fix: package fleet-server using golang-crossbuild

[pkoutsovasilis]

What is the problem this PR solves?

The fleet-server binary was previously built directly on VM runners instead of using a controlled environment such as golang-crossbuild.
This caused the binary to be dynamically linked against the host system’s GLIBC, introducing higher GLIBC requirements (≥ 2.32) than those declared in the Elastic OS support matrix (≥ 2.17).

Note that, even if the build configuration used CGO_ENABLED=0 (which didn't before this PR) together with -buildmode=pie, on Linux, this combination still produces a dynamically linked binary because pie relies on the dynamic loader (e.g. /lib/ld-linux-aarch64.so.1 on arm64).

How does this PR solve the problem?

• Switches builds for all packaging steps to run inside golang-crossbuild images (via mage docker:release), avoiding linkage against host GLIBC.
• Forces CGO_ENABLED=0 across builds (except for FIPS variants, which require CGO).
• Removes -buildmode=pie so that binaries are fully static, with no interpreter requirement.
• Updates Buildkite pipelines to:
  • Add explicit packaging steps for x86_64 and arm64 (including FIPS variants).
  • Save packaging artifacts (build/distributions/**) for DRA validation and debugging.
• Fixes an issue with mage docker:image when compiling FIPS variants.

As a result, Fleet Server binaries are now fully static and do not have a GLIBC requirement, restoring compatibility with Amazon Linux 2 and other supported distributions.

For example, you can download the Linux packaging artifacts from the CI steps introduced in this PR:

• https://buildkite.com/elastic/fleet-server/builds/10236#0199110e-b2cf-46d8-8360-aee228303572
• https://buildkite.com/elastic/fleet-server/builds/10236#0199110e-b2d1-4770-9f03-7e6d9ab5a2d8

Running file against them after extraction shows static binaries:

$ file ~/Downloads/fleet-server-9.2.0-linux-arm64/fleet-server
/Users/pkoutsovasilis/Downloads/fleet-server-9.2.0-linux-arm64/fleet-server: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, BuildID[sha1]=22095f2a8f3da7f6271dd858dcc13fe86e19acf2, stripped

$ file ~/Downloads/fleet-server-9.2.0-linux-x86_64/fleet-server
/Users/pkoutsovasilis/Downloads/fleet-server-9.2.0-linux-x86_64/fleet-server: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=f9a203f5c78161f88d9e10be1bf5863f970adcac, stripped

How to test this PR locally

mage docker:binary
docker run --rm -it --entrypoint /app/fleet-server -v $PWD/build/binaries/fleet-server-9.2.0-linux-arm64:/app amazonlinux:2 --version

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool

Related issues

• Closes Fleet Server binary requires GLIBC ≥ 2.32, breaking compatibility with Amazon Linux 2 #5262
• Depends on [8.18] backport #4912 #4985 #5000 #5075 #5397
• Depends on [9.0](backport #4912) Convert Makefile to magefile.go #5395

[prodsecmachine]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarQube

[github-actions]

@Mergifyio backport 8.18 8.19 9.0 9.1

[mergify]

backport 8.18 8.19 9.0 9.1

✅ Backports have been created

Details

• #5427 [8.18](backport #5392) fix: package fleet-server using golang-crossbuild has been created for branch 8.18 but encountered conflicts
• #5428 [8.19](backport #5392) fix: package fleet-server using golang-crossbuild has been created for branch 8.19
• #5429 [9.0](backport #5392) fix: package fleet-server using golang-crossbuild has been created for branch 9.0 but encountered conflicts
• #5430 [9.1](backport #5392) fix: package fleet-server using golang-crossbuild has been created for branch 9.1