diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 53d0d74c35e..704bf07c784 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -138,3 +138,33 @@ jobs:
       # FIXME: rootless is skipped because of EPERM on writing cgroup.procs
         if: false
         run: ssh default "sudo -i make -C /vagrant localrootlessintegration"
+
+  # We need to continue support for 32-bit ARM.
+  # However, we do not have 32-bit ARM CI, so we use i386 for testing 32bit stuff.
+  # We are not interested in providing official support for i386.
+  cross-i386:
+    runs-on: ubuntu-20.04
+
+    steps:
+
+    - name: checkout
+      uses: actions/checkout@v2
+
+    - name: install deps
+      run: |
+        sudo dpkg --add-architecture i386
+        # add criu repo
+        sudo add-apt-repository -y ppa:criu/ppa
+        # apt-add-repository runs apt update so we don't have to.
+
+        # Due to a bug in apt, we have to update it first
+        # (see https://bugs.launchpad.net/ubuntu-cdimage/+bug/1871268)
+        sudo apt -q install apt
+        sudo apt -q install libseccomp-dev libseccomp-dev:i386 gcc-multilib criu
+
+    - name: install go
+      uses: actions/setup-go@v2 # use default Go version
+
+    - name: unit test
+      # cgo is disabled by default when cross-compiling
+      run: sudo -E PATH="$PATH" -- make GOARCH=386 CGO_ENABLED=1 localunittest
diff --git a/libcontainer/seccomp/patchbpf/enosys_linux_test.go b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
index 17b92af9586..f9a4bf63faa 100644
--- a/libcontainer/seccomp/patchbpf/enosys_linux_test.go
+++ b/libcontainer/seccomp/patchbpf/enosys_linux_test.go
@@ -159,7 +159,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 			type syscallTest struct {
 				syscall  string
 				sysno    libseccomp.ScmpSyscall
-				expected int
+				expected uint32
 			}
 
 			scmpArch, err := libseccomp.GetArchFromString(arch)
@@ -177,9 +177,9 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 			// Add explicit syscalls (whether they will return -ENOSYS
 			// depends on the filter rules).
 			for idx, syscall := range explicitSyscalls {
-				expected := int(retFallthrough)
+				expected := retFallthrough
 				if idx >= enosysStart {
-					expected = int(retErrnoEnosys)
+					expected = retErrnoEnosys
 				}
 				sysno, err := libseccomp.GetSyscallFromNameByArch(syscall, scmpArch)
 				if err != nil {
@@ -201,7 +201,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 				syscallTests = append(syscallTests, syscallTest{
 					sysno:    sysno,
 					syscall:  syscall,
-					expected: int(retFallthrough),
+					expected: retFallthrough,
 				})
 			}
 
@@ -216,7 +216,7 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 				syscallTests = append(syscallTests, syscallTest{
 					sysno:    sysno,
 					syscall:  fmt.Sprintf("syscall_%#x", sysno),
-					expected: int(retErrnoEnosys),
+					expected: retErrnoEnosys,
 				})
 			}
 
@@ -224,14 +224,17 @@ func testEnosysStub(t *testing.T, defaultAction configs.Action, arches []string)
 			for _, test := range syscallTests {
 				// Override the expected value in the two special cases.
 				if !archSet[arch] || isAllowAction(defaultAction) {
-					test.expected = int(retFallthrough)
+					test.expected = retFallthrough
 				}
 
 				payload := mockSyscallPayload(t, test.sysno, nativeArch, 0x1337, 0xF00BA5)
-				ret, err := filter.Run(payload)
+				// NOTE: golang.org/x/net/bpf returns int here rather
+				// than uint32.
+				rawRet, err := filter.Run(payload)
 				if err != nil {
 					t.Fatalf("error running filter: %v", err)
 				}
+				ret := uint32(rawRet)
 				if ret != test.expected {
 					t.Logf("mock filter for %v %v:", arches, allowedSyscalls)
 					for idx, insn := range program {