From dd89db7c232705ba3cfdcd72cb258287021220bd Mon Sep 17 00:00:00 2001 From: juangaitanv Date: Mon, 8 Jun 2026 11:27:35 +0200 Subject: [PATCH 1/2] Fix flaky Linux wheel CI by building maturin on the host. The manylinux Docker path downloads maturin via unauthenticated curl|tar, which fails when GitHub release CDN returns a truncated response. Co-authored-by: Cursor --- .github/workflows/release.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c4d8c03..ce08c70 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,6 +22,7 @@ jobs: linux-x86: runs-on: ${{ matrix.platform.runner }} strategy: + fail-fast: false matrix: platform: - runner: ubuntu-latest @@ -31,20 +32,19 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Install Linux build dependencies + run: | + sudo apt-get update -y + sudo apt-get install -y libssl-dev openssl pkg-config musl-tools - name: Build wheels uses: PyO3/maturin-action@v1 with: target: ${{ matrix.platform.target }} args: --release --out dist manylinux: auto - before-script-linux: | - # If we're running on rhel centos, install needed packages. - if command -v yum &> /dev/null; then - yum update -y && yum install -y perl-core openssl openssl-devel pkgconfig libatomic - else - # If we're running on debian-based system. - apt update -y && apt-get install -y libssl-dev openssl pkg-config musl-tools - fi + # Host build uses @actions/tool-cache (authenticated) for maturin downloads. + # manylinux Docker uses raw `curl | tar`, which flakes on partial CDN responses. + container: off - name: Upload wheels uses: actions/upload-artifact@v4 with: From d11a8440644f2b0dfc7f4758312c0f74bd65812a Mon Sep 17 00:00:00 2001 
From: juangaitanv Date: Mon, 8 Jun 2026 11:57:58 +0200 Subject: [PATCH 2/2] Keep manylinux Docker builds; harden maturin download instead. Revert container: off to preserve manylinux2014 wheel tags and i686 container toolchains. Mount a curl wrapper into the manylinux image so maturin release downloads use --fail/--retry, and assert wheel tags in CI. Co-authored-by: Cursor --- .github/workflows/release.yml | 47 ++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ce08c70..5e06920 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -32,19 +32,54 @@ jobs: steps: - uses: actions/checkout@v4 - - name: Install Linux build dependencies + - name: Prepare resilient maturin download for manylinux Docker run: | - sudo apt-get update -y - sudo apt-get install -y libssl-dev openssl pkg-config musl-tools + bin_dir="${RUNNER_TEMP}/maturin-docker-bin" + mkdir -p "$bin_dir" + cat > "$bin_dir/curl" <<'EOF' + #!/bin/bash + set -euo pipefail + if [[ " $* " == *" PyO3/maturin/releases "* ]]; then + exec /usr/bin/curl --fail --retry 5 --retry-delay 3 --retry-all-errors "$@" + fi + exec /usr/bin/curl "$@" + EOF + chmod +x "$bin_dir/curl" - name: Build wheels uses: PyO3/maturin-action@v1 with: target: ${{ matrix.platform.target }} args: --release --out dist manylinux: auto - # Host build uses @actions/tool-cache (authenticated) for maturin downloads. - # manylinux Docker uses raw `curl | tar`, which flakes on partial CDN responses. - container: off + docker-options: -v ${{ runner.temp }}/maturin-docker-bin/curl:/usr/local/bin/curl:ro + before-script-linux: | + # If we're running on rhel centos, install needed packages. + if command -v yum &> /dev/null; then + yum update -y && yum install -y perl-core openssl openssl-devel pkgconfig libatomic + else + # If we're running on debian-based system. + apt update -y && apt-get install -y libssl-dev openssl pkg-config musl-tools + fi + - name: Assert manylinux wheel compatibility tags + run: | + shopt -s nullglob + wheels=(dist/*.whl) + if ((${#wheels[@]} == 0)); then + echo "No wheels found in dist/" + exit 1 + fi + for wheel in "${wheels[@]}"; do + base=$(basename "$wheel") + if [[ "$base" == *manylinux_2_3[0-9]* ]]; then + echo "Wheel tag too new for broad Linux support: $base" + exit 1 + fi + if [[ ! "$base" =~ manylinux2014 ]]; then + echo "Expected manylinux2014 compatibility tag, got: $base" + exit 1 + fi + echo "OK: $base" + done - name: Upload wheels uses: actions/upload-artifact@v4 with:
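Review bot: In the "Prepare resilient maturin download" step, the wrapper's test `[[ " $* " == *" PyO3/maturin/releases "* ]]` has spaces inside the quoted pattern, so it only fires when some argument is exactly `PyO3/maturin/releases`. A release URL carries that text between slashes, so as written every call appears to fall through to plain `/usr/bin/curl` and the `--fail`/`--retry` flags are never applied. Dropping the padding, `if [[ "$*" == *"PyO3/maturin/releases"* ]]; then`, would match the URL argument. Once it does fire, confirm that the curl shipped in the manylinux image accepts `--retry-all-errors` (older curl builds reject options they do not know) and that the action's download pipeline, which is not visible in this hunk, propagates curl's exit status. Retries only address truncation; since this is the release workflow, checking the downloaded archive against a pinned checksum would also cover content that arrives complete but altered.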