From af1e919caa7ac68c13d0a6cc1db07cb714d70691 Mon Sep 17 00:00:00 2001
From: Scott Andrews <scott@andrews.me>
Date: Tue, 26 May 2026 11:36:05 -0400
Subject: [PATCH] Use glibc binary and runtime image

The musl memory allocator with rust is significantly slower.

Also pinning cargo-auditable version, with dependabot to manage updates.

Signed-off-by: Scott Andrews <scott@andrews.me>
---
 .github/dependabot.yml              |   6 +
 .github/workflows/publish.yaml      |   9 +-
 Dockerfile                          |   9 +-
 versions/cargo-auditable/Cargo.lock | 310 ++++++++++++++++++++++++++++
 versions/cargo-auditable/Cargo.toml |   8 +
 versions/cargo-auditable/src/lib.rs |   0
 6 files changed, 333 insertions(+), 9 deletions(-)
 create mode 100644 versions/cargo-auditable/Cargo.lock
 create mode 100644 versions/cargo-auditable/Cargo.toml
 create mode 100644 versions/cargo-auditable/src/lib.rs

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 353fe8f..28bdb37 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,6 +8,12 @@ updates:
   directory: "/"
   schedule:
     interval: daily
+- package-ecosystem: cargo
+  directory: "/versions/cargo-auditable"
+  allow:
+  - dependency-name: "cargo-auditable"
+  schedule:
+    interval: daily
 - package-ecosystem: cargo
   directory: "/versions/stable"
   allow:
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 78d4a74..b1d0301 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -56,6 +56,7 @@ jobs:
       base: ${{ steps.existing.outputs.base }}
       base-digest: ${{ steps.existing.outputs.base-digest }}
       wasmtime-commit-date: ${{ steps.existing.outputs.wasmtime-commit-date }}
+      cargo-auditable-version: ${{ steps.existing.outputs.cargo-auditable-version }}
     steps:
     - uses: actions/checkout@v6
     - name: Install crane
@@ -68,13 +69,17 @@ jobs:
         digest="$(crane digest "${{ env.image }}" || echo -n '')"
         echo "digest=${digest}" | tee -a "${GITHUB_OUTPUT}"
 
-        base="cgr.dev/chainguard/static:latest"
+        base="cgr.dev/chainguard/glibc-dynamic:latest"
         echo "base=${base}" | tee -a "${GITHUB_OUTPUT}"
         base_digest="$(crane digest "${base}")"
         echo "base-digest=${base_digest}" | tee -a "${GITHUB_OUTPUT}"
 
         wasmtime_commit_date="$(gh api "repos/bytecodealliance/wasmtime/commits/${{ inputs.wasmtime-git-sha }}" --template '{{.commit.committer.date}}')"
         echo "wasmtime-commit-date=${wasmtime_commit_date}" | tee -a "${GITHUB_OUTPUT}"
+
+        cargo_auditable_version="$(cd versions/cargo-auditable ; yq -p toml -oj -r '.package[] | select(.name == "cargo-auditable") | .version' Cargo.lock)"
+        echo "cargo-auditable-version=${cargo_auditable_version}" | tee -a "${GITHUB_OUTPUT}"
+
       env:
         GH_TOKEN: ${{ github.token }}
 
