
Commit 92e71d4

feat(release): add Debian package publishing
Signed-off-by: Drew Newberry <anewberry@nvidia.com>
1 parent 2472474 commit 92e71d4

15 files changed

Lines changed: 849 additions & 22 deletions


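--- a/.github/workflows/deb-package.yml
+++ b/.github/workflows/deb-package.yml
@@ -0,0 +1,331 @@
+name: Debian Package
+
+on:
+  workflow_call:
+    inputs:
+      cargo-version:
+        required: true
+        type: string
+      deb-version:
+        required: true
+        type: string
+      image-tag:
+        required: true
+        type: string
+      checkout-ref:
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  download-kernel-runtime:
+    name: Download Kernel Runtime
+    runs-on: build-amd64
+    timeout-minutes: 10
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs['checkout-ref'] }}
+
+      - name: Download Linux runtime tarballs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          mkdir -p runtime-artifacts
+
+          for platform in linux-aarch64 linux-x86_64; do
+            asset="vm-runtime-${platform}.tar.zst"
+            echo "Downloading ${asset}..."
+            asset_url=$(curl -fsSL \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${GH_TOKEN}" \
+              "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/vm-dev" \
+              | jq -r --arg asset "$asset" '.assets[] | select(.name == $asset) | .browser_download_url' \
+              | head -n1)
+            if [ -z "$asset_url" ]; then
+              echo "::error::No ${asset} asset found on vm-dev release"
+              exit 1
+            fi
+            curl -fL -o "runtime-artifacts/${asset}" "$asset_url"
+          done
+
+          ls -lah runtime-artifacts/
+
+      - name: Verify downloads
+        run: |
+          set -euo pipefail
+          for platform in linux-aarch64 linux-x86_64; do
+            test -f "runtime-artifacts/vm-runtime-${platform}.tar.zst"
+          done
+
+      - name: Upload as workflow artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: deb-kernel-runtime-tarballs
+          path: runtime-artifacts/vm-runtime-*.tar.zst
+          retention-days: 1
+
+  build-rootfs:
+    name: Build Rootfs (${{ matrix.arch }})
+    needs: [download-kernel-runtime]
+    strategy:
+      matrix:
+        include:
+          - arch: arm64
+            runner: build-arm64
+            guest_arch: aarch64
+          - arch: amd64
+            runner: build-amd64
+            guest_arch: x86_64
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+      options: --privileged
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+    env:
+      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs['checkout-ref'] }}
+
+      - name: Mark workspace safe for git
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: Install tools
+        run: mise install --locked
+
+      - name: Install zstd
+        run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
+
+      - name: Build base rootfs tarball
+        run: |
+          set -euo pipefail
+          crates/openshell-vm/scripts/build-rootfs.sh \
+            --base \
+            --arch ${{ matrix.guest_arch }} \
+            target/rootfs-build
+
+          mkdir -p target/vm-runtime-compressed
+          tar -C target/rootfs-build -cf - . \
+            | zstd -19 -T0 -o target/vm-runtime-compressed/rootfs.tar.zst
+
+      - name: Upload rootfs artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: deb-rootfs-${{ matrix.arch }}
+          path: target/vm-runtime-compressed/rootfs.tar.zst
+          retention-days: 1
+
+  build-driver-vm-linux:
+    name: Build Driver VM (Linux ${{ matrix.arch }})
+    needs: [download-kernel-runtime, build-rootfs]
+    strategy:
+      matrix:
+        include:
+          - arch: arm64
+            runner: build-arm64
+            target: aarch64-unknown-linux-gnu
+            platform: linux-aarch64
+          - arch: amd64
+            runner: build-amd64
+            target: x86_64-unknown-linux-gnu
+            platform: linux-x86_64
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 30
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+      options: --privileged
+    env:
+      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      SCCACHE_MEMCACHED_ENDPOINT: ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
+      OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs['checkout-ref'] }}
+          fetch-depth: 0
+
+      - name: Mark workspace safe for git
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Fetch tags
+        run: git fetch --tags --force
+
+      - name: Install tools
+        run: mise install --locked
+
+      - name: Cache Rust target and registry
+        uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
+        with:
+          shared-key: deb-driver-vm-linux-${{ matrix.arch }}
+          cache-directories: .cache/sccache
+          cache-targets: "true"
+
+      - name: Install zstd
+        run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
+
+      - name: Download kernel runtime tarball
+        uses: actions/download-artifact@v4
+        with:
+          name: deb-kernel-runtime-tarballs
+          path: runtime-download/
+
+      - name: Download rootfs tarball
+        uses: actions/download-artifact@v4
+        with:
+          name: deb-rootfs-${{ matrix.arch }}
+          path: rootfs-download/
+
+      - name: Stage compressed runtime for embedding
+        run: |
+          set -euo pipefail
+          COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed"
+          mkdir -p "$COMPRESSED_DIR"
+
+          EXTRACT_DIR=$(mktemp -d)
+          zstd -d "runtime-download/vm-runtime-${{ matrix.platform }}.tar.zst" --stdout \
+            | tar -xf - -C "$EXTRACT_DIR"
+
+          for file in "$EXTRACT_DIR"/*; do
+            [ -f "$file" ] || continue
+            name=$(basename "$file")
+            [ "$name" = "provenance.json" ] && continue
+            zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
+          done
+
+          cp rootfs-download/rootfs.tar.zst "${COMPRESSED_DIR}/rootfs.tar.zst"
+          ls -lah "$COMPRESSED_DIR"
+
+      - name: Scope workspace to driver-vm crates
+        run: |
+          set -euo pipefail
+          sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-driver-vm", "crates/openshell-core"]|' Cargo.toml
+
+      - name: Patch workspace version
+        if: ${{ inputs['cargo-version'] != '' }}
+        run: |
+          set -euo pipefail
+          sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ inputs['cargo-version'] }}"'"/}' Cargo.toml
+
+      - name: Build openshell-driver-vm
+        run: |
+          set -euo pipefail
+          OPENSHELL_VM_RUNTIME_COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed" \
+            mise x -- cargo build --release -p openshell-driver-vm
+
+      - name: sccache stats
+        if: always()
+        run: mise x -- sccache --show-stats
+
+      - name: Package binary
+        run: |
+          set -euo pipefail
+          mkdir -p artifacts
+          tar -czf "artifacts/openshell-driver-vm-${{ matrix.target }}.tar.gz" \
+            -C target/release openshell-driver-vm
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: driver-vm-linux-${{ matrix.arch }}
+          path: artifacts/*.tar.gz
+          retention-days: 5
+
+  build-deb-linux:
+    name: Build Debian Package (Linux ${{ matrix.arch }})
+    needs: [build-driver-vm-linux]
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+            runner: build-amd64
+            deb_arch: amd64
+            cli_target: x86_64-unknown-linux-musl
+            gnu_target: x86_64-unknown-linux-gnu
+          - arch: arm64
+            runner: build-arm64
+            deb_arch: arm64
+            cli_target: aarch64-unknown-linux-musl
+            gnu_target: aarch64-unknown-linux-gnu
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 20
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs['checkout-ref'] }}
+
+      - name: Download CLI artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: cli-linux-${{ matrix.arch }}
+          path: package-input/
+
+      - name: Download gateway artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: gateway-binary-linux-${{ matrix.arch }}
+          path: package-input/
+
+      - name: Download VM driver artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: driver-vm-linux-${{ matrix.arch }}
+          path: package-input/
+
+      - name: Extract package inputs
+        run: |
+          set -euo pipefail
+          mkdir -p package-binaries
+          tar -xzf "package-input/openshell-${{ matrix.cli_target }}.tar.gz" -C package-binaries
+          tar -xzf "package-input/openshell-gateway-${{ matrix.gnu_target }}.tar.gz" -C package-binaries
+          tar -xzf "package-input/openshell-driver-vm-${{ matrix.gnu_target }}.tar.gz" -C package-binaries
+          ls -lah package-binaries
+
+      - name: Build Debian package
+        run: |
+          set -euo pipefail
+          OPENSHELL_CLI_BINARY="${PWD}/package-binaries/openshell" \
+          OPENSHELL_GATEWAY_BINARY="${PWD}/package-binaries/openshell-gateway" \
+          OPENSHELL_DRIVER_VM_BINARY="${PWD}/package-binaries/openshell-driver-vm" \
+          OPENSHELL_DEB_VERSION="${{ inputs['deb-version'] }}" \
+          OPENSHELL_DEB_ARCH="${{ matrix.deb_arch }}" \
+          OPENSHELL_OUTPUT_DIR=artifacts \
+          tasks/scripts/package-deb.sh
+
+      - name: Upload Debian package artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: deb-linux-${{ matrix.arch }}
+          path: artifacts/*.deb
+          retention-days: 5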
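Review bot: The runtime tarballs fetched in `Download Linux runtime tarballs` (diff lines 52–62) are resolved from the mutable `vm-dev` release by asset name only and flow straight into the embedded VM runtime and the published .deb, with no checksum or signature check; the `Verify downloads` step (lines 69–72) only tests that the files exist, and the `provenance.json` the archive evidently carries (line 218) is skipped rather than verified. Comparing each download against a checksum committed in the repository or published alongside the asset (for example `sha256sum -c` in the verify step) would make the package's inputs reproducible and detect a swapped release asset. Separately, `${{ secrets.GITHUB_TOKEN }}` (line 115) and `${{ inputs['cargo-version'] }}` / `${{ inputs['deb-version'] }}` (lines 234, 321) are expanded directly into `run:` script text; passing them through the step's `env:` block and reading `"$VAR"` in the shell keeps caller-supplied values out of the interpreted script, and the `docker login` step then needs no secret in the command line at all. The `actions/checkout`, `actions/upload-artifact` and `actions/download-artifact` references are tag-pinned (`@v4`) while `Swatinem/rust-cache` is SHA-pinned (line 184); pinning all of them to a commit SHA keeps the workflow's action supply chain consistent.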
