release-vm-kernel.yml
269 lines (230 loc) · 9.69 KB
name: Release VM Kernel

# Build custom libkrunfw (kernel firmware) + libkrun (VMM) + gvproxy for all
# supported openshell-vm platforms. Artifacts are uploaded to the rolling
# "vm-dev" GitHub Release and consumed by release-vm-dev.yml when building the
# openshell-vm binary.
#
# The Linux kernel is compiled once on aarch64 Linux. The resulting kernel.c
# (a C source file containing the kernel as a byte array) is shared with the
# macOS job, which only needs to compile it into a .dylib — no krunvm, no
# Fedora VM, no kernel rebuild. This cuts macOS CI from ~45 min to ~5 min.
#
# This workflow runs on-demand (or when kernel config / pins change). It is
# intentionally decoupled from the per-commit VM binary build because the
# kernel rarely changes and takes 15-45 minutes to compile.

on:
  workflow_dispatch:

permissions:
  contents: write
  packages: read

# Serialize with release-vm-dev.yml — both update the vm-dev release.
concurrency:
  group: vm-dev-release
  cancel-in-progress: false

defaults:
  run:
    shell: bash

jobs:
  # ---------------------------------------------------------------------------
  # Linux ARM64 — native kernel + libkrun build (also exports kernel.c)
  # ---------------------------------------------------------------------------
  build-runtime-linux-arm64:
    name: Build Runtime (Linux ARM64)
    runs-on: build-arm64
    timeout-minutes: 60
    container:
      image: ghcr.io/nvidia/openshell/ci:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --privileged
    env:
      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - name: Mark workspace safe for git
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Build libkrunfw + libkrun from source
        run: tasks/scripts/vm/build-libkrun.sh

      - name: Package runtime tarball
        run: |
          tasks/scripts/vm/package-vm-runtime.sh \
            --platform linux-aarch64 \
            --build-dir target/libkrun-build \
            --output artifacts/vm-runtime-linux-aarch64.tar.zst

      - name: Upload runtime artifact
        uses: actions/upload-artifact@v4
        with:
          name: vm-runtime-linux-arm64
          path: artifacts/vm-runtime-linux-aarch64.tar.zst
          retention-days: 5

      # Export kernel.c + ABI_VERSION for the macOS job. kernel.c contains
      # the aarch64 Linux kernel as a byte array — it is OS-agnostic and can
      # be compiled into a .dylib by Apple's cc without rebuilding the kernel.
      - name: Upload kernel.c for macOS build
        uses: actions/upload-artifact@v4
        with:
          name: kernel-c-arm64
          path: |
            target/libkrun-build/kernel.c
            target/libkrun-build/ABI_VERSION
          retention-days: 1

  # ---------------------------------------------------------------------------
  # Linux AMD64 — native kernel + libkrun build
  # ---------------------------------------------------------------------------
  build-runtime-linux-amd64:
    name: Build Runtime (Linux AMD64)
    runs-on: build-amd64
    timeout-minutes: 60
    container:
      image: ghcr.io/nvidia/openshell/ci:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      options: --privileged
    env:
      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - name: Mark workspace safe for git
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Build libkrunfw + libkrun from source
        run: tasks/scripts/vm/build-libkrun.sh

      - name: Package runtime tarball
        run: |
          tasks/scripts/vm/package-vm-runtime.sh \
            --platform linux-x86_64 \
            --build-dir target/libkrun-build \
            --output artifacts/vm-runtime-linux-x86_64.tar.zst

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: vm-runtime-linux-amd64
          path: artifacts/vm-runtime-linux-x86_64.tar.zst
          retention-days: 5

  # ---------------------------------------------------------------------------
  # macOS ARM64 — uses pre-built kernel.c from Linux ARM64 job
  # ---------------------------------------------------------------------------
  build-runtime-macos-arm64:
    name: Build Runtime (macOS ARM64)
    needs: [build-runtime-linux-arm64]
    runs-on: macos-latest-xlarge
    timeout-minutes: 30
    env:
      RUSTC_WRAPPER: ""
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          set -euo pipefail
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
          brew install lld dtc xz

      - name: Download pre-built kernel.c
        uses: actions/download-artifact@v4
        with:
          name: kernel-c-arm64
          path: target/kernel-artifact

      - name: Build libkrunfw + libkrun from pre-built kernel
        run: tasks/scripts/vm/build-libkrun-macos.sh --kernel-dir target/kernel-artifact

      - name: Package runtime tarball
        run: |
          tasks/scripts/vm/package-vm-runtime.sh \
            --platform darwin-aarch64 \
            --build-dir target/libkrun-build \
            --output artifacts/vm-runtime-darwin-aarch64.tar.zst

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: vm-runtime-macos-arm64
          path: artifacts/vm-runtime-darwin-aarch64.tar.zst
          retention-days: 5

  # ---------------------------------------------------------------------------
  # Upload all runtime tarballs to the vm-dev rolling release
  # ---------------------------------------------------------------------------
  release-kernel:
    name: Release Kernel Runtime
    needs: [build-runtime-linux-arm64, build-runtime-linux-amd64, build-runtime-macos-arm64]
    runs-on: build-amd64
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4

      - name: Download all runtime artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: vm-runtime-*
          path: release/
          merge-multiple: true

      - name: Generate checksums
        run: |
          set -euo pipefail
          cd release
          sha256sum vm-runtime-*.tar.zst > vm-runtime-checksums-sha256.txt
          cat vm-runtime-checksums-sha256.txt

      - name: Ensure vm-dev tag exists
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -fa vm-dev -m "VM Development Build" "${GITHUB_SHA}"
          git push --force origin vm-dev

      - name: Prune stale runtime assets from vm-dev release
        uses: actions/github-script@v7
        with:
          script: |
            const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
            let release;
            try {
              release = await github.rest.repos.getReleaseByTag({ owner, repo, tag: 'vm-dev' });
            } catch (err) {
              if (err.status === 404) {
                core.info('No existing vm-dev release; will create fresh.');
                return;
              }
              throw err;
            }
            // Delete old runtime tarballs and checksums (keep vm binary assets)
            for (const asset of release.data.assets) {
              if (asset.name.startsWith('vm-runtime-')) {
                core.info(`Deleting stale asset: ${asset.name}`);
                await github.rest.repos.deleteReleaseAsset({ owner, repo, asset_id: asset.id });
              }
            }

      - name: Create / update vm-dev GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          name: OpenShell VM Development Build
          prerelease: true
          tag_name: vm-dev
          target_commitish: ${{ github.sha }}
          body: |
            Rolling development build of **openshell-vm** — the MicroVM runtime for OpenShell.

            > **NOTE**: This is a development build, not a tagged release, and may be unstable.
            > The VM implementation itself is also experimental and may change or break without
            > notice.

            ### Kernel Runtime Artifacts

            Pre-built kernel runtime (libkrunfw + libkrun + gvproxy) for embedding into
            the openshell-vm binary. These are rebuilt when the kernel config or pinned
            dependency versions change.

            | Platform | Artifact |
            |----------|----------|
            | Linux ARM64 | `vm-runtime-linux-aarch64.tar.zst` |
            | Linux x86_64 | `vm-runtime-linux-x86_64.tar.zst` |
            | macOS ARM64 | `vm-runtime-darwin-aarch64.tar.zst` |

            ### VM Binaries

            Self-extracting openshell-vm binaries with embedded kernel runtime and base
            rootfs. These are rebuilt on every push to main.

            | Platform | Artifact |
            |----------|----------|
            | Linux ARM64 | `openshell-vm-aarch64-unknown-linux-gnu.tar.gz` |
            | Linux x86_64 | `openshell-vm-x86_64-unknown-linux-gnu.tar.gz` |
            | macOS ARM64 | `openshell-vm-aarch64-apple-darwin.tar.gz` |

            ### Quick install

            ```
            curl -fsSL https://raw.githubusercontent.com/NVIDIA/OpenShell/main/install-vm.sh | sh
            ```

            Auto-detects your platform, verifies checksums, and codesigns on macOS.
          files: |
            release/vm-runtime-linux-aarch64.tar.zst
            release/vm-runtime-linux-x86_64.tar.zst
            release/vm-runtime-darwin-aarch64.tar.zst
            release/vm-runtime-checksums-sha256.txt
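The release-kernel job publishes `vm-runtime-checksums-sha256.txt` next to the tarballs, and the install path described in the release body is expected to verify against it. The script below is an added example, not part of the workflow or of the OpenShell project's own scripts: it reproduces the checksum file the same way the "Generate checksums" step does, then shows the consumer-side check that a downloaded runtime tarball must pass. The tarballs it creates are constructed stand-ins (a few bytes of text), so everything runs offline; `generate_checksums`, `verify_runtime` and `demo` are names chosen here.

```bash
#!/usr/bin/env bash
# Added example (not from the workflow above): build the vm-runtime checksum
# file the way the release-kernel job does, and verify one tarball against it
# the way a consumer such as an install script should. All artifacts below are
# constructed locally so the script runs offline.
set -euo pipefail

CHECKSUMS=vm-runtime-checksums-sha256.txt

# Mirror of the "Generate checksums" step: one line per tarball, "<hash>  <name>".
generate_checksums() {
  local dir=$1
  ( cd "$dir" && sha256sum vm-runtime-*.tar.zst > "$CHECKSUMS" )
}

# Verify a single tarball. Returns 0 only when the file is listed in the
# checksum file AND its digest matches. --ignore-missing lets a consumer that
# downloaded only its own platform's tarball check just that one; --strict
# turns a malformed checksum line into a failure instead of a warning.
verify_runtime() {
  local dir=$1 name=$2
  grep -qE "^[0-9a-f]{64} [ *]${name}\$" "$dir/$CHECKSUMS" \
    || { echo "not listed in $CHECKSUMS: $name" >&2; return 1; }
  ( cd "$dir" \
    && sha256sum -c --ignore-missing --strict "$CHECKSUMS" 2>/dev/null \
       | grep -q "^${name}: OK\$" )
}

# Self-contained walk-through with constructed tarballs. Prints three flags:
# 1 = intact tarball verified, 1 = tampered tarball rejected,
# 1 = unlisted tarball rejected. "111" means every check behaved.
demo() {
  local dir
  dir=$(mktemp -d)
  printf 'constructed linux-aarch64 payload\n'  > "$dir/vm-runtime-linux-aarch64.tar.zst"
  printf 'constructed linux-x86_64 payload\n'   > "$dir/vm-runtime-linux-x86_64.tar.zst"
  printf 'constructed darwin-aarch64 payload\n' > "$dir/vm-runtime-darwin-aarch64.tar.zst"
  generate_checksums "$dir"

  local ok=0 tampered=0 unlisted=0
  verify_runtime "$dir" vm-runtime-linux-x86_64.tar.zst && ok=1

  # A modified artifact (one byte appended after the checksums were made) must fail.
  printf 'x' >> "$dir/vm-runtime-linux-x86_64.tar.zst"
  verify_runtime "$dir" vm-runtime-linux-x86_64.tar.zst || tampered=1

  # An artifact the checksum file never covered must be rejected, not silently skipped.
  printf 'stray\n' > "$dir/vm-runtime-freebsd-x86_64.tar.zst"
  verify_runtime "$dir" vm-runtime-freebsd-x86_64.tar.zst || unlisted=1

  rm -rf "$dir"
  echo "${ok}${tampered}${unlisted}"
}

demo
```

Two points worth keeping in mind when wiring this into a consumer. First, `sha256sum -c --ignore-missing` alone exits 0 as long as every file it could find matched, so a name that is absent from the checksum file is skipped rather than rejected; the explicit `grep` for the listing is what makes an unlisted artifact fail. Second, the checksum file is published in the same release as the tarballs it describes, so it catches truncated or mismatched downloads but cannot on its own distinguish a genuine release from one whose assets and checksum file were both replaced; that property needs a signature over the checksum file, which this workflow does not produce.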