@@ -105,10 +110,10 @@ jobs:
         docker buildx build \
           --builder container \
           --output type=oci,dest="./wasmtime-${{ inputs.tag }}-${{ matrix.arch }}.tar" \
-          --platform "linux/${{ matrix.arch }}" \
           --build-arg "SOURCE_DATE_EPOCH=$(date -d "${{ needs.preflight.outputs.wasmtime-commit-date }}" +%s)" \
           --build-arg "wasmtime_crate=${{ inputs.wasmtime-crate }}" \
           --build-arg "wasmtime_git_rev=${{ inputs.wasmtime-git-sha }}" \
+          --build-arg "cargo_auditable_version=${{ needs.preflight.outputs.cargo-auditable-version }}" \
           --build-arg "from_base=${{ needs.preflight.outputs.base }}@${{ needs.preflight.outputs.base-digest }}" \
           --build-arg "from_build=rust:${{ inputs.rust-version }}" \
           --label org.opencontainers.image.authors="Bytecode Alliance <https://bytecodealliance.org>" \
diff --git a/Dockerfile b/Dockerfile
index 09688b3..5661f1d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,10 @@
 ARG from_build from_base
 FROM ${from_build} AS build
-ARG wasmtime_crate wasmtime_git_rev
+ARG wasmtime_crate wasmtime_git_rev cargo_auditable_version
 RUN \
-  apt-get update ; \
-  apt-get install gcc-$(arch | tr _ -)-linux-gnu musl-tools -y ; \
-  rustup target add $(arch)-unknown-linux-musl ; \
-  cargo install --locked cargo-auditable ; \
+  cargo install --locked "cargo-auditable@${cargo_auditable_version}" ; \
   if [ "${wasmtime_crate}" = "" ] ; then \
     cargo auditable install \
-      --target "$(arch)-unknown-linux-musl" \
       --git https://github.com/bytecodealliance/wasmtime.git \
       --rev "${wasmtime_git_rev}" \
       --locked \
@@ -16,7 +12,6 @@ RUN \
     ; \
   else \
     cargo auditable install \
-      --target "$(arch)-unknown-linux-musl" \
       --locked \
       wasmtime-cli@${wasmtime_crate} \
     ; \
diff --git a/versions/cargo-auditable/Cargo.lock b/versions/cargo-auditable/Cargo.lock
new file mode 100644
index 0000000..880967c
--- /dev/null
+++ b/versions/cargo-auditable/Cargo.lock
@@ -0,0 +1,310 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "adler2"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"
+
+[[package]]
+name = "auditable-serde"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d026218ae25ba5c72834245412dd1338f6d270d2c5109ee03a4badec288d4056"
+dependencies = [
+ "semver",
+ "serde",
+ "serde_json",
+ "topological-sort",
+]
+
+[[package]]
+name = "byteorder"
+version = "0.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0fc10e8cc6b2580fda3f36eb6dc5316657f812a3df879a44a66fc9f0fdbc4855"
+
+[[package]]
+name = "camino"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e629a66d692cb9ff1a1c664e41771b3dcaf961985a9774c0eb0bd1b51cf60a48"
+dependencies = [
+ "serde_core",
+]
+
+[[package]]
+name = "cargo-auditabl"
+version = "0.1.0"
+dependencies = [
+ "cargo-auditable",
+]
+
+[[package]]
+name = "cargo-auditable"
+version = "0.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c30906ad94da619129898d934bdaa6264e947a59d575e7e4c70194e95d4d633d"
+dependencies = [
+ "auditable-serde",
+ "cargo_metadata",
+ "miniz_oxide",
+ "object",
+ "pico-args",
+ "serde",
+ "serde_json",
+ "wasm-gen",
+]
+
+[[package]]
+name = "cargo-platform"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dd0061da739915fae12ea00e16397555ed4371a6bb285431aab930f61b0aa4ba"
+dependencies = [
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "cargo_metadata"
+version = "0.23.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef987d17b0a113becdd19d3d0022d04d7ef41f9efe4f3fb63ac44ba61df3ade9"
+dependencies = [
+ "camino",
+ "cargo-platform",
+ "semver",
+ "serde",
+ "serde_json",
+ "thiserror",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
+
+[[package]]
+name = "crc32fast"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9481c1c90cbf2ac953f07c8d4a58aa3945c425b7185c9154d67a65e4230da511"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "equivalent"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+
+[[package]]
+name = "foldhash"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
+
+[[package]]
+name = "hashbrown"
+version = "0.15.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
+dependencies = [
+ "foldhash",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.17.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a"
+
+[[package]]
+name = "indexmap"
+version = "2.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
+dependencies = [
+ "equivalent",
+ "hashbrown 0.17.1",
+]
+
+[[package]]
+name = "itoa"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682"
+
+[[package]]
+name = "leb128"
+version = "0.2.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6cc46bac87ef8093eed6f272babb833b6443374399985ac8ed28471ee0918545"
+
+[[package]]
+name = "memchr"
+version = "2.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
+
+[[package]]
+name = "miniz_oxide"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fa76a2c86f704bdb222d66965fb3d63269ce38518b83cb0575fca855ebb6316"
+dependencies = [
+ "adler2",
+]
+
+[[package]]
+name = "object"
+version = "0.37.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff76201f031d8863c38aa7f905eca4f53abbfa15f609db4277d44cd8938f33fe"
+dependencies = [
+ "crc32fast",
+ "hashbrown 0.15.5",
+ "indexmap",
+ "memchr",
+]
+
+[[package]]
+name = "pico-args"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315"
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "semver"
+version = "1.0.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
+dependencies = [
+ "serde",
+ "serde_core",
+]
+
+[[package]]
+name = "serde"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
+dependencies = [
+ "serde_core",
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_core"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.228"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.150"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e8014e44b4736ed0538adeecded0fce2a272f22dc9578a7eb6b2d9993c74cfb9"
+dependencies = [
+ "itoa",
+ "memchr",
+ "serde",
+ "serde_core",
+ "zmij",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.117"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "thiserror"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "2.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "topological-sort"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea68304e134ecd095ac6c3574494fc62b909f416c4fca77e440530221e549d3d"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
+
+[[package]]
+name = "wasm-gen"
+version = "0.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b854b1461005a7b3365742310f7faa3cac3add809d66928c64a40c7e9e842ebb"
+dependencies = [
+ "byteorder",
+ "leb128",
+]
+
+[[package]]
+name = "zmij"
+version = "1.0.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa"
diff --git a/versions/cargo-auditable/Cargo.toml b/versions/cargo-auditable/Cargo.toml
new file mode 100644
index 0000000..6fe88db
--- /dev/null
+++ b/versions/cargo-auditable/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "cargo-auditable-version"
+version = "0.1.0"
+edition = "2024"
+
+[dependencies]
+cargo-auditable = "=0.7.4"
+
diff --git a/versions/cargo-auditable/src/lib.rs b/versions/cargo-auditable/src/lib.rs
new file mode 100644
index 0000000..e69de29