Infisical · bernie-g · May 4, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.github/workflows/build-rdp-bridge.yml b/.github/workflows/build-rdp-bridge.yml
@@ -16,11 +16,11 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - target: x86_64-unknown-linux-gnu
-          - target: aarch64-unknown-linux-gnu
-          - target: i686-unknown-linux-gnu
-          - target: arm-unknown-linux-gnueabi
-          - target: armv7-unknown-linux-gnueabihf
+          - target: x86_64-unknown-linux-musl
+          - target: aarch64-unknown-linux-musl
+          - target: i686-unknown-linux-musl
+          - target: arm-unknown-linux-musleabi
+          - target: armv7-unknown-linux-musleabihf
           - target: x86_64-pc-windows-gnu
     steps:
       - uses: actions/checkout@v4
@@ -56,6 +56,8 @@ jobs:
   rust-darwin:
     name: macos-latest (${{ matrix.target }})
     runs-on: macos-latest
+    env:
+      MACOSX_DEPLOYMENT_TARGET: "11.0"
     strategy:
       fail-fast: false
       matrix:

diff --git a/.github/workflows/release_build_infisical_cli.yml b/.github/workflows/release_build_infisical_cli.yml
@@ -36,7 +36,11 @@ jobs:
   # parallel instead of serializing on ubuntu creating the draft.
   # Skipped on dry-run since --snapshot doesn't touch GitHub at all.
   create-release-draft:
-    if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && !inputs.dry_run)
+    if: |
+      always() &&
+      (needs.validate-tag-branch.result == 'success' || needs.validate-tag-branch.result == 'skipped') &&
+      needs.cli-tests.result == 'success' &&
+      (github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && !inputs.dry_run))
     needs:
       - validate-tag-branch
       - cli-tests
@@ -168,12 +172,22 @@ jobs:
           sudo apt-get install -y libssl1.0-dev
       - name: Install cross-compile toolchains for RDP tier
         run: |
-          sudo apt-get install -y \
-            gcc-aarch64-linux-gnu \
-            gcc-i686-linux-gnu \
-            gcc-arm-linux-gnueabi \
-            gcc-arm-linux-gnueabihf \
-            gcc-mingw-w64-x86-64
+          set -euo pipefail
+          sudo apt-get install -y gcc-mingw-w64-x86-64
+          MUSL_CROSS_TAG=20260430
+          sudo mkdir -p /opt/musl-cross
+          for triple in \
+            x86_64-unknown-linux-musl \
+            aarch64-unknown-linux-musl \
+            i686-unknown-linux-musl \
+            arm-unknown-linux-musleabi \
+            armv7-unknown-linux-musleabihf; do
+            curl --retry 5 --retry-delay 10 --retry-all-errors \
+                 --connect-timeout 30 --max-time 240 \
+                 -fsSL "https://github.com/cross-tools/musl-cross/releases/download/${MUSL_CROSS_TAG}/${triple}.tar.xz" \
+              | sudo tar -xJ -C /opt/musl-cross
+            echo "/opt/musl-cross/${triple}/bin" >> "$GITHUB_PATH"
+          done
       - name: Download RDP bridge static libs
         uses: actions/download-artifact@v4
         with:
@@ -183,49 +197,93 @@ jobs:
         run: |
           set -euo pipefail
           for triple in \
-            x86_64-unknown-linux-gnu \
-            aarch64-unknown-linux-gnu \
-            i686-unknown-linux-gnu \
-            arm-unknown-linux-gnueabi \
-            armv7-unknown-linux-gnueabihf \
+            x86_64-unknown-linux-musl \
+            aarch64-unknown-linux-musl \
+            i686-unknown-linux-musl \
+            arm-unknown-linux-musleabi \
+            armv7-unknown-linux-musleabihf \
             x86_64-pc-windows-gnu; do
             target_dir="packages/pam/handlers/rdp/native/target/$triple/release"
             mkdir -p "$target_dir"
             cp "/tmp/rdp-bridge-artifacts/rdp-bridge-$triple/libinfisical_rdp_bridge.a" "$target_dir/"
           done
-      - name: GoReleaser (dry-run snapshot)
-        if: github.event_name == 'workflow_dispatch' && inputs.dry_run
+      - name: GoReleaser (build, no publish)
         uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser-pro
