmt approach: privileged container that
installs QEMU statically with the F (fix-binary) flag, so the kernel
opens the qemu-aarch64-static binary at registration time and uses it
for all subsequent arm64 execs — independent of which container the
exec happens in.

Plus diagnostic: ls /proc/sys/fs/binfmt_misc + cat qemu-aarch64
detail, so next run's log surfaces whether registration actually
landed.
---
 .github/workflows/build.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 625d983..ba39580 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -169,18 +169,18 @@ jobs:
           chmod +x deploy/pi-gen/stage-betterframe-client/01-install-kiosk/00-run-chroot.sh
 
       # x86 runner can't natively execute the arm64 binaries pi-gen drops
-      # into the chroot. Install qemu-user-static + binfmt-support so the
-      # kernel routes arm64 ELFs through QEMU. docker/setup-qemu-action
-      # registers via a privileged container which pi-gen's own nested
-      # container doesn't pick up — apt path is what pi-gen documents.
+      # into the chroot. tonistiigi/binfmt registers QEMU with the F flag
+      # (kernel preloads the static binary), making it visible inside
+      # pi-gen's nested container kernel-namespace-share. This is what
+      # docker/setup-qemu-action wraps, called directly here so we control
+      # the flags + can sanity-check after.
       - name: Register QEMU binfmt for arm64
         run: |
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
-            qemu-user-static binfmt-support
-          sudo update-binfmts --enable qemu-aarch64
-          # Sanity check — pi-gen looks for this exact file.
-          ls -la /proc/sys/fs/binfmt_misc/qemu-aarch64
+          docker run --rm --privileged tonistiigi/binfmt --install arm64
+          echo "--- binfmt_misc registrations ---"
+          ls -la /proc/sys/fs/binfmt_misc/ || true
+          echo "--- qemu-aarch64 details ---"
+          cat /proc/sys/fs/binfmt_misc/qemu-aarch64 || true
 
       - name: Build Pi image (pi-gen)
         uses: usimd/pi-gen-action@v1