openlock release #19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: openlock release | |
| # Fork-specific release workflow. Builds the openshell binaries that | |
| # openlock needs (openshell-gateway, openshell-sandbox, openshell CLI) | |
| # on public GitHub-hosted runners, attaches them to a GitHub Release. | |
| # | |
| # Distinct from upstream's release-tag.yml which targets NVIDIA's | |
| # self-hosted infrastructure (custom runners, NVIDIA GHCR, debian | |
| # packaging, fern docs, GitLab triggers). | |
| on: | |
| push: | |
| tags: | |
| - "v*.*.*" | |
| workflow_dispatch: | |
| inputs: | |
| tag: | |
| description: "Git tag to release (e.g. v0.1.0)" | |
| required: true | |
| type: string | |
| permissions: | |
| contents: write | |
| env: | |
| RELEASE_TAG: ${{ inputs.tag || github.ref_name }} | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| build-linux: | |
| name: Build Linux ${{ matrix.arch }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-24.04 | |
| target: x86_64-unknown-linux-gnu | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| target: aarch64-unknown-linux-gnu | |
| runs-on: ${{ matrix.runner }} | |
| timeout-minutes: 60 | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ inputs.tag || github.ref }} | |
| fetch-depth: 0 | |
| - name: Install system deps | |
| run: | | |
| sudo apt-get update -qq | |
| sudo apt-get install -y -qq pkg-config libssl-dev clang protobuf-compiler | |
| - name: Set up Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| # The CLI statically links z3 via --features bundled-z3 (no runtime | |
| # libz3.so.4). The vendored z3 source hits overload-resolution errors | |
| # under modern system clang, so — mirroring upstream release-dev.yml — | |
| # zig provides the C/C++ toolchain and linker for the z3 build. Only the | |
| # CLI build step opts into this (via that step's env:); the gateway and | |
| # sandbox supervisor don't link z3 and keep the default toolchain. | |
| - name: Set up zig | |
| uses: mlugg/setup-zig@v2 | |
| with: | |
| version: 0.14.1 | |
| - name: Configure zig C/C++ wrappers for z3 | |
| run: | | |
| set -euo pipefail | |
| ZIG="$(command -v zig)" | |
| mkdir -p /tmp/zig-cc | |
| # cc-rs injects --target=<rust-triple> (for example | |
| # x86_64-unknown-linux-gnu), which zig does not parse. Strip any | |
| # caller-provided --target and let zig use its native default. | |
| for tool in cc c++; do | |
| printf '#!/bin/bash\nargs=()\nfor arg in "$@"; do\n case "$arg" in\n --target=*) ;;\n *) args+=("$arg") ;;\n esac\ndone\nexec "%s" %s "${args[@]}"\n' \ | |
| "$ZIG" "$tool" > "/tmp/zig-cc/${tool}" | |
| chmod +x "/tmp/zig-cc/${tool}" | |
| done | |
| - name: Cache cargo target | |
| uses: Swatinem/rust-cache@v2 | |
| with: | |
| shared-key: openlock-release-${{ matrix.target }} | |
| - name: Build openshell-gateway | |
| run: cargo build --release --target ${{ matrix.target }} -p openshell-server | |
| - name: Build openshell-sandbox (supervisor) | |
| run: cargo build --release --target ${{ matrix.target }} -p openshell-sandbox --bin openshell-sandbox | |
| # CLI links z3; --features bundled-z3 vendors and statically links it | |
| # via the zig toolchain configured above, so the released binary has no | |
| # runtime libz3.so.4 dependency. The CC/CXX/LINKER and CXXSTDLIB=c++ | |
| # overrides are scoped to this step (z3 built with zig c++ uses libc++ | |
