[publish images] bake QEMU into CI images instead of installing at runtime

- Add qemu-user-static to .buildkite/Dockerfile (glibc agents)
- Add qemu-x86_64/qemu-aarch64 to scripts/bootstrap.sh (Alpine agents)
- Bump bootstrap version 26 -> 27 to trigger image rebuild
- Remove install logic from verify-baseline-cpu.sh
- Switch aarch64 CPU model from cortex-a35 to cortex-a53 (more widely
  supported across QEMU versions, same ARMv8.0-A feature set)

.buildkite/Dockerfile

@@ -26,7 +26,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    wget curl git python3 python3-pip ninja-build \
    software-properties-common apt-transport-https \
    ca-certificates gnupg lsb-release unzip \
-   libxml2-dev ruby ruby-dev bison gawk perl make golang ccache \
+   libxml2-dev ruby ruby-dev bison gawk perl make golang ccache qemu-user-static \
    && add-apt-repository ppa:ubuntu-toolchain-r/test \
    && apt-get update \
    && apt-get install -y gcc-13 g++-13 libgcc-13-dev libstdc++-13-dev \

scripts/bootstrap.sh

@@ -1,5 +1,5 @@
 #!/bin/sh
-# Version: 26
+# Version: 27
 
 # A script that installs the dependencies needed to build and test Bun.
 # This should work on macOS and Linux with a POSIX shell.
@@ -1061,6 +1061,11 @@ install_build_essentials() {
 			go \
 			xz
 		install_packages apache2-utils
+		# QEMU user-mode for baseline CPU verification in CI
+		case "$arch" in
+		x64)     install_packages qemu-x86_64 ;;
+		aarch64) install_packages qemu-aarch64 ;;
+		esac
 		;;
 	esac
 

scripts/verify-baseline-cpu.sh

@@ -4,6 +4,9 @@ set -euo pipefail
 # Verify that a Bun binary doesn't use CPU instructions beyond its baseline target.
 # Uses QEMU user-mode emulation with restricted CPU features.
 # Any illegal instruction (SIGILL) causes exit code 132 and fails the build.
+#
+# QEMU must be pre-installed in the CI image (see .buildkite/Dockerfile and
+# scripts/bootstrap.sh).
 
 ARCH=""
 BINARY=""
@@ -26,33 +29,6 @@ if [ ! -f "$BINARY" ]; then
   exit 1
 fi
 
-# Install QEMU user-mode
-echo "--- Installing QEMU user-mode"
-SUDO=""
-if [ "$(id -u)" -ne 0 ]; then
-  if sudo -n true 2>/dev/null; then
-    SUDO="sudo -n"
-  else
-    echo "ERROR: Not root and passwordless sudo not available"
-    exit 1
-  fi
-fi
-
-if command -v apk &>/dev/null; then
-  if [ "$ARCH" = "x64" ]; then
-    $SUDO apk add --no-cache qemu-x86_64
-  else
-    $SUDO apk add --no-cache qemu-aarch64
-  fi
-elif command -v dnf &>/dev/null; then
-  $SUDO dnf install -y qemu-user-static
-elif command -v apt-get &>/dev/null; then
-  $SUDO apt-get update -qq && $SUDO apt-get install -y -qq qemu-user-static
-else
-  echo "ERROR: No supported package manager found (apk/dnf/apt-get)"
-  exit 1
-fi
-
 # Select QEMU binary and CPU model
 HOST_ARCH=$(uname -m)
 if [ "$ARCH" = "x64" ]; then
@@ -66,12 +42,19 @@ elif [ "$ARCH" = "aarch64" ]; then
   if [ -f "/usr/bin/qemu-aarch64-static" ]; then
     QEMU_BIN="qemu-aarch64-static"
   fi
-  QEMU_CPU="cortex-a35"
+  # cortex-a53 is ARMv8.0-A (no LSE atomics, no SVE). It's the most widely
+  # supported ARMv8.0 model across QEMU versions.
+  QEMU_CPU="cortex-a53"
 else
   echo "ERROR: Unknown arch: $ARCH"
   exit 1
 fi
 
+if ! command -v "$QEMU_BIN" &>/dev/null; then
+  echo "ERROR: $QEMU_BIN not found. It must be pre-installed in the CI image."
+  exit 1
+fi
+
 echo "--- Verifying baseline CPU compatibility"
 echo "Binary: $BINARY"
 echo "QEMU: $QEMU_BIN -cpu $QEMU_CPU"
@@ -93,7 +76,7 @@ run_test() {
     if [ "$ARCH" = "x64" ]; then
       echo "The baseline x64 build targets Nehalem (SSE4.2). AVX/AVX2/AVX512 instructions are not allowed."
     else
-      echo "The aarch64 build targets Cortex-A35 (ARMv8.0-A+CRC). LSE atomics, SVE, and dotprod are not allowed."
+      echo "The aarch64 build targets Cortex-A53 (ARMv8.0-A+CRC). LSE atomics, SVE, and dotprod are not allowed."
     fi
   fi
   exit $exit_code