5454 component : gateway
5555 cargo-version : ${{ needs.compute-versions.outputs.cargo_version }}
5656
57+ build-supervisor :
58+ needs : [compute-versions]
59+ uses : ./.github/workflows/docker-build.yml
60+ with :
61+ component : supervisor
62+ cargo-version : ${{ needs.compute-versions.outputs.cargo_version }}
63+
5764 build-cluster :
5865 needs : [compute-versions]
5966 uses : ./.github/workflows/docker-build.yml
7077
7178 tag-ghcr-dev :
7279 name : Tag GHCR Images as Dev
73- needs : [build-gateway, build-cluster]
80+ needs : [build-gateway, build-supervisor, build- cluster]
7481 runs-on : build-amd64
7582 timeout-minutes : 10
7683 steps :
8188 run : |
8289 set -euo pipefail
8390 REGISTRY="ghcr.io/nvidia/openshell"
84- for component in gateway cluster; do
91+ for component in gateway supervisor cluster; do
8592 echo "Tagging ${REGISTRY}/${component}:${{ github.sha }} as dev..."
8693 docker buildx imagetools create \
8794 --prefer-index=false \
@@ -282,11 +289,6 @@ jobs:
282289 # Override z3-sys default (stdc++) so Rust links the matching runtime.
283290 echo "CXXSTDLIB=c++" >> "$GITHUB_ENV"
284291
285- - name : Scope workspace to CLI crates
286- run : |
287- set -euo pipefail
288- sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-prover", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
289-
290292 - name : Patch workspace version
291293 if : needs.compute-versions.outputs.cargo_version != ''
292294 run : |
@@ -378,12 +380,247 @@ jobs:
378380 path : artifacts/*.tar.gz
379381 retention-days : 5
380382
383+ # ---------------------------------------------------------------------------
384+ # Build standalone gateway binaries (Linux GNU — native on each arch)
385+ # ---------------------------------------------------------------------------
386+ build-gateway-binary-linux :
387+ name : Build Gateway Binary (Linux ${{ matrix.arch }})
388+ needs : [compute-versions]
389+ strategy :
390+ matrix :
391+ include :
392+ - arch : amd64
393+ runner : build-amd64
394+ target : x86_64-unknown-linux-gnu
395+ - arch : arm64
396+ runner : build-arm64
397+ target : aarch64-unknown-linux-gnu
398+ runs-on : ${{ matrix.runner }}
399+ timeout-minutes : 60
400+ container :
401+ image : ghcr.io/nvidia/openshell/ci:latest
402+ credentials :
403+ username : ${{ github.actor }}
404+ password : ${{ secrets.GITHUB_TOKEN }}
405+ options : --privileged
406+ env :
407+ MISE_GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
408+ SCCACHE_MEMCACHED_ENDPOINT : ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
409+ steps :
410+ - uses : actions/checkout@v4
411+ with :
412+ fetch-depth : 0
413+
414+ - name : Mark workspace safe for git
415+ run : git config --global --add safe.directory "$GITHUB_WORKSPACE"
416+
417+ - name : Fetch tags
418+ run : git fetch --tags --force
419+
420+ - name : Install tools
421+ run : mise install
422+
423+ - name : Cache Rust target and registry
424+ uses : Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
425+ with :
426+ shared-key : gateway-binary-gnu-${{ matrix.arch }}
427+ cache-directories : .cache/sccache
428+ cache-targets : " true"
429+
430+ - name : Patch workspace version
431+ if : needs.compute-versions.outputs.cargo_version != ''
432+ run : |
433+ set -euo pipefail
434+ sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ needs.compute-versions.outputs.cargo_version }}"'"/}' Cargo.toml
435+
436+ - name : Build ${{ matrix.target }}
437+ run : |
438+ set -euo pipefail
439+ mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-server
440+
441+ - name : Verify packaged binary
442+ run : |
443+ set -euo pipefail
444+ OUTPUT="$(target/${{ matrix.target }}/release/openshell-gateway --version)"
445+ echo "$OUTPUT"
446+ grep -q '^openshell-gateway ' <<<"$OUTPUT"
447+
448+ - name : sccache stats
449+ if : always()
450+ run : mise x -- sccache --show-stats
451+
452+ - name : Package binary
453+ run : |
454+ set -euo pipefail
455+ mkdir -p artifacts
456+ tar -czf artifacts/openshell-gateway-${{ matrix.target }}.tar.gz \
457+ -C target/${{ matrix.target }}/release openshell-gateway
458+ ls -lh artifacts/
459+
460+ - name : Upload artifact
461+ uses : actions/upload-artifact@v4
462+ with :
463+ name : gateway-binary-linux-${{ matrix.arch }}
464+ path : artifacts/*.tar.gz
465+ retention-days : 5
466+
467+ # ---------------------------------------------------------------------------
468+ # Build standalone gateway binary (macOS aarch64 via osxcross)
469+ # ---------------------------------------------------------------------------
470+ build-gateway-binary-macos :
471+ name : Build Gateway Binary (macOS)
472+ needs : [compute-versions]
473+ runs-on : build-amd64
474+ timeout-minutes : 60
475+ container :
476+ image : ghcr.io/nvidia/openshell/ci:latest
477+ credentials :
478+ username : ${{ github.actor }}
479+ password : ${{ secrets.GITHUB_TOKEN }}
480+ options : --privileged
481+ volumes :
482+ - /var/run/docker.sock:/var/run/docker.sock
483+ env :
484+ MISE_GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
485+ SCCACHE_MEMCACHED_ENDPOINT : ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
486+ steps :
487+ - uses : actions/checkout@v4
488+ with :
489+ fetch-depth : 0
490+
491+ - name : Mark workspace safe for git
492+ run : git config --global --add safe.directory "$GITHUB_WORKSPACE"
493+
494+ - name : Fetch tags
495+ run : git fetch --tags --force
496+
497+ - name : Log in to GHCR
498+ run : echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
499+
500+ - name : Set up Docker Buildx
501+ uses : ./.github/actions/setup-buildx
502+
503+ - name : Build macOS binary via Docker
504+ run : |
505+ set -euo pipefail
506+ docker buildx build \
507+ --file deploy/docker/Dockerfile.gateway-macos \
508+ --build-arg OPENSHELL_CARGO_VERSION="${{ needs.compute-versions.outputs.cargo_version }}" \
509+ --build-arg CARGO_TARGET_CACHE_SCOPE="${{ github.sha }}" \
510+ --target binary \
511+ --output type=local,dest=out/ \
512+ .
513+
514+ - name : Verify packaged binary shape
515+ run : |
516+ set -euo pipefail
517+ test -x out/openshell-gateway
518+
519+ - name : Package binary
520+ run : |
521+ set -euo pipefail
522+ mkdir -p artifacts
523+ tar -czf artifacts/openshell-gateway-aarch64-apple-darwin.tar.gz \
524+ -C out openshell-gateway
525+ ls -lh artifacts/
526+
527+ - name : Upload artifact
528+ uses : actions/upload-artifact@v4
529+ with :
530+ name : gateway-binary-macos
531+ path : artifacts/*.tar.gz
532+ retention-days : 5
533+
534+ # ---------------------------------------------------------------------------
535+ # Build standalone supervisor binaries (Linux GNU — native on each arch)
536+ # ---------------------------------------------------------------------------
537+ build-supervisor-binary-linux :
538+ name : Build Supervisor Binary (Linux ${{ matrix.arch }})
539+ needs : [compute-versions]
540+ strategy :
541+ matrix :
542+ include :
543+ - arch : amd64
544+ runner : build-amd64
545+ target : x86_64-unknown-linux-gnu
546+ - arch : arm64
547+ runner : build-arm64
548+ target : aarch64-unknown-linux-gnu
549+ runs-on : ${{ matrix.runner }}
550+ timeout-minutes : 60
551+ container :
552+ image : ghcr.io/nvidia/openshell/ci:latest
553+ credentials :
554+ username : ${{ github.actor }}
555+ password : ${{ secrets.GITHUB_TOKEN }}
556+ options : --privileged
557+ env :
558+ MISE_GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
559+ SCCACHE_MEMCACHED_ENDPOINT : ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
560+ steps :
561+ - uses : actions/checkout@v4
562+ with :
563+ fetch-depth : 0
564+
565+ - name : Mark workspace safe for git
566+ run : git config --global --add safe.directory "$GITHUB_WORKSPACE"
567+
568+ - name : Fetch tags
569+ run : git fetch --tags --force
570+
571+ - name : Install tools
572+ run : mise install
573+
574+ - name : Cache Rust target and registry
575+ uses : Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
576+ with :
577+ shared-key : supervisor-binary-gnu-${{ matrix.arch }}
578+ cache-directories : .cache/sccache
579+ cache-targets : " true"
580+
581+ - name : Patch workspace version
582+ if : needs.compute-versions.outputs.cargo_version != ''
583+ run : |
584+ set -euo pipefail
585+ sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ needs.compute-versions.outputs.cargo_version }}"'"/}' Cargo.toml
586+
587+ - name : Build ${{ matrix.target }}
588+ run : |
589+ set -euo pipefail
590+ mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-sandbox --bin openshell-sandbox
591+
592+ - name : Verify packaged binary
593+ run : |
594+ set -euo pipefail
595+ OUTPUT="$(target/${{ matrix.target }}/release/openshell-sandbox --version)"
596+ echo "$OUTPUT"
597+ grep -q '^openshell-sandbox ' <<<"$OUTPUT"
598+
599+ - name : sccache stats
600+ if : always()
601+ run : mise x -- sccache --show-stats
602+
603+ - name : Package binary
604+ run : |
605+ set -euo pipefail
606+ mkdir -p artifacts
607+ tar -czf artifacts/openshell-sandbox-${{ matrix.target }}.tar.gz \
608+ -C target/${{ matrix.target }}/release openshell-sandbox
609+ ls -lh artifacts/
610+
611+ - name : Upload artifact
612+ uses : actions/upload-artifact@v4
613+ with :
614+ name : supervisor-binary-linux-${{ matrix.arch }}
615+ path : artifacts/*.tar.gz
616+ retention-days : 5
617+
381618 # ---------------------------------------------------------------------------
382619 # Create / update the dev GitHub Release with CLI binaries and wheels
383620 # ---------------------------------------------------------------------------
384621 release-dev :
385622 name : Release Dev
386- needs : [compute-versions, build-cli-linux, build-cli-macos, build-python-wheels-linux, build-python-wheel-macos]
623+ needs : [compute-versions, build-cli-linux, build-cli-macos, build-gateway-binary-linux, build-gateway-binary-macos, build-supervisor-binary-linux, build- python-wheels-linux, build-python-wheel-macos]
387624 runs-on : build-amd64
388625 timeout-minutes : 10
389626 outputs :
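Review bot: Both Linux matrix jobs (`build-gateway-binary-linux` and `build-supervisor-binary-linux`) start their container with `options: --privileged`, but the visible steps only run git, `mise install`, cargo and tar, none of which appears to need it. Dropping that line would stop dependency build scripts from running with full host capabilities while `GITHUB_TOKEN` is in the job environment. The macOS job also mounts `/var/run/docker.sock`, which already gives the container control of the host Docker daemon, so `--privileged` looks redundant there as well. These jobs produce release assets and pin `Swatinem/rust-cache` to a commit SHA, yet they take `actions/checkout@v4`, `actions/upload-artifact@v4` and the `ci:latest` image by mutable reference; pinning those the same way, e.g. `image: ghcr.io/nvidia/openshell/ci@sha256:<digest>`, would make the build inputs fixed. Separately, `${{ needs.compute-versions.outputs.cargo_version }}` and `${{ secrets.GITHUB_TOKEN }}` are expanded directly into `run:` script text; passing them through a step-level `env:` entry and using a quoted shell variable (for example `"$CARGO_VERSION"`) keeps the expanded value from being parsed as shell.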
@@ -398,6 +635,20 @@ jobs:
398635 path : release/
399636 merge-multiple : true
400637
638+ - name : Download gateway binary artifacts
639+ uses : actions/download-artifact@v4
640+ with :
641+ pattern : gateway-binary-*
642+ path : release/
643+ merge-multiple : true
644+
645+ - name : Download supervisor binary artifacts
646+ uses : actions/download-artifact@v4
647+ with :
648+ pattern : supervisor-binary-*
649+ path : release/
650+ merge-multiple : true
651+
401652 - name : Download wheel artifacts
402653 uses : actions/download-artifact@v4
403654 with :
@@ -417,8 +668,21 @@ jobs:
417668 run : |
418669 set -euo pipefail
419670 cd release
420- sha256sum *.tar.gz *.whl > openshell-checksums-sha256.txt
671+ sha256sum \
672+ openshell-x86_64-unknown-linux-musl.tar.gz \
673+ openshell-aarch64-unknown-linux-musl.tar.gz \
674+ openshell-aarch64-apple-darwin.tar.gz \
675+ *.whl > openshell-checksums-sha256.txt
421676 cat openshell-checksums-sha256.txt
677+ sha256sum \
678+ openshell-gateway-x86_64-unknown-linux-gnu.tar.gz \
679+ openshell-gateway-aarch64-unknown-linux-gnu.tar.gz \
680+ openshell-gateway-aarch64-apple-darwin.tar.gz > openshell-gateway-checksums-sha256.txt
681+ cat openshell-gateway-checksums-sha256.txt
682+ sha256sum \
683+ openshell-sandbox-x86_64-unknown-linux-gnu.tar.gz \
684+ openshell-sandbox-aarch64-unknown-linux-gnu.tar.gz > openshell-sandbox-checksums-sha256.txt
685+ cat openshell-sandbox-checksums-sha256.txt
422686
423687 - name : Prune stale wheel assets from dev release
424688 uses : actions/github-script@v7
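Review bot: The explicit archive names in the three `sha256sum` calls are repeated in the release upload list further down (the `release/openshell-gateway-*` and `release/openshell-sandbox-*` entries), so a new target added to the upload list but not here would be published with no checksum line. A comment above the first call would make the coupling visible, for example `# keep these lists in sync with the files uploaded to the dev release below`. The checksum files are written by the same job that publishes the archives, so they cover transfer integrity only and do not authenticate the binaries; a one-line comment such as `# integrity only, not a signature` would state that for consumers of the workflow. The step's `run:` header sits above the hunk, so the step name is not visible here.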
@@ -496,8 +760,15 @@ jobs:
496760 release/openshell-x86_64-unknown-linux-musl.tar.gz
497761 release/openshell-aarch64-unknown-linux-musl.tar.gz
498762 release/openshell-aarch64-apple-darwin.tar.gz
763+ release/openshell-gateway-x86_64-unknown-linux-gnu.tar.gz
764+ release/openshell-gateway-aarch64-unknown-linux-gnu.tar.gz
765+ release/openshell-gateway-aarch64-apple-darwin.tar.gz
766+ release/openshell-sandbox-x86_64-unknown-linux-gnu.tar.gz
767+ release/openshell-sandbox-aarch64-unknown-linux-gnu.tar.gz
499768 release/*.whl
500769 release/openshell-checksums-sha256.txt
770+ release/openshell-gateway-checksums-sha256.txt
771+ release/openshell-sandbox-checksums-sha256.txt
501772
502773 trigger-wheel-publish :
503774 name : Trigger Wheel Publish