feat: build CLI during pull request (#1491)

jeffmaury · TaylorMutch · web-flow · commit f5e109ae2a81 · 2026-06-17T14:20:39.000-05:00
* feat: build CLI during pull request Fixes #1454 Signed-off-by: Jeff MAURY <jmaury@redhat.com> * fix: removed secrets passing Signed-off-by: Jeff MAURY <jmaury@redhat.com> * fix: fix wrong conflict resolution Signed-off-by: Jeff MAURY <jmaury@redhat.com> * fix: apply suggestion from @TaylorMutch Co-authored-by: Taylor Mutch <taylormutch@gmail.com> * fix: remove doubled quote Signed-off-by: Jeff MAURY <jmaury@redhat.com> * fix: sync mise.lock Signed-off-by: Jeff MAURY <jmaury@redhat.com> --------- Signed-off-by: Jeff MAURY <jmaury@redhat.com> Co-authored-by: Taylor Mutch <taylormutch@gmail.com>
diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml
@@ -80,6 +80,17 @@ jobs:
       component: supervisor
       image-tag: ${{ github.sha }}
 
+  build-cli:
+    needs: [pr_metadata]
+    if: needs.pr_metadata.outputs.should_run == 'true'
+    permissions:
+      contents: read
+      packages: write
+    uses: ./.github/workflows/docker-build.yml
+    with:
+      component: cli
+      platform: linux/amd64
+
   e2e:
     needs: [pr_metadata, build-gateway, build-supervisor]
     if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true'
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -4,7 +4,7 @@ on:
   workflow_call:
     inputs:
       component:
-        description: "Component to build (gateway, supervisor)"
+        description: "Component to build (gateway, supervisor, cli)"
         required: true
         type: string
       timeout-minutes:
@@ -71,6 +71,8 @@ jobs:
       binary_name: ${{ steps.resolve.outputs.binary_name }}
       artifact_prefix: ${{ steps.resolve.outputs.artifact_prefix }}
       image_tag_base: ${{ steps.resolve.outputs.image_tag_base }}
+      features: ${{ steps.resolve.outputs.features }}
+      has_image: ${{ steps.resolve.outputs.has_image }}
     steps:
       - name: Resolve component and platform matrix
         id: resolve
@@ -82,10 +84,20 @@ jobs:
             gateway)
               binary_component=gateway
               binary_name=openshell-gateway
+              features="openshell-core/dev-settings bundled-z3"
+              has_image=true
               ;;
             supervisor)
               binary_component=sandbox
               binary_name=openshell-sandbox
+              features="openshell-core/dev-settings"
+              has_image=true
+              ;;
+            cli)
+              binary_component=cli
+              binary_name=openshell
+              features="bundled-z3"
+              has_image=false
               ;;
             *)
               echo "unsupported component: $component" >&2
@@ -144,6 +156,8 @@ jobs:
             echo "binary_name=$binary_name"
             echo "artifact_prefix=rust-binary-${component}-${binary_component}"
             echo "image_tag_base=$image_tag_base"
+            echo "features=$features"
+            echo "has_image=$has_image"
           } >> "$GITHUB_OUTPUT"
 
   rust-binary:
@@ -162,13 +176,14 @@ jobs:
       cargo-version: ${{ inputs['cargo-version'] }}
       image-tag: ${{ needs.resolve.outputs.image_tag_base }}
       checkout-ref: ${{ inputs['checkout-ref'] }}
-      features: ${{ inputs.component == 'gateway' && 'openshell-core/dev-settings bundled-z3' || 'openshell-core/dev-settings' }}
+      features: ${{ needs.resolve.outputs.features }}
       artifact-name: ${{ needs.resolve.outputs.artifact_prefix }}-linux-${{ matrix.arch }}
     secrets: inherit
 
   build:
     name: Build ${{ inputs.component }} (${{ matrix.arch }})
     needs: [resolve, rust-binary]
+    if: needs.resolve.outputs.has_image == 'true'
     runs-on: ${{ matrix.runner }}
     timeout-minutes: ${{ inputs['timeout-minutes'] }}
     strategy:
@@ -262,7 +277,7 @@ jobs:
   merge:
     name: Merge ${{ inputs.component }} manifest
     needs: [resolve, build]
-    if: ${{ inputs.push && inputs['publish-manifest'] }}
+    if: ${{ inputs.push && inputs['publish-manifest'] && needs.resolve.outputs.has_image == 'true' }}
     runs-on: linux-amd64-cpu8
     timeout-minutes: 10
     container:
diff --git a/.github/workflows/rust-native-build.yml b/.github/workflows/rust-native-build.yml
@@ -1,11 +1,11 @@
 # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-name: Rust Image Binary Build (openshell-gateway / openshell-sandbox)
+name: Rust Image Binary Build (openshell-gateway / openshell-sandbox / openshell-cli)
 
 # Build Rust binaries per Linux architecture before the Docker image build
 # consumes them as prebuilt artifacts. Gateway images use GNU-linked binaries
-# for the NVIDIA distroless C/C++ runtime; supervisor images use musl/static
+# for the NVIDIA distroless C/C++ runtime; supervisor and cli images use musl/static
 # binaries so the final image can remain scratch. Gateway GNU binaries are
 # built with an explicit glibc 2.31 floor so image, package, and tarball
 # artifacts share the same host portability contract.
@@ -14,7 +14,7 @@ on:
   workflow_call:
     inputs:
       component:
-        description: "Binary component to build (gateway or sandbox)"
+        description: "Binary component to build (gateway, sandbox, or cli)"
         required: true
         type: string
       arch:
@@ -121,6 +121,11 @@ jobs:
               binary=openshell-sandbox
               zig_target=
               ;;
+            cli)
+              crate=openshell-cli
+              binary=openshell
+              zig_target=
+              ;;
             *)
               echo "unsupported component: $COMPONENT" >&2
               exit 1
@@ -129,7 +134,7 @@ jobs:
 
           case "$ARCH" in
             amd64)
-              if [[ "$COMPONENT" == "sandbox" ]]; then
+              if [[ "$COMPONENT" == "sandbox" || "$COMPONENT" == "cli" ]]; then
                 target=x86_64-unknown-linux-musl
                 zig_target=x86_64-linux-musl
               else
@@ -138,7 +143,7 @@ jobs:
               fi
               ;;
             arm64)
-              if [[ "$COMPONENT" == "sandbox" ]]; then
+              if [[ "$COMPONENT" == "sandbox" || "$COMPONENT" == "cli" ]]; then
                 target=aarch64-unknown-linux-musl
                 zig_target=aarch64-linux-musl
               else
@@ -214,6 +219,12 @@ jobs:
           OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
         run: |
           set -euo pipefail
+          # z3 built with zig c++ uses libc++ symbols (std::__1::*).
+          # Override z3-sys default (stdc++) so Rust links the matching runtime.
+          if [[ "${{ inputs.component }}" == "cli" ]]; then
+            echo "CXXSTDLIB=c++" >> "$GITHUB_ENV"
+          fi
+
           mise x -- rustup target add "${{ steps.target.outputs.target }}"
           cargo_cmd=(cargo build)
           build_target="${{ steps.target.outputs.target }}"
diff --git a/mise.lock b/mise.lock
