Merge pull request #1846 from session-foundation/fix-enforce-static-builds-node

Bilb · web-flow · commit 74415660250d · 2026-02-19T14:56:33.000+11:00
fix: enforce static builds for libsession-util-nodejs
diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
@@ -167,6 +167,9 @@ jobs:
         if: ${{ matrix.is_qa == true }}
         uses: ./actions/sed_for_qa
 
+      - name: Custom build for QA if needed
+        uses: ./actions/enforce_static_builds
+
       - name: Build
         run: pnpm run build
 
diff --git a/actions/enforce_static_builds/action.yml b/actions/enforce_static_builds/action.yml
@@ -0,0 +1,48 @@
+name: 'Enforce static builds link only to system libs'
+description: 'Enforce that the libsession-util-nodejs.node is only linking to system libraries'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Check static library linkage
+      shell: bash
+      run: |
+        if [ "$RUNNER_OS" == "Windows" ]; then
+            echo "Skipping library check on Windows"
+            exit 0
+        fi
+
+        if ! find . -name 'libsession_util_nodejs.node' | grep -q .; then
+            echo -e "\n\n\n\n\e[31;1mNo libsession_util_nodejs.node file found\e[0m\n\n\n"
+            exit 1
+        fi
+
+        echo "Found files:"
+        find . -name 'libsession_util_nodejs.node' | while IFS= read -r f; do
+            echo "  $f"
+        done
+
+        bad=
+
+        while IFS= read -r node_file; do
+            if [ "$RUNNER_OS" == "macOS" ]; then
+                if otool -L "$node_file" | \
+                    grep -Ev '^.*\.node:|^\t(/usr/lib/lib(System\.|c\+\+|objc))|/System/Library/Frameworks/(CoreFoundation|NetworkExtension|Foundation|Network)\.framework'; then
+                    bad=1
+                fi
+            elif [ "$RUNNER_OS" == "Linux" ]; then
+                if ldd "$node_file" | grep -Ev '(linux-vdso|ld-linux-(x86-64|armhf|aarch64)|lib(pthread|dl|rt|stdc\+\+|gcc_s|c|m))\.so'; then
+                    bad=1
+                fi
+            else
+                echo -e "\n\n\n\n\e[31;1mDon't know how to check linked libs on $RUNNER_OS\e[0m\n\n\n"
+                exit 1
+            fi
+        done < <(find . -name 'libsession_util_nodejs.node')
+
+        if [ -n "$bad" ]; then
+            echo -e "\n\n\n\n\e[31;1mlibsession-util-nodejs links to unexpected libraries\e[0m\n\n\n"
+            exit 1
+        fi
+
+        echo -e "\n\n\n\n\e[32;1mNo unexpected linked libraries found\e[0m\n\n\n"
