diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 985e9a1..f35d402 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,21 @@
 name: build
 
-on: [push, pull_request]
+on:
+  push:
+    branches: main
+    paths-ignore:
+      - '**.md'
+      - '**.rst'
+      - '**.txt'
+  pull_request:
+    branches: main
+    paths-ignore:
+      - '**.md'
+      - '**.rst'
+      - '**.txt'
+  release:
+    types: [published]
+  workflow_dispatch:
 
 jobs:
   build:
@@ -11,7 +26,7 @@ jobs:
         include:
           - os: macos-14
             arch: arm64
-          - os: macos-13
+          - os: macos-15
             arch: x86_64
           - os: ubuntu-24.04-arm
             arch: aarch64
@@ -26,8 +41,8 @@ jobs:
           - os: windows-11-arm
             arch: ARM64
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
         with:
           python-version: 3.11
       - name: Install nasm
@@ -45,7 +60,61 @@ jobs:
           cibuildwheel --output-dir output
           rm output/*.whl
       - name: Upload OpenSSL
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: output-${{ matrix.os }}-${{ matrix.arch }}
           path: output/
+
+  cross-build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        build: [ "manylinux_", "musllinux_" ]
+        # arch: [ "loongarch64", "ppc64le", "riscv64", "s390x" ]
+        arch: [ "ppc64le" ]
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-python@v6
+        with:
+          python-version: "3.11"
+      - uses: docker/setup-qemu-action@v4
+      - name: Build OpenSSL
+        env:
+          CIBW_ARCHS: ${{ matrix.arch }}
+          CIBW_BEFORE_ALL_LINUX: ./scripts/install-static-clang.sh
+          CIBW_BEFORE_BUILD_LINUX: python scripts/build-openssl.py /tmp/vendor
+          CIBW_BUILD: cp39-${{ matrix.build }}${{ matrix.arch }}
+          CIBW_ENVIRONMENT_LINUX: >
+            CC="/opt/clang/bin/clang"
+            CXX="/opt/clang/bin/clang++"
+            LDFLAGS="-fuse-ld=lld"
+          CIBW_ENVIRONMENT_PASS_LINUX: RUNNER_ARCH
+          CIBW_TEST_COMMAND: python -c "import dummy"
+        run: |
+          pip install cibuildwheel
+          cibuildwheel --output-dir output
+          rm output/*.whl
+      - name: Upload OpenSSL
+        uses: actions/upload-artifact@v6
+        with:
+          name: output-${{ matrix.build }}${{ matrix.arch }}
+          path: output/
+
+  upload-release:
+    if: github.event_name == 'release'
+    needs: [build, cross-build]
+    runs-on: ubuntu-slim
+    permissions:
+      contents: write
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v6
+        with:
+          path: artifacts/
+          pattern: output-*
+          merge-multiple: true
+      - name: Upload to release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: artifacts/*.tar.gz
\ No newline at end of file
diff --git a/scripts/install-static-clang.sh b/scripts/install-static-clang.sh
new file mode 100755
index 0000000..f1117be
--- /dev/null
+++ b/scripts/install-static-clang.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Stop at any error, show all commands
+set -exuo pipefail
+
+TOOLCHAIN_PATH=/opt/clang
+
+# Download static-clang
+DEFAULT_ARCH="$(uname -m)"
+if [ "${STATIC_CLANG_ARCH:-}" == "" ]; then
+	STATIC_CLANG_ARCH="${RUNNER_ARCH:-${DEFAULT_ARCH}}"
+fi