           version: v1.26.2-pro
-          args: release --clean --snapshot --skip=publish
+          args: >-
+            release --clean --skip=publish,announce
+            ${{ (github.event_name == 'workflow_dispatch' && inputs.dry_run) && '--snapshot' || '' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
           POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-      - name: GoReleaser (release)
+      - name: Upload dry-run dist as workflow artifact
+        if: github.event_name == 'workflow_dispatch' && inputs.dry_run
+        uses: actions/upload-artifact@v4
+        with:
+          name: goreleaser-dist-linux
+          path: dist/
+          retention-days: 7
+      - name: Smoke test linux binary across supported distros
+        run: |
+          set -uo pipefail
+          fail=0
+          echo "::group::Static-link assertion (file)"
+          for d in dist/linux-*-rdp_linux_*; do
+            bin="$d/infisical"
+            [ -f "$bin" ] || continue
+            info=$(file "$bin")
+            echo "$info"
+            if ! echo "$info" | grep -q "statically linked"; then
+              echo "::error file=$bin::not statically linked"
+              fail=1
+            fi
+          done
+          echo "::endgroup::"
+
+          BIN=dist/linux-amd64-rdp_linux_amd64_v1/infisical
+          if [ ! -f "$BIN" ]; then
+            echo "::error::expected $BIN missing from dist/"
+            exit 1
+          fi
+          echo "::group::Smoke test linux-amd64 binary across distro floor"
+          for img in \
+              ubuntu:22.04 \
+              ubuntu:20.04 \
+              rockylinux:9 \
+              rockylinux:8 \
+              amazonlinux:2023 \
+              amazonlinux:2 \
+              alpine:3.19 \
+              gcr.io/distroless/static-debian12; do
+            echo "--- $img ---"
+            if ! docker run --rm --platform linux/amd64 \
+                    -v "$PWD/$BIN":/infisical:ro \
+                    "$img" /infisical --version; then
+              echo "::error::binary failed to run on $img"
+              fail=1
+            fi
+          done
+          echo "::endgroup::"
+
+          [ "$fail" -eq 0 ] || exit 1
+      - name: GoReleaser (publish)
         if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && !inputs.dry_run)
         uses: goreleaser/goreleaser-action@v4
         with:
           distribution: goreleaser-pro
           version: v1.26.2-pro
-          args: release --clean
+          args: release --skip=build,validate,before
         env:
           GITHUB_TOKEN: ${{ secrets.GO_RELEASER_GITHUB_TOKEN }}
           POSTHOG_API_KEY_FOR_CLI: ${{ secrets.POSTHOG_API_KEY_FOR_CLI }}
           FURY_TOKEN: ${{ secrets.FURYPUSHTOKEN }}
           AUR_KEY: ${{ secrets.AUR_KEY }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-      - name: Upload dry-run dist as workflow artifact
-        if: github.event_name == 'workflow_dispatch' && inputs.dry_run
-        uses: actions/upload-artifact@v4
-        with:
-          name: goreleaser-dist-linux
-          path: dist/
-          retention-days: 7
       - uses: actions/setup-python@v4
         with:
           python-version: "3.12"

diff --git a/.goreleaser-darwin.yaml b/.goreleaser-darwin.yaml
@@ -14,6 +14,7 @@ builds:
       - -tags=rdp
     env:
       - CGO_ENABLED=1
+      - MACOSX_DEPLOYMENT_TARGET=11.0
       - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/x86_64-apple-darwin/release'
     goos:
       - darwin
@@ -30,6 +31,7 @@ builds:
       - -tags=rdp
     env:
       - CGO_ENABLED=1
+      - MACOSX_DEPLOYMENT_TARGET=11.0
       - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/aarch64-apple-darwin/release'
     goos:
       - darwin

diff --git a/.goreleaser-windows.yaml b/.goreleaser-windows.yaml
@@ -13,6 +13,7 @@ builds:
     ldflags:
       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+      - -extldflags "-static"
     flags:
       - -trimpath
       - -tags=rdp

