ci(vm): cleanup vm build infra

.github/workflows/driver-vm-linux.yml

@@ -32,7 +32,7 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ inputs['checkout-ref'] }}
 
@@ -46,17 +46,14 @@ jobs:
           for platform in linux-aarch64 linux-x86_64; do
             asset="vm-runtime-${platform}.tar.zst"
             echo "Downloading ${asset}..."
-            asset_url=$(curl -fsSL \
-              -H "Accept: application/vnd.github+json" \
-              -H "Authorization: Bearer ${GH_TOKEN}" \
-              "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/vm-dev" \
-              | jq -r --arg asset "$asset" '.assets[] | select(.name == $asset) | .browser_download_url' \
-              | head -n1)
-            if [ -z "$asset_url" ]; then
-              echo "::error::No ${asset} asset found on vm-dev release"
+            if ! gh release download vm-runtime \
+              --repo "${GITHUB_REPOSITORY}" \
+              --pattern "${asset}" \
+              --dir runtime-artifacts \
+              --clobber; then
+              echo "::error::No ${asset} asset found on vm-runtime release"
               exit 1
             fi
-            curl -fL -o "runtime-artifacts/${asset}" "$asset_url"
           done
 
           ls -lah runtime-artifacts/
@@ -71,7 +68,7 @@ jobs:
       - name: Upload runtime artifacts
         uses: actions/upload-artifact@v4
         with:
-          name: driver-vm-kernel-runtime-tarballs
+          name: vm-driver-kernel-runtime-tarballs
           path: runtime-artifacts/vm-runtime-*.tar.zst
           retention-days: 1
 
@@ -103,7 +100,7 @@ jobs:
       MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ inputs['checkout-ref'] }}
           fetch-depth: 0
@@ -130,7 +127,7 @@ jobs:
       - name: Download kernel runtime tarball
         uses: actions/download-artifact@v4
         with:
-          name: driver-vm-kernel-runtime-tarballs
+          name: vm-driver-kernel-runtime-tarballs
           path: runtime-download/
 
       - name: Stage compressed runtime for embedding
@@ -186,6 +183,13 @@ jobs:
           OPENSHELL_VM_RUNTIME_COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed" \
             mise x -- cargo build --release -p openshell-driver-vm
 
+      - name: Verify packaged binary
+        run: |
+          set -euo pipefail
+          OUTPUT="$(target/release/openshell-driver-vm --version)"
+          echo "$OUTPUT"
+          grep -q '^openshell-driver-vm ' <<<"$OUTPUT"
+
       - name: sccache stats
         if: always()
         run: mise x -- sccache --show-stats

.github/workflows/driver-vm-macos.yml

@@ -0,0 +1,186 @@
+name: Driver VM macOS
+
+on:
+  workflow_call:
+    inputs:
+      cargo-version:
+        required: true
+        type: string
+      image-tag:
+        required: true
+        type: string
+      checkout-ref:
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: read
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  download-kernel-runtime:
+    name: Download Kernel Runtime
+    runs-on: linux-amd64-cpu8
+    timeout-minutes: 10
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs['checkout-ref'] }}
+
+      - name: Download macOS runtime tarball
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          mkdir -p runtime-artifacts
+
+          asset="vm-runtime-darwin-aarch64.tar.zst"
+          echo "Downloading ${asset}..."
+          if ! gh release download vm-runtime \
+            --repo "${GITHUB_REPOSITORY}" \
+            --pattern "${asset}" \
+            --dir runtime-artifacts \
+            --clobber; then
+            echo "::error::No ${asset} asset found on vm-runtime release"
+            exit 1
+          fi
+
+          ls -lah runtime-artifacts/
+
+      - name: Verify download
+        run: test -f runtime-artifacts/vm-runtime-darwin-aarch64.tar.zst
+
+      - name: Upload runtime artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: vm-driver-macos-kernel-runtime-tarball
+          path: runtime-artifacts/vm-runtime-darwin-aarch64.tar.zst
+          retention-days: 1
+
+  build-driver-vm-macos:
+    name: Build Driver VM (macOS)
+    needs: [download-kernel-runtime]
+    runs-on: linux-amd64-cpu8
+    timeout-minutes: 60
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+      options: --privileged
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+    env:
+      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      SCCACHE_MEMCACHED_ENDPOINT: ${{ vars.SCCACHE_MEMCACHED_ENDPOINT }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs['checkout-ref'] }}
+          fetch-depth: 0
+
+      - name: Mark workspace safe for git
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Fetch tags
+        run: git fetch --tags --force
+
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: Set up Docker Buildx
+        uses: ./.github/actions/setup-buildx
+
+      - name: Install zstd
+        run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
+
+      - name: Download kernel runtime tarball
+        uses: actions/download-artifact@v4
+        with:
+          name: vm-driver-macos-kernel-runtime-tarball
+          path: runtime-download/
+
+      - name: Prepare compressed runtime directory
+        run: |
+          set -euo pipefail
+          COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed-macos"
+          mkdir -p "$COMPRESSED_DIR"
+
+          EXTRACT_DIR=$(mktemp -d)
+          zstd -d "runtime-download/vm-runtime-darwin-aarch64.tar.zst" --stdout \
+            | tar -xf - -C "$EXTRACT_DIR"
+
+          echo "Extracted darwin runtime files:"
+          ls -lah "$EXTRACT_DIR"
+
+          for file in "$EXTRACT_DIR"/*; do
+            [ -f "$file" ] || continue
+            name=$(basename "$file")
+            [ "$name" = "provenance.json" ] && continue
+            zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
+          done
+
+          echo "Staged macOS compressed runtime artifacts:"
+          ls -lah "$COMPRESSED_DIR"
+
+      - name: Build bundled supervisor
+        run: |
+          set -euo pipefail
+          docker buildx build \
+            --file deploy/docker/Dockerfile.images \
+            --platform linux/arm64 \
+            --build-arg OPENSHELL_CARGO_VERSION="${{ inputs['cargo-version'] }}" \
+            --build-arg OPENSHELL_IMAGE_TAG="${{ inputs['image-tag'] }}" \
+            --target supervisor-output \
+            --output type=local,dest=supervisor-out/ \
+            .
+
+          zstd -19 -T0 -f supervisor-out/openshell-sandbox \
+            -o "${PWD}/target/vm-runtime-compressed-macos/openshell-sandbox.zst"
+
+      - name: Verify embedded driver inputs
+        run: |
+          set -euo pipefail
+          for file in libkrun.dylib.zst libkrunfw.5.dylib.zst gvproxy.zst openshell-sandbox.zst; do
+            test -s "target/vm-runtime-compressed-macos/${file}"
+          done
+
+      - name: Build macOS binary via Docker
+        run: |
+          set -euo pipefail
+          docker buildx build \
+            --file deploy/docker/Dockerfile.driver-vm-macos \
+            --build-arg OPENSHELL_CARGO_VERSION="${{ inputs['cargo-version'] }}" \
+            --build-arg OPENSHELL_IMAGE_TAG="${{ inputs['image-tag'] }}" \
+            --build-arg CARGO_TARGET_CACHE_SCOPE="${{ github.sha }}" \
+            --build-context vm-runtime-compressed="${PWD}/target/vm-runtime-compressed-macos" \
+            --target binary \
+            --output type=local,dest=out/ \
+            .
+
+      - name: Verify packaged binary shape
+        run: test -x out/openshell-driver-vm
+
+      - name: Package binary
+        run: |
+          set -euo pipefail
+          mkdir -p artifacts
+          tar -czf artifacts/openshell-driver-vm-aarch64-apple-darwin.tar.gz \
+            -C out openshell-driver-vm
+          ls -lh artifacts/
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: driver-vm-macos
+          path: artifacts/*.tar.gz
+          retention-days: 5

