From 4a02aefc3dbb1f5f162167fb8a3d77bc1b241c47 Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <adityap@microsoft.com>
Date: Mon, 13 Oct 2025 11:06:48 -0700
Subject: [PATCH 1/2] Move building of Alpine to Alpine container host

---
 .pipelines/release.yml                |  19 ++--
 .pipelines/templates/build-alpine.yml | 133 ++++++++++++++++++++++++++
 .pipelines/templates/build-nuget.yml  |   7 +-
 Dockerfile                            |  14 +++
 build.psm1                            |   3 +
 5 files changed, 168 insertions(+), 8 deletions(-)
 create mode 100644 .pipelines/templates/build-alpine.yml
 create mode 100644 Dockerfile

diff --git a/.pipelines/release.yml b/.pipelines/release.yml
index a33a2a0..f6e983d 100644
--- a/.pipelines/release.yml
+++ b/.pipelines/release.yml
@@ -85,6 +85,18 @@ extends:
         parameters:
           ARCHITECTURE: 'x64_arm64'
 
+    - stage: LinuxMuslBuild
+      displayName: Linux Musl Build
+      variables:
+      - name: LinuxContainerImage
+        value: mcr.microsoft.com/dotnet/sdk:10.0-alpine
+
+      jobs:
+      - template: .pipelines/templates/build-alpine.yml@self
+        parameters:
+          ARCHITECTURE: 'linux-musl-x64'
+          Name: 'Build_Linux_musl_x64'
+
     - stage: LinuxBuild
       displayName: Linux Build
       jobs:
@@ -99,11 +111,6 @@ extends:
           Name: 'Build_Linux_arm64'
           hostArchitecture: 'arm64'
 
-      - template: .pipelines/templates/build-linux.yml@self
-        parameters:
-          ARCHITECTURE: 'linux-musl-x64'
-          Name: 'Build_Linux_musl_x64'
-
       - template: .pipelines/templates/build-linux.yml@self
         parameters:
           ARCHITECTURE: 'osx'
@@ -122,7 +129,7 @@ extends:
           Name: 'Build_Linux_arm'
 
