release-canary.yml
---
# Smoke-tests a published release: installs the CLI from the public install
# script and runs a trivial sandbox command.
name: Release Canary

on:
  # Manual run against an explicit release tag.
  workflow_dispatch:
    inputs:
      tag:
        description: 'Release tag to test (e.g. devel, v1.2.3)'
        required: true
        type: string
  # Automatic run whenever one of the release workflows finishes. The
  # "completed" type fires for failed runs as well, so each job checks the
  # triggering run's conclusion itself.
  workflow_run:
    workflows:
      - Release Dev
      - Release Tag
    types:
      - completed

# Token scope for every job: read-only access to repository contents and to
# packages.
permissions:
  contents: read
  packages: read

# All `run:` steps execute under bash.
defaults:
  run:
    shell: bash
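jobs:
  # ---------------------------------------------------------------------------
  # Verify the default install path (no OPENSHELL_VERSION) resolves to latest
  # ---------------------------------------------------------------------------
  install-default:
    name: Install default (${{ matrix.arch }})
    # Only after a successful "Release Tag" run. On workflow_dispatch the
    # workflow_run context is empty, so this job is skipped.
    if: >-
      github.event.workflow_run.conclusion == 'success'
      && github.event.workflow_run.name == 'Release Tag'
    strategy:
      fail-fast: false
      matrix:
        include:
          - arch: amd64
            runner: build-amd64
          - arch: arm64
            runner: build-arm64
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 10
    container:
      # NOTE(review): ":latest" is a mutable tag. Pinning by digest
      # (ghcr.io/nvidia/openshell/ci@sha256:<IMAGE_DIGEST>) would fix exactly
      # which image these jobs execute.
      image: ghcr.io/nvidia/openshell/ci:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Install CLI (default / latest)
        run: |
          set -euo pipefail
          # This is the published one-line installer under test. It executes
          # whatever install.sh is on the main branch at run time.
          curl -LsSf https://raw.githubusercontent.com/linuxdevel/OpenShell/main/install.sh | sh

      - name: Verify CLI installation
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the shell treats the ref name as data and never
          # parses it as code.
          TAG: ${{ github.event.workflow_run.head_branch }}
        run: |
          set -euo pipefail
          command -v openshell
          ACTUAL="$(openshell --version)"
          echo "Installed: $ACTUAL"
          # This job only runs after Release Tag, so the triggering tag
          # should match the latest release the default installer resolves to.
          if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            EXPECTED="${TAG#v}"
            if [[ "$ACTUAL" != *"$EXPECTED"* ]]; then
              echo "::error::Version mismatch: expected '$EXPECTED' in '$ACTUAL'"
              exit 1
            fi
            echo "Version check passed: found $EXPECTED in output"
          else
            echo "Non-release tag ($TAG), skipping version check"
          fi

  # ---------------------------------------------------------------------------
  # Install a specific release and run a sandbox round-trip, per arch and mode
  # ---------------------------------------------------------------------------
  canary:
    name: Canary ${{ matrix.mode }} (${{ matrix.arch }})
    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
    strategy:
      fail-fast: false
      matrix:
        arch:
          - amd64
          - arm64
        mode:
          - auto-bootstrap
          - two-step
        include:
          - arch: amd64
            runner: build-amd64
            target: x86_64-unknown-linux-musl
          - arch: arm64
            runner: build-arm64
            target: aarch64-unknown-linux-musl
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 30
    container:
      # NOTE(review): ":latest" is a mutable tag. Pinning by digest
      # (ghcr.io/nvidia/openshell/ci@sha256:<IMAGE_DIGEST>) would fix exactly
      # which image these jobs execute.
      image: ghcr.io/nvidia/openshell/ci:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
      # --privileged plus the host Docker socket gives every step in this job,
      # including the downloaded install script, control of the runner's
      # Docker daemon. The runner labels look self-hosted (TODO confirm); if
      # so, these runners should be dedicated to this workflow and ephemeral.
      options: --privileged
      volumes:
        - /var/run/docker.sock:/var/run/docker.sock
    env:
      # NOTE(review): job-level env exposes this token to every step,
      # including the `curl | sh` install step. If only the gateway/sandbox
      # steps read it, move it to those steps' `env:` (confirm against
      # install.sh first).
      OPENSHELL_REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # The CI container mounts the host Docker socket, so the gateway
      # container is a sibling — not reachable at 127.0.0.1 from inside
      # this container. OPENSHELL_GATEWAY_HOST tells the auto-bootstrap
      # to advertise a reachable address instead.
      OPENSHELL_GATEWAY_HOST: host.docker.internal
    steps:
      # NOTE(review): "v4" is a mutable tag. Pinning to a full commit SHA
      # (actions/checkout@<COMMIT_SHA>) would fix the action code that runs.
      - uses: actions/checkout@v4
        with:
          # No visible later step talks to the git remote, so do not leave
          # the token in .git/config where subsequent steps could read it.
          persist-credentials: false

      - name: Determine release tag
        id: release
        env:
          # Event-derived values go through the environment instead of being
          # expanded into the script, so ref names and dispatch inputs cannot
          # alter the shell code that runs.
          EVENT_NAME: ${{ github.event_name }}
          DISPATCH_TAG: ${{ inputs.tag }}
          WORKFLOW_NAME: ${{ github.event.workflow_run.name }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          set -euo pipefail
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            TAG="$DISPATCH_TAG"
          elif [ "$WORKFLOW_NAME" = "Release Dev" ]; then
            TAG="devel"
          elif [ "$WORKFLOW_NAME" = "Release Tag" ]; then
            TAG="$HEAD_BRANCH"
            if [ -z "$TAG" ]; then
              echo "::error::Could not determine release tag from workflow_run"
              exit 1
            fi
          else
            echo "::error::Unexpected triggering workflow: ${WORKFLOW_NAME}"
            exit 1
          fi
          # Allowlist the characters of the tag before it is written to
          # GITHUB_OUTPUT and handed to the installer: no whitespace, no
          # newlines (which would add extra output keys), no shell syntax.
          if [[ ! "$TAG" =~ ^[A-Za-z0-9._/+-]+$ ]]; then
            echo "::error::Release tag is empty or contains unexpected characters"
            exit 1
          fi
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"

      - name: Install CLI from published install script
        env:
          RELEASE_TAG: ${{ steps.release.outputs.tag }}
        run: |
          set -euo pipefail
          # This is the published installer under test. It executes whatever
          # install.sh is on the main branch at run time.
          curl -LsSf https://raw.githubusercontent.com/linuxdevel/OpenShell/main/install.sh | OPENSHELL_VERSION="$RELEASE_TAG" OPENSHELL_INSTALL_DIR=/usr/local/bin sh

      - name: Verify CLI installation
        env:
          TAG: ${{ steps.release.outputs.tag }}
        run: |
          set -euo pipefail
          command -v openshell
          ACTUAL="$(openshell --version)"
          echo "Installed: $ACTUAL"
          # For tagged releases (v1.2.3), verify the semver appears in the version string
          if [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            EXPECTED="${TAG#v}"
            if [[ "$ACTUAL" != *"$EXPECTED"* ]]; then
              echo "::error::Version mismatch: expected '$EXPECTED' in '$ACTUAL'"
              exit 1
            fi
            echo "Version check passed: found $EXPECTED in output"
          else
            echo "Non-release tag ($TAG), skipping version check"
          fi

      - name: Resolve gateway host
        run: |
          set -euo pipefail
          # On Linux CI runners host.docker.internal is not set automatically
          # (it's a Docker Desktop feature). Add it via the Docker bridge IP.
          if ! getent hosts host.docker.internal >/dev/null 2>&1; then
            BRIDGE_IP="$(docker network inspect bridge --format '{{(index .IPAM.Config 0).Gateway}}')"
            # An empty result would write a malformed /etc/hosts line and the
            # failure would only surface later as an unreachable gateway.
            if [ -z "$BRIDGE_IP" ]; then
              echo "::error::Could not determine the Docker bridge gateway IP"
              exit 1
            fi
            echo "Adding /etc/hosts entry: ${BRIDGE_IP} host.docker.internal"
            echo "${BRIDGE_IP} host.docker.internal" >> /etc/hosts
          fi

      # Two-step mode: explicitly start the gateway before creating a sandbox.
      # --gateway-host is required because the gateway container is a Docker
      # sibling (not in the same network namespace). Without it the metadata
      # stores 127.0.0.1 which is unreachable from this CI container.
      - name: Start gateway
        if: matrix.mode == 'two-step'
        run: |
          set -euo pipefail
          echo "Starting gateway..."
          openshell gateway start --gateway-host "$OPENSHELL_GATEWAY_HOST"

      - name: Run canary test
        run: |
          set -euo pipefail
          echo "Creating sandbox and running 'echo hello world'..."
          OUTPUT=$(openshell sandbox create --no-keep --no-tty -- echo "hello world" 2>&1) || {
            EXIT_CODE=$?
            echo "::error::openshell sandbox create failed with exit code ${EXIT_CODE}"
            echo "$OUTPUT"
            exit "$EXIT_CODE"
          }
          echo "$OUTPUT"
          # Feed grep from a here-string, not `echo | grep -q`: under pipefail,
          # grep -q exiting on the first match can kill echo with SIGPIPE and
          # turn a passing canary into a reported failure.
          if grep -qF -- "hello world" <<<"$OUTPUT"; then
            echo "Canary test passed: 'hello world' found in output"
          else
            echo "::error::Canary test failed: 'hello world' not found in output"
            exit 1
          fi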