fix(release): use cross main branch to fix mdbx-sys build #84

Merged: panos-xyz merged 10 commits into main from fix/cross-build-release, Apr 8, 2026

@panos-xyz panos-xyz commented Apr 7, 2026

Summary

  • Switch from taiki-e/install-action (cross 0.2.5, Ubuntu 16.04) to cargo install cross --git (cross main, Ubuntu 20.04)
  • Simplify Cross.toml — cross main images already ship gcc + libclang, no pre-build installs needed
  • Add temporary test-cross-build.yml (to be deleted after merge)

Root Cause

cross 0.2.5 uses an Ubuntu 16.04 (Xenial) base image. The pre-build apt-get commands in Cross.toml tried to switch sources to HTTPS, but Xenial lacks apt-transport-https by default, causing apt-get update to fail. reth and scroll-reth both use cargo install cross --git (main branch), which ships Ubuntu 20.04 images with the required toolchain already installed.

Test plan

  • CI passed: Cross Build x86_64-unknown-linux-gnu ✓
  • CI passed: Cross Build aarch64-unknown-linux-gnu ✓
  • After merge: delete test workflow, re-tag v0.2.0, verify full release workflow

Summary by CodeRabbit

  • Chores
    • Simplified cross-compilation flow and removed redundant pre-build package setup.
    • Added cross-compilation Make targets and per-target builds to streamline multi-arch builds.
    • Enabled static linkage for native libraries to improve build reliability.
    • Applied an ARM-specific memory tuning value for aarch64 builds.
    • Added a cross-platform container image and updated Docker tagging to use v-prefixed semver while preserving the latest tag.

coderabbitai bot commented Apr 7, 2026

Walkthrough

Reworks CI and local build to use cargo-installed cross and Makefile cross targets, removes Cross.toml pre-build APT steps, adds Dockerfile.cross and multi-arch staging, and adjusts Docker workflow tagging and build steps. No exported/public code entities changed.

Changes

Cohort / File(s) | Summary
Release workflow (.github/workflows/release.yml) | Replaced installer action with cargo install cross --git ...; build step now calls make build-${{ matrix.target }} instead of invoking cross directly; packaging/upload unchanged.
Docker workflow (.github/workflows/docker.yml) | Switches CI to use Rust toolchains + cross, runs make cross-builds, stages dist/bin/{amd64,arm64}; simplifies semver tag to v{{version}}, keeps latest, uses Dockerfile.cross.
Cross configuration (Cross.toml) | Removed [build] section (pre-build APT commands); retained [build.env] passthrough = ["JEMALLOC_SYS_WITH_LG_PAGE"].
Makefile build targets (Makefile) | Added build-% pattern rule invoking cross build --target $* --profile "$(PROFILE)" with RUSTFLAGS for -lgcc/-static-libgcc; added build-aarch64-unknown-linux-gnu that exports JEMALLOC_SYS_WITH_LG_PAGE=16; updated docker_build_push to build/stage two arch binaries and use Dockerfile.cross.
New Docker image (Dockerfile.cross) | New cross-runtime image that copies prebuilt binary from ./dist/bin/$TARGETARCH/, sets labels, exposes ports, and sets entrypoint to /usr/local/bin/morph-reth.

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
participant Dev as Developer/Makefile
participant CI as GitHub Actions
participant Cross as cross (cargo-installed)
participant Dist as Dist staging (dist/bin)
participant Docker as Docker Buildx
Dev->>CI: Push PR triggers workflows
CI->>Cross: Install cross via cargo
CI->>Cross: Run make build-<target> (invokes cross build)
Cross-->>Dist: Output binaries to dist/bin/{amd64,arm64}
CI->>Docker: Build image using Dockerfile.cross with staged binaries
Docker-->>Registry: Push multi-arch image (v{{version}}, latest)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • anylots
  • chengwenxi

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Title check | ⚠️ Warning | The title mentions using cross main branch to fix mdbx-sys build, but the changes primarily focus on switching build infrastructure (from install-action to cargo install, removing pre-build apt steps, and restructuring CI/Makefile workflows). While cross main does address the root cause, the actual changeset emphasizes build system refactoring rather than directly fixing mdbx-sys compilation. | Consider a more accurate title like 'fix(release): use cross main and refactor build infrastructure' or 'refactor(release): migrate to cross main with makefile-driven builds' to better reflect the scope of infrastructure changes.

✅ Passed checks (2 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

102-103: Consider pinning to a specific cross commit for reproducibility.

Installing from the main branch (--git https://github.com/cross-rs/cross) means builds could break unexpectedly if cross introduces breaking changes. While this solves the Ubuntu 16.04 issue, consider pinning to a specific commit or tag once a stable release with Ubuntu 20.04 images is available:

run: cargo install cross --git https://github.com/cross-rs/cross --rev <commit-sha>

That said, using main is a reasonable approach given the immediate build failure and alignment with reth/scroll-reth practices.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 102 - 103, The workflow step that
installs cross from the main branch currently uses "--git
https://github.com/cross-rs/cross" which risks non-reproducible builds; change
the cargo install invocation to pin to a specific commit or tag by adding "--rev
<commit-sha-or-tag>" (replace <commit-sha-or-tag> with the chosen commit SHA or
release tag), and update the step name/description if desired (the step labeled
"Install cross main") so the intent is clear; pick a stable commit from the
cross repo (or a released tag) that includes the needed Ubuntu 20.04 images and
use that SHA in the --rev flag to ensure reproducible CI.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/test-cross-build.yml:
- Around line 11-14: Add a top-level GitHub Actions permissions block to
restrict GITHUB_TOKEN to least privilege (only read access to repository
contents) for this workflow; update the workflow that defines the jobs/build
(look for the jobs: build: name: Cross Build and runs-on: ubuntu-latest entries)
to include a permissions: contents: read stanza so the workflow only has read
access to repository contents.

📥 Commits

Reviewing files that changed from the base of the PR and between cbaf860 and 4a2f2f5.

📒 Files selected for processing (3)
  • .github/workflows/release.yml
  • .github/workflows/test-cross-build.yml
  • Cross.toml
💤 Files with no reviewable changes (1)
  • Cross.toml

Comment on lines +11 to +14
jobs:
build:
name: Cross Build ${{ matrix.target }}
runs-on: ubuntu-latest

⚠️ Potential issue | 🟡 Minor

Add permissions block to limit GITHUB_TOKEN scope.

The workflow is missing a permissions block. Even for a temporary test workflow, it's good practice to apply the principle of least privilege. Since this workflow only checks out code and builds, it only needs read access.

🔒 Proposed fix to add permissions
 env:
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: 0
 
+permissions:
+  contents: read
+
 jobs:
   build:
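Review bot: The `permissions:` block added between `env:` and `jobs:` covers only test-cross-build.yml, which the PR summary marks for deletion after merge, so the least-privilege setting disappears with the file. The walkthrough on this page lists release.yml (packaging/upload) and docker.yml (image push) as the workflows that remain, and no permissions block is shown for either. Suggest declaring `permissions:` explicitly in those two as well, with `contents: read` at the top level and any write scope granted per job where the upload or push step needs it.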

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
Makefile (1)

47-47: Add --locked to keep cross-builds reproducible

Line 47 currently allows dependency resolution drift if Cargo.lock and index state diverge. For release-oriented targets, prefer locked resolution.

Proposed change
-		cross build --bin morph-reth --target $* --profile "$(PROFILE)"
+		cross build --locked --bin morph-reth --target $* --profile "$(PROFILE)"
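Review bot: `--locked` on the `cross build` line fixes only the crate graph recorded in Cargo.lock; the cross binary that executes this line is still installed from an unpinned git main, as the release.yml comment on this page points out. Suggest landing both together: pin the install step with `--rev <commit-sha>` and pass `--locked` to `cargo install` as well, since `cargo install` ignores the installed package's lockfile unless told otherwise. Without that, the build tool can change between runs while the dependency graph cannot.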
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` at line 47, Update the cross build invocation to use Cargo's locked
resolution by adding the --locked flag to the existing command that invokes
cross: replace the current invocation "cross build --bin morph-reth --target $*
--profile \"$(PROFILE)\"" with a version that includes --locked so builds use
Cargo.lock and avoid dependency resolution drift for release targets.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Makefile`:
- Around line 45-50: The release workflow can bypass Makefile safeguards because
RUSTFLAGS (used in the build-% recipe) and JEMALLOC_SYS_WITH_LG_PAGE (set for
build-aarch64-unknown-linux-gnu) only take effect when invoking make
build-<target>; update the CI workflow to either (A) call make build-${{
matrix.target }} so the Makefile targets and their env exports are honored
(referencing the build-% and build-aarch64-unknown-linux-gnu targets), or (B) if
you must keep invoking cross build directly, inject the same environment
variables into the workflow step (set RUSTFLAGS with "-C link-arg=-lgcc
-Clink-arg=-static-libgcc" and set JEMALLOC_SYS_WITH_LG_PAGE=16 for aarch64) so
the aarch64 jemalloc page-size and RUSTFLAGS are preserved.

📥 Commits

Reviewing files that changed from the base of the PR and between 952186e and ece9bb7.

📒 Files selected for processing (1)
  • Makefile

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
Makefile (1)

46-47: Preserve caller-supplied RUSTFLAGS in cross builds.

Current assignment overwrites any upstream RUSTFLAGS. Appending keeps this target flexible for CI/local overrides. (Line 46 and Line 47)

Suggested patch
-	RUSTFLAGS="-C link-arg=-lgcc -Clink-arg=-static-libgcc" \
+	RUSTFLAGS="$$RUSTFLAGS -C link-arg=-lgcc -Clink-arg=-static-libgcc" \
 		cross build --locked --bin morph-reth --target $* --profile "$(PROFILE)"
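Review bot: With `$$RUSTFLAGS` prepended on the `+` line, the flags that go into a release binary depend on whatever the calling shell or CI job exports, and nothing in the recipe records them. Suggest echoing the effective RUSTFLAGS in the recipe, or having the release workflow set RUSTFLAGS explicitly, so a stray environment value cannot silently change release artifacts. The two link arguments are also written in different styles (`-C link-arg=-lgcc` and `-Clink-arg=-static-libgcc`); pick one.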
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 46 - 47, The Makefile currently overwrites any
caller-supplied RUSTFLAGS before invoking cross build for the morph-reth target;
change the RUSTFLAGS assignment so it preserves existing RUSTFLAGS (i.e., append
the flags -C link-arg=-lgcc and -Clink-arg=-static-libgcc to the existing
RUSTFLAGS) and then invoke cross build --locked --bin morph-reth --target $*
--profile "$(PROFILE)"; update the line that sets RUSTFLAGS and the subsequent
cross build invocation to use the preserved/appended RUSTFLAGS rather than
replacing them.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile.cross`:
- Around line 3-14: Add a non-root user and switch to it before ENTRYPOINT:
create a dedicated user and group (e.g., "morph" or similar) and chown the
installed binary path (/usr/local/bin/morph-reth) to that user, then switch to
that user via USER before the ENTRYPOINT. Update the Dockerfile around the COPY
and ENTRYPOINT steps that reference ARG TARGETARCH and COPY
./dist/bin/$TARGETARCH/morph-reth so ownership and permissions are set for the
new user and the container runs as that non-root account instead of root.

In `@Makefile`:
- Line 41: Update every occurrence of the unpinned installer invocation "cargo
install cross --git https://github.com/cross-rs/cross" in the CI config to
include a fixed --tag or --rev (e.g., --tag <version> or --rev <commit>) so the
cross tool is pinned for reproducible builds, and mirror that change in the
Makefile comment line that documents the Cross Build instruction so the doc
string reflects the pinned installation. Ensure both CI invocations use the same
pinned value and that the Makefile text mentions the specific tag/revision.

📥 Commits

Reviewing files that changed from the base of the PR and between 6371da8 and 1dd13ff.

📒 Files selected for processing (4)
  • .github/workflows/docker.yml
  • .github/workflows/release.yml
  • Dockerfile.cross
  • Makefile
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/release.yml
  • .github/workflows/docker.yml
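
The three hardening findings raised in the reviews above (unpinned `cargo install --git`, no top-level `permissions:` block, container running as root) can be checked mechanically before merge. The Python sketch below is an added example, not code from this PR or from CodeRabbit; the `audit` helper, the file name `pinned.yml` and all sample file contents are constructed for illustration, with `<base-image>` and `<commit-sha>` as placeholders.

```python
import re

# Constructed sample inputs modelled on the review findings in this thread;
# these are not the repository's actual files.
SAMPLE_FILES = {
    ".github/workflows/release.yml": (
        "name: release\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - run: cargo install cross --git https://github.com/cross-rs/cross\n"
        "      - run: make build-${{ matrix.target }}\n"
    ),
    ".github/workflows/pinned.yml": (  # hypothetical workflow with both fixes applied
        "permissions:\n  contents: read\njobs:\n  build:\n    steps:\n"
        "      - run: cargo install cross --git https://github.com/cross-rs/cross"
        " --rev <commit-sha>\n"
    ),
    "Dockerfile.cross": (
        "FROM <base-image>\n"
        "ARG TARGETARCH\n"
        "COPY ./dist/bin/$TARGETARCH/morph-reth /usr/local/bin/morph-reth\n"
        'ENTRYPOINT ["/usr/local/bin/morph-reth"]\n'
    ),
}

GIT_INSTALL = re.compile(r"cargo\s+install\b.*--git\s+\S+")
PINNED = re.compile(r"--(rev|tag)[ =]\S+")        # --branch is not a pin
TOP_PERMS = re.compile(r"^permissions:", re.M)    # column 0 only: workflow level
USER_LINE = re.compile(r"^USER\s+(\S+)", re.M | re.I)


def audit(path, text):
    """Return (line_number, finding) tuples for one file; line 0 = whole file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if GIT_INSTALL.search(line) and not PINNED.search(line):
            findings.append((n, "unpinned cargo install --git"))
    if path.startswith(".github/workflows/") and not TOP_PERMS.search(text):
        findings.append((0, "no top-level permissions block"))
    if path.rsplit("/", 1)[-1].startswith("Dockerfile"):
        users = USER_LINE.findall(text)
        # Single-stage assumption: the last USER instruction is the runtime user.
        if not users or users[-1].split(":")[0] in ("root", "0"):
            findings.append((0, "container runs as root"))
    return findings


def audit_all(files):
    """Audit a mapping of path -> file contents."""
    return {path: audit(path, text) for path, text in files.items()}


if __name__ == "__main__":
    for path, found in audit_all(SAMPLE_FILES).items():
        for line, msg in found:
            print(f"{path}:{line}: {msg}")
```

The permissions check looks only for a workflow-level block, matching the review's recommendation; a workflow that scopes the token per job would need a YAML-aware check instead.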

@panos-xyz panos-xyz merged commit 7d75856 into main Apr 8, 2026
12 checks passed
@panos-xyz panos-xyz deleted the fix/cross-build-release branch April 8, 2026 02:01