     - stage: Build_Nuget
-      dependsOn: [WinBuildAndSign, LinuxBuild, LinuxBuildARM]
+      dependsOn: [WinBuildAndSign, LinuxBuild, LinuxBuildARM, LinuxMuslBuild]
       displayName: Build NuGet
       jobs:
       - template: .pipelines/templates/build-nuget.yml@self
diff --git a/.pipelines/templates/build-alpine.yml b/.pipelines/templates/build-alpine.yml
new file mode 100644
index 0000000..2d02126
--- /dev/null
+++ b/.pipelines/templates/build-alpine.yml
@@ -0,0 +1,133 @@
+parameters:
+  - name: ARCHITECTURE
+    type: string
+    default: 'x64'
+  - name: Name
+    type: string
+    default: 'Build_musl_x64'
+  - name: hostArchitecture
+    type: string
+    default: 'amd64'
+
+jobs:
+- job: PrepareDockerBuild
+  pool:
+    type: linux
+    ${{ if eq(parameters.hostArchitecture, 'arm64') }}:
+      hostArchitecture: 'arm64'
+  displayName: Prepare_Docker_Build
+  variables:
+    - name: ob_outputDirectory
+      value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+    - name: ob_signing_setup_enabled
+      value: true
+    - name: LinuxContainerImage
+      value: mcr.microsoft.com/onebranch/azurelinux/build:3.0
+  steps:
+    - checkout: self
+      clean: true
+
+    - pwsh: |
+        Get-ChildItem Env:\ | Out-String -Stream | Write-Verbose -Verbose
+      displayName: Capture environment variables
+
+    - pwsh: |
+        New-Item -ItemType Directory -Path "$(ob_outputDirectory)" | Out-Null
+      displayName: 'Create output directory'
+
+    - pwsh: |
+        Copy-Item -Path "$(Build.SourcesDirectory)/*" -Destination "$(ob_outputDirectory)" -Force -Verbose -Recurse
+      displayName: 'Copy Dockerfile to output directory'
+
+- job: ${{ parameters.Name }}
+  pool:
+    type: docker
+    os: linux
+    ${{ if eq(parameters.hostArchitecture, 'arm64') }}:
+      hostArchitecture: 'arm64'
+  displayName: Linux_MUSL_${{ parameters.ARCHITECTURE }}
+  dependsOn: PrepareDockerBuild
+  variables:
+    - name: LinuxContainerImage
+      value: mcr.microsoft.com/dotnet/sdk:10.0-alpine
+    - name: ob_outputDirectory
+      value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+    - name: ob_signing_setup_enabled
+      value: true
+    - name: ARCHITECTURE
+      value: ${{ parameters.ARCHITECTURE }}
+    - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
+      value: 1
+    - ${{ if eq(parameters.ARCHITECTURE, 'linux-arm64') }}:
+      - name: ob_sdl_binskim_enabled
+        value: false
+      - name: ob_sdl_credscan_enabled
+        value: false
+  steps:
+    - task: DownloadPipelineArtifact@2
+      displayName: 'Download prepared Docker build context'
+      inputs:
+        buildType: 'current'
+        artifactName: 'drop_LinuxMuslBuild_PrepareDockerBuild'
+        targetPath: '$(Build.SourcesDirectory)/dst/drop_LinuxMuslBuild_PrepareDockerBuild'
+
+    - task: onebranch.pipeline.imagebuildinfo@1
+      displayName: 'Build Alpine Image'
+      inputs:
+        repositoryName: 'psnative-alpine'
+        dockerFileRelPath: 'drop_LinuxMuslBuild_PrepareDockerBuild/powershell-native/Dockerfile'
+        dockerFileContextPath: 'drop_LinuxMuslBuild_PrepareDockerBuild/powershell-native'
+        addPipelineData: false
+        saveImageToPath: docker-images/psnative-alpine.tar
+        build_tag: $(Build.BuildId)
+        compress: false
+        enable_isolated_acr_push: false
+        enable_service_tree_acr_path: false
+        enable_network: true
+
+- job: ExtractLibPSL
+  displayName: 'Extract libpsl-native.so'
+  dependsOn: ${{ parameters.Name }}
+  pool:
+    type: linux
+  variables:
+    - name: LinuxContainerImage
+      value: mcr.microsoft.com/onebranch/azurelinux/build:3.0
+    - name: ob_outputDirectory
+      value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+    - name: ob_signing_setup_enabled
+      value: false
+
+  steps:
+    - checkout: self
+      clean: true
+
+    - download: current
+      artifact: drop_LinuxMuslBuild_Build_Linux_musl_x64
+      patterns: docker-images/psnative-alpine.tar
+      displayName: 'Download Docker image artifact'
+
+    - pwsh: |
+        Get-ChildItem $(Pipeline.Workspace)/drop_LinuxMuslBuild_Build_Linux_musl_x64 -Recurse | Out-String -Stream | Write-Verbose -Verbose
+      displayName: Capture downloaded artifacts
+
+    - pwsh: |
+        New-Item -ItemType Directory -Path "$(ob_outputDirectory)" | Out-Null
+        New-Item -ItemType Directory -Path $(Pipeline.Workspace)/temp | Out-Null
+        tar -xvf $(Pipeline.Workspace)/drop_LinuxMuslBuild_Build_Linux_musl_x64/docker-images/psnative-alpine.tar -C $(Pipeline.Workspace)/temp
+        $manifest = Get-Content "$(Pipeline.Workspace)/temp/manifest.json"
+        $manifest | Out-String -Stream | Write-Verbose -Verbose
+
+        $manifestJson = $manifest | ConvertFrom-Json
+        $imageId = $manifestJson[0].Layers[0]
+        $libPSLPath = "$(Pipeline.Workspace)/temp/$imageId"
+
+        Write-Verbose "Extracted layer path: $libPSLPath" -Verbose
+        Get-ChildItem -Path "$libPSLPath" -Recurse | Out-String -Stream | Write-Verbose -Verbose
+
+        tar -xvf $libPSLPath
+
+        Get-ChildItem -Path . | Out-String -Stream | Write-Verbose -Verbose
+
+        Copy-Item -Path ./libpsl-native.so -Destination "$(ob_outputDirectory)/libpsl-native.so" -Force -Verbose
+      displayName: 'Extract libpsl-native.so from image'
diff --git a/.pipelines/templates/build-nuget.yml b/.pipelines/templates/build-nuget.yml
index dc002b3..e688049 100644
--- a/.pipelines/templates/build-nuget.yml
+++ b/.pipelines/templates/build-nuget.yml
@@ -34,7 +34,7 @@ jobs:
 
