ci(release): add musl Linux targets for Alpine compatibility#452
Conversation
Adds x86_64-unknown-linux-musl and aarch64-unknown-linux-musl to the release build matrix. The existing gnu-only Linux binaries fail on Alpine (missing libudev.so.1, glibc symbol __res_init), as reported in #428. Both targets use the existing `cross` build-tool. openssl-sys and dbus are already vendored for Linux in Cargo.toml, so no source changes are needed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
b321bc4 to
9c668a1
Compare
There was a problem hiding this comment.
Code Review
This pull request adds the communique tool to the mise.toml configuration and introduces a mise.lock file specifying platform-specific binaries for version 1.0.1. Review feedback highlights that the musl platform entries in the lockfile incorrectly reference GNU binaries, which will lead to execution failures on Alpine Linux. Furthermore, there is a discrepancy between the PR description and the actual changes, as intended workflow updates are missing and the tool addition is not mentioned in the summary.
I am having trouble creating individual review comments. Click here to see my feedback.
mise.lock (12-15)
The linux-arm64-musl platform entry is incorrectly pointing to the GNU binary (communique-aarch64-unknown-linux-gnu.tar.gz). This will cause execution failures on Alpine Linux due to the missing glibc dependency, which contradicts the primary goal of this PR. Please verify if a native musl build is available for communique v1.0.1 or if this is an erroneous fallback in the lockfile generation.
mise.lock (22-25)
The linux-x64-musl platform entry is incorrectly pointing to the GNU binary (communique-x86_64-unknown-linux-gnu.tar.gz). This will fail on musl-based distributions like Alpine. If communique does not support musl, this entry should be removed or updated to a compatible artifact to avoid providing a broken binary to users in those environments.
mise.toml (6)
The pull request description states that x86_64-unknown-linux-musl and aarch64-unknown-linux-musl are being added to the release build matrix in .github/workflows/release.yml, but that file is not included in the current diff. Additionally, the addition of communique to the tools list is not mentioned in the PR summary. Please ensure all intended changes are committed and the description is updated to reflect the tool addition.
Greptile SummaryThis PR adds The implementation is thorough: the Cargo dependency is conditioned via Confidence Score: 5/5Safe to merge — all cfg-gates are consistent across Cargo.toml, build script, source, and tests; no outstanding issues remain. No P0 or P1 issues found. The fido2 exclusion is applied consistently in every required location (dependency declaration, build codegen, provider module, CLI enum variant, match arm, and test). The previous thread's Cross.toml concern is resolved because libudev is no longer pulled in on musl. The test fix using cfg!() is a compile-time evaluation, which is correct. No files require special attention. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Release Matrix] --> B{target_env}
B -->|gnu| C[x86_64/aarch64-linux-gnu\ncross + libudev-dev via Cross.toml]
B -->|musl| D[x86_64/aarch64-linux-musl\ncross, no libudev needed]
D --> E{build/generate_providers.rs\nCARGO_CFG_TARGET_ENV == musl?}
E -->|yes| F[Skip fido2.toml\nGenerate providers without FIDO2]
E -->|no| G[Include fido2.toml\nGenerate all providers]
F --> H[Cargo.toml\ncfg-not-musl dep:\nctap-hid-fido2 excluded]
F --> I[src/providers/mod.rs\ncfg-gate: pub mod fido2 excluded]
F --> J[src/commands/provider/mod.rs\ncfg-gate: ProviderType::Fido2 excluded]
F --> K[src/commands/provider/add.rs\ncfg-gate: Fido2 match arm excluded]
G --> L[All providers compiled\nincluding FIDO2]
Reviews (3): Last reviewed commit: "test(musl): exclude fido2 from provider/..." | Re-trigger Greptile |
| - target: x86_64-unknown-linux-musl | ||
| os: ubuntu-latest | ||
| build-tool: cross | ||
| - target: aarch64-unknown-linux-musl | ||
| os: ubuntu-latest | ||
| build-tool: cross |
There was a problem hiding this comment.
The repo's Cross.toml installs libudev-dev before building the gnu targets because ctap-hid-fido2 (via hidapi) requires udev on Linux. The new musl targets have no corresponding pre-build entries, and there's no musl-compatible static libudev available — apt-installing libudev-dev inside a musl cross image would link the glibc variant and break the static build. Unless ctap-hid-fido2/hidapi is conditionally excluded for *-musl targets (e.g. via a Cargo feature flag or cfg target), these matrix jobs will fail at link time with the same missing-udev error the gnu targets had before Cross.toml was added.
