Add native build to CI and MUSL build

.github/workflows/build-native-image.yml

@@ -0,0 +1,112 @@
+name: Build native image
+permissions:
+  contents: read
+defaults:
+  run:
+    shell: bash -euo pipefail -O nullglob {0}
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        type: string
+        description: "Git ref from which to release"
+        required: true
+        default: "master"
+      upload_artifact:
+        type: boolean
+        description: "Upload the native test server executable as an artifact"
+        required: false
+        default: false
+  workflow_call:
+    inputs:
+        ref:
+          type: string
+          description: "Git ref from which to release"
+          required: true
+          default: "master"
+        upload_artifact:
+          type: boolean
+          description: "Upload the native test server executable as an artifact"
+          required: false
+          default: false
+env:
+  INPUT_REF: ${{ github.event.inputs.ref }}
+
+jobs:
+  build_native_images:
+    name: Build native test server
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            os_family: linux
+            arch: amd64
+            musl: true
+          - runner: ubuntu-latest
+            os_family: linux
+            arch: amd64
+            musl: false
+          - runner: macos-13
+            os_family: macOS
+            arch: amd64
+          - runner: macos-latest
+            os_family: macOS
+            arch: arm64
+          - runner: ubuntu-24.04-arm
+            os_family: linux
+            arch: arm64
+          - runner: windows-latest
+            os_family: windows
+            arch: amd64
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+          ref: ${{ env.INPUT_REF }}
+
+      - name: Set up Java
+        if: matrix.os_family != 'Linux'
+        uses: actions/setup-java@v4
+        with:
+          java-version: 23
+          distribution: "graalvm"
+
+      - name: Set up Gradle
+        if: matrix.os_family != 'Linux'
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Build native test server (non-Docker)
+        if: matrix.os_family != 'Linux'
+        run: |
+          ./gradlew -PnativeBuild :temporal-test-server:nativeCompile
+
+      - name: Build native test server (Docker non-musl)
+        if: matrix.os_family == 'Linux' && matrix.musl == false
+        run: |
+          docker run \
+            --rm -w /github/workspace -v "$(pwd):/github/workspace" \
+            $(docker build -q ./docker/native-image) \
+            sh -c "./gradlew -PnativeBuild :temporal-test-server:nativeCompile"
+
+      - name: Build native test server (Docker musl)
+        if: matrix.os_family == 'Linux' && matrix.musl == true
+        run: |
+          docker run \
+            --rm -w /github/workspace -v "$(pwd):/github/workspace" \
+            $(docker build -q ./docker/native-image-musl) \
+            sh -c "./gradlew -PnativeBuild -PnativeBuildMusl  :temporal-test-server:nativeCompile"
+      # path ends in a wildcard because on windows the file ends in '.exe'
+      - name: Upload executable to workflow
+        if: ${{ github.event.inputs.upload_artifact == 'true'}}
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.musl && format('{0}_{1}_musl', matrix.os_family, matrix.arch) || format('{0}_{1}', matrix.os_family, matrix.arch)}}
+          path: |
+            temporal-test-server/build/native/nativeCompile/temporal-test-server*
+          if-no-files-found: error
+          retention-days: 1
+

.github/workflows/ci.yml

@@ -1,4 +1,6 @@
 name: Continuous Integration
+permissions:
+  contents: read
 on:
   pull_request:
   push:
@@ -191,3 +193,9 @@ jobs:
 
     - name: Run copyright and code format checks
       run: ./gradlew --no-daemon spotlessCheck
+
+  build_native_images:
+    name: Build native test server
+    uses: ./.github/workflows/build-native-image.yml
+    with:
+      ref: ${{ github.event.pull_request.head.sha }}

.github/workflows/prepare-release.yml

@@ -124,70 +124,10 @@ jobs:
     name: Build native test server
     needs: create_draft_release
     if: github.event.inputs.do_build_native_images == 'true'
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - runner: ubuntu-latest
-            os_family: linux
-            arch: amd64
-          - runner: macos-13
-            os_family: macOS
-            arch: amd64
-          - runner: macos-latest
-            os_family: macOS
-            arch: arm64
-          - runner: ubuntu-24.04-arm
-            os_family: linux
-            arch: arm64
-          - runner: windows-2019
-            os_family: windows
-            arch: amd64
-    runs-on: ${{ matrix.runner }}
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-        with:
-          submodules: recursive
-          ref: ${{ env.INPUT_REF }}
-
-      # See comment on temporary tag above. tldr: this is a local tag; never
-      # gets pushed
-      - name: Temporary tag
-        run: git tag "$INPUT_TAG"
-
-      - name: Set up Java
-        if: matrix.os_family != 'Linux'
-        uses: actions/setup-java@v4
-        with:
-          java-version: "21"
-          distribution: "graalvm"
-
-      - name: Set up Gradle
-        if: matrix.os_family != 'Linux'
-        uses: gradle/actions/setup-gradle@v4
-
-      - name: Build native test server (non-Docker)
-        if: matrix.os_family != 'Linux'
-        run: |
-          ./gradlew -PnativeBuild :temporal-test-server:nativeBuild
-
-      - name: Build native test server (Docker)
-        if: matrix.os_family == 'Linux'
-        run: |
-          docker run \
-            --rm -w /github/workspace -v "$(pwd):/github/workspace" \
-            $(docker build -q ./docker/native-image) \
-            sh -c "./gradlew -PnativeBuild :temporal-test-server:nativeBuild"
-      # path ends in a wildcard because on windows the file ends in '.exe'
-      - name: Upload executable to workflow
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.os_family }}_${{ matrix.arch }}
-          path: |
-            temporal-test-server/build/native/nativeCompile/temporal-test-server*
-          if-no-files-found: error
-          retention-days: 1
+    uses: ./.github/workflows/build-native-image.yml
+    with:
+      upload_artifact: true
+      ref: ${{ github.event.inputs.ref }}
 
