
feat(cross): Add multi-arch cross-build development image#61

Merged: qzhhhi merged 2 commits into main from dev/arm64, Apr 29, 2026

@qzhhhi qzhhhi commented Apr 28, 2026

  • Add rmcs-develop:latest-full with opposite-architecture sysroots, cross toolchains, and a build-rmcs-cross entrypoint for local cross compilation.
  • Update the image publishing workflow to build per-arch digests, smoke test cross builds, and promote multi-arch manifests for base, develop, develop-full, and runtime images.

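PR summary: multi-arch cross-build development image (feat(cross): Add multi-arch cross-build development image)

Core features

  • New image variant rmcs-develop:latest-full: provides the opposite architecture's sysroot (/opt/sysroots/*), cross toolchains and a build entrypoint inside the image, supporting local cross compilation.
  • New local cross-build entry script .script/build-rmcs-cross: supports --target-arch {arm64,amd64}, automatically validates and configures the sysroot, cross compiler, CMake/colcon environment and the necessary environment-variable isolation, and finally calls colcon build.
  • New CMake toolchain file rmcs_ws/toolchain.cmake: reads/caches RMCS_TARGET_ARCH, RMCS_SYSROOT and RMCS_TARGET_TRIPLET, configures CMAKE_SYSROOT / CMAKE_FIND_ROOT_PATH and the pkg-config search paths, and provides rmcs_find_host_program() for resolving host-side tool paths.
  • New zsh completion .script/complete/_build-rmcs-cross.

Dockerfile and image build

  • Adds the rmcs-sysroot-amd64 / rmcs-sysroot-arm64 stages and the rmcs-develop-full stage, allowing already-built sysroot images to be injected into rmcs-develop-full by digest through build-args (SYSROOT_IMAGE_AMD64 / SYSROOT_IMAGE_ARM64).
  • Architecture-aware installation: OpenVINO is installed only on amd64; Neovim/CMake/other tools pick a suitable binary or build from source according to TARGETARCH (Unison is now built from source with SHA256 verification).
  • .devcontainer/devcontainer.json switches to qzhhhi/rmcs-develop:latest-full.

CI/CD / workflow

  • Restructures .github/workflows/update-image.yml: builds and pushes an immutable digest of each image per architecture; exports the per-arch digests as short-lived artifacts; runs the cross-build smoke test in images pinned to a digest (and uses readelf to check the ELF Machine field of the generated libraries); finally collects the digests and publishes multi-arch manifests through docker buildx imagetools create (the latest manifests for rmcs-base, rmcs-develop, rmcs-develop-full and rmcs-runtime).
  • Extends the workflow's trigger paths so that they cover more image/build-related file changes.

Documentation and configuration

  • Adds docs/zh-cn/cross_build.md (Chinese cross-compilation guide): covers the sysroot layout, usage examples, verification steps, CI conventions, and so on.
  • Updates docs/zh-cn/build_docker_image.md and README.md with latest-full build and usage instructions and example commands.
  • Updates .gitignore (adds patterns such as log-cross-*, build-cross-*, install-cross-*) and adjusts the trailing newline and paths of several files.

Breaking / important changes

  • Deletes two submodule declarations from .gitmodules: rmcs_ws/src/hikcamera and rmcs_ws/src/serial (removes the corresponding submodule references).
  • Deletes the file rmcs_ws/src/rmcs_core/src/hardware/mecanum_hero.cpp (removes the exported plugin/class rmcs_core::hardware::MecanumHero, about 537 lines); this hardware component is no longer available.

Change size and review suggestions

  • Points of attention: reliability and security of the workflow's digests/manifests (artifact export/import, the promotion step), Dockerfile multi-arch build and dependency management (especially the branching logic for OpenVINO and the cross toolchains), host-side tool resolution and failure modes in rmcs_ws/toolchain.cmake, environment isolation and argument validation in .script/build-rmcs-cross, and the impact of the deleted mecanum_hero component on the system and its alternatives.
  • Review difficulty: involves highly complex CI/image build logic and a large file deletion; a medium-to-high-intensity code review and manual verification of the smoke test steps are recommended.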
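
The ELF Machine check that the summary above assigns to the smoke test can also be done by reading the header bytes directly, which gives "file missing", "not ELF" and "wrong architecture" separate exit codes. This is an added example, not code from the PR; the function names (elf_machine, expected_machine, check_arch, make_sample_elf) are hypothetical and the sample headers are constructed.

```sh
#!/bin/sh
# Added example (not from the PR): check the ELF e_machine field of a built
# library without binutils. All function names here are hypothetical.

# elf_machine <file>: print e_machine as a decimal number.
# Returns 2 if the file is unreadable, 3 if it has no valid ELF header.
elf_machine() {
    f="$1"
    [ -r "$f" ] || return 2
    # First 20 bytes: e_ident[16], e_type[2], e_machine[2], as decimal bytes.
    set -- $(od -An -v -tu1 -N20 "$f" 2>/dev/null)
    [ "$#" -eq 20 ] || return 3
    # Magic: 0x7f 'E' 'L' 'F'
    [ "$1" -eq 127 ] && [ "$2" -eq 69 ] && [ "$3" -eq 76 ] && [ "$4" -eq 70 ] || return 3
    case "$6" in                                # EI_DATA selects the byte order
        1) echo $(( ${19} + 256 * ${20} )) ;;   # little-endian
        2) echo $(( 256 * ${19} + ${20} )) ;;   # big-endian
        *) return 3 ;;
    esac
}

# expected_machine <target-arch>: map the --target-arch values to e_machine.
expected_machine() {
    case "$1" in
        amd64) echo 62 ;;    # EM_X86_64
        arm64) echo 183 ;;   # EM_AARCH64
        *) return 1 ;;
    esac
}

# check_arch <target-arch> <file>
# 0 = matches, 1 = wrong architecture, 2 = unreadable, 3 = not ELF, 4 = unknown arch
check_arch() {
    want=$(expected_machine "$1") || return 4
    got=$(elf_machine "$2") || return $?
    [ "$got" -eq "$want" ]
}

# make_sample_elf <path> <octal low byte of e_machine>
# Writes a constructed 20-byte little-endian ELF64 header prefix (ET_DYN).
make_sample_elf() {
    printf '\177ELF\002\001\001\000' > "$1"
    printf '\000\000\000\000\000\000\000\000\003\000' >> "$1"
    printf "\\$2\\000" >> "$1"
}
```
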


coderabbitai Bot commented Apr 28, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8d4e84a4-6a81-420e-b939-ddeab8a9a93c

📥 Commits

Reviewing files that changed from the base of the PR and between 63dae04 and 8097b62.

📒 Files selected for processing (11)
  • .devcontainer/devcontainer.json
  • .github/workflows/update-image.yml
  • .gitignore
  • .script/build-rmcs-cross
  • .script/complete/_build-rmcs-cross
  • .script/host/rmcs
  • Dockerfile
  • README.md
  • docs/zh-cn/build_docker_image.md
  • docs/zh-cn/cross_build.md
  • rmcs_ws/toolchain.cmake
✅ Files skipped from review due to trivial changes (7)
  • .script/host/rmcs
  • .gitignore
  • .devcontainer/devcontainer.json
  • README.md
  • .script/complete/_build-rmcs-cross
  • docs/zh-cn/cross_build.md
  • rmcs_ws/toolchain.cmake

Walkthrough

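Introduces multi-arch cross-compilation support: adds a cross toolchain and scripts, extends the Docker multi-stage image (including latest-full with both sysroots), updates the CI pipeline for image build/verification/publishing, and removes two submodules and one hardware plugin implementation file.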

Changes

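| Cohort | File(s) | Summary |
|---|---|---|
| Container configuration | .devcontainer/devcontainer.json | Changes the devcontainer image tag to qzhhhi/rmcs-develop:latest-full and fixes the trailing newline at end of file. |
| CI/CD workflow | .github/workflows/update-image.yml | Restructured into a multi-job pipeline: builds per architecture and exports digests, builds the sysroot-carrying image from digests, runs the cross smoke test, and finally assembles the multi-arch manifest list; trigger path conditions extended. |
| Cross-compilation script and completion | .script/build-rmcs-cross, .script/complete/_build-rmcs-cross | Adds the cross-architecture build script (--target-arch, environment cleanup, sysroot/compiler detection, calling colcon) and the matching zsh completion. |
| Dockerfile / image stages | Dockerfile | Introduces the rmcs-sysroot-* and rmcs-develop-full stages; installs OpenVINO/Neovim/CMake conditionally per architecture; switches to building Unison from source with verification; adds opposite-architecture sysroot extraction and cross toolchain installation. |
| CMake toolchain | rmcs_ws/toolchain.cmake | Adds the cross-compilation toolchain: reads/caches the RMCS variables, validates the sysroot, sets CMAKE_SYSROOT/CMAKE_FIND_ROOT_PATH, configures pkg-config, and adds the rmcs_find_host_program helper function. |
| Documentation | README.md, docs/zh-cn/build_docker_image.md, docs/zh-cn/cross_build.md | Adds/updates the cross-compilation and image build documentation: explains latest-full usage, build-rmcs-cross examples, sysroot conventions and the CI verification flow. |
| Configuration / submodules | .gitmodules, .gitignore, rmcs_ws/src/hikcamera, rmcs_ws/src/serial | Removes the hikcamera and serial entries from .gitmodules; deletes the corresponding submodule commit pointers; .gitignore adds log-cross-*, build-cross-*, install-cross-*. |
| Tool script tweak | .script/host/rmcs | Changes the Neovim executable path from /opt/nvim-linux-x86_64/bin/nvim to /opt/nvim/bin/nvim. |
| Removed component | rmcs_ws/src/rmcs_core/src/hardware/mecanum_hero.cpp | Completely removes the MecanumHero hardware plugin implementation and its pluginlib export (component deleted). |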

Sequence Diagram(s)

sequenceDiagram
    rect rgba(52,160,255,0.5)
    participant CI as CI/CD
    end
    rect rgba(102,204,102,0.5)
    participant Builder as Buildx
    participant Registry as Registry
    end
    rect rgba(255,153,51,0.5)
    participant Verifier as SmokeTest
    end

    CI->>Builder: Build rmcs-base (amd64/arm64)
    Builder->>Registry: Push and export per-arch digests
    Registry-->>CI: Return digest files

    CI->>Builder: Build rmcs-develop / rmcs-runtime from digests (per arch)
    Builder->>Registry: Push and export digests

    CI->>Builder: Build rmcs-develop-full from both sysroot digests
    Builder->>Registry: Push and export digest

    CI->>Verifier: Pull images by digest, run cross smoke test (build-rmcs-cross, readelf check)
    Verifier-->>CI: Verification result

    CI->>Builder: Create and push multi-arch manifest list (:latest)
    Builder->>Registry: Publish manifest

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

Suggested reviewers

  • creeper5820

Poem

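🐰 I tap my keyboard in the tree hollow; the bridge across architectures is built,
sysroots face each other from both ends, amd and arm hand in hand,
CI binds the images into a volume, verifying again and again,
old leaves fall and new buds sprout, the little rabbit hops and sings the merge song,
to the thump of the drum, the build garden reaches a new height.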

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main content of this change: adding a multi-arch cross-compilation development image, and is closely related to all modified files and goals. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
rmcs_ws/toolchain.cmake (1)

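138-142: Consider whether FORCE is needed to override CMAKE_PREFIX_PATH

Using FORCE unconditionally overwrites any CMAKE_PREFIX_PATH value the user may have passed on the command line. Since build-rmcs-cross already sets CMAKE_PREFIX_PATH through an environment variable (see context snippet 1), the hard-coded path here may conflict with the setting in the environment variable.

Suggestion: set the default only when the variable is undefined, or remove FORCE to allow the user to override it.

♻️ Optional change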
-set(CMAKE_PREFIX_PATH
-  "/opt/ros/jazzy"
-  "/usr"
-  CACHE STRING "Target-side prefix path for cross-compilation" FORCE
-)
+if(NOT DEFINED CACHE{CMAKE_PREFIX_PATH})
+  set(CMAKE_PREFIX_PATH
+    "/opt/ros/jazzy"
+    "/usr"
+    CACHE STRING "Target-side prefix path for cross-compilation"
+  )
+endif()
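Review bot: the `if(NOT DEFINED CACHE{CMAKE_PREFIX_PATH})` guard on the first added line only sees a value passed with -D, not the CMAKE_PREFIX_PATH environment variable that this comment says build-rmcs-cross sets, so on that path the `/opt/ros/jazzy` and `/usr` defaults are still written to the cache. Either say in a comment that the environment value is deliberately left to CMake's own lookup, or also test `DEFINED ENV{CMAKE_PREFIX_PATH}`. The `CACHE{}` form needs CMake 3.14 or newer, so confirm the minimum version the workspace requires.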
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@rmcs_ws/toolchain.cmake` around lines 138 - 142, The current
set(CMAKE_PREFIX_PATH ... CACHE STRING ... FORCE) unconditionally overwrites any
CMAKE_PREFIX_PATH a user or build script provided; change it so the toolchain
only supplies defaults and does not clobber user input: either remove the FORCE
flag or wrap the cache assignment in a conditional that only sets
CMAKE_PREFIX_PATH when it is not already defined/has no value (i.e., ensure the
code that sets CMAKE_PREFIX_PATH in toolchain.cmake only provides defaults and
allows overrides rather than forcing them).
.devcontainer/devcontainer.json (1)

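5-5: Switching to the latest-full image by default may affect developers who do not need cross compilation.

The latest-full image contains the opposite architecture's sysroot and cross toolchain, so it is significantly larger. For developers who do not need cross compilation, this increases image pull time and disk usage.

Suggestions:

  • Document the differences between the two images and when to use each
  • Or keep latest as the default and let developers who need cross compilation switch to latest-full manually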
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.devcontainer/devcontainer.json at line 5, Change the default devcontainer
image from "qzhhhi/rmcs-develop:latest-full" to the lighter
"qzhhhi/rmcs-develop:latest" by updating the "image" property, and add
documentation (e.g., README or CONTRIBUTING) explaining the difference between
the two tags and when to switch to "latest-full" for cross-compilation,
including a short example or command showing how to override the "image"
property to opt into the full image.
.script/build-rmcs-cross (1)

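153-165: Empty array expansion under set -u may cause problems

When the colcon_args array is empty, in Bash 4.3 and earlier "${colcon_args[@]}" triggers an "unbound variable" error (because the script enables set -u). Although Bash 4.4+ has fixed this behavior, a defensive form is recommended for better compatibility.

🛡️ Suggested defensive form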
 CLICOLOR_FORCE=1 NINJA_STATUS="" \
     colcon \
     --log-base "${log_base}" \
     build \
     --merge-install \
     --build-base "${build_base}" \
     --install-base "${install_base}" \
-    "${colcon_args[@]}" \
+    ${colcon_args[@]+"${colcon_args[@]}"} \
     --cmake-args \
     -DCMAKE_TOOLCHAIN_FILE="${toolchain_file}" \
     -DRMCS_TARGET_ARCH="${RMCS_TARGET_ARCH}" \
     -DRMCS_SYSROOT="${RMCS_SYSROOT}" \
     -DRMCS_TARGET_TRIPLET="${RMCS_TARGET_TRIPLET}"
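Review bot: the added `${colcon_args[@]+"${colcon_args[@]}"}` line is correct but reads like a quoting slip, because the outer expansion is deliberately left unquoted; put a one-line comment above it naming the `set -u` / Bash 4.3 case so nobody "fixes" it later. Keep this form rather than a `"${colcon_args[@]:-}"` default, which hands colcon a single empty-string argument when the array is empty.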
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.script/build-rmcs-cross around lines 153 - 165, The use of
"${colcon_args[@]}" can trigger an "unbound variable" under set -u when the
array is unset (Bash ≤4.3); update the expansion in the colcon invocation to a
defensive form that yields an empty expansion when the array is not set (e.g.,
use a default-empty expansion like "${colcon_args[@]:-}" or equivalent) so the
CLICOLOR_FORCE... colcon build command (where "${colcon_args[@]}" is referenced)
will not fail on older Bash versions.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/zh-cn/cross_build.md`:
- Around line 66-72: The self-check commands mismatch the build scope: the
script invocation ./.script/build-rmcs-cross --packages-up-to rmcs_core only
builds rmcs_core (and deps) but the checklist also calls readelf on
librmcs_executor.so; either remove the executor check or expand the build
target—update the snippet so the build command uses --packages-up-to
rmcs_executor if you intend to validate librmcs_executor.so, or delete the
readelf call for librmcs_executor.so if you only want to build/check rmcs_core;
refer to the ./.script/build-rmcs-cross invocation and the readelf checks for
librmcs_core.so and librmcs_executor.so when making the change.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8a837972-2ea2-4403-a013-024884282c37

📥 Commits

Reviewing files that changed from the base of the PR and between 4b153ea and 8cb8f00.

📒 Files selected for processing (15)
  • .devcontainer/devcontainer.json
  • .github/workflows/update-image.yml
  • .gitignore
  • .gitmodules
  • .script/build-rmcs-cross
  • .script/complete/_build-rmcs-cross
  • .script/host/rmcs
  • Dockerfile
  • README.md
  • docs/zh-cn/build_docker_image.md
  • docs/zh-cn/cross_build.md
  • rmcs_ws/src/hikcamera
  • rmcs_ws/src/rmcs_core/src/hardware/mecanum_hero.cpp
  • rmcs_ws/src/serial
  • rmcs_ws/toolchain.cmake
💤 Files with no reviewable changes (4)
  • rmcs_ws/src/hikcamera
  • rmcs_ws/src/serial
  • rmcs_ws/src/rmcs_core/src/hardware/mecanum_hero.cpp
  • .gitmodules

Remove the local hikcamera/serial submodules and the unused mecanum_hero.cpp source file to shrink the workspace and speed up cross-builds.
@qzhhhi qzhhhi requested a review from creeper5820 April 28, 2026 15:16

@creeper5820 creeper5820 left a comment


Accept

qzhhhi added a commit that referenced this pull request Apr 28, 2026
- Add rmcs-develop:latest-full with opposite-architecture sysroots, cross toolchains, and a build-rmcs-cross entrypoint for local cross compilation.
- Update the image publishing workflow to build per-arch digests, smoke test cross builds, and promote multi-arch manifests for base, develop, develop-full, and runtime images.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

139-146: ⚠️ Potential issue | 🔴 Critical

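Do not bake a private key into the development image.

Line 141-143 copies .ssh/id_rsa into /home/ubuntu/.ssh, and rmcs-develop / rmcs-develop-full are in turn pushed to the image registry. Anyone who can pull the image can thus obtain the same private key, which amounts to leaking the credential directly. This should be changed to mounting at runtime or generating at startup, rather than writing it into an image layer at build time.

🔐 Suggested change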
-RUN --mount=type=bind,target=/tmp/.ssh,source=.ssh,readonly=false \
-    cd /home/ubuntu && mkdir -p .ssh && \
-    if [ ! -f "/tmp/.ssh/id_rsa" ]; then ssh-keygen -N "" -f "/tmp/.ssh/id_rsa"; fi && \
-    cp -r /tmp/.ssh/* .ssh && \
-    chown -R 1000:1000 .ssh && chmod 600 .ssh/id_rsa && \
-    mkdir -p .unison && \
+RUN cd /home/ubuntu && \
+    mkdir -p .ssh .unison && \
+    chown -R 1000:1000 .ssh .unison && \
     echo 'confirmbigdel = false' >> ".unison/default.prf" && \
     chown -R 1000:1000 .unison
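Review bot: the added `chown -R 1000:1000 .ssh .unison` runs before `default.prf` is written, so `.unison` ends up chowned twice; drop `.unison` from the first chown and use that line to `chmod 700 .ssh` instead. With the `ssh-keygen` and `cp -r /tmp/.ssh/* .ssh` lines removed nothing in this hunk provisions a key any more, so the runtime mount or first-start generation has to land in the same change. Since the comment states that images built from the removed lines were pushed, the key in those layers should be rotated as well.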
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 139 - 146, The Dockerfile RUN block is baking a
private key into the image by generating/copying .ssh/id_rsa into
/home/ubuntu/.ssh (the lines using ssh-keygen, cp -r /tmp/.ssh/* .ssh and chmod
600 .ssh/id_rsa); remove those steps so private keys are not written into the
build layer and instead expect keys to be provided at runtime via a mounted
volume or create them at container start in an entrypoint script. Update the
Dockerfile to omit the ssh-keygen/cp/chmod for .ssh/id_rsa and keep only
non-sensitive setup (mkdir -p .ssh, chown -R 1000:1000 .ssh if needed), and
add/modify the container entrypoint or startup logic (e.g., an entrypoint script
referenced by the image) that checks for a mounted /home/ubuntu/.ssh or
generates keys on first run, sets secure permissions (chmod 600) and chown
there; this ensures images like rmcs-develop / rmcs-develop-full do not contain
baked private keys.
🧹 Nitpick comments (1)
.github/workflows/update-image.yml (1)

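267-267: Prefer ${CROSS_TRIPLET}-readelf for the ELF check.

Line 267 currently relies on a generic readelf whose presence is not explicitly guaranteed; rmcs-develop-full at Dockerfile Line 205-209 only explicitly installs the cross binutils-*. Calling the triplet-prefixed tool directly here is more robust and avoids misreading differences in the image's host binutils as a smoke test failure.

🛠️ Suggested change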
-              readelf -h "${lib_path}" | grep -q "Machine:.*${EXPECTED_MACHINE}"
+              "${CROSS_TRIPLET}-readelf" -h "${lib_path}" | grep -q "Machine:.*${EXPECTED_MACHINE}"
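Review bot: on the added line a missing `${CROSS_TRIPLET}-readelf` and a wrong `Machine:` value both end as the same failed `grep -q`, so the smoke test cannot tell a tooling gap from a wrong-architecture build. Check `command -v "${CROSS_TRIPLET}-readelf"` first and fail with its own message. `${EXPECTED_MACHINE}` is also spliced into a regex, so compare the extracted field as a fixed string if the value can contain regex metacharacters.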
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/update-image.yml at line 267, Replace the plain readelf
invocation with the triplet-prefixed tool: use "${CROSS_TRIPLET}-readelf -h
\"${lib_path}\" | grep -q \"Machine:.*${EXPECTED_MACHINE}\"" so the workflow
calls the cross-compiled binutils binary explicitly; if desired, add a pre-check
that ${CROSS_TRIPLET}-readelf exists and fail fast with a clear message if not
present to avoid falling back to a host readelf.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile`:
- Around line 193-244: The rmcs-develop-full stage installs toolchains and
sysroots but does not include the entry script .script/build-rmcs-cross or put
it on PATH; add a step in the rmcs-develop-full stage to COPY (or --mount) the
repository script .script/build-rmcs-cross into the image (e.g.
/usr/local/bin/build-rmcs-cross), make it executable (chmod +x), and ensure its
directory is on PATH (or symlink into /usr/local/bin) so the build-rmcs-cross
command is available at runtime and for users pulling latest-full.

In `@rmcs_ws/toolchain.cmake`:
- Around line 138-156: The cross-compilation search paths lack /usr/local and
its pkgconfig subdirectories: in toolchain.cmake add "/usr/local" to
CMAKE_PREFIX_PATH, and add the corresponding
"${RMCS_SYSROOT}/usr/local/lib/${RMCS_TARGET_TRIPLET}/pkgconfig",
"${RMCS_SYSROOT}/usr/local/lib/pkgconfig" and
"${RMCS_SYSROOT}/usr/local/share/pkgconfig" to the _rmcs_pkg_config_libdirs list
(to ensure ENV{PKG_CONFIG_LIBDIR} includes these entries), and also update the
related environment variables set in the build script build-rmcs-cross to
reflect these new paths (take care to use the same RMCS_SYSROOT/
RMCS_TARGET_TRIPLET variable forms).


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1d8a8276-3430-4b4b-8872-f68eb76e53f0

📥 Commits

Reviewing files that changed from the base of the PR and between 8cb8f00 and 63dae04.

📒 Files selected for processing (15)
  • .devcontainer/devcontainer.json
  • .github/workflows/update-image.yml
  • .gitignore
  • .gitmodules
  • .script/build-rmcs-cross
  • .script/complete/_build-rmcs-cross
  • .script/host/rmcs
  • Dockerfile
  • README.md
  • docs/zh-cn/build_docker_image.md
  • docs/zh-cn/cross_build.md
  • rmcs_ws/src/hikcamera
  • rmcs_ws/src/rmcs_core/src/hardware/mecanum_hero.cpp
  • rmcs_ws/src/serial
  • rmcs_ws/toolchain.cmake
💤 Files with no reviewable changes (4)
  • rmcs_ws/src/hikcamera
  • rmcs_ws/src/serial
  • .gitmodules
  • rmcs_ws/src/rmcs_core/src/hardware/mecanum_hero.cpp
✅ Files skipped from review due to trivial changes (6)
  • .gitignore
  • .script/complete/_build-rmcs-cross
  • .devcontainer/devcontainer.json
  • README.md
  • .script/host/rmcs
  • docs/zh-cn/cross_build.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/zh-cn/build_docker_image.md
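
The review above flags a private key written into an image layer at build time. One way to check for that is to scan each layer tarball on its own, so a key that a later layer deletes is still reported. This is an added example, not code from the PR; the function names (scan_layer, scan_layers, make_sample_layers) are hypothetical, the layer tarballs are assumed to have been unpacked from a saved image beforehand, and the sample key file is a constructed placeholder.

```sh
#!/bin/sh
# Added example (not from the PR): report private-key files inside image
# layer tarballs. Function names are hypothetical.

KEY_HEADER='-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'

# scan_layer <layer.tar>: print the path of every file in the layer whose
# content carries a PEM/OpenSSH private-key header. Returns 2 on bad input.
scan_layer() {
    layer="$1"
    [ -r "$layer" ] || return 2
    tmp=$(mktemp -d) || return 2
    # Unpack as the current user; ownership and device nodes do not matter here.
    tar -xf "$layer" -C "$tmp" 2>/dev/null || true
    chmod -R u+rwX "$tmp" 2>/dev/null || true
    ( cd "$tmp" && grep -rlaE -e "$KEY_HEADER" . | sed 's|^\./||' | sort )
    rm -rf "$tmp"
}

# scan_layers <layer.tar>...: print "<layer>: <path>" for each finding.
# Returns 1 if any layer holds key material, 0 if clean, 2 on bad input.
scan_layers() {
    found=0
    for l in "$@"; do
        hits=$(scan_layer "$l") || return 2
        [ -z "$hits" ] && continue
        found=1
        printf '%s\n' "$hits" | while IFS= read -r p; do
            printf '%s: %s\n' "${l##*/}" "$p"
        done
    done
    return "$found"
}

# make_sample_layers <dir>: build two constructed layers. layer1 holds a
# placeholder key file; layer2 "deletes" it with an OCI whiteout entry.
make_sample_layers() {
    out="$1"
    mkdir -p "$out/l1/home/ubuntu/.ssh" "$out/l2/home/ubuntu/.ssh" "$out/l2/etc"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END OPENSSH PRIVATE KEY-----' > "$out/l1/home/ubuntu/.ssh/id_rsa"
    echo 'ssh-rsa CONSTRUCTED-PLACEHOLDER ubuntu@example' \
        > "$out/l1/home/ubuntu/.ssh/id_rsa.pub"
    : > "$out/l2/home/ubuntu/.ssh/.wh.id_rsa"
    echo 'welcome' > "$out/l2/etc/motd"
    tar -cf "$out/layer1.tar" -C "$out/l1" home
    tar -cf "$out/layer2.tar" -C "$out/l2" home etc
}
```

The whiteout in the second sample layer hides the key from the final filesystem, but the first layer still ships it to anyone who pulls the image, which is why the scan works per layer.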

- Add rmcs-develop:latest-full with opposite-architecture sysroots, cross toolchains, and a build-rmcs-cross entrypoint for local cross compilation.
- Update the image publishing workflow to build per-arch digests, smoke test cross builds, and promote multi-arch manifests for base, develop, develop-full, and runtime images.
@qzhhhi qzhhhi merged commit 23d3469 into main Apr 29, 2026
1 check passed
@github-project-automation github-project-automation Bot moved this from Todo to Done in RMCS Apr 29, 2026
@qzhhhi qzhhhi deleted the dev/arm64 branch April 29, 2026 09:02
ZGZ713912 pushed a commit that referenced this pull request May 2, 2026
- Add rmcs-develop:latest-full with opposite-architecture sysroots, cross toolchains, and a build-rmcs-cross entrypoint for local cross compilation.
- Update the image publishing workflow to build per-arch digests, smoke test cross builds, and promote multi-arch manifests for base, develop, develop-full, and runtime images.

(cherry picked from commit 23d3469)
noskillzheng pushed a commit that referenced this pull request May 11, 2026
- Add rmcs-develop:latest-full with opposite-architecture sysroots, cross toolchains, and a build-rmcs-cross entrypoint for local cross compilation.
- Update the image publishing workflow to build per-arch digests, smoke test cross builds, and promote multi-arch manifests for base, develop, develop-full, and runtime images.