release: use cross + rustls-tls for linux targets

[jdx]

Summary

• The aarch64-unknown-linux-gnu upload-assets job in run 24613265153 failed with fatal error: openssl/opensslconf.h: No such file or directory — openssl-sys (pulled in by reqwest's native-tls feature) couldn't find aarch64 OpenSSL headers. setup-cross-toolchain-action installs aarch64-linux-gnu-gcc but points it at a stub sysroot that lacks the arch-specific openssl config.
• Switch reqwest to rustls-tls (pure Rust) so TLS no longer depends on system libraries, and run Linux builds through cross so the per-target Docker image also gives us an older, more portable glibc — matching how fnox ships Linux binaries.
• Identity::from_pkcs8_pem is native-tls-only. The per-registry client-cert path now concatenates cert+key into a combined PEM buffer and calls Identity::from_pem, which works under rustls.

Changes

• Cargo.toml — reqwest: default-features = false, add rustls-tls
• crates/aube-registry/Cargo.toml — drop now-redundant native-tls feature override
• crates/aube-registry/src/client.rs — switch Identity::from_pkcs8_pem → Identity::from_pem with combined cert+key PEM
• .github/workflows/release.yml — add build-tool matrix column (cross for Linux, cargo elsewhere); remove setup-cross-toolchain-action (the action installs cross itself)

Test plan

• cargo build passes locally
• cargo clippy --all-targets -- -D warnings clean
• New release run uploads all six target archives, including aarch64-unknown-linux-gnu
• Linux binaries run on a distro with older glibc (cross uses an older base image than ubuntu-latest)

🤖 Generated with Claude Code

---

Note

Medium Risk
Medium risk because it changes the TLS backend for all HTTP calls and modifies the release build pipeline for Linux targets, which could affect network compatibility and artifact portability.

Overview
Switches HTTP TLS from system OpenSSL to pure-Rust rustls. Workspace reqwest is rebuilt with default-features = false and rustls-tls (dropping native-tls/OpenSSL dependencies), and aube-registry removes its native-tls override; Cargo.lock updates accordingly.

Updates registry client mTLS handling and release builds. Per-registry client cert/key loading now concatenates cert+key into a single PEM and uses reqwest::Identity::from_pem for rustls compatibility, and the release workflow builds Linux targets via cross (matrix build-tool) while keeping cargo elsewhere and removing the cross toolchain setup step.

^{Reviewed by Cursor Bugbot for commit e214e23. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This PR fixes a cross-compilation failure for aarch64-unknown-linux-gnu builds by eliminating the OpenSSL system-library dependency via two coordinated changes: switching reqwest from native-tls to rustls-tls (pure-Rust TLS), and replacing setup-cross-toolchain-action with cross for Linux targets in the release workflow.

Key changes:

• Cargo.toml: reqwest now uses default-features = false with features = [\"json\", \"stream\", \"rustls-tls\"]
• crates/aube-registry/Cargo.toml: The now-redundant native-tls feature override is removed
• crates/aube-registry/src/client.rs: Identity::from_pkcs8_pem(cert, key) (native-tls-only) is replaced by concatenating cert+key into a combined PEM buffer and calling Identity::from_pem, which works under rustls
• .github/workflows/release.yml: A build-tool matrix column selects cross for the two Linux targets and cargo for macOS/Windows; the setup-cross-toolchain-action step is removed since taiki-e/upload-rust-binary-action installs cross itself

Confidence Score: 5/5

Safe to merge — changes are well-scoped, the root cause of the build failure is correctly addressed, and the rustls migration is complete and consistent.

All four changed files are coherent: the workspace-level reqwest switch to rustls-tls, the redundant native-tls removal in the registry crate, the Identity::from_pem adaptation (which is the correct API under rustls), and the workflow migration to cross all fit together cleanly. The PEM concatenation correctly inserts a newline between cert and key. No open edge cases were found.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/release.yml	Adds build-tool matrix column (cross for Linux, cargo elsewhere) and removes the now-superseded setup-cross-toolchain-action; both upload steps correctly thread build-tool through to the action.
Cargo.toml	Switches reqwest to default-features = false with rustls-tls, eliminating the openssl-sys transitive dependency that broke aarch64-unknown-linux-gnu builds.
crates/aube-registry/Cargo.toml	Drops the now-redundant native-tls feature override on reqwest; the workspace-level change is the single source of truth.
crates/aube-registry/src/client.rs	Replaces Identity::from_pkcs8_pem(cert, key) (native-tls-only) with a cert+key PEM concatenation and Identity::from_pem, which works under rustls; newline handling between the two PEM blocks is correct.

_{Reviews (2): Last reviewed commit: "release: use cross + rustls-tls for linu..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ddb786b. Configure here.}