   - pwsh: |
       $platforms = @("drop_LinuxBuild_Build_Linux_arm64",
-                     "drop_LinuxBuild_Build_Linux_musl_x64",
+                     "drop_LinuxMuslBuild_ExtractLibPSL",
                      "drop_LinuxBuild_Build_Linux_x64",
                      "drop_LinuxBuildARM_Build_Linux_arm",
                      "drop_WinBuildAndSign_Build_Sign_x64",
@@ -50,7 +50,7 @@ jobs:
       $LinuxZipPath = "$(ob_outputDirectory)/drop_LinuxBuild_Build_Linux_x64.zip"
       $LinuxARMZipPath = "$(ob_outputDirectory)/drop_LinuxBuildARM_Build_Linux_arm.zip"
       $LinuxARM64ZipPath = "$(ob_outputDirectory)/drop_LinuxBuild_Build_Linux_arm64.zip"
-      $LinuxAlpineZipPath = "$(ob_outputDirectory)/drop_LinuxBuild_Build_Linux_musl_x64.zip"
+      $LinuxAlpineZipPath = "$(ob_outputDirectory)/drop_LinuxMuslBuild_ExtractLibPSL.zip"
       $macOSZipPath = "$(ob_outputDirectory)/drop_osx.zip"
 
       $symbolsRoot = "$(ob_outputDirectory)/symbols"
@@ -67,6 +67,9 @@ jobs:
           }
       }
 
+      Write-Verbose -Verbose "Compressed platform artifacts"
+      Get-ChildItem -Path "$(ob_outputDirectory)" | Out-String -Stream | Write-Verbose -Verbose
+
       Import-Module $(Build.SourcesDirectory)/build.psm1 -Force
       $PackageRoot = New-Item -ItemType Directory -Path  $(ob_outputDirectory)\NugetPackageSrc
       Start-BuildPowerShellNativePackage -PackageRoot $PackageRoot -Version $(PackageVersion) -WindowsX64ZipPath  $WindowsX64ZipPath -WindowsX86ZipPath $WindowsX86ZipPath -WindowsARM64ZipPath  $WindowsARM64ZipPath -LinuxZipPath $LinuxZipPath -LinuxARMZipPath  $LinuxARMZipPath -LinuxARM64ZipPath $LinuxARM64ZipPath -LinuxAlpineZipPath $LinuxAlpineZipPath -macOSZipPath $macOSZipPath
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..b7f53eb
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,14 @@
+FROM mcr.microsoft.com/dotnet/sdk:10.0-alpine AS build
+
+RUN apk update \
+    && apk add build-base gcc abuild binutils git python3 bash cmake \
+    && apk upgrade
+
+COPY . .
+
+RUN pwsh -c "Import-Module ./build.psm1; Start-BuildNativeUnixBinaries";
+
+FROM scratch AS export
+COPY --from=build /src/powershell-unix/libpsl-native.so /libpsl-native.so
+
+ENTRYPOINT [ "pwsh" ]
diff --git a/build.psm1 b/build.psm1
index 3380eb7..21e59c2 100644
--- a/build.psm1
+++ b/build.psm1
@@ -541,6 +541,9 @@ function Start-BuildNativeUnixBinaries {
     if (-not (Test-Path $Lib)) {
         throw "Compilation of $Lib failed"
     }
+
+    Write-Verbose -Verbose "Build completed - $Lib"
+    Get-ChildItem $Lib | Out-String -Stream | Write-Verbose -Verbose
 }
 
 <#

From 4adc538a31ab28921312a1d52d43a74a7f0961f3 Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <adityap@microsoft.com>
Date: Thu, 23 Oct 2025 10:18:50 -0700
Subject: [PATCH 2/2] CR feedback from co-pilot

---
 .pipelines/templates/build-alpine.yml | 2 +-
 Dockerfile                            | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/.pipelines/templates/build-alpine.yml b/.pipelines/templates/build-alpine.yml
index 2d02126..29b1f8d 100644
--- a/.pipelines/templates/build-alpine.yml
+++ b/.pipelines/templates/build-alpine.yml
@@ -58,7 +58,7 @@ jobs:
       value: ${{ parameters.ARCHITECTURE }}
     - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
       value: 1
-    - ${{ if eq(parameters.ARCHITECTURE, 'linux-arm64') }}:
+    - ${{ if eq(parameters.ARCHITECTURE, 'linux-musl-arm64') }}:
       - name: ob_sdl_binskim_enabled
         value: false
       - name: ob_sdl_credscan_enabled
diff --git a/Dockerfile b/Dockerfile
index b7f53eb..688f3a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,5 +10,3 @@ RUN pwsh -c "Import-Module ./build.psm1; Start-BuildNativeUnixBinaries";
 
 FROM scratch AS export
 COPY --from=build /src/powershell-unix/libpsl-native.so /libpsl-native.so
-
-ENTRYPOINT [ "pwsh" ]