
Commit 5718553

authored
feat(release): publish standalone openshell-gateway binaries (#853)
1 parent 3b21df1 commit 5718553

16 files changed

Lines changed: 1003 additions & 275 deletions


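--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -4,7 +4,7 @@ on:
 workflow_call:
 inputs:
 component:
-description: "Component to build (gateway, cluster)"
+description: "Component to build (gateway, supervisor, cluster)"
 required: true
 type: string
 timeout-minutes:
@@ -93,4 +93,4 @@ jobs:
 # Enable dev-settings feature for test settings (dummy_bool, dummy_int)
 # used by e2e tests.
 EXTRA_CARGO_FEATURES: openshell-core/dev-settings
-run: mise run --no-prepare docker:build:${{ inputs.component }}
+run: mise run --no-prepare build:docker:${{ inputs.component }}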

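--- a/.github/workflows/release-dev.yml
+++ b/.github/workflows/release-dev.yml
@@ -54,6 +54,13 @@ jobs:
 component: gateway
 cargo-version: ${{ needs.compute-versions.outputs.cargo_version }}
 
+build-supervisor:
+needs: [compute-versions]
+uses: ./.github/workflows/docker-build.yml
+with:
+component: supervisor
+cargo-version: ${{ needs.compute-versions.outputs.cargo_version }}
+
 build-cluster:
 needs: [compute-versions]
 uses: ./.github/workflows/docker-build.yml
@@ -70,7 +77,7 @@ jobs:
 
 tag-ghcr-dev:
 name: Tag GHCR Images as Dev
-needs: [build-gateway, build-cluster]
+needs: [build-gateway, build-supervisor, build-cluster]
 runs-on: build-amd64
 timeout-minutes: 10
 steps:
@@ -81,7 +88,7 @@ jobs:
 run: |
 set -euo pipefail
 REGISTRY="ghcr.io/nvidia/openshell"
-for component in gateway cluster; do
+for component in gateway supervisor cluster; do
 echo "Tagging ${REGISTRY}/${component}:${{ github.sha }} as dev..."
 docker buildx imagetools create \
 --prefer-index=false \
@@ -282,11 +289,6 @@ jobs:
 # Override z3-sys default (stdc++) so Rust links the matching runtime.
 echo "CXXSTDLIB=c++" >> "$GITHUB_ENV"
 
-- name: Scope workspace to CLI crates
-run: |
-set -euo pipefail
-sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-cli", "crates/openshell-core", "crates/openshell-bootstrap", "crates/openshell-policy", "crates/openshell-prover", "crates/openshell-providers", "crates/openshell-tui"]|' Cargo.toml
-
 - name: Patch workspace version
 if: needs.compute-versions.outputs.cargo_version != ''
 run: |
@@ -378,12 +380,247 @@ jobs:
 path: artifacts/*.tar.gz
 retention-days: 5
 
+# ---------------------------------------------------------------------------
+# Build standalone gateway binaries (Linux GNU — native on each arch)
+# ---------------------------------------------------------------------------
+build-gateway-binary-linux:
+name: Build Gateway Binary (Linux ${{ matrix.arch }})
+needs: [compute-versions]
+strategy:
+matrix:
+include:
+- arch: amd64
+runner: build-amd64
+target: x86_64-unknown-linux-gnu
+- arch: arm64
+runner: build-arm64
+target: aarch64-unknown-linux-gnu
+runs-on: ${{ matrix.runner }}
+timeout-minutes: 60
+container:
+image: ghcr.io/nvidia/openshell/ci:latest
+credentials:
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+options: --privileged
+env:
+MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+SCCACHE_MEMCACHED_ENDPOINT: ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Mark workspace safe for git
+run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+- name: Fetch tags
+run: git fetch --tags --force
+
+- name: Install tools
+run: mise install
+
+- name: Cache Rust target and registry
+uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
+with:
+shared-key: gateway-binary-gnu-${{ matrix.arch }}
+cache-directories: .cache/sccache
+cache-targets: "true"
+
+- name: Patch workspace version
+if: needs.compute-versions.outputs.cargo_version != ''
+run: |
+set -euo pipefail
+sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ needs.compute-versions.outputs.cargo_version }}"'"/}' Cargo.toml
+
+- name: Build ${{ matrix.target }}
+run: |
+set -euo pipefail
+mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-server
+
+- name: Verify packaged binary
+run: |
+set -euo pipefail
+OUTPUT="$(target/${{ matrix.target }}/release/openshell-gateway --version)"
+echo "$OUTPUT"
+grep -q '^openshell-gateway ' <<<"$OUTPUT"
+
+- name: sccache stats
+if: always()
+run: mise x -- sccache --show-stats
+
+- name: Package binary
+run: |
+set -euo pipefail
+mkdir -p artifacts
+tar -czf artifacts/openshell-gateway-${{ matrix.target }}.tar.gz \
+-C target/${{ matrix.target }}/release openshell-gateway
+ls -lh artifacts/
+
+- name: Upload artifact
+uses: actions/upload-artifact@v4
+with:
+name: gateway-binary-linux-${{ matrix.arch }}
+path: artifacts/*.tar.gz
+retention-days: 5
+
+# ---------------------------------------------------------------------------
+# Build standalone gateway binary (macOS aarch64 via osxcross)
+# ---------------------------------------------------------------------------
+build-gateway-binary-macos:
+name: Build Gateway Binary (macOS)
+needs: [compute-versions]
+runs-on: build-amd64
+timeout-minutes: 60
+container:
+image: ghcr.io/nvidia/openshell/ci:latest
+credentials:
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+options: --privileged
+volumes:
+- /var/run/docker.sock:/var/run/docker.sock
+env:
+MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+SCCACHE_MEMCACHED_ENDPOINT: ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Mark workspace safe for git
+run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+- name: Fetch tags
+run: git fetch --tags --force
+
+- name: Log in to GHCR
+run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+- name: Set up Docker Buildx
+uses: ./.github/actions/setup-buildx
+
+- name: Build macOS binary via Docker
+run: |
+set -euo pipefail
+docker buildx build \
+--file deploy/docker/Dockerfile.gateway-macos \
+--build-arg OPENSHELL_CARGO_VERSION="${{ needs.compute-versions.outputs.cargo_version }}" \
+--build-arg CARGO_TARGET_CACHE_SCOPE="${{ github.sha }}" \
+--target binary \
+--output type=local,dest=out/ \
+.
+
+- name: Verify packaged binary shape
+run: |
+set -euo pipefail
+test -x out/openshell-gateway
+
+- name: Package binary
+run: |
+set -euo pipefail
+mkdir -p artifacts
+tar -czf artifacts/openshell-gateway-aarch64-apple-darwin.tar.gz \
+-C out openshell-gateway
+ls -lh artifacts/
+
+- name: Upload artifact
+uses: actions/upload-artifact@v4
+with:
+name: gateway-binary-macos
+path: artifacts/*.tar.gz
+retention-days: 5
+
+# ---------------------------------------------------------------------------
+# Build standalone supervisor binaries (Linux GNU — native on each arch)
+# ---------------------------------------------------------------------------
+build-supervisor-binary-linux:
+name: Build Supervisor Binary (Linux ${{ matrix.arch }})
+needs: [compute-versions]
+strategy:
+matrix:
+include:
+- arch: amd64
+runner: build-amd64
+target: x86_64-unknown-linux-gnu
+- arch: arm64
+runner: build-arm64
+target: aarch64-unknown-linux-gnu
+runs-on: ${{ matrix.runner }}
+timeout-minutes: 60
+container:
+image: ghcr.io/nvidia/openshell/ci:latest
+credentials:
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+options: --privileged
+env:
+MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+SCCACHE_MEMCACHED_ENDPOINT: ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Mark workspace safe for git
+run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+- name: Fetch tags
+run: git fetch --tags --force
+
+- name: Install tools
+run: mise install
+
+- name: Cache Rust target and registry
+uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
+with:
+shared-key: supervisor-binary-gnu-${{ matrix.arch }}
+cache-directories: .cache/sccache
+cache-targets: "true"
+
+- name: Patch workspace version
+if: needs.compute-versions.outputs.cargo_version != ''
+run: |
+set -euo pipefail
+sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ needs.compute-versions.outputs.cargo_version }}"'"/}' Cargo.toml
+
+- name: Build ${{ matrix.target }}
+run: |
+set -euo pipefail
+mise x -- cargo build --release --target ${{ matrix.target }} -p openshell-sandbox --bin openshell-sandbox
+
+- name: Verify packaged binary
+run: |
+set -euo pipefail
+OUTPUT="$(target/${{ matrix.target }}/release/openshell-sandbox --version)"
+echo "$OUTPUT"
+grep -q '^openshell-sandbox ' <<<"$OUTPUT"
+
+- name: sccache stats
+if: always()
+run: mise x -- sccache --show-stats
+
+- name: Package binary
+run: |
+set -euo pipefail
+mkdir -p artifacts
+tar -czf artifacts/openshell-sandbox-${{ matrix.target }}.tar.gz \
+-C target/${{ matrix.target }}/release openshell-sandbox
+ls -lh artifacts/
+
+- name: Upload artifact
+uses: actions/upload-artifact@v4
+with:
+name: supervisor-binary-linux-${{ matrix.arch }}
+path: artifacts/*.tar.gz
+retention-days: 5
+
 # ---------------------------------------------------------------------------
 # Create / update the dev GitHub Release with CLI binaries and wheels
 # ---------------------------------------------------------------------------
 release-dev:
 name: Release Dev
-needs: [compute-versions, build-cli-linux, build-cli-macos, build-python-wheels-linux, build-python-wheel-macos]
+needs: [compute-versions, build-cli-linux, build-cli-macos, build-gateway-binary-linux, build-gateway-binary-macos, build-supervisor-binary-linux, build-python-wheels-linux, build-python-wheel-macos]
 runs-on: build-amd64
 timeout-minutes: 10
 outputs:
@@ -398,6 +635,20 @@ jobs:
 path: release/
 merge-multiple: true
 
+- name: Download gateway binary artifacts
+uses: actions/download-artifact@v4
+with:
+pattern: gateway-binary-*
+path: release/
+merge-multiple: true
+
+- name: Download supervisor binary artifacts
+uses: actions/download-artifact@v4
+with:
+pattern: supervisor-binary-*
+path: release/
+merge-multiple: true
+
 - name: Download wheel artifacts
 uses: actions/download-artifact@v4
 with:
@@ -417,8 +668,21 @@ jobs:
 run: |
 set -euo pipefail
 cd release
-sha256sum *.tar.gz *.whl > openshell-checksums-sha256.txt
+sha256sum \
+openshell-x86_64-unknown-linux-musl.tar.gz \
+openshell-aarch64-unknown-linux-musl.tar.gz \
+openshell-aarch64-apple-darwin.tar.gz \
+*.whl > openshell-checksums-sha256.txt
 cat openshell-checksums-sha256.txt
+sha256sum \
+openshell-gateway-x86_64-unknown-linux-gnu.tar.gz \
+openshell-gateway-aarch64-unknown-linux-gnu.tar.gz \
+openshell-gateway-aarch64-apple-darwin.tar.gz > openshell-gateway-checksums-sha256.txt
+cat openshell-gateway-checksums-sha256.txt
+sha256sum \
+openshell-sandbox-x86_64-unknown-linux-gnu.tar.gz \
+openshell-sandbox-aarch64-unknown-linux-gnu.tar.gz > openshell-sandbox-checksums-sha256.txt
+cat openshell-sandbox-checksums-sha256.txt
 
 - name: Prune stale wheel assets from dev release
 uses: actions/github-script@v7
@@ -496,8 +760,15 @@ jobs:
 release/openshell-x86_64-unknown-linux-musl.tar.gz
 release/openshell-aarch64-unknown-linux-musl.tar.gz
 release/openshell-aarch64-apple-darwin.tar.gz
+release/openshell-gateway-x86_64-unknown-linux-gnu.tar.gz
+release/openshell-gateway-aarch64-unknown-linux-gnu.tar.gz
+release/openshell-gateway-aarch64-apple-darwin.tar.gz
+release/openshell-sandbox-x86_64-unknown-linux-gnu.tar.gz
+release/openshell-sandbox-aarch64-unknown-linux-gnu.tar.gz
 release/*.whl
 release/openshell-checksums-sha256.txt
+release/openshell-gateway-checksums-sha256.txt
+release/openshell-sandbox-checksums-sha256.txt
 
 trigger-wheel-publish:
 name: Trigger Wheel Publish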
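Review bot: In the hunk at `@@ -378,12 +380,247 @@`, the three new jobs that build published binaries run inside `ghcr.io/nvidia/openshell/ci:latest` with `options: --privileged`, and the macOS job also mounts `/var/run/docker.sock`, so the release build environment is a mutable tag with host-level access. Only `Swatinem/rust-cache` is pinned to a commit SHA, while `actions/checkout@v4`, `actions/upload-artifact@v4` and `actions/download-artifact@v4` are pinned by tag; pinning those and the CI image by digest (`image: ghcr.io/nvidia/openshell/ci@sha256:<digest>`, placeholder) would fix the inputs that go into each release artifact. The `Log in to GHCR` and `Patch workspace version` steps expand `${{ secrets.GITHUB_TOKEN }}` and `${{ needs.compute-versions.outputs.cargo_version }}` directly into the script text; passing them through the step's `env:` and referencing shell variables (for example `"$GH_TOKEN"` and `"$CARGO_VERSION"`, names of my choosing) keeps the expanded value from being parsed as shell. Whether the image needs `--privileged` for a plain `cargo build` is not visible here; if it does not, dropping it from the two Linux jobs narrows what a dependency's build script can reach on the runner.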
