fix(build): lock musl outputs to fully static linking in build script and CI workflows#2330
Merged
fix(build): lock musl outputs to fully static linking in build script and CI workflows#2330
Conversation
9 tasks
9 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens musl build outputs to be fully statically linked by centralizing musl linker flags, enforcing external static link mode, and adding CI + script-level verification to fail fast if any musl artifact ends up dynamically linked.
Changes:
- Centralizes musl static
-ldflagsinbuild.shand applies them across musl build paths, plus adds per-artifact static verification. - Forces musl builds to prefer static external linking via
CGO_LDFLAGS=-staticand CI/action configuration (static-link-for-musl: true). - Adds
readelf-based CI verification steps to block publishing dynamic musl binaries.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| build.sh | Adds centralized musl ldflags helper + static-binary assertion; applies static flags across musl build targets. |
| .github/workflows/build.yml | Forces musl ldflags/static-link mode in PR builds and adds a musl static verification step. |
| .github/workflows/beta_release.yml | Forces musl ldflags/static-link mode in beta release builds and adds a musl static verification step over produced artifacts. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jyxjjj
approved these changes
Apr 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description / 描述
在构建脚本中统一 musl 的 ldflags,并强制外部静态链接模式。
在构建脚本中增加产物静态性校验,若出现动态链接则立即失败。
在 Beta Release 工作流中为 musl 矩阵显式设置静态 ldflags。
显式开启 cgo-actions 的 static-link-for-musl。
在工作流中增加 readelf 静态校验步骤,防止动态 musl 产物被打包发布。
保持现有 x-flags 注入逻辑,不影响非 musl 目标行为。
Motivation and Context / 背景
部分 musl 目标在某些构建路径下出现了动态链接产物,导致在无兼容 musl 运行时/加载器环境中无法执行。
本次修改通过参数锁定和校验步骤双重保证静态产物,并在 CI 阶段及时拦截回归
fix #2296
How Has This Been Tested? / 测试
已在脚本与 CI 工作流中加入确定性的静态校验(readelf 解释器段检测)。
全量跨平台产物结果将通过后续 CI 运行进一步确认。
Checklist / 检查清单
我已阅读 CONTRIBUTING 文档。
go fmtor prettier.我已使用
go fmt或 prettier 格式化提交的代码。我已为此 PR 添加了适当的标签(如无权限或需要的标签不存在,请在描述中说明,管理员将后续处理)。
我已在适当情况下使用"Request review"功能请求相关代码作者进行审查。
我已相应更新了相关仓库(若适用)。