fix(ci): use zig as musl C/C++ compiler for Linux CLI builds

Replace the Alpine Docker-in-Docker approach (Dockerfile.cli-musl) with
direct-on-host builds using zig cc/c++ to target musl.  This eliminates:

- Docker-in-Docker overhead and cache mount complexity
- The libclang dlopen failure in Alpine (static musl binaries cannot dlopen)
- ~15 min z3 C++ compilation without sccache

Zig provides a first-class musl-targeting C/C++ toolchain that avoids
glibc contamination (no _FORTIFY_SOURCE symbols) while running natively
on the glibc CI host where bindgen/libclang and sccache work normally.

Author: drew

.github/workflows/release-dev.yml

@@ -149,6 +149,11 @@ jobs:
 
   # ---------------------------------------------------------------------------
   # Build CLI binaries (Linux musl — static, native on each arch)
+  #
+  # Builds run directly on the CI host (glibc Ubuntu).  Zig provides a
+  # musl-targeting C/C++ compiler so that bundled-z3 produces musl-compatible
+  # objects without glibc contamination.  This avoids Docker-in-Docker and
+  # lets sccache work normally.
   # ---------------------------------------------------------------------------
   build-cli-linux:
     name: Build CLI (Linux ${{ matrix.arch }})
@@ -157,13 +162,13 @@ jobs:
       matrix:
         include:
           - arch: amd64
-            docker_platform: linux/amd64
             runner: build-amd64
             target: x86_64-unknown-linux-musl
+            zig_target: x86_64-linux-musl
           - arch: arm64
-            docker_platform: linux/arm64
             runner: build-arm64
             target: aarch64-unknown-linux-musl
+            zig_target: aarch64-linux-musl
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 60
     container:
@@ -172,8 +177,6 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
       options: --privileged
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock
     env:
       MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       SCCACHE_MEMCACHED_ENDPOINT: ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
@@ -189,29 +192,58 @@ jobs:
       - name: Fetch tags
         run: git fetch --tags --force
 
-      - name: Set up Docker Buildx
-        uses: ./.github/actions/setup-buildx
+      - name: Install tools
+        run: mise install
+
+      - name: Cache Rust target and registry
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
+        with:
+          shared-key: cli-musl-${{ matrix.arch }}
+          cache-directories: .cache/sccache
+          cache-targets: "true"
 
-      - name: Build ${{ matrix.target }} via Docker
+      - name: Add Rust musl target
+        run: mise x -- rustup target add ${{ matrix.target }}
+
+      - name: Set up zig-musl toolchain
         run: |
           set -euo pipefail
-          docker buildx build \
-            --platform "${{ matrix.docker_platform }}" \
-            --file deploy/docker/Dockerfile.cli-musl \
-            --build-arg TARGET_TRIPLE="${{ matrix.target }}" \
-            --build-arg OPENSHELL_CARGO_VERSION="${{ needs.compute-versions.outputs.cargo_version }}" \
-            --build-arg OPENSHELL_IMAGE_TAG=dev \
-            --build-arg CARGO_TARGET_CACHE_SCOPE="${{ github.sha }}" \
-            --target binary \
-            --output type=local,dest=out/ \
-            .
+          ZIG="$(mise which zig)"
+          mkdir -p /tmp/zig-musl
+          printf '#!/bin/sh\nexec "%s" cc --target=${{ matrix.zig_target }} "$@"\n' "$ZIG" > /tmp/zig-musl/cc
+          printf '#!/bin/sh\nexec "%s" c++ --target=${{ matrix.zig_target }} "$@"\n' "$ZIG" > /tmp/zig-musl/cxx
+          chmod +x /tmp/zig-musl/cc /tmp/zig-musl/cxx
+
+          # Tell cargo / cc-rs / cmake to use zig for the musl target
+          TARGET_ENV=$(echo "${{ matrix.target }}" | tr '-' '_')
+          echo "CC_${TARGET_ENV}=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
+          echo "CXX_${TARGET_ENV}=/tmp/zig-musl/cxx" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_${TARGET_ENV^^}_LINKER=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
+
+      - name: Scope workspace to CLI crates
+        run: |
+          set -euo pipefail
+          sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-prover", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
+
+      - name: Patch workspace version
+        if: needs.compute-versions.outputs.cargo_version != ''
+        run: |
+          set -euo pipefail
+          sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ needs.compute-versions.outputs.cargo_version }}"'"/}' Cargo.toml
+
+      - name: Build ${{ matrix.target }}
+        run: mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-cli --features bundled-z3
+
+      - name: sccache stats
+        if: always()
+        run: mise x -- sccache --show-stats
 
       - name: Package binary
         run: |
           set -euo pipefail
           mkdir -p artifacts
           tar -czf artifacts/openshell-${{ matrix.target }}.tar.gz \
-            -C out openshell
+            -C target/${{ matrix.target }}/release openshell
           ls -lh artifacts/
 
