From 7a5f2272576df83f3e870d7ab097e67797159f6c Mon Sep 17 00:00:00 2001 From: Khalefa Date: Sat, 6 Jun 2026 17:44:59 +0300 Subject: [PATCH] =?UTF-8?q?build:=20static=20binaries=20only=20=E2=80=94?= =?UTF-8?q?=20CGO=5FENABLED=3D0=20+=20netgo/osusergo?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit scripts/build.sh now builds a fully static, single binary with no dynamic linking — CGO_ENABLED=0 forces Gos pure-Go net resolver (netgo) and os/user (osusergo) too, so there is no libc dependency. Verified on the amd64 builder: `file` reports "statically linked", `ldd` reports "not a dynamic executable". All server components are pure-Go (modernc.org/sqlite), so no cgo is needed. Co-Authored-By: Claude Opus 4.8 (1M context) --- scripts/build.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/scripts/build.sh b/scripts/build.sh index c07eb14..a1cbb36 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -1,9 +1,13 @@ #!/usr/bin/env bash # SPDX-License-Identifier: Apache-2.0 -# Build node with the version from VERSION injected at link time. -# scripts/build.sh [output-path] +# Build node — a fully static, single binary (no dynamic linking, ever): +# CGO_ENABLED=0 forces pure-Go net (netgo) + os/user (osusergo) too, so there +# is no libc dependency. Version is injected from VERSION at link time. +# scripts/build.sh [output-path] (GOOS/GOARCH from env for cross-builds) set -euo pipefail cd "$(dirname "$0")/.." VERSION="$(tr -d '[:space:]' < VERSION)" -go build -ldflags "-X github.com/PharosVPN/node/internal/cli.version=$VERSION" -o "${1:-bin/node}" ./cmd/node -echo "built node $VERSION -> ${1:-bin/node}" +CGO_ENABLED=0 go build -trimpath -tags netgo,osusergo \ + -ldflags "-X github.com/PharosVPN/node/internal/cli.version=$VERSION" \ + -o "${1:-bin/node}" ./cmd/node +echo "built node $VERSION (static) -> ${1:-bin/node}"
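Review bot: The header comment's "no dynamic linking, ever" is not enforced by the script, and the same header invites cross-builds via GOOS/GOARCH, where the guarantee does not hold for every target. With GOOS=darwin, for example, Go binaries link against libSystem even with CGO_ENABLED=0. The commit message cites only a manual `file`/`ldd` check on the amd64 builder. Consider scoping the comment to Linux targets, or have the script check the output after `go build` and exit non-zero when `file "${1:-bin/node}"` does not report "statically linked", so a regression fails the build instead of depending on a one-time check. Separately, `-trimpath` is added without being mentioned in the header or the commit message; a short note on why it is there (no local build paths embedded in the binary) would help. Since the comment itself says CGO_ENABLED=0 already forces netgo and osusergo, `-tags netgo,osusergo` is redundant; keeping it as a second safeguard is fine, but say so in the comment.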