ql4b · skunxicat · Jul 29, 2025 · Jul 28, 2025 · Jul 28, 2025 · Jul 28, 2025
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -0,0 +1,159 @@
+name: Build and Release
+
+on:
+  push:
+    branches:
+      - develop
+      - main
+  pull_request:
+    branches:
+      - main
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-base:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - name: Log in to Public ECR
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+      - name: Build and push base
+        run: |
+          echo "${{ secrets.GHCR_PAT }}" > github_token
+          docker buildx build \
+            --platform linux/arm64,linux/amd64 \
+            --provenance=false \
+            --secret id=github_token,src=github_token \
+            --target base \
+            --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:base \
+            --tag public.ecr.aws/j5r7n1v7/lambda-shell-runtime:base \
+            --push \
+            .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHCR_PAT }}
+
+  build:
+    needs: build-base
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.draft == false || github.event_name != 'pull_request'
+    env:
+      HTTP_CLI_VERSION: v1.0.1
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      - uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+      - run: npm ci
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Create and use buildx builder
+        run: |
+          docker buildx create --name shell-runtime-builder --driver docker-container --use
+          docker buildx inspect shell-runtime-builder --bootstrap
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      - name: Set version
+        id: version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # For PRs, use pr-NUMBER format
+            echo "VERSION=pr-${{ github.event.number }}" >> $GITHUB_ENV
+            echo "SHOULD_RELEASE=false" >> $GITHUB_ENV
+          elif [ "${{ github.ref_name }}" = "main" ]; then
+            # Get semantic version for main branch
+            VERSION=$(npx semantic-release --no-ci --dry-run --branch main 2>&1 | grep -oP 'The next release version is \K[0-9]+\.[0-9]+\.[0-9]+' || echo "")
+            if [ -z "$VERSION" ]; then
+              echo "No release needed"
+              echo "VERSION=develop" >> $GITHUB_ENV
+              echo "SHOULD_RELEASE=false" >> $GITHUB_ENV
+            else
+              echo "VERSION=$VERSION" >> $GITHUB_ENV
+              echo "SHOULD_RELEASE=true" >> $GITHUB_ENV
+            fi
+          else
+            # Use branch name for develop (sanitize it)
+            CLEAN_BRANCH=$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9.-]/-/g')
+            echo "VERSION=$CLEAN_BRANCH" >> $GITHUB_ENV
+            echo "SHOULD_RELEASE=false" >> $GITHUB_ENV
+          fi
+          echo "Detected VERSION: $VERSION"
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u skunxicat --password-stdin
+      - name: Log in to Public ECR
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+      - name: Build and push images
+        run: |
+          echo "${{ secrets.GHCR_PAT }}" > github_token
+          export GITHUB_TOKEN="${{ secrets.GHCR_PAT }}"
+
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # For PRs, only build (don't push)
+            echo "PR build - testing only, not pushing"
+            ./build-enhanced --load --platform linux/arm64 tiny micro full
+          else
+            # For push events, build and push to both registries
+            ./build-enhanced --push --ghcr --public-ecr --platform linux/arm64,linux/amd64 tiny micro full
+          fi
+
+          # Also tag latest for main branch releases
+          if [ "${{ github.ref_name }}" = "main" ] && [ "$SHOULD_RELEASE" = "true" ]; then
+            for VARIANT in tiny micro full; do
+              docker buildx imagetools create \
+                ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:$VARIANT \
+                --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:$VARIANT-latest
+              docker buildx imagetools create \
+                public.ecr.aws/j5r7n1v7/lambda-shell-runtime:$VARIANT \
+                --tag public.ecr.aws/j5r7n1v7/lambda-shell-runtime:$VARIANT-latest
+            done
+          fi
+        shell: bash
+      - name: Create release
+        if: env.SHOULD_RELEASE == 'true'
+        run: npx semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GHCR_PAT: ${{ secrets.GHCR_PAT }}
diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml
@@ -0,0 +1,56 @@
+name: Build Base Image
+
+on:
+  push:
+    branches: [ main, develop ]
+    paths:
+      - 'Dockerfile'
+      - 'runtime/**'
+      - 'task/handler.sh'
+      - '.github/workflows/build-base.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'Dockerfile'
+      - 'runtime/**'
+      - 'task/handler.sh'
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+  packages: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-base:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Build and push base
+        run: |
+          echo "${{ secrets.GHCR_PAT }}" > github_token
+          docker buildx build \
+            --platform linux/arm64 \
+            --provenance=false \
+            --secret id=github_token,src=github_token \
+            --target base \
+            --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:base \
+            --push \
+            .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHCR_PAT }}
diff --git a/.github/workflows/build-installers.yml b/.github/workflows/build-installers.yml
@@ -0,0 +1,72 @@
+name: Build Installers
+
+on:
+  push:
+    branches: [ main, develop ]
+    paths:
+      - 'Dockerfile'
+      - '.github/workflows/build-installers.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'Dockerfile'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-installers:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+      - name: Log in to Public ECR
+        run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+
+      - name: Build and push installers
+        run: |
+          # Build awscurl-installer
+          docker buildx build \
+            --platform linux/arm64 \
+            --provenance=false \
+            --target awscurl-installer \
+            --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:awscurl-installer \
+            --tag public.ecr.aws/j5r7n1v7/lambda-shell-runtime:awscurl-installer \
+            --push \
+            -f - . << 'EOF'
+          FROM public.ecr.aws/lambda/provided:al2023 AS awscurl-installer
+          RUN dnf install -y unzip python3-pip findutils && dnf clean all
+          RUN pip3 install --no-cache-dir --target /tmp/awscurl awscurl && \
+              find /tmp/awscurl -type d -name '__pycache__' -exec rm -rf {} + && \
+              find /tmp/awscurl -type f -name '*.pyc' -delete && \
+              find /tmp/awscurl -type d -name '*.dist-info' -exec rm -rf {} +
+          EOF
+
+          # Build awscli-installer
+          docker buildx build \
+            --platform linux/arm64 \
+            --provenance=false \
+            --target awscli-installer \
+            --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:awscli-installer \
+            --tag public.ecr.aws/j5r7n1v7/lambda-shell-runtime:awscli-installer \
+            --push \
+            -f - . << 'EOF'
+          FROM public.ecr.aws/lambda/provided:al2023 AS awscli-installer
+          RUN dnf install -y aws-cli && dnf clean all
+          EOF
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,17 @@
+# Docker artifacts
+*.tar
+*.tar.gz
+*.tar.xz
+*.tgz
+*.img
+
+# Build output
+.DS_Store
+build/
+dist/
+*.log
+node_modules/
+
+# VSCode settings
+.vscode/
+#examples/