ci(release): add musl static Linux builds (glibc-independent) #75
Merged
The gnu Linux binaries are glibc-floored (2.35 after #74), so they still won't run on Amazon Linux 2023 / RHEL 9 (glibc 2.34), Alpine, or anything older. Add fully static musl builds that run on ANY Linux regardless of glibc.
Adds x86_64-unknown-linux-musl and aarch64-unknown-linux-musl to the build matrix, built with cargo-zigbuild (zig as the C/C++ cross-compiler for BoringSSL). Build scripts (bindgen) run as the glibc host so libclang loads, and the linked output is fully static. A native Alpine build can't do this — its static build scripts can't dlopen libclang.
musl assets ship ALONGSIDE the gnu ones (gnu stays default; musl is the runs-anywhere fallback). The release job globs *.tar.gz, so the new assets are checksummed + uploaded automatically; the docker/homebrew jobs enumerate gnu targets explicitly and are unaffected.
Validated in Docker: cargo-zigbuild produced a fully static aarch64-musl webclaw-mcp (ldd: not a dynamic executable) that answered an MCP handshake on Alpine, Debian 11 (glibc 2.31), Debian 12, Amazon Linux 2023 (2.34), and Ubuntu 24.04 — everywhere, including where the gnu builds fail.
Closes #73
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 27, 2026
Closes #73.
Why
After #74 the gnu Linux binaries are floored at glibc 2.35 — still won't run on Amazon Linux 2023 / RHEL 9 (glibc 2.34), Alpine, or anything older. This adds fully static musl builds that run on any Linux regardless of glibc.
What
Adds x86_64-unknown-linux-musl + aarch64-unknown-linux-musl to the release build matrix, built with cargo-zigbuild (zig as the C/C++ cross-compiler for BoringSSL).
Key insight from investigating #73: a native Alpine build doesn't work — rust:alpine compiles build-scripts as static-musl, and a static binary can't dlopen libclang, so bindgen dies. Cross-compiling from a glibc host fixes it: build-scripts run as glibc (libclang loads), only the final artifact is linked static-musl.
musl assets ship alongside the gnu ones (gnu stays the default — musl's allocator/DNS resolver are a bit slower for a network-heavy workload; musl is the runs-anywhere fallback). Downstream jobs need no changes: release globs *.tar.gz so musl assets are checksummed + uploaded automatically, while docker/homebrew enumerate gnu targets explicitly and ignore musl.
Validation (Docker)
Built webclaw-mcp for aarch64-unknown-linux-musl via cargo zigbuild — fully static (ldd: not a dynamic executable, zero NEEDED libs), then ran it with a real MCP initialize handshake across:
Runs everywhere, including where both the current release and the #74 glibc-2.35 build fail.
The build job only runs on tag push, so this YAML couldn't be exercised by PR CI. The build mechanism (cargo-zigbuild → static musl, incl. BoringSSL) is Docker-validated above, but the exact runner steps (zig install via pip ziglang, cargo install cargo-zigbuild) run for real only on the first tagged release — worth watching that release run, or cutting a throwaway v*-rc tag to confirm before relying on it.
Follow-up (optional, not in this PR)
Teach create-webclaw to fall back to the musl asset when the host glibc is < 2.35, so AL2023 / RHEL 9 users get a working auto-install.
🤖 Generated with Claude Code
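The "fully static, zero NEEDED libs" property from the validation above can be asserted on a release artifact before upload instead of being read off ldd output. This is an added example, not part of this PR or the project's code: it handles little-endian ELF64 only, and `build_sample` with its images is constructed for the demonstration.

```python
import struct

PT_DYNAMIC, PT_INTERP = 2, 3      # program header types
DT_NULL, DT_NEEDED = 0, 1         # dynamic table tags

def inspect_elf64(data: bytes) -> dict:
    """Report whether an ELF64 LE image requests a loader or shared libraries."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    has_interp, needed = False, 0
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            # Static-PIE binaries keep PT_DYNAMIC, so count DT_NEEDED entries
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, _val = struct.unpack_from("<qQ", data, off)
                if d_tag == DT_NULL:
                    break
                needed += d_tag == DT_NEEDED
    return {"interp": has_interp, "needed": needed}

def is_fully_static(data: bytes) -> bool:
    facts = inspect_elf64(data)
    return not facts["interp"] and facts["needed"] == 0

def build_sample(phdr_types, dyn_tags=()):
    """Constructed minimal ELF64 image (not a runnable binary), for the demo."""
    dyn = b"".join(struct.pack("<qQ", t, 0) for t in (*dyn_tags, DT_NULL))
    dyn_off = 64 + 56 * len(phdr_types)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 64, 0, 0, 64, 56, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0,
                    len(dyn) if t == PT_DYNAMIC else 0, 0, 8)
        for t in phdr_types)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # path to an extracted release binary
        image = fh.read()
    print(inspect_elf64(image), "static" if is_fully_static(image) else "DYNAMIC")
```

Run against each musl binary before the upload step and fail the job on a non-static result, so a toolchain change that silently reintroduces a dynamic dependency is caught at build time.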