[bug] CI tag-build fails: openssl-sys can't find OpenSSL for musl/arm64 cross-compile #27

New issue

Open

opened 2026-05-04 02:16:53 +00:00 by mik-tf · 0 comments

mik-tf commented 2026-05-04 02:16:53 +00:00

Owner

Copy link

Discovered during Phase 2 cluster A propagation

While propagating the Release-asset publishing pattern from hero_browser PR #17 into hero_foundry (branch development_mik_release_assets, tag v0.2.3-rc1), both matrix legs failed at the Build step with:

error: failed to run custom build command for `openssl-sys v0.9.115`
Could not find directory of OpenSSL installation
$HOST = x86_64-unknown-linux-gnu
$TARGET = x86_64-unknown-linux-musl
openssl-sys = 0.9.115

Same class as hero_biz's #14 feature-drift — pre-existing dependency-tree problem unrelated to the Release-asset work. The Release-asset workflow change is correct and will validate once this builds.

Why this is openssl-specific

hero_foundry's dependency tree pulls in openssl-sys (likely transitively via reqwest/native-tls since I see them in the cargo lock log). Cross-compiling openssl-sys for musl needs either:

1. The musl-compatible openssl libs preinstalled in the builder image (they're not), or
2. The crate using OpenSSL switched to rustls (no system dep), or
3. openssl crate with vendored feature flag enabled (compiles openssl from source)

For arm64 cross, the situation is even worse — needs cross-compilable openssl which the builder image doesn't provide.

Recommended fix

Quickest: add openssl = { version = "0.10", features = ["vendored"] } to whichever crate transitively pulls openssl-sys, or set vendored on the existing dependency. Ships openssl as static-linked source — no system dep.

Better long-term: switch reqwest/native-tls to default-features = false, features = ["rustls-tls"]. Eliminates the openssl dep entirely.

Why not caught earlier

hero_foundry's last successful tag run was Feb 2026 (v0.0.1-rc1, v0.1.0 — both reported success but published nothing because of the cluster A pkg-registry path bug). The crate dependency tree has changed since then, pulling in openssl-sys without anyone noticing because the tag-build never actually ran successfully on a clean image.

Blocks

• hero_foundry#26 — cluster B Release-asset fix can be merged once the build passes.

Effort

30 min — single Cargo.toml change (try vendored first; if that ships, done; if not, pivot to rustls). 5 min CI re-run to validate. Phase 2 implementation, separate from cluster A canonical-pattern work.

## Discovered during Phase 2 cluster A propagation While propagating the Release-asset publishing pattern from [hero_browser PR #17](https://forge.ourworld.tf/lhumina_code/hero_browser/pulls/17) into hero_foundry (branch `development_mik_release_assets`, tag `v0.2.3-rc1`), both matrix legs failed at the Build step with: ``` error: failed to run custom build command for `openssl-sys v0.9.115` Could not find directory of OpenSSL installation $HOST = x86_64-unknown-linux-gnu $TARGET = x86_64-unknown-linux-musl openssl-sys = 0.9.115 ``` Same class as hero_biz's [#14](https://forge.ourworld.tf/lhumina_code/hero_biz/issues/14) feature-drift — pre-existing dependency-tree problem unrelated to the Release-asset work. The Release-asset workflow change is correct and will validate once this builds. ## Why this is openssl-specific hero_foundry's dependency tree pulls in `openssl-sys` (likely transitively via `reqwest`/`native-tls` since I see them in the cargo lock log). Cross-compiling openssl-sys for musl needs either: 1. The musl-compatible openssl libs preinstalled in the builder image (they're not), or 2. The crate using OpenSSL switched to `rustls` (no system dep), or 3. `openssl` crate with `vendored` feature flag enabled (compiles openssl from source) For arm64 cross, the situation is even worse — needs cross-compilable openssl which the builder image doesn't provide. ## Recommended fix Quickest: add `openssl = { version = "0.10", features = ["vendored"] }` to whichever crate transitively pulls openssl-sys, or set `vendored` on the existing dependency. Ships openssl as static-linked source — no system dep. Better long-term: switch reqwest/native-tls to `default-features = false, features = ["rustls-tls"]`. Eliminates the openssl dep entirely. ## Why not caught earlier hero_foundry's last successful tag run was Feb 2026 (v0.0.1-rc1, v0.1.0 — both reported success but published nothing because of the cluster A pkg-registry path bug). The crate dependency tree has changed since then, pulling in openssl-sys without anyone noticing because the tag-build never actually ran successfully on a clean image. ## Blocks - [hero_foundry#26](https://forge.ourworld.tf/lhumina_code/hero_foundry/issues/26) — cluster B Release-asset fix can be merged once the build passes. ## Effort 30 min — single Cargo.toml change (try `vendored` first; if that ships, done; if not, pivot to rustls). 5 min CI re-run to validate. Phase 2 implementation, separate from cluster A canonical-pattern work.

mik-tf referenced this issue from lhumina_code/hero_slides 2026-05-04 02:26:55 +00:00

[bug] CI tag-build fails: openssl-sys can't find OpenSSL for musl cross-compile #43

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

development

main

v0.2.3-rc3

v0.2.3-rc2

v0.2.3-rc1

v0.1.0

v0.0.1-rc1

Labels

Clear labels   

prio_critical

  

prio_low

  

type_bug

  

type_contact

  

type_issue

  

type_lead

  

type_question

  

type_story

  

type_task

No labels

prio_critical

prio_low

type_bug

type_contact

type_issue

type_lead

type_question

type_story

type_task

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lhumina_code/hero_foundry#27

No description provided.