ci: add QEMU-based baseline CPU verification steps (#26571)

## Summary

Add CI steps that verify baseline builds don't use CPU instructions
beyond their target. Uses QEMU user-mode emulation with restricted CPU
features — any illegal instruction causes SIGILL and fails the build.

## Platforms verified

| Build Target | QEMU Command | What it catches |
|---|---|---|
| `linux-x64-baseline` (glibc) | `qemu-x86_64 -cpu Nehalem` | AVX, AVX2,
AVX512 |
| `linux-x64-musl-baseline` | `qemu-x86_64 -cpu Nehalem` | AVX, AVX2,
AVX512 |
| `linux-aarch64` (glibc) | `qemu-aarch64 -cpu cortex-a35` | LSE
atomics, SVE, dotprod |
| `linux-aarch64-musl` | `qemu-aarch64 -cpu cortex-a35` | LSE atomics,
SVE, dotprod |

## How it works

Each verify step:
1. Downloads the built binary artifact from the `build-bun` step
2. Installs `qemu-user-static` on-the-fly (dnf/apk/apt-get)
3. Runs two smoke tests under QEMU with restricted CPU features:
   - `bun --version` — validates startup, linker, static init code
   - `bun -e eval` — validates JSC initialization and basic execution
4. Hard fails on SIGILL (exit code 132)

The verify step runs in the build group after `build-bun`, with a
5-minute timeout.

## Known issue this will surface

**mimalloc on aarch64**: Built with `MI_OPT_ARCH=ON` which adds
`-march=armv8.1-a`, enabling LSE atomics. This will SIGILL on
Cortex-A35/A53 CPUs. The aarch64 verify steps are expected to fail
initially, confirming the test catches real issues. Fix can be done
separately in `cmake/targets/BuildMimalloc.cmake`.

scripts/verify-baseline-cpu.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Verify that a Bun binary doesn't use CPU instructions beyond its baseline target.
+# Uses QEMU user-mode emulation with restricted CPU features.
+# Any illegal instruction (SIGILL) causes exit code 132 and fails the build.
+#
+# QEMU must be pre-installed in the CI image (see .buildkite/Dockerfile and
+# scripts/bootstrap.sh).
+
+ARCH=""
+BINARY=""
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --arch) ARCH="$2"; shift 2 ;;
+    --binary) BINARY="$2"; shift 2 ;;
+    *) echo "Unknown arg: $1"; exit 1 ;;
+  esac
+done
+
+if [ -z "$ARCH" ] || [ -z "$BINARY" ]; then
+  echo "Usage: $0 --arch <x64|aarch64> --binary <path>"
+  exit 1
+fi
+
+if [ ! -f "$BINARY" ]; then
+  echo "ERROR: Binary not found: $BINARY"
+  exit 1
+fi
+
+# Select QEMU binary and CPU model
+HOST_ARCH=$(uname -m)
+if [ "$ARCH" = "x64" ]; then
+  QEMU_BIN="qemu-x86_64"
+  if [ -f "/usr/bin/qemu-x86_64-static" ]; then
+    QEMU_BIN="qemu-x86_64-static"
+  fi
+  QEMU_CPU="Nehalem"
+  CPU_DESC="Nehalem (SSE4.2, no AVX/AVX2/AVX512)"
+elif [ "$ARCH" = "aarch64" ]; then
+  QEMU_BIN="qemu-aarch64"
+  if [ -f "/usr/bin/qemu-aarch64-static" ]; then
+    QEMU_BIN="qemu-aarch64-static"
+  fi
+  # cortex-a53 is ARMv8.0-A (no LSE atomics, no SVE). It's the most widely
+  # supported ARMv8.0 model across QEMU versions.
+  QEMU_CPU="cortex-a53"
+  CPU_DESC="Cortex-A53 (ARMv8.0-A+CRC, no LSE/SVE)"
+else
+  echo "ERROR: Unknown arch: $ARCH"
+  exit 1
+fi
+
+if ! command -v "$QEMU_BIN" &>/dev/null; then
+  echo "ERROR: $QEMU_BIN not found. It must be pre-installed in the CI image."
+  exit 1
+fi
+
+BINARY_NAME=$(basename "$BINARY")
+
+echo "--- Verifying $BINARY_NAME on $CPU_DESC"
+echo "    Binary: $BINARY"
+echo "    QEMU:   $QEMU_BIN -cpu $QEMU_CPU"
+echo "    Host:   $HOST_ARCH"
+echo ""
+
+run_test() {
+  local label="$1"
+  shift
+  echo "+++ $BINARY_NAME: $label"
+  if "$QEMU_BIN" -cpu "$QEMU_CPU" "$@"; then
+    echo "    PASS"
+    return 0
+  else
+    local exit_code=$?
+    echo ""
+    if [ $exit_code -eq 132 ]; then
+      echo "    FAIL: Illegal instruction (SIGILL)"
+      echo ""
+      echo "    The $BINARY_NAME binary uses CPU instructions not available on $QEMU_CPU."
+      if [ "$ARCH" = "x64" ]; then
+        echo "    The baseline x64 build targets Nehalem (SSE4.2)."
+        echo "    AVX, AVX2, and AVX512 instructions are not allowed."
+      else
+        echo "    The aarch64 build targets Cortex-A53 (ARMv8.0-A+CRC)."
+        echo "    LSE atomics, SVE, and dotprod instructions are not allowed."
+      fi
+    else
+      echo "    FAIL: exit code $exit_code"
+    fi
+    exit $exit_code
+  fi
+}
+
+run_test "bun --version" "$BINARY" --version
+run_test "bun -e eval" "$BINARY" -e "console.log(JSON.stringify({ok:1+1}))"
+
+echo ""
+echo "    All checks passed for $BINARY_NAME on $QEMU_CPU."