   attach_to_release:
     name: Attach native executables to release

docker/native-image-musl/dockerfile

@@ -0,0 +1,16 @@
+# This Dockerfile builds a GraalVM Native Image Test Server with musl support.
+FROM ubuntu:24.04
+ENV JAVA_HOME=/usr/lib64/graalvm/graalvm-community-java23
+COPY --from=ghcr.io/graalvm/native-image-community:23 $JAVA_HOME $JAVA_HOME
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+RUN apt-get -y update --allow-releaseinfo-change && apt-get install -y -V git build-essential curl binutils
+COPY install-musl.sh /opt/install-musl.sh
+RUN chmod +x /opt/install-musl.sh
+WORKDIR /opt
+# We need to build musl and zlibc with musl to for a static build
+# See https://www.graalvm.org/21.3/reference-manual/native-image/StaticImages/index.html
+RUN ./install-musl.sh
+ENV MUSL_HOME=/opt/musl-toolchain
+ENV PATH="$MUSL_HOME/bin:$PATH"
+# Avoid errors like: "fatal: detected dubious ownership in repository"
+RUN git config --global --add safe.directory '*'

docker/native-image-musl/install-musl.sh

@@ -0,0 +1,28 @@
+# Specify an installation directory for musl:
+export MUSL_HOME=$PWD/musl-toolchain
+
+# Download musl and zlib sources:
+curl -O https://musl.libc.org/releases/musl-1.2.5.tar.gz
+curl -O https://zlib.net/fossils/zlib-1.2.13.tar.gz
+
+# Build musl from source
+tar -xzvf musl-1.2.5.tar.gz
+cd musl-1.2.5
+./configure --prefix=$MUSL_HOME --static
+# The next operation may require privileged access to system resources, so use sudo
+make && make install
+cd ..
+
+# Install a symlink for use by native-image
+ln -s $MUSL_HOME/bin/musl-gcc $MUSL_HOME/bin/x86_64-linux-musl-gcc
+
+# Extend the system path and confirm that musl is available by printing its version
+export PATH="$MUSL_HOME/bin:$PATH"
+x86_64-linux-musl-gcc --version
+
+# Build zlib with musl from source and install into the MUSL_HOME directory
+tar -xzvf zlib-1.2.13.tar.gz
+cd zlib-1.2.13
+CC=musl-gcc ./configure --prefix=$MUSL_HOME --static
+make && make install
+cd ..

docker/native-image/dockerfile

@@ -1,10 +1,15 @@
+# This Dockerfile builds a GraalVM Native Image Test Server with glibc support.
 # Use an old version of Ubuntu to build the test server to maintain compatibility with 
 # older versions of glibc, specifically glib 2.17.
 FROM ubuntu:18.04
-ENV JAVA_HOME=/usr/lib64/graalvm/graalvm-community-java21
-COPY --from=ghcr.io/graalvm/jdk-community:21 $JAVA_HOME $JAVA_HOME
+ENV JAVA_HOME=/usr/lib64/graalvm/graalvm-community-java23
+COPY --from=ghcr.io/graalvm/native-image-community:23 $JAVA_HOME $JAVA_HOME
 ENV PATH="${JAVA_HOME}/bin:${PATH}"
+RUN apt-get -y update --allow-releaseinfo-change && apt-get install -V -y software-properties-common
+RUN add-apt-repository ppa:ubuntu-toolchain-r/test
 RUN apt-get update
-RUN apt-get install -y git build-essential zlib1g-dev
+# We need to update gcc and g++ to 10 for Graal to work on ARM64
+RUN apt-get install -y git build-essential zlib1g-dev gcc-10 g++-10
+RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 60 --slave /usr/bin/g++ g++ /usr/bin/g++-10
 # Avoid errors like: "fatal: detected dubious ownership in repository"
 RUN git config --global --add safe.directory '*'