+case "${STATIC_CLANG_ARCH}" in
+	ARM64|aarch64|arm64|arm64/*) GO_ARCH=arm64;;
+	ARM|armv7l|armv8l|arm|arm/v7) GO_ARCH=arm;;  # assume arm/v7 for arm
+	X64|x86_64|amd64|amd64/*) GO_ARCH=amd64;;
+	X86|i686|386) GO_ARCH=386;;
+	loongarch64) GO_ARCH=loong64;;
+	ppc64le) GO_ARCH=ppc64le;;
+	riscv64) GO_ARCH=riscv64;;
+	s390x) GO_ARCH=s390x;;
+	*) echo "No static-clang toolchain for ${CLANG_ARCH}">2; exit 1;;
+esac
+STATIC_CLANG_VERSION=21.1.8.1
+STATIC_CLANG_FILENAME="static-clang-linux-${GO_ARCH}.tar.xz"
+STATIC_CLANG_URL="https://github.com/mayeut/static-clang-images/releases/download/v${STATIC_CLANG_VERSION}/${STATIC_CLANG_FILENAME}"
+pushd /tmp
+cat<<'EOF' | grep "${STATIC_CLANG_FILENAME}" > "${STATIC_CLANG_FILENAME}.sha256"
+583980309e73fa753c0791e05deceac7cb06c5444956d61189f1d651941bcd8e  static-clang-linux-386.tar.xz
+f539f1fd24bcc07ecc220594022907865914236540091fbf189cb496a9a3751c  static-clang-linux-amd64.tar.xz
+d0c8b7fac4734cc8048fda3b1f33ccdf24d26f81a52df53348e5fa84ab4b203a  static-clang-linux-arm.tar.xz
+57fb9cf798b3a2c4b0f3c31c0b7fe3803b5319d2af075407e1aef0cd57882f65  static-clang-linux-arm64.tar.xz
+5a2b296e9030d0320d9e4eac8859e5db0504cf1d4169981af233cb339292fa4c  static-clang-linux-loong64.tar.xz
+c8541b2d36f0fd8f13ddabe1292b6fb7550a742e76e0f1f70fb29fcee073be4a  static-clang-linux-ppc64le.tar.xz
+b311137f955b55139b02e8c1d7ec259628404a0563d136df7a817a33784bd2bf  static-clang-linux-riscv64.tar.xz
+de74fd8e5de244d36398684b2afa67add2311df6ccfa24f3c08a1d777ca814fa  static-clang-linux-s390x.tar.xz
+EOF
+curl -fsSLO "${STATIC_CLANG_URL}"
+sha256sum -c "${STATIC_CLANG_FILENAME}.sha256"
+tar -C /opt -xf "${STATIC_CLANG_FILENAME}"
+popd
+
+# configure target triple
+case "${AUDITWHEEL_POLICY}-${AUDITWHEEL_ARCH}" in
+	manylinux*-armv7l) TARGET_TRIPLE=armv7-unknown-linux-gnueabihf;;
+	musllinux*-armv7l) TARGET_TRIPLE=armv7-alpine-linux-musleabihf;;
+	manylinux*-ppc64le) TARGET_TRIPLE=powerpc64le-unknown-linux-gnu;;
+	musllinux*-ppc64le) TARGET_TRIPLE=powerpc64le-alpine-linux-musl;;
+	manylinux*-*) TARGET_TRIPLE=${AUDITWHEEL_ARCH}-unknown-linux-gnu;;
+	musllinux*-*) TARGET_TRIPLE=${AUDITWHEEL_ARCH}-alpine-linux-musl;;
+esac
+case "${AUDITWHEEL_POLICY}-${AUDITWHEEL_ARCH}" in
+	*-riscv64) M_ARCH="-march=rv64gc";;
+	*-x86_64) M_ARCH="-march=x86-64";;
+	*-armv7l) M_ARCH="-march=armv7a";;
+	manylinux*-i686) M_ARCH="-march=k8 -mtune=generic";;  # same as gcc manylinux2014 / manylinux_2_28
+	musllinux*-i686) M_ARCH="-march=pentium-m -mtune=generic";;  # same as gcc musllinux_1_2
+esac
+GCC_TRIPLE=$(gcc -dumpmachine)
+
+cat<<EOF >"${TOOLCHAIN_PATH}/bin/${AUDITWHEEL_PLAT}.cfg"
+	-target ${TARGET_TRIPLE}
+	${M_ARCH:-}
+	--gcc-toolchain=${DEVTOOLSET_ROOTPATH:-}/usr
+	--gcc-triple=${GCC_TRIPLE}
+EOF
+
+cat<<EOF >"${TOOLCHAIN_PATH}/bin/clang.cfg"
+	@${AUDITWHEEL_PLAT}.cfg
+EOF
+
+cat<<EOF >"${TOOLCHAIN_PATH}/bin/clang++.cfg"
+	@${AUDITWHEEL_PLAT}.cfg
+EOF
+
+cat<<EOF >"${TOOLCHAIN_PATH}/bin/clang-cpp.cfg"
+	@${AUDITWHEEL_PLAT}.cfg
+EOF
+
+# override entrypoint to add the toolchain to PATH
+mv /usr/local/bin/manylinux-entrypoint /usr/local/bin/manylinux-entrypoint-org
+cat<<EOF >/usr/local/bin/manylinux-entrypoint
+#!/bin/bash
+
+set -eu
+
+export PATH="${TOOLCHAIN_PATH}/bin:\${PATH}"
+exec /usr/local/bin/manylinux-entrypoint-org "\$@"
+EOF
+
+chmod +x /usr/local/bin/manylinux-entrypoint