ctap-hid-fido2 → hidapi → libudev cannot be statically linked into musl binaries (apt-installing libudev-dev inside a cross musl image links the glibc variant and breaks the static build). On musl targets: - Move ctap-hid-fido2 to a target-specific dep (cfg(not(target_env = "musl"))) - Gate `pub mod fido2;` and the fido2 import in providers/mod.rs - Gate ProviderType::Fido2 and its add-command match arm - Skip providers/fido2.toml in the build-script codegen so the generated ProviderConfig and dispatch tables don't reference it Verified `cargo tree --target x86_64-unknown-linux-musl` no longer pulls ctap-hid-fido2 or hidapi, while the gnu target tree is unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Addressed Greptile P1: musl builds now exclude the fido2 provider so they don't pull Changes in 3e0c397:
Verified locally: So musl builds shouldn't need the libudev pre-build step that the gnu targets use. No Trade-off: musl binaries won't have the fido2 provider. That seems acceptable since musl/Alpine deployments are typically headless containers without USB hardware-key access; users who need fido2 on musl can build from source on a glibc host or wait for a future libusb-static backend. Re Gemini's review — those comments are reviewing the stale |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 3e0c397. Configure here.
provider_add_types_match_provider_definitions reads providers/*.toml from disk and asserts the names match ProviderType::value_variants(). Since the Fido2 variant is cfg-gated out on musl but fido2.toml is still on disk, the assertion failed. Mirror the gate in the test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
### 🚜 Refactor - extract providers and core types into fnox-core crate by [@jdx](https://github.com/jdx) in [#458](#458) ### 📚 Documentation - prefix star count with ★ glyph and populate it on deploy by [@jdx](https://github.com/jdx) in [#447](#447) - add favicons and web app manifest by [@jdx](https://github.com/jdx) in [#448](#448) ### 🔍 Other Changes - **(docs)** remove shrill.en.dev analytics script by [@jdx](https://github.com/jdx) in [#457](#457) - **(release)** add musl Linux targets for Alpine compatibility by [@jdx](https://github.com/jdx) in [#452](#452) - add plausible analytics by [@jdx](https://github.com/jdx) in [#451](#451) - bump hk to 1.44.3 by [@jdx](https://github.com/jdx) in [#454](#454) ### 📦️ Dependency Updates - update autofix-ci/action action to v1.3.4 by [@renovate[bot]](https://github.com/renovate[bot]) in [#455](#455) - update apple-actions/import-codesign-certs action to v7 by [@renovate[bot]](https://github.com/renovate[bot]) in [#456](#456)
Summary
x86_64-unknown-linux-muslandaarch64-unknown-linux-muslto the release build matrix in.github/workflows/release.yml.cannot execute: required file not found(missinglibudev.so.1, glibc symbol__res_init).Why
Alpine and other musl-based distros can't run glibc-linked binaries — even with
gcompat, some glibc-only symbols like__res_initaren't satisfied. Shipping native musl artifacts is the standard fix.No source changes needed:
openssl-sysanddbusare already vendored for Linux at Cargo.toml:82-86, andcross(already in use for the gnu targets) supports musl out of the box and produces statically linked binaries.taiki-e/upload-rust-binary-actionhandles musl artifact naming transparently.Notes for reviewer
keyringcrate'ssync-secret-servicefeature) compiles fine on musl with vendored dbus. At runtime on a headless Alpine container it'll fail to find a session bus — but that's the existing behavior on any headless Linux, not a musl-specific regression. Alpine users who need a keychain-equivalent should use age/pass/cloud providers.dbus/openssl-sysbuild fails on the cross musl images (cmake/pkg-config not present), the fallback is aCross.tomlat the repo root with apre-buildstep to install them. Not added preemptively — try the simpler change first.Test plan
dry-run: truealready, so it builds without uploading until a real tag is pushed).fnox-*-x86_64-unknown-linux-musl.tar.gzartifact from the workflow run and verify it executes insidealpine:3:v*tag will publish musl binaries alongside the gnu ones — update the discussion to point Alpine users at the new artifacts.🤖 Generated with Claude Code
Note
Medium Risk
Moderate build/release pipeline change plus conditional compilation that removes the
fido2provider on musl targets; risk is mainly missed cfg sync causing build failures or provider-list drift on certain targets.Overview
Adds
x86_64-unknown-linux-muslandaarch64-unknown-linux-muslto the GitHub Actions release build matrix so tagged releases also produce musl-compatible Linux binaries.To make musl builds succeed, the PR gates the
ctap-hid-fido2dependency and thefido2provider behindcfg(not(target_env = "musl")), and updates provider code generation/tests to skipproviders/fido2.tomlwhen targeting musl so generated enums/instantiation remain consistent.Reviewed by Cursor Bugbot for commit 31d7bc3. Bugbot is set up for automated code reviews on this repo. Configure here.