Phase 4 (partial): GitHub Actions build-check CI

- .github/workflows/build.yml: matrix of {gcc, clang} x {default,
  debug} builds on every push + PR. Smoke tests after build:
  --version, --list, --scan, --detect-rules auditd, --detect-rules
  sigma. Build failure breaks merge gate.
- Static-build job runs continue-on-error (glibc + NSS issue with
  static linking — getpwnam pulls in NSS at runtime; legacy DIRTYFAIL
  Makefile noted this. Revisit with musl-gcc to get a truly portable
  static binary).
- Kernel-VM matrix placeholder commented at the bottom of build.yml.
  Real kernel matrix needs self-hosted runners or a paid VM service —
  out of scope for tonight, in scope for Phase 4 followup.

.github/workflows/build.yml

@@ -0,0 +1,91 @@
+name: build
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        cc: [gcc, clang]
+        flavor: [default, debug]
+    name: build (${{ matrix.cc }} / ${{ matrix.flavor }})
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: install build deps
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y --no-install-recommends \
+            build-essential clang make linux-libc-dev
+
+      - name: show compiler
+        run: ${{ matrix.cc }} --version
+
+      - name: build
+        env:
+          CC: ${{ matrix.cc }}
+        run: |
+          if [ "${{ matrix.flavor }}" = "debug" ]; then
+            make debug
+          else
+            make
+          fi
+
+      - name: sanity — iamroot --version
+        run: ./iamroot --version
+
+      - name: sanity — iamroot --list
+        run: ./iamroot --list
+
+      - name: sanity — iamroot --scan (no exploit; just detect)
+        run: ./iamroot --scan --no-color || true
+        # exit code may be nonzero (vulnerable host = exit 2, missing
+        # precond = exit 4) — that's diagnostic data, not CI failure
+
+      - name: sanity — --detect-rules auditd
+        run: ./iamroot --detect-rules --format=auditd | head -50
+
+      - name: sanity — --detect-rules sigma
+        run: ./iamroot --detect-rules --format=sigma | head -50
+
+  # Static build job: ensures the project links cleanly when -static is
+  # requested. Useful for deployment to minimal containers / fleet scans
+  # where shared-libc availability isn't guaranteed.
+  static-build:
+    runs-on: ubuntu-latest
+    name: static-build
+    steps:
+      - uses: actions/checkout@v4
+      - name: install build deps
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y --no-install-recommends \
+            build-essential make linux-libc-dev libc6-dev
+      - name: make static
+        # Glibc static linking pulls in NSS at runtime which breaks
+        # getpwnam; the legacy DIRTYFAIL Makefile noted this. For now,
+        # we allow this job to fail loudly so we know if a regression
+        # makes the regular dynamic build also break, but we don't
+        # gate the merge on it. Migrate to musl-gcc when we want a
+        # truly portable static binary.
+        continue-on-error: true
+        run: make static && ls -la iamroot
+
+  # Phase 4 followup (placeholder): kernel-VM matrix. Each entry runs
+  # the binary against a VM running a specific (vulnerable or patched)
+  # kernel and asserts the correct detect() verdict + exploit behavior.
+  # Requires self-hosted runners or a paid VM service; not enabled yet.
+  #
+  # kernel-vm-matrix:
+  #   strategy:
+  #     matrix:
+  #       distro: [ubuntu-22.04, debian-11, alma-9, fedora-40]
+  #       kernel: [5.10.50, 5.13.0, 5.15.30, 6.1.x, 6.12.x]
+  #   runs-on: [self-hosted, kvm-host]
+  #   ...

ROADMAP.md

@@ -85,11 +85,18 @@ primitive** that other modules can chain. Bundled because:
       Future enhancement: auto-detect via /boot/System.map or
       /proc/kallsyms if accessible.
 
-## Phase 4 — CI matrix
+## Phase 4 — CI matrix (PARTIAL — build-check landed 2026-05-16)
 
+- [x] `.github/workflows/build.yml`: matrix of {gcc, clang} ×
+      {default, debug} builds on every push and PR. Includes smoke
+      tests: `--version`, `--list`, `--scan`, `--detect-rules` in
+      both auditd and sigma formats. Build failure breaks the merge
+      gate. Static-build job runs continue-on-error (glibc + NSS
+      issue; revisit with musl-gcc).
 - [ ] Distro+kernel VM matrix in GitHub Actions (Ubuntu 20.04 /
       22.04 / 24.04 / 26.04, Debian 11 / 12 / 13, Alma 8 / 9 / 10,
-      Fedora 39 / 40 / 41)
+      Fedora 39 / 40 / 41). Needs self-hosted runners or paid VM
+      service; placeholder commented in build.yml.
 - [ ] Each module's exploit runs against matched-vulnerable VMs and
       MUST land root; runs against patched VMs and MUST fail at
       detect step