ci: add musl Linux targets to release builds

[jdx]

Summary

• Adds x86_64-unknown-linux-musl and aarch64-unknown-linux-musl to the release matrix so fnox can run on Alpine Linux and other musl-based distros
• Uses the existing cross build-tool path (same as the glibc targets)

Why

Discussion #428 reports that fnox fails on Alpine with cannot execute: required file not found — the error you get when a dynamically-linked glibc binary is run on a musl system. The current release only ships linux-gnu binaries, so mise-installed fnox can't run on Alpine.

The project is already set up for this: Cargo.toml already vendors OpenSSL and dbus for Linux cross-compilation, and taiki-e/upload-rust-binary-action handles musl targets via cross.

Reviewer notes

• keyring pulls in libdbus via sync-secret-service — already vendored, so it should build; users on Alpine who want the keychain provider will still need libsecret at runtime
• arboard (TUI clipboard) won't have X11/Wayland in a headless Alpine container — clipboard copy will no-op there, which is fine
• Worth watching the first release run to confirm both musl targets build cleanly before closing Error running fnox on alpine (musl) #428

Test plan

• Release workflow builds both musl targets successfully
• Download the musl tarball and verify fnox --version runs on an Alpine container

🤖 Generated with Claude Code

---

Note

Medium Risk
Moderate risk because it changes the release build matrix and cross-compilation setup, which could cause CI failures or missing/incorrect release artifacts if the new targets don’t build cleanly.

Overview
Adds x86_64-unknown-linux-musl and aarch64-unknown-linux-musl to the GitHub Actions release build matrix so releases produce musl-linked Linux artifacts alongside existing glibc builds.

Updates Cross.toml with per-target pre-build steps for the new musl targets (installing libudev-dev, including multi-arch setup for aarch64) to support successful cross compilation.

^{Reviewed by Cursor Bugbot for commit c1f004a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[gemini-code-assist]

Code Review

This pull request adds the communique tool to the configuration and introduces a mise.lock file. However, the linux-arm64-musl entry in the lock file incorrectly points to a gnu binary, which will fail on musl-based systems. Additionally, the CI workflow changes mentioned in the PR description are missing from the current implementation.

[gemini-code-assist]

The pull request description states that x86_64-unknown-linux-musl and aarch64-unknown-linux-musl are being added to the release matrix. However, the current diff only includes changes to mise.toml and mise.lock for the communique tool. The actual modifications to the CI release workflow (e.g., .github/workflows/release.yml) or Cargo.toml that would implement these new build targets are missing from this pull request.

[gemini-code-assist]

The linux-arm64-musl platform entry for communique incorrectly points to the gnu target binary (communique-aarch64-unknown-linux-gnu.tar.gz) and uses its checksum. This binary will fail to execute on musl-based distributions like Alpine Linux due to the missing glibc dependency. If a musl-specific binary is available for communique, this entry should be updated with the correct URL and checksum; otherwise, it should be removed to avoid providing a broken tool in musl environments.

[greptile-apps]

Greptile Summary

This PR adds x86_64-unknown-linux-musl and aarch64-unknown-linux-musl to the release matrix so Alpine Linux users get natively-linked binaries, and bundles a TUI match-arm refactor (guards lifted out of arm bodies) that is unrelated to the musl work. The musl CI additions are blocked by two open issues from the previous review round: the libudev-dev Debian package installed in Cross.toml is glibc-linked and cannot be used by the musl sysroot linker, and rustls's aws-lc-rs backend requires CMake/C++ tooling that the default cross musl images do not ship.

Confidence Score: 4/5

Safe to merge the TUI refactor portion, but the musl release targets will likely fail to build until the libudev-dev and aws-lc-rs toolchain issues are resolved.

Two P1 build-blocking issues flagged in prior review threads (libudev-dev glibc/musl ABI mismatch in Cross.toml, aws-lc-rs missing CMake in cross musl images) remain unaddressed. The tui/app.rs and tui/event.rs changes are correct. Score is 4 rather than lower because fail-fast is disabled so existing targets are unaffected, and the only new finding is a P2 style concern in event.rs.

Cross.toml — the musl pre-build steps copy the gnu libudev-dev pattern verbatim, which will produce a linker error at cross-compile time.

Important Files Changed

Filename	Overview
.github/workflows/release.yml	Adds x86_64-unknown-linux-musl and aarch64-unknown-linux-musl to the release matrix using cross; build success depends on resolving the libudev-dev/aws-lc-rs musl compatibility issues raised in prior threads.
Cross.toml	Adds pre-build steps for musl targets mirroring the gnu target setup; installs the glibc-linked libudev-dev into a musl sysroot, which will not link — this is the open P1 flagged in a prior review thread and has not yet been addressed.
src/tui/app.rs	Refactors nested if-inside-match-arm guards into inline match guards; all refactors are semantically equivalent and the _ => {} fallthrough handles previously-guarded-against cases correctly.
src/tui/event.rs	Refactors event dispatch arms to use match guards with send() as the guard condition; functionally correct but non-idiomatic since the send is a side effect inside the guard, making the forwarding intent non-obvious.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[git push tag] --> B[build-binaries matrix]
    B --> C[macOS arm64 / x86_64\ncargo]
    B --> D[Linux gnu arm64 / x86_64\ncross + Cross.toml pre-build]
    B --> E[Linux musl x86_64\ncross + Cross.toml pre-build\n⚠️ libudev-dev glibc mismatch]
    B --> F[Linux musl arm64\ncross + Cross.toml pre-build\n⚠️ libudev-dev glibc mismatch]
    B --> G[Windows msvc\ncargo]
    C & D & E & F & G --> H[upload-artifact]
    H --> I[create-release\ncollect + publish assets]
    I --> J[enhance-release\ncommunique AI notes]

Loading

_{Reviews (6): Last reviewed commit: "[autofix.ci] apply automated fixes (atte..." | Re-trigger Greptile}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c1f004a. Configure here.}

[cursor]

Glibc libudev-dev incompatible with musl cross-compilation targets

High Severity

The musl target sections install libudev-dev via apt-get, which provides glibc-linked libraries and objects. The hidapi crate (depended on by ctap-hid-fido2) requires libudev via pkg-config for its default linux-static-hidraw backend. When the musl linker attempts to link against glibc's libudev, it will fail due to ABI incompatibility. This configuration was copy-pasted from the glibc targets but is not valid for musl — musl targets need either a musl-compiled libudev (e.g., from Alpine's eudev-dev) or a different hidapi backend like linux-static-libusb.

 

^{Reviewed by Cursor Bugbot for commit c1f004a. Configure here.}