fix(release): restore PAM RDP and ship statically linked binaries #222
PR #191's release pipeline flipped the linux builds from CGO_ENABLED=0 to CGO_ENABLED=1 to link the Rust IronRDP bridge. With CGO on, the Go linker hands off to gcc, which dynamically links against the build host's glibc. v0.43.80 ended up with a GLIBC_2.39 floor from the ubuntu-24.04 GitHub runner, breaking ~80% of customer environments (Ubuntu 22.04, RHEL 8/9, Amazon Linux, Alpine, distroless/static).

Switch the linux RDP builds to musl-static so the binary is fully self-contained again, matching pre-PAM portability:

- build-rdp-bridge.yml: linux Rust matrix swapped from *-linux-gnu* to *-linux-musl* (windows-gnu kept).
- goreleaser.yaml: each linux-*-rdp build entry uses CC=<triple>-unknown-linux-musl-gcc, points CGO_LDFLAGS at the musl target dir, adds -extldflags '-static' to ldflags, and adds osusergo,netgo to build tags to keep Go's pure-Go user/DNS resolvers (matching pre-RDP behaviour and sidestepping musl's NSS-less getaddrinfo).
- release_build_infisical_cli.yml: install musl cross-toolchains from cross-tools/musl-cross GitHub releases (CDN-backed, replaces the unreliable musl.cc single-host mirror); pinned to release 20260430. curl retries kept for any network blips.
- README.md (rust bridge): updated example triples.

Adds a release-time gate: every linux RDP binary in dist/ must be 'statically linked', and the amd64 binary must --version cleanly across a matrix of older / minimal distros (Ubuntu 20.04+, RHEL 8+, Amazon Linux 2+, Alpine, distroless/static). A regression of the v0.43.80 shape now blocks publish.

The Alpine Docker images and the .apk package are fixed for free since copying a musl-static binary into Alpine works cleanly.

No Go or Rust source code changed beyond restoring the RDP feature.
| curl --retry 5 --retry-delay 10 --retry-all-errors \ | ||
| --connect-timeout 30 --max-time 240 \ | ||
| -fsSL "https://github.com/cross-tools/musl-cross/releases/download/${MUSL_CROSS_TAG}/${triple}.tar.xz" \ | ||
| | sudo tar -xJ -C /opt/musl-cross |
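Review bot: `--retry-all-errors` on the first line is combined with a pipe into `sudo tar -xJ` on the last line, and curl cannot take back bytes it has already written to a pipe when it retries, so a retried or truncated transfer can reach tar as duplicated or partial data. tar then unpacks it as root into /opt/musl-cross while the stream is still arriving, and whether a curl failure fails the step depends on pipefail, which is not visible here. Suggest writing the archive to a file with `-o`, checking it, and extracting only after the download has completed successfully.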
Here we download musl-cross pinned to a specific tag, but there's no hash/checksum verification, meaning that a supply chain attack is still possible since tags are mutable.
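One way to close the gap raised in the review comment above, as an added example that is not part of the PR or the project's workflow: download to a file, compare its SHA-256 against a pin committed to the repository, and extract only on a match. The pin-file format and the function names (`lookup_pin`, `verify_and_extract`, `fetch_toolchain`) are assumptions; the curl flags and URL pattern are the ones shown in the hunk.

```sh
# Added example, not the project's workflow code. Pin file format (assumed):
# "<sha256>  <archive-name>" per line, as written by sha256sum, committed to the repo.

# lookup_pin PINFILE NAME: print the digest pinned for NAME; fail unless exactly one entry.
lookup_pin() {
  awk -v n="$2" '$2 == n { c++; h = $1 } END { if (c != 1) exit 1; print h }' "$1"
}

# verify_and_extract ARCHIVE PINFILE DEST: extract only if the digest matches the pin.
# Returns 2 when no unique pin exists, 3 on digest mismatch; DEST is untouched in both cases.
verify_and_extract() {
  ve_archive=$1 ve_pins=$2 ve_dest=$3
  ve_want=$(lookup_pin "$ve_pins" "$(basename "$ve_archive")") || {
    echo "no unique pin for $ve_archive" >&2
    return 2
  }
  ve_got=$(sha256sum "$ve_archive" | awk '{ print $1 }')
  if [ "$ve_got" != "$ve_want" ]; then
    echo "sha256 mismatch for $ve_archive: got $ve_got, want $ve_want" >&2
    return 3
  fi
  # GNU tar detects the compression (.tar.xz included) on its own with -xf.
  mkdir -p "$ve_dest" && tar -xf "$ve_archive" -C "$ve_dest"
}

# fetch_toolchain TRIPLE PINFILE DEST: download to a file first (no pipe into tar),
# so a truncated or retried transfer is never unpacked before it has been checked.
fetch_toolchain() {
  ft_tmp=$(mktemp -d) || return 1
  ft_file="$ft_tmp/$1.tar.xz"
  ft_rc=0
  {
    curl --retry 5 --retry-delay 10 --retry-all-errors \
         --connect-timeout 30 --max-time 240 -fsSL -o "$ft_file" \
         "https://github.com/cross-tools/musl-cross/releases/download/${MUSL_CROSS_TAG}/$1.tar.xz" \
      && verify_and_extract "$ft_file" "$2" "$3"
  } || ft_rc=$?
  rm -rf "$ft_tmp"
  return "$ft_rc"
}
```

The pin file is generated once from archives that have been inspected and is changed only through review, so a re-pointed tag or replaced release asset fails the build instead of reaching the compiler.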
Description 📣
Restores PRs #191 + #203 (reverted in #221) and fixes the dynamic-linkage regression that triggered the revert. The CGO-on flip silently introduced a host-toolchain dependency on every platform — glibc 2.39 floor on linux, mingw runtime DLLs on windows, macOS 15 SDK floor on darwin. This PR pins all three to portable floors (linux musl-static, windows mingw -static, macOS deployment target 11.0) and adds a release-time smoke-test gate that blocks publish if the linux binary doesn't run on the supported distro matrix.
Type ✨
Tests 🛠️
Verified via dry-run 25520827699. The linux amd64 binary --versions cleanly on Ubuntu 14.04 → 24.04, RHEL/Rocky 7/8/9, Amazon Linux 1/2/2023, Alpine 3.5+, distroless/static, and busybox; v0.43.80 fails on all of these except ubuntu:24.04. End-to-end RDP tested against a real Windows EC2 target.