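--- a/.github/workflows/deb-package.yml
+++ b/.github/workflows/deb-package.yml
@@ -0,0 +1,92 @@
+name: Debian Package
+
+on:
+workflow_call:
+inputs:
+deb-version:
+required: true
+type: string
+checkout-ref:
+required: true
+type: string
+
+permissions:
+contents: read
+packages: read
+
+defaults:
+run:
+shell: bash
+
+jobs:
+build-deb-linux:
+name: Build Debian Package (Linux ${{ matrix.arch }})
+strategy:
+matrix:
+include:
+- arch: amd64
+runner: build-amd64
+deb_arch: amd64
+cli_target: x86_64-unknown-linux-musl
+gnu_target: x86_64-unknown-linux-gnu
+- arch: arm64
+runner: build-arm64
+deb_arch: arm64
+cli_target: aarch64-unknown-linux-musl
+gnu_target: aarch64-unknown-linux-gnu
+runs-on: ${{ matrix.runner }}
+timeout-minutes: 20
+container:
+image: ghcr.io/nvidia/openshell/ci:latest
+credentials:
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+steps:
+- uses: actions/checkout@v6
+with:
+ref: ${{ inputs['checkout-ref'] }}
+
+- name: Download CLI artifact
+uses: actions/download-artifact@v4
+with:
+name: cli-linux-${{ matrix.arch }}
+path: package-input/
+
+- name: Download gateway artifact
+uses: actions/download-artifact@v4
+with:
+name: gateway-binary-linux-${{ matrix.arch }}
+path: package-input/
+
+- name: Download VM driver artifact
+uses: actions/download-artifact@v4
+with:
+name: driver-vm-linux-${{ matrix.arch }}
+path: package-input/
+
+- name: Extract package inputs
+run: |
+set -euo pipefail
+mkdir -p package-binaries
+tar -xzf "package-input/openshell-${{ matrix.cli_target }}.tar.gz" -C package-binaries
+tar -xzf "package-input/openshell-gateway-${{ matrix.gnu_target }}.tar.gz" -C package-binaries
+tar -xzf "package-input/openshell-driver-vm-${{ matrix.gnu_target }}.tar.gz" -C package-binaries
+ls -lah package-binaries
+
+- name: Build Debian package
+run: |
+set -euo pipefail
+OPENSHELL_CLI_BINARY="${PWD}/package-binaries/openshell" \
+OPENSHELL_GATEWAY_BINARY="${PWD}/package-binaries/openshell-gateway" \
+OPENSHELL_DRIVER_VM_BINARY="${PWD}/package-binaries/openshell-driver-vm" \
+OPENSHELL_DEB_VERSION="${{ inputs['deb-version'] }}" \
+OPENSHELL_DEB_ARCH="${{ matrix.deb_arch }}" \
+OPENSHELL_OUTPUT_DIR=artifacts \
+tasks/scripts/package-deb.sh
+
+- name: Upload Debian package artifact
+uses: actions/upload-artifact@v4
+with:
+name: deb-linux-${{ matrix.arch }}
+path: artifacts/*.deb
+retention-days: 5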
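Review bot: The `deb-version` input is spliced into the shell script by expression interpolation at `OPENSHELL_DEB_VERSION="${{ inputs['deb-version'] }}"` in the Build Debian package step, so whatever text the calling workflow passes (in many repos this is derived from a tag or a dispatch input, which cannot be confirmed from here) becomes part of the script before bash runs it; the value should reach the script through the step's `env:` instead, e.g. `env:` / `  OPENSHELL_DEB_VERSION: ${{ inputs['deb-version'] }}` with the `OPENSHELL_DEB_VERSION=...` line dropped from the command, so it stays a plain environment variable. The `matrix.*` interpolations in the Extract and Build steps are static values defined in this file and are fine as they are. Separately, `actions/checkout@v6`, `actions/download-artifact@v4` and `actions/upload-artifact@v4` are referenced by mutable major tags while the sibling `.github/workflows/driver-vm-linux.yml` pins `Swatinem/rust-cache` to a full commit SHA (and uses `actions/checkout@v4`); pinning every action to a SHA with a `# vN` comment in both files would make the supply-chain posture consistent across the two new workflows.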
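--- a/.github/workflows/driver-vm-linux.yml
+++ b/.github/workflows/driver-vm-linux.yml
@@ -0,0 +1,254 @@
+name: Driver VM Linux
+
+on:
+workflow_call:
+inputs:
+cargo-version:
+required: true
+type: string
+image-tag:
+required: true
+type: string
+checkout-ref:
+required: true
+type: string
+
+permissions:
+contents: read
+packages: read
+
+defaults:
+run:
+shell: bash
+
+jobs:
+download-kernel-runtime:
+name: Download Kernel Runtime
+runs-on: build-amd64
+timeout-minutes: 10
+container:
+image: ghcr.io/nvidia/openshell/ci:latest
+credentials:
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+steps:
+- uses: actions/checkout@v4
+with:
+ref: ${{ inputs['checkout-ref'] }}
+
+- name: Download Linux runtime tarballs
+env:
+GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: |
+set -euo pipefail
+mkdir -p runtime-artifacts
+
+for platform in linux-aarch64 linux-x86_64; do
+asset="vm-runtime-${platform}.tar.zst"
+echo "Downloading ${asset}..."
+asset_url=$(curl -fsSL \
+-H "Accept: application/vnd.github+json" \
+-H "Authorization: Bearer ${GH_TOKEN}" \
+"https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/vm-dev" \
+| jq -r --arg asset "$asset" '.assets[] | select(.name == $asset) | .browser_download_url' \
+| head -n1)
+if [ -z "$asset_url" ]; then
+echo "::error::No ${asset} asset found on vm-dev release"
+exit 1
+fi
+curl -fL -o "runtime-artifacts/${asset}" "$asset_url"
+done
+
+ls -lah runtime-artifacts/
+
+- name: Verify downloads
+run: |
+set -euo pipefail
+for platform in linux-aarch64 linux-x86_64; do
+test -f "runtime-artifacts/vm-runtime-${platform}.tar.zst"
+done
+
+- name: Upload runtime artifacts
+uses: actions/upload-artifact@v4
+with:
+name: driver-vm-kernel-runtime-tarballs
+path: runtime-artifacts/vm-runtime-*.tar.zst
+retention-days: 1
+
+build-rootfs:
+name: Build Rootfs (${{ matrix.arch }})
+strategy:
+matrix:
+include:
+- arch: arm64
+runner: build-arm64
+guest_arch: aarch64
+- arch: amd64
+runner: build-amd64
+guest_arch: x86_64
+runs-on: ${{ matrix.runner }}
+timeout-minutes: 30
+container:
+image: ghcr.io/nvidia/openshell/ci:latest
+credentials:
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+options: --privileged
+volumes:
+- /var/run/docker.sock:/var/run/docker.sock
+env:
+MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
+steps:
+- uses: actions/checkout@v4
+with:
+ref: ${{ inputs['checkout-ref'] }}
+
+- name: Mark workspace safe for git
+run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+- name: Log in to GHCR
+run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+- name: Install tools
+run: mise install --locked
+
+- name: Install zstd
+run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
+
+- name: Build base rootfs tarball
+run: |
+set -euo pipefail
+crates/openshell-vm/scripts/build-rootfs.sh \
+--base \
+--arch ${{ matrix.guest_arch }} \
+target/rootfs-build
+
+mkdir -p target/vm-runtime-compressed
+tar -C target/rootfs-build -cf - . \
+| zstd -19 -T0 -o target/vm-runtime-compressed/rootfs.tar.zst
+
+- name: Upload rootfs artifact
+uses: actions/upload-artifact@v4
+with:
+name: driver-vm-rootfs-${{ matrix.arch }}
+path: target/vm-runtime-compressed/rootfs.tar.zst
+retention-days: 1
+
+build-driver-vm-linux:
+name: Build Driver VM (Linux ${{ matrix.arch }})
+needs: [download-kernel-runtime, build-rootfs]
+strategy:
+matrix:
+include:
+- arch: arm64
+runner: build-arm64
+target: aarch64-unknown-linux-gnu
+platform: linux-aarch64
+- arch: amd64
+runner: build-amd64
+target: x86_64-unknown-linux-gnu
+platform: linux-x86_64
+runs-on: ${{ matrix.runner }}
+timeout-minutes: 30
+container:
+image: ghcr.io/nvidia/openshell/ci:latest
+credentials:
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+options: --privileged
+env:
+MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+SCCACHE_MEMCACHED_ENDPOINT: ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
+OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
+steps:
+- uses: actions/checkout@v4
+with:
+ref: ${{ inputs['checkout-ref'] }}
+fetch-depth: 0
+
+- name: Mark workspace safe for git
+run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+- name: Fetch tags
+run: git fetch --tags --force
+
+- name: Install tools
+run: mise install --locked
+
+- name: Cache Rust target and registry
+uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2
+with:
+shared-key: driver-vm-linux-${{ matrix.arch }}
+cache-directories: .cache/sccache
+cache-targets: "true"
+
+- name: Install zstd
+run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
+
+- name: Download kernel runtime tarball
+uses: actions/download-artifact@v4
+with:
+name: driver-vm-kernel-runtime-tarballs
+path: runtime-download/
+
+- name: Download rootfs tarball
+uses: actions/download-artifact@v4
+with:
+name: driver-vm-rootfs-${{ matrix.arch }}
+path: rootfs-download/
+
+- name: Stage compressed runtime for embedding
+run: |
+set -euo pipefail
+COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed"
+mkdir -p "$COMPRESSED_DIR"
+
+EXTRACT_DIR=$(mktemp -d)
+zstd -d "runtime-download/vm-runtime-${{ matrix.platform }}.tar.zst" --stdout \
+| tar -xf - -C "$EXTRACT_DIR"
+
+for file in "$EXTRACT_DIR"/*; do
+[ -f "$file" ] || continue
+name=$(basename "$file")
+[ "$name" = "provenance.json" ] && continue
+zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
+done
+
+cp rootfs-download/rootfs.tar.zst "${COMPRESSED_DIR}/rootfs.tar.zst"
+ls -lah "$COMPRESSED_DIR"
+
+- name: Scope workspace to driver-vm crates
+run: |
+set -euo pipefail
+sed -i 's|members = \["crates/\*"\]|members = ["crates/openshell-driver-vm", "crates/openshell-core"]|' Cargo.toml
+
+- name: Patch workspace version
+if: ${{ inputs['cargo-version'] != '' }}
+run: |
+set -euo pipefail
+sed -i -E '/^\[workspace\.package\]/,/^\[/{s/^version[[:space:]]*=[[:space:]]*".*"/version = "'"${{ inputs['cargo-version'] }}"'"/}' Cargo.toml
+
+- name: Build openshell-driver-vm
+run: |
+set -euo pipefail
+OPENSHELL_VM_RUNTIME_COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed" \
+mise x -- cargo build --release -p openshell-driver-vm
+
+- name: sccache stats
+if: always()
+run: mise x -- sccache --show-stats
+
+- name: Package binary
+run: |
+set -euo pipefail
+mkdir -p artifacts
+tar -czf "artifacts/openshell-driver-vm-${{ matrix.target }}.tar.gz" \
+-C target/release openshell-driver-vm
+
+- name: Upload artifact
+uses: actions/upload-artifact@v4
+with:
+name: driver-vm-linux-${{ matrix.arch }}
+path: artifacts/*.tar.gz
+retention-days: 5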
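Review bot: The Patch workspace version step interpolates `${{ inputs['cargo-version'] }}` straight into the sed command text, while the sibling `image-tag` input already reaches the shell safely through the job `env:` as `OPENSHELL_IMAGE_TAG`; the version should follow the same pattern, e.g. a step-level `env:` / `  CARGO_VERSION: ${{ inputs['cargo-version'] }}` and `"'"${CARGO_VERSION}"'"` in the sed replacement, so the caller-supplied value is never expanded as script text (it still lands inside a sed replacement, so a cheap shape check such as `[[ "$CARGO_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+ ]]` before the sed would be a useful extra guard). The same applies to `echo "${{ secrets.GITHUB_TOKEN }}" | docker login ...` in build-rootfs, which can use the `GH_TOKEN`-style `env:` the download job already uses. Also, the Verify downloads step only checks that the two `vm-runtime-*.tar.zst` files exist; since they are fetched from the mutable `vm-dev` release and then embedded into the driver binary, checking them against a pinned digest (or against `provenance.json`, which the staging step currently skips, if it carries one) would give that step real meaning, and a short comment on the step saying what is and is not verified would help either way.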