From 87cc2d27b07673daf349bfe980d930d10a0b4053 Mon Sep 17 00:00:00 2001
From: Hermes Agent <hermes-agent@local>
Date: Thu, 7 May 2026 23:11:33 +0000
Subject: [PATCH] fix: enforce real static build and use job token for releases

---
 .gitea/workflows/iperf3.yml | 2 +-
 scripts/build_iperf3.sh     | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/iperf3.yml b/.gitea/workflows/iperf3.yml
index b066abf..7c0fa64 100644
--- a/.gitea/workflows/iperf3.yml
+++ b/.gitea/workflows/iperf3.yml
@@ -55,7 +55,7 @@ jobs:
       - name: Publish release assets
         shell: sh
         env:
-          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GITEA_TOKEN: ${{ gitea.token }}
           GITEA_API_URL: ${{ gitea.api_url }}
           REPO_OWNER: ${{ gitea.repository_owner }}
           REPO_NAME: static-musl-builds
diff --git a/scripts/build_iperf3.sh b/scripts/build_iperf3.sh
index e604dde..b53e942 100755
--- a/scripts/build_iperf3.sh
+++ b/scripts/build_iperf3.sh
@@ -26,9 +26,9 @@ curl -fsSLO "https://downloads.es.net/pub/iperf/iperf-${VERSION}.tar.gz"
 tar -xzf "iperf-${VERSION}.tar.gz"
 cd "iperf-${VERSION}"
 
-export CFLAGS="-O2 -static"
+export CFLAGS="-O2 -static -fno-pie"
 export CPPFLAGS=""
-export LDFLAGS="-static"
+export LDFLAGS="-static -no-pie"
 
 ./configure \
   --disable-shared \
@@ -47,3 +47,8 @@ install -m 0755 src/iperf3 "$OUTPUT_DIR/$PREFIX_NAME"
 
 file "$OUTPUT_DIR/$PREFIX_NAME"
 ldd "$OUTPUT_DIR/$PREFIX_NAME" || true
+
+if file "$OUTPUT_DIR/$PREFIX_NAME" | grep -qi 'dynamically linked'; then
+  echo "error: output binary is still dynamically linked" >&2
+  exit 1
+fi