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -9,13 +9,14 @@ builds:
     ldflags:
       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+      - -extldflags "-static"
     flags:
       - -trimpath
-      - -tags=rdp
+      - -tags=rdp,osusergo,netgo
     env:
       - CGO_ENABLED=1
-      - CC=gcc
-      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/x86_64-unknown-linux-gnu/release'
+      - CC=x86_64-unknown-linux-musl-gcc
+      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/x86_64-unknown-linux-musl/release'
     goos:
       - linux
     goarch:
@@ -26,13 +27,14 @@ builds:
     ldflags:
       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+      - -extldflags "-static"
     flags:
       - -trimpath
-      - -tags=rdp
+      - -tags=rdp,osusergo,netgo
     env:
       - CGO_ENABLED=1
-      - CC=aarch64-linux-gnu-gcc
-      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/aarch64-unknown-linux-gnu/release'
+      - CC=aarch64-unknown-linux-musl-gcc
+      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/aarch64-unknown-linux-musl/release'
     goos:
       - linux
     goarch:
@@ -43,6 +45,7 @@ builds:
     ldflags:
       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+      - -extldflags "-static"
     flags:
       - -trimpath
       - -tags=rdp
@@ -61,13 +64,14 @@ builds:
     ldflags:
       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+      - -extldflags "-static"
     flags:
       - -trimpath
-      - -tags=rdp
+      - -tags=rdp,osusergo,netgo
     env:
       - CGO_ENABLED=1
-      - CC=i686-linux-gnu-gcc
-      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/i686-unknown-linux-gnu/release'
+      - CC=i686-unknown-linux-musl-gcc
+      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/i686-unknown-linux-musl/release'
     goos:
       - linux
     goarch:
@@ -78,13 +82,14 @@ builds:
     ldflags:
       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+      - -extldflags "-static"
     flags:
       - -trimpath
-      - -tags=rdp
+      - -tags=rdp,osusergo,netgo
     env:
       - CGO_ENABLED=1
-      - CC=arm-linux-gnueabi-gcc
-      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/arm-unknown-linux-gnueabi/release'
+      - CC=arm-unknown-linux-musleabi-gcc
+      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/arm-unknown-linux-musleabi/release'
     goos:
       - linux
     goarch:
@@ -97,13 +102,14 @@ builds:
     ldflags:
       - -X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION={{ .Version }}
       - -X github.com/Infisical/infisical-merge/packages/telemetry.POSTHOG_API_KEY_FOR_CLI={{ .Env.POSTHOG_API_KEY_FOR_CLI }}
+      - -extldflags "-static"
     flags:
       - -trimpath
-      - -tags=rdp
+      - -tags=rdp,osusergo,netgo
     env:
       - CGO_ENABLED=1
-      - CC=arm-linux-gnueabihf-gcc
-      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/armv7-unknown-linux-gnueabihf/release'
+      - CC=armv7-unknown-linux-musleabihf-gcc
+      - 'CGO_LDFLAGS=-L packages/pam/handlers/rdp/native/target/armv7-unknown-linux-musleabihf/release'
     goos:
       - linux
     goarch:

diff --git a/packages/pam/handlers/rdp/bridge.go b/packages/pam/handlers/rdp/bridge.go
@@ -15,3 +15,44 @@ type Bridge struct {
 	handle  uint64
 	cleanup func()
 }
+
+// EventType discriminates the variants in Event.
+type EventType uint8
+
+const (
+	EventTypeKeyboard    EventType = 1
+	EventTypeUnicode     EventType = 2
+	EventTypeMouse       EventType = 3
+	EventTypeTargetFrame EventType = 4
+)
+
+// Action identifies the RDP framing of a TargetFrame event.
+type Action uint8
+
+const (
+	ActionX224     Action = 0
+	ActionFastPath Action = 1
+)
+
+// Fields are reused across variants; switch on Type.
+type Event struct {
+	Type       EventType
+	ElapsedNs  uint64
+	Scancode   uint8
+	CodePoint  uint16
+	X          uint16
+	Y          uint16
+	Flags      uint32
+	WheelDelta int32
+	Action     Action
+	Payload    []byte
+}
+
+// PollResult discriminates PollEvent outcomes.
+type PollResult uint8
+
+const (
+	PollOK      PollResult = 0
+	PollTimeout PollResult = 1
+	PollEnded   PollResult = 2
+)