Skip to content

Commit 6080bd7

Browse files
cscheidclaude
andauthored
fix(release): linux gnu fallback — rusty_v8 has no musl prebuilts (bd-c6l13j79) (#280)
v0.1.0 dry-run iteration 2 (run 27449454203): darwin x2 + windows all green end-to-end (iteration-1 fixes confirmed), but both linux musl legs died with HTTP 404 downloading the rusty_v8 prebuilt static lib — rusty_v8 (deno_core → quarto-system-runtime) publishes no musl archives, and building V8 from source in CI is a non-starter. Static musl is off the table for q2; braid could do it only because it ships no JS engine. - linux legs → x86_64/aarch64-unknown-linux-gnu on ubuntu-22.04 / ubuntu-22.04-arm (glibc 2.35 floor, documented in release notes) - new 'vendored-openssl' feature on crates/quarto (dep:openssl-sys + openssl-sys/vendored), enabled only by the linux release legs via a cargo_flags matrix field — release binaries carry no runtime libssl dependency; dev builds untouched (replaces the musl-scoped dep table) - musl-tools step dropped; keyring bundles still ship musl addons (gcompat'd Alpine users running musl node) actionlint clean; feature graph verified via cargo tree on the gnu target; default-feature build unaffected; Cargo.lock unchanged. Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
1 parent 8f44bcb commit 6080bd7

3 files changed

Lines changed: 60 additions & 22 deletions

File tree

.github/workflows/release.yml

Lines changed: 22 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -36,10 +36,12 @@
3636
# are injected from repo secrets/vars into the cargo build env —
3737
# release builds only; see crates/quarto-mcp-launcher/src/defaults.rs
3838
# for why the Desktop-app client secret is safe to embed.
39-
# - Linux targets are static musl; openssl is built from source via the
40-
# musl-scoped `openssl-sys/vendored` dep in crates/quarto/Cargo.toml.
41-
# If musl turns out unbuildable (aws-lc-sys is the known risk), flip
42-
# the matrix targets to *-unknown-linux-gnu — plan D4.
39+
# - Linux targets are gnu on the oldest available runners (glibc 2.35
40+
# floor). Static musl is impossible for q2: rusty_v8 (deno_core →
41+
# quarto-system-runtime) publishes no musl prebuilt archives — both
42+
# musl legs 404'd in the v0.1.0 dry-run (run 27449454203). The linux
43+
# legs build with `--features vendored-openssl` so the binary has no
44+
# runtime libssl dependency (plan D4).
4345
#
4446
# Signing key: MINISIGN_SECRET_KEY repo secret; the public half is pinned
4547
# in install.sh (MINISIGN_PUBKEY) and README. The sign step verifies its
@@ -184,31 +186,40 @@ jobs:
184186
# node), both mac archs (Rosetta mismatch: x64 q2 under an
185187
# arm64 node and vice versa), both win archs (arm64 Windows
186188
# runs x64 q2 under emulation with a native arm64 node).
189+
# cargo_flags: linux legs vendor openssl (no runtime libssl
190+
# dep); macOS/Windows TLS is security-framework/schannel, no
191+
# openssl involved. ubuntu-22.04 runners set the glibc floor
192+
# at 2.35.
187193
- platform: linux_amd64
188-
target: x86_64-unknown-linux-musl
189-
os: ubuntu-latest
194+
target: x86_64-unknown-linux-gnu
195+
os: ubuntu-22.04
190196
ext: tar.gz
191197
keyring: linux-x64-gnu,linux-x64-musl
198+
cargo_flags: --features vendored-openssl
192199
- platform: linux_arm64
193-
target: aarch64-unknown-linux-musl
194-
os: ubuntu-24.04-arm
200+
target: aarch64-unknown-linux-gnu
201+
os: ubuntu-22.04-arm
195202
ext: tar.gz
196203
keyring: linux-arm64-gnu,linux-arm64-musl
204+
cargo_flags: --features vendored-openssl
197205
- platform: darwin_amd64
198206
target: x86_64-apple-darwin
199207
os: macos-15 # arm64 runner; the x86_64 binary runs under Rosetta
200208
ext: tar.gz
201209
keyring: darwin-x64,darwin-arm64
210+
cargo_flags: ''
202211
- platform: darwin_arm64
203212
target: aarch64-apple-darwin
204213
os: macos-15
205214
ext: tar.gz
206215
keyring: darwin-arm64,darwin-x64
216+
cargo_flags: ''
207217
- platform: windows_amd64
208218
target: x86_64-pc-windows-msvc
209219
os: windows-latest
210220
ext: zip
211221
keyring: win32-x64-msvc,win32-arm64-msvc
222+
cargo_flags: ''
212223
steps:
213224
- uses: actions/checkout@v6
214225
with:
@@ -230,10 +241,6 @@ jobs:
230241
shell: bash
231242
run: rustup target add ${{ matrix.target }}
232243