       - name: Upload artifact

.github/workflows/release-tag.yml

@@ -170,6 +170,11 @@ jobs:
 
   # ---------------------------------------------------------------------------
   # Build CLI binaries (Linux musl — static, native on each arch)
+  #
+  # Builds run directly on the CI host (glibc Ubuntu).  Zig provides a
+  # musl-targeting C/C++ compiler so that bundled-z3 produces musl-compatible
+  # objects without glibc contamination.  This avoids Docker-in-Docker and
+  # lets sccache work normally.
   # ---------------------------------------------------------------------------
   build-cli-linux:
     name: Build CLI (Linux ${{ matrix.arch }})
@@ -178,13 +183,13 @@ jobs:
       matrix:
         include:
           - arch: amd64
-            docker_platform: linux/amd64
             runner: build-amd64
             target: x86_64-unknown-linux-musl
+            zig_target: x86_64-linux-musl
           - arch: arm64
-            docker_platform: linux/arm64
             runner: build-arm64
             target: aarch64-unknown-linux-musl
+            zig_target: aarch64-linux-musl
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 60
     container:
@@ -193,8 +198,6 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
       options: --privileged
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock
     env:
       MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       SCCACHE_MEMCACHED_ENDPOINT: ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
@@ -211,29 +214,58 @@ jobs:
       - name: Fetch tags
         run: git fetch --tags --force
 
-      - name: Set up Docker Buildx
-        uses: ./.github/actions/setup-buildx
+      - name: Install tools
+        run: mise install
+
+      - name: Cache Rust target and registry
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
+        with:
+          shared-key: cli-musl-${{ matrix.arch }}
+          cache-directories: .cache/sccache
+          cache-targets: "true"
 
-      - name: Build ${{ matrix.target }} via Docker
+      - name: Add Rust musl target
+        run: mise x -- rustup target add ${{ matrix.target }}
+
+      - name: Set up zig-musl toolchain
         run: |
           set -euo pipefail
-          docker buildx build \
-            --platform "${{ matrix.docker_platform }}" \
-            --file deploy/docker/Dockerfile.cli-musl \
-            --build-arg TARGET_TRIPLE="${{ matrix.target }}" \
-            --build-arg OPENSHELL_CARGO_VERSION="${{ needs.compute-versions.outputs.cargo_version }}" \
-            --build-arg OPENSHELL_IMAGE_TAG="${{ needs.compute-versions.outputs.semver }}" \
-            --build-arg CARGO_TARGET_CACHE_SCOPE="${{ github.sha }}" \
-            --target binary \
-            --output type=local,dest=out/ \
-            .
+          ZIG="$(mise which zig)"
+          mkdir -p /tmp/zig-musl
+          printf '#!/bin/sh\nexec "%s" cc --target=${{ matrix.zig_target }} "$@"\n' "$ZIG" > /tmp/zig-musl/cc
+          printf '#!/bin/sh\nexec "%s" c++ --target=${{ matrix.zig_target }} "$@"\n' "$ZIG" > /tmp/zig-musl/cxx
+          chmod +x /tmp/zig-musl/cc /tmp/zig-musl/cxx
+
+          # Tell cargo / cc-rs / cmake to use zig for the musl target
+          TARGET_ENV=$(echo "${{ matrix.target }}" | tr '-' '_')
+          echo "CC_${TARGET_ENV}=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
+          echo "CXX_${TARGET_ENV}=/tmp/zig-musl/cxx" >> "$GITHUB_ENV"
+          echo "CARGO_TARGET_${TARGET_ENV^^}_LINKER=/tmp/zig-musl/cc" >> "$GITHUB_ENV"
+
+      - name: Scope workspace to CLI crates
+        run: |
+          set -euo pipefail
+          sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-prover", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
+
+      - name: Patch workspace version
+        if: needs.compute-versions.outputs.cargo_version != ''
+        run: |
+          set -euo pipefail
+          sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ needs.compute-versions.outputs.cargo_version }}"'"/}' Cargo.toml
+
+      - name: Build ${{ matrix.target }}
+        run: mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-cli --features bundled-z3
+
+      - name: sccache stats
+        if: always()
+        run: mise x -- sccache --show-stats
 
       - name: Package binary
         run: |
           set -euo pipefail
           mkdir -p artifacts
           tar -czf artifacts/openshell-${{ matrix.target }}.tar.gz \
-            -C out openshell
+            -C target/${{ matrix.target }}/release openshell
           ls -lh artifacts/
 
       - name: Upload artifact

deploy/docker/Dockerfile.cli-musl

@@ -23,6 +23,7 @@ helm = "4.1.1"
 "ubi:mozilla/sccache" = { version = "0.14.0", matching = "sccache-v" }
 "ubi:anchore/syft" = { version = "1.42.3", matching = "syft_" }
 "ubi:EmbarkStudios/cargo-about" = "0.8.4"
+zig = "0.14.1"
 
 [env]
 _.path = ["{{config_root}}/scripts/bin"]