From 027fc1f9ddc2f9b667edde1a3ce24600033ee595 Mon Sep 17 00:00:00 2001
From: KaraZajac <kara@soulstone.org>
Date: Sat, 23 May 2026 00:30:13 -0400
Subject: [PATCH] release.yml: add static-musl x86_64 build (Alpine)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a third matrix job that builds a static-musl binary on Alpine
so future tags ship 4 assets per arch: dynamic + static.

The dynamic x86_64 build (gcc on ubuntu-latest) hits a glibc-version
ceiling — built against glibc 2.39, refuses to run on Debian 12
(2.36), RHEL 8/9, etc. install.sh now fetches the static asset by
default for x86_64; the dynamic remains available via
SKELETONKEY_DYNAMIC=1.

Static build details:
- Alpine container (native musl + linux-headers from apk).
- -DMSG_COPY=040000 covers the only musl-vs-glibc gap
  (netfilter_xtcompat uses MSG_COPY, which is a Linux-kernel
  constant that glibc exposes but musl omits — kernel header:
  include/uapi/linux/msg.h).
- LDFLAGS=-static produces a static-PIE ELF (~1.2 MB).
- Cross-distro verified locally: Alpine-built binary runs on
  Debian/Ubuntu/Fedora/RHEL.

Locally-built static binary was uploaded to v0.6.2 by hand to
unblock the one-liner installer immediately.
---
 .github/workflows/release.yml | 43 ++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a39d461..ba60b94 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -59,8 +59,47 @@ jobs:
             skeletonkey-${{ matrix.target }}
             skeletonkey-${{ matrix.target }}.sha256
 
+  # Portable static-musl build for x86_64. Runs in Alpine (native
+  # musl + linux-headers) so the resulting binary works on every
+  # libc — glibc 2.x of any version, musl, etc. This is what
+  # install.sh fetches by default (the dynamic binary above hits a
+  # glibc-version ceiling on older distros like Debian 12 / RHEL 8).
+  build-static-x86_64:
+    runs-on: ubuntu-latest
+    name: build (x86_64-static / musl)
+    container:
+      image: alpine:latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: install build deps
+        run: |
+          apk add --no-cache build-base linux-headers tar
+
+      - name: build static (musl)
+        run: |
+          # MSG_COPY is a Linux-only SysV msg flag that glibc defines
+          # but musl does not — netfilter_xtcompat needs it. Define
+          # the kernel constant explicitly. (Kernel: include/uapi/
+          # linux/msg.h: MSG_COPY = 040000)
+          make CFLAGS="-O2 -Wall -Wextra -Wno-unused-parameter -Wno-pointer-arith -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -DMSG_COPY=040000" LDFLAGS=-static
+          file skeletonkey
+          ls -la skeletonkey
+
+      - name: rename + checksum
+        run: |
+          mv skeletonkey skeletonkey-x86_64-static
+          sha256sum skeletonkey-x86_64-static > skeletonkey-x86_64-static.sha256
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: skeletonkey-x86_64-static
+          path: |
+            skeletonkey-x86_64-static
+            skeletonkey-x86_64-static.sha256
+
   release:
-    needs: build
+    needs: [build, build-static-x86_64]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -114,6 +153,8 @@ jobs:
           files: |
             skeletonkey-x86_64
             skeletonkey-x86_64.sha256
+            skeletonkey-x86_64-static
+            skeletonkey-x86_64-static.sha256
             skeletonkey-arm64
             skeletonkey-arm64.sha256
             install.sh