From ad60f88dda7758ddd4ba43b2044de0d968f89837 Mon Sep 17 00:00:00 2001 From: Torsten Raudssus Date: Mon, 22 Jun 2026 18:00:07 +0200 Subject: [PATCH 1/2] Docker: link system libffi instead of fetching from GitHub MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Alien::FFI in share mode (the global ALIEN_INSTALL_TYPE=share) fetches a libffi tarball from a GitHub release page to build it from source. That download is fragile and rate-limited — Alien::Build itself warns the release-page download negotiator "will typically not work" — and it broke the Docker image build intermittently in CI (identical Alien-FFI-0.27 / FFI-Platypus-2.11 succeeded ~16h earlier, then failed with no code change). Install Alien::FFI up front with ALIEN_INSTALL_TYPE=system against the packaged libffi (apt libffi-dev), so it links the system library and never touches GitHub. The libgit2 vendoring (share build) is left untouched, so the runtime stays self-contained; libffi8 is added to the runtime image for the now-dynamically-linked FFI::Platypus. Verified end-to-end with a multi-stage build mirroring the Dockerfile: Alien::FFI links system libffi (no fetch), libgit2 still vendors, and the runtime loads Git::Native + FFI::Platypus + libgit2 + libffi cleanly. Co-Authored-By: Claude Opus 4.8 (1M context) --- Changes | 8 ++++++++ Dockerfile | 16 ++++++++++++---- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/Changes b/Changes index ceb93d6..21ea24d 100644 --- a/Changes +++ b/Changes 
@@ -1,5 +1,13 @@ {{$NEXT}} + - Docker: build Alien::FFI against the system libffi (apt libffi-dev) instead + of fetching a libffi tarball from a GitHub release page, which broke the + image build intermittently in CI (Alien::Build itself warns the + release-page download negotiator "will typically not work"). The runtime + image now ships libffi8 for the dynamically linked FFI::Platypus. The + vendored libgit2 (share) build is unchanged, so the runtime stays + self-contained. + 0.302 2026-06-21 23:04:42Z - `karr board` now renders a compact, Markdown-flavoured plaintext board diff --git a/Dockerfile b/Dockerfile index fc21d85..228236c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,11 +2,18 @@ FROM perl:5.40-slim AS builder RUN apt-get update && apt-get install -y --no-install-recommends \ build-essential cmake pkg-config \ - libssl-dev zlib1g-dev libssh2-1-dev git \ + libssl-dev zlib1g-dev libssh2-1-dev libffi-dev git \ && rm -rf /var/lib/apt/lists/* COPY . /tmp/karr-src +# Install Alien::FFI against the system libffi (libffi-dev above) up front, so it +# links the packaged libffi.so instead of fetching a libffi tarball from a GitHub +# release page — that download is fragile and rate-limited (Alien::Build itself +# warns the release-page negotiator "will typically not work"), and it is what +# broke CI builds intermittently. +RUN ALIEN_INSTALL_TYPE=system cpanm --notest Alien::FFI + # Force Alien::Libgit2 to vendor libgit2 (share build) so the runtime image is # self-contained — the slim runtime has no system libgit2 to dynamically link. ENV ALIEN_INSTALL_TYPE=share 
@@ -17,11 +24,12 @@ RUN cpanm --notest --installdeps /tmp/karr-src \ FROM perl:5.40-slim AS runtime-base -# git + runtime shared libs the vendored libgit2.so links against -# (OpenSSL for HTTPS, libssh2 for SSH, zlib for compression). +# git + runtime shared libs: the vendored libgit2.so links against OpenSSL +# (HTTPS), libssh2 (SSH) and zlib (compression); FFI::Platypus now links the +# system libffi (see builder stage), so libffi8 must be present at runtime too. RUN apt-get update && apt-get install -y --no-install-recommends \ git gosu passwd \ - libssl3 libssh2-1 zlib1g \ + libssl3 libssh2-1 zlib1g libffi8 \ && rm -rf /var/lib/apt/lists/* COPY --from=builder /usr/local/lib/perl5/site_perl/ /usr/local/lib/perl5/site_perl/ From 0e5b27dbbf9389855a5f49ad2def2958c88b13e8 Mon Sep 17 00:00:00 2001 From: Torsten Raudssus Date: Mon, 22 Jun 2026 19:05:04 +0200 Subject: [PATCH 2/2] ci: match slashed branch names on push (['*'] -> ['**']) A push trigger with branches: ['*'] only matches single-segment branch names; a branch like fix/foo (with a slash) never fires the push event, so feature branches silently get no on-push CI. ['**'] matches across slashes. pull_request already covered PRs; this fixes direct branch pushes too. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9927f0e..71ccd60 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,7 +1,7 @@ name: ci on: push: - branches: ['*'] + branches: ['**'] tags-ignore: ['*'] pull_request: jobs:
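Review bot: In the Dockerfile builder hunk (`@@ -2,11 +2,18 @@`), nothing asserts that Alien::FFI really ended up as a system install, and the very next instruction sets `ENV ALIEN_INSTALL_TYPE=share` for the `cpanm --notest --installdeps` step. If that later step ever reinstalls or upgrades Alien::FFI, the build silently goes back to the GitHub tarball download and the runtime's libffi8 assumption no longer describes what was built. Consider failing the build explicitly after the installdeps step, for example `RUN perl -MAlien::FFI -e 'exit(Alien::FFI->install_type eq "system" ? 0 : 1)'`. Separately, the new `RUN` sits after `COPY . /tmp/karr-src`, so its layer is rebuilt (and Alien::FFI re-fetched from CPAN, unpinned and with `--notest`) on every source change; moving it above the `COPY` keeps it cached, and pinning the version would make the build reproducible.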
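Review bot: In the Dockerfile runtime hunk (`@@ -17,11 +24,12 @@`), the package name `libffi8` hard-codes a library soname while both stages use the floating tag `FROM perl:5.40-slim`, and there is no load check in the image itself. The commit message says the result was verified by hand, but if the base image moves to a release whose `libffi-dev` provides a different soname, the builder will link against it and the runtime install will either fail or ship a library FFI::Platypus cannot load. A smoke test in the runtime stage after the `COPY --from=builder` lines, such as `RUN perl -MFFI::Platypus -e1`, would catch that at build time; pinning the base image by digest would keep the two stages from drifting.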
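Review bot: In the `.github/workflows/ci.yml` hunk, `tags-ignore: ['*']` on the line below the changed one keeps the single-segment pattern that this commit fixes for branches. By the rule the commit message gives, a tag containing a slash is not matched by `*`, so it is not ignored and a push of such a tag would run the workflow. If the intent is to ignore all tags, change it to `tags-ignore: ['**']` in the same commit. Also note that with `branches: ['**']` and `pull_request:` both active, a push to a branch that has an open PR now triggers two runs; if that is not wanted, a `concurrency` group or a narrower push filter would avoid the duplicate.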