Fix multi-arch Docker build SIGILL by splitting frontend stage (#36646)

## Summary
- Split Dockerfile and Dockerfile.rootless into a two-stage build:
frontend assets are built on the native platform (`$BUILDPLATFORM`) then
copied to the per-architecture backend build stage
- This avoids running esbuild/webpack under QEMU emulation which causes
SIGILL (Invalid machine instruction) on arm64/riscv64
- Frontend assets (JS/CSS/fonts) are platform-independent so they only
need to be built once
- The `build-env` stage no longer needs `nodejs`/`pnpm` since it only
builds the Go backend

Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>

Dockerfile.rootless

@@ -1,5 +1,12 @@
 # syntax=docker/dockerfile:1
-# Build stage
+# Build frontend on the native platform to avoid QEMU-related issues with esbuild/webpack
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26-alpine3.23 AS frontend-build
+RUN apk --no-cache add build-base git nodejs pnpm
+WORKDIR /src
+COPY --exclude=.git/ . .
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store make frontend
+
+# Build backend for each target platform
 FROM docker.io/library/golang:1.26-alpine3.23 AS build-env
 
 ARG GOPROXY=direct
@@ -12,20 +19,18 @@ ARG CGO_EXTRA_CFLAGS
 # Build deps
 RUN apk --no-cache add \
     build-base \
-    git \
-    nodejs \
-    pnpm
+    git
 
 WORKDIR ${GOPATH}/src/code.gitea.io/gitea
 # See the comments in Dockerfile
 COPY --exclude=.git/ . .
+COPY --from=frontend-build /src/public/assets public/assets
 
 # Build gitea, .git mount is required for version data
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target="/root/.cache/go-build" \
-    --mount=type=cache,target=/root/.local/share/pnpm/store \
     --mount=type=bind,source=".git/",target=".git/" \
-    make
+    make backend
 
 COPY docker/rootless /tmp/local