.github/workflows/release-canary.yml

@@ -67,6 +67,79 @@ jobs:
             echo "Version check passed: found $EXPECTED in output"
           fi
 
+  install-dev:
+    name: Install Debian package (${{ matrix.arch }})
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: amd64
+            runner: build-amd64
+          - arch: arm64
+            runner: build-arm64
+    runs-on: ${{ matrix.runner }}
+    timeout-minutes: 10
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Determine release tag
+        id: release
+        run: |
+          set -euo pipefail
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "tag=${{ inputs.tag }}" >> "$GITHUB_OUTPUT"
+          else
+            WORKFLOW_NAME="${{ github.event.workflow_run.name }}"
+            if [ "$WORKFLOW_NAME" = "Release Dev" ]; then
+              echo "tag=dev" >> "$GITHUB_OUTPUT"
+            elif [ "$WORKFLOW_NAME" = "Release Tag" ]; then
+              TAG="${{ github.event.workflow_run.head_branch }}"
+              if [ -z "$TAG" ]; then
+                echo "::error::Could not determine release tag from workflow_run"
+                exit 1
+              fi
+              echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+            else
+              echo "::error::Unexpected triggering workflow: ${WORKFLOW_NAME}"
+              exit 1
+            fi
+          fi
+
+      - name: Install Debian package
+        run: |
+          set -euo pipefail
+          curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install-dev.sh \
+            | OPENSHELL_VERSION=${{ steps.release.outputs.tag }} sh
+
+      - name: Verify gateway and VM driver versions
+        run: |
+          set -euo pipefail
+          command -v openshell-gateway
+          test -x /usr/libexec/openshell/openshell-driver-vm
+
+          GATEWAY_ACTUAL="$(openshell-gateway --version)"
+          DRIVER_ACTUAL="$(/usr/libexec/openshell/openshell-driver-vm --version)"
+          echo "Gateway: ${GATEWAY_ACTUAL}"
+          echo "Driver:  ${DRIVER_ACTUAL}"
+
+          TAG="${{ steps.release.outputs.tag }}"
+          if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            EXPECTED="${TAG#v}"
+            for actual in "$GATEWAY_ACTUAL" "$DRIVER_ACTUAL"; do
+              if [[ "$actual" != *"$EXPECTED"* ]]; then
+                echo "::error::Version mismatch: expected '$EXPECTED' in '$actual'"
+                exit 1
+              fi
+            done
+            echo "Version check passed: found $EXPECTED in both binaries"
+          else
+            echo "Non-release tag ($TAG), skipping version check"
+          fi
+
   canary:
     name: Canary ${{ matrix.mode }} (${{ matrix.arch }})
     if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}