feat: add aarch64 cross-compilation support #444

Open
tomasmach wants to merge 2 commits into spacedriveapp:main from tomasmach:feat/cross-compile-aarch64

@tomasmach
Contributor

Summary

  • Add Cross.toml and Dockerfile.cross-aarch64 for local cross-compilation to aarch64-unknown-linux-gnu using the cross tool
  • Add just build-aarch64 recipe for one-command ARM builds
  • Document the cross-compilation workflow in the README Quick Start section

Motivation

CI builds ARM binaries natively on ubuntu-24.04-arm runners, but there's no way for developers to cross-compile for ARM locally from an x86_64 machine. This is useful for anyone deploying to Raspberry Pi or ARM servers without ARM hardware.

Details

The Dockerfile.cross-aarch64 is based on Ubuntu 22.04 (required because ort-sys bundles a prebuilt ONNX Runtime aarch64 static lib that needs glibc 2.32+ and GCC 11+ libstdc++). It includes:

  • aarch64 cross-toolchain (gcc-aarch64-linux-gnu, g++-aarch64-linux-gnu)
  • ARM64 sysroot libraries (libssl-dev:arm64, libsqlite3-dev:arm64)
  • Host-arch protoc for prost/lancedb build-time codegen
  • Correct environment variables for cross-pkg-config, OpenSSL, and SQLite discovery

Usage:

cargo install cross --locked
just build-aarch64
# Output: target/aarch64-unknown-linux-gnu/release/spacebot

Test plan

  • gate-pr passes (confirmed locally — no Rust source changes)
  • just build-aarch64 produces a valid ELF 64-bit LSB ... ARM aarch64 binary
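
A check for the second test-plan item, as an added example that is not part of the PR or the project's code: it reads the ELF identification bytes directly, so a pipeline can fail when the file at target/aarch64-unknown-linux-gnu/release/spacebot is not a 64-bit little-endian AArch64 binary. The function names and the two 20-byte sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the architecture of a cross-compiled artifact
# from its ELF header instead of trusting the output path.

# elf_bytes FILE OFFSET LENGTH -> the bytes as lowercase hex, no separators
elf_bytes() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# Returns 0 only for a 64-bit, little-endian AArch64 ELF file.
# Returns 2 if the file is missing, 1 for any other mismatch.
is_aarch64_elf() {
    f=$1
    [ -f "$f" ] || return 2
    [ "$(elf_bytes "$f" 0 4)" = "7f454c46" ] || return 1  # magic: 0x7f 'E' 'L' 'F'
    [ "$(elf_bytes "$f" 4 1)" = "02" ] || return 1        # EI_CLASS = ELFCLASS64
    [ "$(elf_bytes "$f" 5 1)" = "01" ] || return 1        # EI_DATA  = ELFDATA2LSB
    [ "$(elf_bytes "$f" 18 2)" = "b700" ] || return 1     # e_machine = EM_AARCH64 (183), LE
}

# Constructed sample input: the first 20 bytes of an ELF header.
# $1 = output path, $2 = low byte of e_machine as an octal escape.
make_sample_header() {
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000'"$2"'\000' > "$1"
}

tmp=$(mktemp -d)
make_sample_header "$tmp/arm64" '\267'   # 0xB7 = EM_AARCH64
make_sample_header "$tmp/amd64" '\076'   # 0x3E = EM_X86_64
for s in arm64 amd64; do
    if is_aarch64_elf "$tmp/$s"; then
        echo "$s: aarch64 ELF"
    else
        echo "$s: rejected"
    fi
done
rm -rf "$tmp"
```

In a build script the same function would be called on the real artifact path right after `just build-aarch64`, with a non-zero return failing the job.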

@coderabbitai
Contributor

coderabbitai bot commented Mar 16, 2026

Walkthrough

Adds ARM64 (aarch64) cross-compilation support: new Dockerfile to provision cross-toolchain and sysroot, a justfile build target for aarch64 release, and README guidance (duplicated block) explaining local cross-build steps and CI behaviour.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Cross-compile Dockerfile: Dockerfile.cross-aarch64 | New Dockerfile that sets up an amd64 container with multi-arch/arm64 apt sources, installs host and aarch64 cross toolchains and dev libs, adds libssl/libsqlite3:arm64, installs host protoc, and exports cross-compilation environment variables (toolchain prefix, sysroot, linker, pkg-config, OpenSSL/SQLite paths). |
| Build recipe: justfile | Added build-aarch64 recipe that sets SPACEBOT_SKIP_FRONTEND_BUILD=1 and runs cargo build --target aarch64-unknown-linux-gnu --release for cross-building aarch64 binaries. |
| Documentation (duplicated blocks): README.md | Inserted Cross-compile for ARM (aarch64) guidance in two locations (under Build and Run and under Quick Start), describing how to use the Dockerfile, run the cross build, and expected output path; content is duplicated. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding aarch64 cross-compilation support, which aligns with the primary purpose of all changes in the PR (Dockerfile, justfile recipe, and README updates). |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, covering the motivation, implementation details, usage instructions, and test plan for the aarch64 cross-compilation support. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
Dockerfile.cross-aarch64 (1)

26-26: Consider whether OpenSSL and SQLite dev packages are needed.

Per build.rs context, the codebase uses rustls for TLS (pure Rust) and sqlx with the sqlite feature (also pure Rust via bundled SQLite). These libssl-dev:arm64 and libsqlite3-dev:arm64 packages may be unnecessary.

That said, keeping them is harmless and provides safety for transitive dependencies or future changes that might require native linking.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.cross-aarch64` at line 26, The Dockerfile.cross-aarch64 installs
libssl-dev:arm64 and libsqlite3-dev:arm64 which may be unnecessary because the
project uses rustls and sqlx with bundled sqlite; remove those two packages from
the apt-get install line (the entries libssl-dev:arm64 and libsqlite3-dev:arm64)
to slim the image, or alternatively leave them with a comment explaining they
are kept for transitive/native-link safety—update the apt-get install invocation
accordingly and ensure the package list and trailing backslashes remain valid.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile.cross-aarch64`:
- Around line 44-46: The Dockerfile sets OPENSSL_INCLUDE_DIR and
SQLITE3_INCLUDE_DIR to incorrect Ubuntu multiarch paths
(/usr/aarch64-linux-gnu/usr/include); update the assignments for
OPENSSL_INCLUDE_DIR and SQLITE3_INCLUDE_DIR to use the standard multiarch header
directory /usr/include/aarch64-linux-gnu so that headers from libssl-dev:arm64
and libsqlite3-dev:arm64 are found during build.


ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between ed3aebe and bc9feeb.

⛔ Files ignored due to path filters (1)
  • Cross.toml is excluded by !**/*.toml
📒 Files selected for processing (3)
  • Dockerfile.cross-aarch64
  • README.md
  • justfile

Contributor

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (2)
Dockerfile.cross-aarch64 (2)

1-4: Static analysis flags root user — acceptable for build-only containers.

Trivy reports DS-0002 (image should not run as root). Since this container is only used for cross-compilation (not runtime), running as root is acceptable and simplifies package installation. If the team prefers stricter container hygiene, a non-root user could be added at the end for the cargo build step.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.cross-aarch64` around lines 1 - 4, Trivy flags the
Dockerfile.cross-aarch64 for running as root (DS-0002); if you want stricter
hygiene instead of accepting root for the build container, add an unprivileged
user and switch to it before the cargo build step: create a user/group (e.g.,
builder), chown the workspace, use USER builder, and ensure any apt/installation
steps that require root remain earlier in the Dockerfile (keep ENV
DEBIAN_FRONTEND=noninteractive and package installation as root, then switch to
the non-root user before invoking cargo build).

32-37: Add checksum verification for the protoc download.

The protoc binary is downloaded over HTTPS but without verifying its integrity. Adding a SHA256 checksum check would guard against supply-chain tampering or partial downloads.

🔒 Proposed fix to add checksum verification
 # protoc (x86_64 host binary for prost/lancedb build-time codegen)
+ARG PROTOC_VERSION=29.3
+ARG PROTOC_SHA256=3e866620c5be27664f3d2fa2d656b5f3e09b5152b42f1bedbf427b333e90021a
 RUN curl -fsSL -o /tmp/protoc.zip \
-        https://github.com/protocolbuffers/protobuf/releases/download/v29.3/protoc-29.3-linux-x86_64.zip \
+        https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-x86_64.zip \
+    && echo "${PROTOC_SHA256}  /tmp/protoc.zip" | sha256sum -c - \
     && unzip /tmp/protoc.zip -d /usr/local \
     && chmod +x /usr/local/bin/protoc \
     && rm /tmp/protoc.zip
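Review bot: PROTOC_VERSION and PROTOC_SHA256 are declared as two independent ARG lines with nothing tying them together, so a later version bump that forgets the digest only surfaces as a failed `sha256sum -c -` step. That fails closed, which is the right behaviour, but a comment above the ARG lines saying the two must change together would save the next maintainer a confusing build error. The digest in PROTOC_SHA256 should also be confirmed independently against the protoc-29.3-linux-x86_64.zip release asset before merge, since the value in this suggestion has no recorded source. Both values are ARGs and can be replaced with --build-arg; if that is not wanted, writing them as literals in the RUN line keeps the pin fixed in the file.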
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.cross-aarch64` around lines 32 - 37, Add SHA256 checksum
verification for the protoc download: after downloading /tmp/protoc.zip (the RUN
block that fetches protoc for build-time codegen and before unzip/chmod/rm),
fetch or embed the expected SHA256 value for protoc-29.3-linux-x86_64.zip,
compute the checksum with sha256sum (or similar) against /tmp/protoc.zip, and
abort (exit non-zero) if the checksum does not match so unzip/chmod/rm only run
on a verified archive; update the RUN chain around the protoc download/unpack
steps accordingly.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between bc9feeb and d223ed5.

📒 Files selected for processing (1)
  • Dockerfile.cross-aarch64
