This repository was archived by the owner on Jan 30, 2026. It is now read-only.

feat: add musl static binaries for linux #200

Merged
infiniteregrets merged 1 commit into main from m/libc
Jan 20, 2026

@infiniteregrets (Member) commented Jan 20, 2026

S2-916

When someone tries to run the binary on a system with an older glibc version:

they may get this:

s2: /lib/aarch64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found (required by s2)

so we can provide statically linked binaries

@infiniteregrets infiniteregrets requested a review from a team as a code owner January 20, 2026 03:04

greptile-apps bot commented Jan 20, 2026

Greptile Summary

This PR adds support for building static musl binaries for Linux on both x86_64 and aarch64 architectures, enabling better portability across different Linux distributions.

Key Changes:

  • Added x86_64-unknown-linux-musl target using musl-tools from apt
  • Added aarch64-unknown-linux-musl target with external toolchain from musl.cc
  • Configured appropriate linker for aarch64-musl builds

Security Concern:

  • The aarch64-musl toolchain is downloaded from an external source without checksum verification, which poses a supply chain security risk

Confidence Score: 3/5

  • The PR is functional but has a security concern with unverified external toolchain download
  • The implementation correctly adds musl targets and follows the existing pattern for cross-compilation. However, the aarch64-musl toolchain is downloaded from an external source without checksum verification, which is a supply chain security risk. The x86_64-musl implementation is safe as it uses official apt packages.
  • Pay attention to .github/workflows/release.yml line 33 where the external toolchain is downloaded without verification

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/release.yml | Adds musl static binary targets for Linux (x86_64 and aarch64), downloads external toolchain for aarch64-musl |

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Build as Build Job
    participant Rust as Rust Toolchain
    participant Deps as Dependencies
    participant Cargo as Cargo Build
    participant Artifact as Artifact Storage

    Note over GH,Artifact: New: musl targets added
    
    GH->>Build: Trigger on tag push
    Build->>Rust: Setup Rust with target
    
    alt x86_64-musl target
        Build->>Deps: Install musl-tools via apt
    else aarch64-musl target
        Build->>Deps: Download aarch64-musl-cross toolchain
        Deps->>Deps: Extract and add to PATH
        Build->>Build: Set CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER
    end
    
    Build->>Cargo: cargo build --release --target
    Cargo-->>Build: Binary artifact
    Build->>Build: Zip binary
    Build->>Artifact: Upload artifact
    
    Note over GH,Artifact: Artifacts used by create_release job

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

deps: |
sudo apt-get update
sudo apt-get install -y wget
wget -q https://musl.cc/aarch64-linux-musl-cross.tgz

logic: Downloading toolchain from external source without checksum verification. Consider verifying the archive's integrity or pinning to a specific checksum to prevent supply chain attacks.

Suggested change
wget -q https://musl.cc/aarch64-linux-musl-cross.tgz
wget -q https://musl.cc/aarch64-linux-musl-cross.tgz
echo "EXPECTED_SHA256 aarch64-linux-musl-cross.tgz" | sha256sum -c -

@infiniteregrets infiniteregrets merged commit 32270bd into main Jan 20, 2026
6 checks passed
@infiniteregrets infiniteregrets deleted the m/libc branch January 20, 2026 03:09
@greptile-apps greptile-apps bot mentioned this pull request Jan 20, 2026
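
The checksum pin suggested in the review comment above, written as a fail-closed helper for the `deps` step. This is an added example, not code from this repository or from the review bot; the function names `verify_sha256` and `fetch_pinned` are hypothetical, and the digest in the usage comment is a placeholder because the page does not give one.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 pinning for a downloaded build toolchain.
set -u

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX.
# A malformed pin (for example a placeholder left unfilled) returns 2, so it
# is reported as a configuration error rather than as a digest mismatch.
verify_sha256() {
  local file=$1 expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]*|'') echo "pin is not hex: $2" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "pin is not 64 hex chars" >&2; return 2; }
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
  if [ "$actual" != "$expected" ]; then
    echo "SHA-256 mismatch for $file: got $actual" >&2
    return 1
  fi
}

# fetch_pinned URL DEST EXPECTED_HEX
# Downloads to a temporary name and moves it to DEST only after the digest
# matches, so a later step can never unpack an unverified archive.
fetch_pinned() {
  local url=$1 dest=$2 pin=$3 tmp
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  if wget -q -O "$tmp" "$url" && verify_sha256 "$tmp" "$pin"; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage in the deps step (the pin below is a placeholder, not a real digest):
#   fetch_pinned https://musl.cc/aarch64-linux-musl-cross.tgz \
#     aarch64-linux-musl-cross.tgz "<sha256-recorded-when-the-archive-was-vetted>"
```

Once a pin is in place, any change to the file served at that URL stops the release build until someone vets the new archive and updates the digest.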