temporal-sdk/build.gradle

@@ -51,8 +51,14 @@ dependencies {
 }
 
 tasks.named('compileJava21Java') {
-    javaCompiler = javaToolchains.compilerFor {
-        languageVersion = JavaLanguageVersion.of(21)
+    // Gradle toolchains are too strict and require the JDK to match the specified version exactly.
+    // This is a workaround to use a JDK 21+ compiler.
+    //
+    // See also: https://github.com/gradle/gradle/issues/16256
+    if (!JavaVersion.current().isCompatibleWith(JavaVersion.VERSION_21)) {
+        javaCompiler = javaToolchains.compilerFor {
+            languageVersion = JavaLanguageVersion.of(21)
+        }
     }
     options.release = 21
 }

temporal-test-server/build.gradle

@@ -120,9 +120,14 @@ if (project.hasProperty("nativeBuild")) {
                 // If we're on linux, static link everything but libc. Otherwise link
                 // everything dynamically (note the '-' rather than '+' in front of
                 // StaticExecutable)
-                buildArgs.add(isLinux() ? "-H:+StaticExecutableWithDynamicLibC": "-H:-StaticExecutable")
+                if (isLinux() && !project.hasProperty("nativeBuildMusl")) {
+                    buildArgs.add("--static-nolibc")
+                } else if (isLinux() && project.hasProperty("nativeBuildMusl")) {
+                    buildArgs.add("--static")
+                    buildArgs.add("--libc=musl")
+                }
                 buildArgs.add("-H:+UnlockExperimentalVMOptions")
-                buildArgs.add("-O4")
+                buildArgs.add("-Os")
 
                 runtimeArgs.add("7233")
             }

temporal-test-server/src/main/resources/META-INF/native-image/io.temporal/temporal-test-server/jni-config.json

@@ -9,22 +9,29 @@
 },
 {
   "name":"java.lang.String",
-  "methods":[{"name":"lastIndexOf","parameterTypes":["int"] }, {"name":"substring","parameterTypes":["int"] }]
+  "methods":[
+    {"name":"lastIndexOf","parameterTypes":["int"] }, 
+    {"name":"substring","parameterTypes":["int"] }
+  ]
 },
 {
   "name":"java.lang.System",
-  "methods":[{"name":"getProperty","parameterTypes":["java.lang.String"] }, {"name":"setProperty","parameterTypes":["java.lang.String","java.lang.String"] }]
-},
-{
-  "name":"sun.instrument.InstrumentationImpl",
-  "methods":[{"name":"<init>","parameterTypes":["long","boolean","boolean","boolean"] }, {"name":"loadClassAndCallAgentmain","parameterTypes":["java.lang.String","java.lang.String"] }, {"name":"loadClassAndCallPremain","parameterTypes":["java.lang.String","java.lang.String"] }, {"name":"transform","parameterTypes":["java.lang.Module","java.lang.ClassLoader","java.lang.String","java.lang.Class","java.security.ProtectionDomain","byte[]","boolean"] }]
+  "methods":[
+    {"name":"getProperty","parameterTypes":["java.lang.String"] }, 
+    {"name":"setProperty","parameterTypes":["java.lang.String","java.lang.String"] }
+  ]
 },
 {
   "name":"sun.management.VMManagementImpl",
-  "fields":[{"name":"compTimeMonitoringSupport"}, {"name":"currentThreadCpuTimeSupport"}, {"name":"objectMonitorUsageSupport"}, {"name":"otherThreadCpuTimeSupport"}, {"name":"remoteDiagnosticCommandsSupport"}, {"name":"synchronizerUsageSupport"}, {"name":"threadAllocatedMemorySupport"}, {"name":"threadContentionMonitoringSupport"}]
-},
-{
-  "name":"worker.org.gradle.process.internal.worker.GradleWorkerMain",
-  "methods":[{"name":"main","parameterTypes":["java.lang.String[]"] }]
+  "fields":[
+    {"name":"compTimeMonitoringSupport"}, 
+    {"name":"currentThreadCpuTimeSupport"}, 
+    {"name":"objectMonitorUsageSupport"}, 
+    {"name":"otherThreadCpuTimeSupport"}, 
+    {"name":"remoteDiagnosticCommandsSupport"}, 
+    {"name":"synchronizerUsageSupport"}, 
+    {"name":"threadAllocatedMemorySupport"}, 
+    {"name":"threadContentionMonitoringSupport"}
+  ]
 }
 ]

temporal-test-server/src/main/resources/META-INF/native-image/io.temporal/temporal-test-server/native-image.properties

@@ -23,5 +23,7 @@ Args = -H:+UnlockExperimentalVMOptions \
   -H:JNIConfigurationResources=${.}/jni-config.json \
   -H:ReflectionConfigurationResources=${.}/reflect-config.json \
   -H:ResourceConfigurationResources=${.}/resource-config.json \
-  -H:SerializationConfigurationResources=${.}/serialization-config.json
+  -H:SerializationConfigurationResources=${.}/serialization-config.json \
+  --initialize-at-build-time=org.slf4j.helpers.SubstituteLoggerFactory \
+  --initialize-at-build-time=org.slf4j.helpers.NOPLoggerFactory