Skip to content

ci(release): add musl static Linux builds (glibc-independent)#75

Merged
0xMassi merged 1 commit into
mainfrom
feat/musl-static-builds
Jun 27, 2026
Merged

ci(release): add musl static Linux builds (glibc-independent)#75
0xMassi merged 1 commit into
mainfrom
feat/musl-static-builds

Conversation

@0xMassi

@0xMassi 0xMassi commented Jun 27, 2026

Copy link
Copy Markdown
Owner

Closes #73.

Why

After #74 the gnu Linux binaries are floored at glibc 2.35 — still won't run on Amazon Linux 2023 / RHEL 9 (glibc 2.34), Alpine, or anything older. This adds fully static musl builds that run on any Linux regardless of glibc.

What

Adds x86_64-unknown-linux-musl + aarch64-unknown-linux-musl to the release build matrix, built with cargo-zigbuild (zig as the C/C++ cross-compiler for BoringSSL).

Key insight from investigating #73: a native Alpine build doesn't work — rust:alpine compiles build-scripts as static-musl, and a static binary can't dlopen libclang, so bindgen dies. Cross-compiling from a glibc host fixes it: build-scripts run as glibc (libclang loads), only the final artifact is linked static-musl.

musl assets ship alongside the gnu ones (gnu stays the default — musl's allocator/DNS resolver are a bit slower for a network-heavy workload; musl is the runs-anywhere fallback). Downstream jobs need no changes: release globs *.tar.gz so musl assets are checksummed + uploaded automatically, while docker/homebrew enumerate gnu targets explicitly and ignore musl.

Validation (Docker)

Built webclaw-mcp for aarch64-unknown-linux-musl via cargo zigbuild — fully static (ldd: not a dynamic executable, zero NEEDED libs), then ran it with a real MCP initialize handshake across:

Distro libc Static musl
Alpine 3.20 musl ✅ PASS
Debian 11 glibc 2.31 ✅ PASS
Debian 12 glibc 2.36 ✅ PASS
Amazon Linux 2023 glibc 2.34 ✅ PASS
Ubuntu 24.04 glibc 2.39 ✅ PASS

Runs everywhere, including where both the current release and the #74 glibc-2.35 build fail.

⚠️ Caveat

The build job only runs on tag push, so this YAML couldn't be exercised by PR CI. The build mechanism (cargo-zigbuild → static musl, incl. BoringSSL) is Docker-validated above, but the exact runner steps (zig install via pip ziglang, cargo install cargo-zigbuild) run for real only on the first tagged release — worth watching that release run, or cutting a throwaway v*-rc tag to confirm before relying on it.

Follow-up (optional, not in this PR)

Teach create-webclaw to fall back to the musl asset when the host glibc is < 2.35, so AL2023 / RHEL 9 users get a working auto-install.

🤖 Generated with Claude Code

The gnu Linux binaries are glibc-floored (2.35 after #74), so they still
won't run on Amazon Linux 2023 / RHEL 9 (glibc 2.34), Alpine, or anything
older. Add fully static musl builds that run on ANY Linux regardless of
glibc.

Adds x86_64-unknown-linux-musl and aarch64-unknown-linux-musl to the build
matrix, built with cargo-zigbuild (zig as the C/C++ cross-compiler for
BoringSSL). Build scripts (bindgen) run as the glibc host so libclang loads,
and the linked output is fully static. A native Alpine build can't do this —
its static build scripts can't dlopen libclang.

musl assets ship ALONGSIDE the gnu ones (gnu stays default; musl is the
runs-anywhere fallback). The release job globs *.tar.gz, so the new assets
are checksummed + uploaded automatically; the docker/homebrew jobs enumerate
gnu targets explicitly and are unaffected.

Validated in Docker: cargo-zigbuild produced a fully static aarch64-musl
webclaw-mcp (ldd: not a dynamic executable) that answered an MCP handshake on
Alpine, Debian 11 (glibc 2.31), Debian 12, Amazon Linux 2023 (2.34), and
Ubuntu 24.04 — everywhere, including where the gnu builds fail.

Closes #73

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@0xMassi 0xMassi merged commit 1d49b44 into main Jun 27, 2026
4 checks passed
@0xMassi 0xMassi deleted the feat/musl-static-builds branch June 27, 2026 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Linux release binaries require glibc 2.38+ — fail on Debian 12 / Ubuntu 22.04 / Amazon Linux 2023

1 participant