233-
- name: Install musl-tools
234-
if: contains(matrix.target, 'musl')
235-
run: sudo apt-get update && sudo apt-get install -y musl-tools
236-
237244
- uses: Swatinem/rust-cache@v2
238245
with:
239246
key: release-${{ matrix.target }}
@@ -289,7 +296,7 @@ jobs:
289296
exit 1
290297
fi
291298
done
292-
cargo build --release --locked --target ${{ matrix.target }} -p quarto
299+
cargo build --release --locked --target ${{ matrix.target }} -p quarto ${{ matrix.cargo_flags }}
293300
294301
# Every target in the matrix can execute on its runner (musl
295302
# binaries are static; darwin x86_64 runs under Rosetta; windows
@@ -489,8 +496,8 @@ jobs:
489496
echo
490497
echo "| Platform | File |"
491498
echo "|---|---|"
492-
echo "| Linux x86_64 (static musl) | \`q2-${VERSION}-linux_amd64.tar.gz\` |"
493-
echo "| Linux ARM64 (static musl) | \`q2-${VERSION}-linux_arm64.tar.gz\` |"
499+
echo "| Linux x86_64 (glibc 2.35+) | \`q2-${VERSION}-linux_amd64.tar.gz\` |"
500+
echo "| Linux ARM64 (glibc 2.35+) | \`q2-${VERSION}-linux_arm64.tar.gz\` |"
494501
echo "| macOS Intel | \`q2-${VERSION}-darwin_amd64.tar.gz\` |"
495502
echo "| macOS Apple Silicon | \`q2-${VERSION}-darwin_arm64.tar.gz\` |"
496503
echo "| Windows x86_64 | \`q2-${VERSION}-windows_amd64.zip\` |"

claude-notes/plans/2026-06-12-q2-github-releases-bundled-mcp.md

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -393,6 +393,31 @@ legs failed, two distinct causes:
393393
darwin_arm64 (only leg whose target is host-default) ran the furthest —
394394
its outcome validates the downstream pipeline (defaults injection,
395395
verify gate, packaging, signing).
396+
397+
*Iteration 1 fixes:* PR #279 (merged as `8f44bcbb`): explicit
398+
`rustup target add` step; `shell: true` npm spawn on Windows in
399+
npmPackFetcher. darwin_arm64 then passed END-TO-END in iteration 1 —
400+
bundle, bundled defaults (verify gate green), tar.gz + sha256, minisign
401+
sign + self-verify all confirmed working on a real runner.
402+
403+
*Iteration 2 (run 27449454203, tag re-pushed at `8f44bcbb`):*
404+
darwin_arm64 ✓ again. **Both linux musl legs failed with HTTP 404
405+
downloading the rusty_v8 prebuilt static library** — rusty_v8
406+
(deno_core → quarto-system-runtime → pampa/quarto-core) publishes no
407+
musl archives, and building V8 from source in CI is a non-starter. So
408+
**D4's musl plan is dead for q2 — not openssl/aws-lc, but the JS
409+
engine braid doesn't have.** Resolution (D4 fallback, adjusted):
410+
- linux legs → `*-unknown-linux-gnu` on ubuntu-22.04 / ubuntu-22.04-arm
411+
(glibc 2.35 floor; documented in the release-notes table);
412+
- new `vendored-openssl` cargo feature on `crates/quarto`
413+
(`dep:openssl-sys` + `openssl-sys/vendored`), enabled only by the
414+
linux release legs via a `cargo_flags` matrix field, so release
415+
binaries never depend on the host's libssl and dev builds are
416+
untouched (replaces the musl-scoped dep table);
417+
- musl-tools step dropped.
418+
Alpine users: gnu binaries need gcompat; acceptable for now (the
419+
keyring bundle still ships musl addons for users running musl node
420+
against a gcompat'd q2 — 500 KB of insurance).
396421
- [ ] `install.sh` one-liner on a clean machine/container → `q2 --version`
397422
- [ ] `q2 mcp` with **no env vars set** connects to quarto-hub.com:
398423
browser consent → token → `connect_project` + `read_file` against a

crates/quarto/Cargo.toml

Lines changed: 13 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -44,16 +44,22 @@ tempfile = "3"
4444
# `xdg-open` on Linux, `cmd /C start` on Windows). No heavy transitive
4545
# tree.
4646
open = "5"
47+
# Only via the vendored-openssl feature (see [features]); never a
48+
# direct code dependency.
49+
openssl-sys = { version = "0.9", optional = true }
4750

4851
[build-dependencies]
4952

50-
# Static-musl release builds (release plan D4, bd-c6l13j79): samod →
51-
# tokio-tungstenite(native-tls) → openssl-sys needs an openssl to link,
52-
# and no musl-built system openssl exists on the runners — build it
53-
# from source into the static binary. cfg-scoped so native dev builds
54-
# (glibc/macOS/Windows) are untouched.
55-
[target.'cfg(target_env = "musl")'.dependencies]
56-
openssl-sys = { version = "0.9", features = ["vendored"] }
53+
[features]
54+
# Release-build knob (plan D4, bd-c6l13j79): samod →
55+
# tokio-tungstenite(native-tls) → openssl-sys links openssl on Linux;
56+
# without this feature the binary picks up a runtime dependency on the
57+
# build host's libssl. The release workflow's linux legs enable it so
58+
# openssl is built from source and linked statically; dev builds are
59+
# untouched. (Static *musl* is off the table entirely: rusty_v8, via
60+
# deno_core → quarto-system-runtime, publishes no musl prebuilt
61+
# archives — both linux legs 404'd in the v0.1.0 dry-run.)
62+
vendored-openssl = ["dep:openssl-sys", "openssl-sys/vendored"]
5763

5864
[dev-dependencies]
5965
tempfile = "3"

0 commit comments

Comments
 (0)