Release VM Kernel #5
name: Release VM Kernel

# Build custom libkrunfw (kernel firmware) + libkrun (VMM) + gvproxy for all
# supported openshell-vm platforms. Artifacts are uploaded to the rolling
# "vm-dev" GitHub Release and consumed by release-vm-dev.yml when building the
# openshell-vm binary.
#
# The Linux kernel is compiled once on aarch64 Linux. The resulting kernel.c
# (a C source file containing the kernel as a byte array) is shared with the
# macOS job, which only needs to compile it into a .dylib — no krunvm, no
# Fedora VM, no kernel rebuild. This cuts macOS CI from ~45 min to ~5 min.
#
# This workflow runs on-demand (or when kernel config / pins change). It is
# intentionally decoupled from the per-commit VM binary build because the
# kernel rarely changes and takes 15-45 minutes to compile.

on:
  workflow_dispatch:

permissions:
  contents: write
  packages: read

# Serialize with release-vm-dev.yml — both update the vm-dev release.
concurrency:
  group: vm-dev-release
  cancel-in-progress: false

defaults:
  run:
    shell: bash

jobs:
  # ---------------------------------------------------------------------------
  # Linux ARM64 — native kernel + libkrun build (also exports kernel.c)
  # ---------------------------------------------------------------------------
  build-runtime-linux-arm64:
    name: Build Runtime (Linux ARM64)
    runs-on: build-arm64
    timeout-minutes: 60
    container:
      image: ghcr.io/nvidia/openshell/ci:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --privileged
    env:
      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - name: Mark workspace safe for git
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Build libkrunfw + libkrun from source
        run: tasks/scripts/vm/build-libkrun.sh

      - name: Package runtime tarball
        run: |
          tasks/scripts/vm/package-vm-runtime.sh \
            --platform linux-aarch64 \
            --build-dir target/libkrun-build \
            --output artifacts/vm-runtime-linux-aarch64.tar.zst

      - name: Upload runtime artifact
        uses: actions/upload-artifact@v4
        with:
          name: vm-runtime-linux-arm64
          path: artifacts/vm-runtime-linux-aarch64.tar.zst
          retention-days: 5

      # Export kernel.c + ABI_VERSION for the macOS job. kernel.c contains
      # the aarch64 Linux kernel as a byte array — it is OS-agnostic and can
      # be compiled into a .dylib by Apple's cc without rebuilding the kernel.
      - name: Upload kernel.c for macOS build
        uses: actions/upload-artifact@v4
        with:
          name: kernel-c-arm64
          path: |
            target/libkrun-build/kernel.c
            target/libkrun-build/ABI_VERSION
          retention-days: 1

  # ---------------------------------------------------------------------------
  # Linux AMD64 — native kernel + libkrun build
  # ---------------------------------------------------------------------------
  build-runtime-linux-amd64:
    name: Build Runtime (Linux AMD64)
    runs-on: build-amd64
    timeout-minutes: 60
    container:
      image: ghcr.io/nvidia/openshell/ci:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --privileged
    env:
      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - name: Mark workspace safe for git
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Build libkrunfw + libkrun from source
        run: tasks/scripts/vm/build-libkrun.sh

      - name: Package runtime tarball
        run: |
          tasks/scripts/vm/package-vm-runtime.sh \
            --platform linux-x86_64 \
            --build-dir target/libkrun-build \
            --output artifacts/vm-runtime-linux-x86_64.tar.zst

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: vm-runtime-linux-amd64
          path: artifacts/vm-runtime-linux-x86_64.tar.zst
          retention-days: 5

  # ---------------------------------------------------------------------------
  # macOS ARM64 — uses pre-built kernel.c from Linux ARM64 job
  # ---------------------------------------------------------------------------
  build-runtime-macos-arm64:
    name: Build Runtime (macOS ARM64)
    needs: [build-runtime-linux-arm64]
    runs-on: macos-latest-xlarge
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          set -euo pipefail
          brew install rust lld dtc xz

      - name: Download pre-built kernel.c
        uses: actions/download-artifact@v4
        with:
          name: kernel-c-arm64
          path: target/kernel-artifact

      - name: Build libkrunfw + libkrun from pre-built kernel
        run: tasks/scripts/vm/build-libkrun-macos.sh --kernel-dir target/kernel-artifact

      - name: Package runtime tarball
        run: |
          tasks/scripts/vm/package-vm-runtime.sh \
            --platform darwin-aarch64 \
            --build-dir target/libkrun-build \
            --output artifacts/vm-runtime-darwin-aarch64.tar.zst

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: vm-runtime-macos-arm64
          path: artifacts/vm-runtime-darwin-aarch64.tar.zst
          retention-days: 5

  # ---------------------------------------------------------------------------
  # Upload all runtime tarballs to the vm-dev rolling release
  # ---------------------------------------------------------------------------
  release-kernel:
    name: Release Kernel Runtime
    needs: [build-runtime-linux-arm64, build-runtime-linux-amd64, build-runtime-macos-arm64]
    runs-on: build-amd64
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4

      - name: Download all runtime artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: vm-runtime-*
          path: release/
          merge-multiple: true

      - name: Generate checksums
        run: |
          set -euo pipefail
          cd release
          sha256sum vm-runtime-*.tar.zst > vm-runtime-checksums-sha256.txt
          cat vm-runtime-checksums-sha256.txt

      - name: Ensure vm-dev tag exists
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -fa vm-dev -m "VM Development Build" "${GITHUB_SHA}"
          git push --force origin vm-dev

      - name: Prune stale runtime assets from vm-dev release
        uses: actions/github-script@v7
        with:
          script: |
            const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
            let release;
            try {
              release = await github.rest.repos.getReleaseByTag({ owner, repo, tag: 'vm-dev' });
            } catch (err) {
              if (err.status === 404) {
                core.info('No existing vm-dev release; will create fresh.');
                return;
              }
              throw err;
            }
            // Delete old runtime tarballs and checksums (keep vm binary assets)
            for (const asset of release.data.assets) {
              if (asset.name.startsWith('vm-runtime-')) {
                core.info(`Deleting stale asset: ${asset.name}`);
                await github.rest.repos.deleteReleaseAsset({ owner, repo, asset_id: asset.id });
              }
            }

      - name: Create / update vm-dev GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          name: OpenShell VM Development Build
          prerelease: true
          tag_name: vm-dev
          target_commitish: ${{ github.sha }}
          body: |
            Rolling development build of **openshell-vm** — the MicroVM runtime for OpenShell.

            > **NOTE**: This is a development build, not a tagged release, and may be unstable.
            > The VM implementation itself is also experimental and may change or break without
            > notice.

            ### Kernel Runtime Artifacts

            Pre-built kernel runtime (libkrunfw + libkrun + gvproxy) for embedding into
            the openshell-vm binary. These are rebuilt when the kernel config or pinned
            dependency versions change.

            | Platform | Artifact |
            |----------|----------|
            | Linux ARM64 | `vm-runtime-linux-aarch64.tar.zst` |
            | Linux x86_64 | `vm-runtime-linux-x86_64.tar.zst` |
            | macOS ARM64 | `vm-runtime-darwin-aarch64.tar.zst` |

            ### VM Binaries

            Self-extracting openshell-vm binaries with embedded kernel runtime and base
            rootfs. These are rebuilt on every push to main.

            | Platform | Artifact |
            |----------|----------|
            | Linux ARM64 | `openshell-vm-aarch64-unknown-linux-gnu.tar.gz` |
            | Linux x86_64 | `openshell-vm-x86_64-unknown-linux-gnu.tar.gz` |
            | macOS ARM64 | `openshell-vm-aarch64-apple-darwin.tar.gz` |

            **macOS users:** The binary must be codesigned with the Hypervisor entitlement:
            ```bash
            codesign --entitlements crates/openshell-vm/entitlements.plist --force -s - ./openshell-vm
            ```
          files: |
            release/vm-runtime-linux-aarch64.tar.zst
            release/vm-runtime-linux-x86_64.tar.zst
            release/vm-runtime-darwin-aarch64.tar.zst
            release/vm-runtime-checksums-sha256.txt
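The release-kernel job publishes `vm-runtime-checksums-sha256.txt` next to the three runtime tarballs, and the header comment says release-vm-dev.yml consumes those tarballs when building the openshell-vm binary. The consumer-side check that makes the checksum file useful is shown below as an added example; it is not a script from the openshell repository. The function names (`runtime_asset_name`, `verify_runtime_artifact`) and the assumption that the tarball and checksum file have already been downloaded into one directory are this example's own. It selects only the line for the requested asset from the checksum file, so an extra or renamed entry cannot satisfy the check, and it exits non-zero when the entry is missing or the digest differs.

```bash
#!/usr/bin/env bash
# Verify a downloaded vm-runtime tarball against the checksum file that the
# release-kernel job uploads alongside it. Added example, not repository code.
set -euo pipefail

# Map a --platform value (as used by package-vm-runtime.sh) to its asset name.
runtime_asset_name() {
  case "$1" in
    linux-aarch64|linux-x86_64|darwin-aarch64)
      printf 'vm-runtime-%s.tar.zst\n' "$1" ;;
    *)
      echo "unsupported platform: $1" >&2
      return 1 ;;
  esac
}

# verify_runtime_artifact DIR PLATFORM
# DIR must contain the tarball and vm-runtime-checksums-sha256.txt.
# Returns 0 only when the tarball's SHA-256 equals the published entry.
verify_runtime_artifact() {
  local dir=$1 platform=$2 asset sums line
  asset=$(runtime_asset_name "$platform") || return 1
  sums="$dir/vm-runtime-checksums-sha256.txt"
  [ -f "$sums" ] || { echo "missing checksum file: $sums" >&2; return 1; }
  [ -f "$dir/$asset" ] || { echo "missing artifact: $dir/$asset" >&2; return 1; }

  # sha256sum writes "<64 hex chars>  <name>"; keep exactly the line for this asset.
  line=$(grep -E "^[0-9a-f]{64}  ${asset}\$" "$sums" || true)
  if [ -z "$line" ]; then
    echo "no checksum entry for $asset in $sums" >&2
    return 1
  fi

  # Re-check that single entry from inside DIR so the relative name resolves.
  if (cd "$dir" && printf '%s\n' "$line" | sha256sum -c --status -); then
    echo "OK: $asset matches published checksum"
    return 0
  fi
  echo "FAIL: $asset does not match published checksum" >&2
  return 1
}

# Stand-alone demo on constructed files (not real release assets): publish a
# checksum file the way the workflow does, verify, then corrupt and re-verify.
demo() {
  local tmp
  tmp=$(mktemp -d)
  printf 'constructed stand-in for a zstd tarball\n' > "$tmp/vm-runtime-linux-x86_64.tar.zst"
  (cd "$tmp" && sha256sum vm-runtime-*.tar.zst > vm-runtime-checksums-sha256.txt)
  verify_runtime_artifact "$tmp" linux-x86_64
  printf 'x' >> "$tmp/vm-runtime-linux-x86_64.tar.zst"   # one appended byte
  if verify_runtime_artifact "$tmp" linux-x86_64; then
    echo "corruption was not detected" >&2
    rm -rf "$tmp"
    return 1
  fi
  rm -rf "$tmp"
}

demo
```

The checksum file is generated by the same job, with the same token, that uploads the tarballs, and both land on a mutable pre-release that this workflow and release-vm-dev.yml rewrite. The check therefore catches a truncated download or a stale or mismatched asset left over from a previous run; it does not establish provenance against anyone who can write to the vm-dev release. Recording the expected digest in the consuming workflow, or signing the artifacts with a key the release job does not hold, is what would cover that case.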