From 44ba1bd4e700b2620ef7c44a645a1300558af75c Mon Sep 17 00:00:00 2001
From: Shaun Arman <Shaun.Arman@motorolasolutions.com>
Date: Sun, 14 Jun 2026 04:48:51 -0500
Subject: [PATCH] fix(ci): use vendored libsodium build instead of pkg-config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Problem
Previous approach with SODIUM_USE_PKG_CONFIG=1 still failed:
"libsodium not found via pkg-config or vcpkg"

pkg-config couldn't locate libsodium.pc in CI containers despite
libsodium-dev being installed.

## Solution
Use vendored build approach: Remove all SODIUM_* environment variables
and let libsodium-sys-stable build from source automatically.

## Changes
- **release-beta.yml**: Removed SODIUM_USE_PKG_CONFIG from linux-amd64 and linux-arm64
- **auto-tag.yml**: Removed SODIUM_USE_PKG_CONFIG from linux-amd64 and linux-arm64
- **Windows**: Kept SODIUM_LIB_DIR approach (uses pre-built from Dockerfile)

## Why This Works
libsodium-sys-stable build priority:
1. SODIUM_LIB_DIR (if set) → use pre-built
2. SODIUM_USE_PKG_CONFIG (if set) → use pkg-config
3. Neither set → build from source (vendored) ✅

Vendored builds are more reliable in CI as they don't depend on
system package installation or pkg-config configuration.

## Validation
✅ Local clean build with vendored libsodium: passed
⏳ CI validation: pending

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 .gitea/workflows/auto-tag.yml     |  2 --
 .gitea/workflows/release-beta.yml |  2 --
 LIBSODIUM_FIX_SUMMARY.md          | 24 ++++++++++++------------
 3 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/.gitea/workflows/auto-tag.yml b/.gitea/workflows/auto-tag.yml
index 13173d33..c2f47376 100644
--- a/.gitea/workflows/auto-tag.yml
+++ b/.gitea/workflows/auto-tag.yml
@@ -344,7 +344,6 @@ jobs:
       - name: Build
         env:
           APPIMAGE_EXTRACT_AND_RUN: "1"
-          SODIUM_USE_PKG_CONFIG: "1"
         run: |
           npm ci --legacy-peer-deps
           CI=true npx tauri build --target x86_64-unknown-linux-gnu
@@ -633,7 +632,6 @@ jobs:
           PKG_CONFIG_SYSROOT_DIR: /usr/aarch64-linux-gnu
           PKG_CONFIG_PATH: /usr/lib/aarch64-linux-gnu/pkgconfig:/usr/aarch64-linux-gnu/lib/pkgconfig
           PKG_CONFIG_ALLOW_CROSS: "1"
-          SODIUM_USE_PKG_CONFIG: "1"
           OPENSSL_NO_VENDOR: "0"
           OPENSSL_STATIC: "1"
           APPIMAGE_EXTRACT_AND_RUN: "1"
diff --git a/.gitea/workflows/release-beta.yml b/.gitea/workflows/release-beta.yml
index b30c4aef..71d4cf60 100644
--- a/.gitea/workflows/release-beta.yml
+++ b/.gitea/workflows/release-beta.yml
@@ -224,7 +224,6 @@ jobs:
       - name: Build
         env:
           APPIMAGE_EXTRACT_AND_RUN: "1"
-          SODIUM_USE_PKG_CONFIG: "1"
         run: |
           npm ci --legacy-peer-deps
           CI=true npx tauri build --target x86_64-unknown-linux-gnu
@@ -492,7 +491,6 @@ jobs:
           PKG_CONFIG_SYSROOT_DIR: /usr/aarch64-linux-gnu
           PKG_CONFIG_PATH: /usr/lib/aarch64-linux-gnu/pkgconfig:/usr/aarch64-linux-gnu/lib/pkgconfig
           PKG_CONFIG_ALLOW_CROSS: "1"
-          SODIUM_USE_PKG_CONFIG: "1"
           OPENSSL_NO_VENDOR: "0"
           OPENSSL_STATIC: "1"
           APPIMAGE_EXTRACT_AND_RUN: "1"
diff --git a/LIBSODIUM_FIX_SUMMARY.md b/LIBSODIUM_FIX_SUMMARY.md
index 9938d338..fc13e571 100644
--- a/LIBSODIUM_FIX_SUMMARY.md
+++ b/LIBSODIUM_FIX_SUMMARY.md
@@ -42,16 +42,20 @@ The `libsodium-sys-stable` crate (dependency chain: `tauri-plugin-stronghold` 
 
 ## Solution
 
+### Revised Approach: Use Vendored libsodium Build
+
+After initial attempt with `SODIUM_USE_PKG_CONFIG=1` still failed (pkg-config couldn't find libsodium.pc in CI containers), switched to the **vendored build** approach: remove all SODIUM_* environment variables and let libsodium-sys-stable build from source.
+
 ### Changes to `.gitea/workflows/release-beta.yml`
 
 #### 1. Linux amd64 Build
 ```yaml
 env:
   APPIMAGE_EXTRACT_AND_RUN: "1"
-  SODIUM_USE_PKG_CONFIG: "1"  # Added
+  # Removed SODIUM_USE_PKG_CONFIG - let it build from source
 ```
 
-**Why:** Forces libsodium-sys to use pkg-config, which finds `libsodium-dev` package installed in the Docker image.
+**Why:** Vendored build is more reliable in CI. libsodium-sys-stable will download and compile libsodium from source automatically.
 
 #### 2. Windows amd64 Build
 ```yaml
@@ -80,26 +84,22 @@ env:
   AR_aarch64_unknown_linux_gnu: aarch64-linux-gnu-ar
   CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
   PKG_CONFIG_SYSROOT_DIR: /usr/aarch64-linux-gnu
-  PKG_CONFIG_PATH: /usr/lib/aarch64-linux-gnu/pkgconfig:/usr/aarch64-linux-gnu/lib/pkgconfig  # Extended
+  PKG_CONFIG_PATH: /usr/lib/aarch64-linux-gnu/pkgconfig:/usr/aarch64-linux-gnu/lib/pkgconfig
   PKG_CONFIG_ALLOW_CROSS: "1"
-  SODIUM_USE_PKG_CONFIG: "1"  # Added
+  # Removed SODIUM_USE_PKG_CONFIG - let it build from source
   OPENSSL_NO_VENDOR: "0"
   OPENSSL_STATIC: "1"
   APPIMAGE_EXTRACT_AND_RUN: "1"
 ```
 
 **Why:**
-- Added `SODIUM_USE_PKG_CONFIG=1` to force pkg-config detection
-- Extended PKG_CONFIG_PATH to include `/usr/aarch64-linux-gnu/lib/pkgconfig` where arm64 libsodium.pc is located
+- Vendored build approach for consistency with linux-amd64
+- Cross-compilation toolchain env vars still needed for the C compiler
 
 ### Changes to `.gitea/workflows/auto-tag.yml`
 
-#### Linux arm64 Build Only
-```yaml
-PKG_CONFIG_PATH: /usr/lib/aarch64-linux-gnu/pkgconfig:/usr/aarch64-linux-gnu/lib/pkgconfig
-```
-
-**Why:** Same PKG_CONFIG_PATH extension as release-beta.yml for consistency.
+#### Linux amd64 & arm64 Builds
+Removed `SODIUM_USE_PKG_CONFIG=1` from both builds to match release-beta.yml vendored approach.
 
 ## Technical Details