| # symbols, so z3-sys's default stdc++ must be overridden to match). | |
| - name: Build openshell CLI | |
| env: | |
| CC: /tmp/zig-cc/cc | |
| CXX: /tmp/zig-cc/c++ | |
| CXXSTDLIB: c++ | |
| # z3-sys --features bundled fetches the z3 source via the GitHub API; | |
| # authenticate so GitHub-hosted runners don't hit the unauthenticated | |
| # 60-req/hr rate limit (HTTP 403). z3-sys reads READ_ONLY_GITHUB_TOKEN. | |
| READ_ONLY_GITHUB_TOKEN: ${{ github.token }} | |
| run: | | |
| set -euo pipefail | |
| TARGET_ENV=$(echo "${{ matrix.target }}" | tr '-' '_') | |
| TARGET_ENV_UPPER=${TARGET_ENV^^} | |
| export "CC_${TARGET_ENV}=/tmp/zig-cc/cc" | |
| export "CXX_${TARGET_ENV}=/tmp/zig-cc/c++" | |
| export "CARGO_TARGET_${TARGET_ENV_UPPER}_LINKER=/tmp/zig-cc/cc" | |
| cargo build --release --target ${{ matrix.target }} -p openshell-cli --features bundled-z3 | |
| - name: Package binaries | |
| run: | | |
| set -euo pipefail | |
| mkdir -p artifacts | |
| cd target/${{ matrix.target }}/release | |
| tar -czf "${GITHUB_WORKSPACE}/artifacts/openshell-gateway-${{ matrix.target }}.tar.gz" openshell-gateway | |
| tar -czf "${GITHUB_WORKSPACE}/artifacts/openshell-sandbox-${{ matrix.target }}.tar.gz" openshell-sandbox | |
| tar -czf "${GITHUB_WORKSPACE}/artifacts/openshell-${{ matrix.target }}.tar.gz" openshell | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: linux-${{ matrix.arch }} | |
| path: artifacts/*.tar.gz | |
| retention-days: 5 | |
| build-macos: | |
| name: Build macOS aarch64 | |
| runs-on: macos-14 | |
| timeout-minutes: 60 | |
| env: | |
| TARGET: aarch64-apple-darwin | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ inputs.tag || github.ref }} | |
| fetch-depth: 0 | |
| - name: Install build deps | |
| run: brew install protobuf | |
| - name: Set up Rust | |
| uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: aarch64-apple-darwin | |
| # The CLI statically links z3 via --features bundled-z3 (no runtime libz3 | |
| # dylib). The vendored z3 source hits overload-resolution errors under the | |
| # runner's older Apple clang, so — mirroring the Linux job and upstream | |
| # release-dev.yml — zig provides the C/C++ compiler for the z3 build. zig | |
| # only COMPILES z3 (built static); the final binary is linked by the | |
| # default system linker (ld64), because zig cannot link a macOS | |
| # executable. Only the CLI build step opts in (via its env:); the gateway | |
| # doesn't link z3 and keeps the default toolchain. | |
| - name: Set up zig | |
| uses: mlugg/setup-zig@v2 | |
| with: | |
| version: 0.14.1 | |
| - name: Configure zig C/C++ wrappers for z3 | |
| run: | | |
| set -euo pipefail | |
| ZIG="$(command -v zig)" | |
| mkdir -p /tmp/zig-cc | |
| # cc-rs injects --target=<rust-triple>, which zig does not parse; | |
| # strip it and let zig use its native default. -fno-sanitize=all | |
| # disables zig cc's default UBSan instrumentation, whose | |
| # __ubsan_handle_* symbols are otherwise unresolved when the system | |
| # linker links the final Rust binary. | |
| for tool in cc c++; do | |
| printf '#!/bin/bash\nargs=()\nfor arg in "$@"; do\n case "$arg" in\n --target=*) ;;\n *) args+=("$arg") ;;\n esac\ndone\nexec "%s" %s -fno-sanitize=all "${args[@]}"\n' \ | |
| "$ZIG" "$tool" > "/tmp/zig-cc/${tool}" | |
| chmod +x "/tmp/zig-cc/${tool}" | |
| done | |
| - name: Cache cargo target | |
| uses: Swatinem/rust-cache@v2 | |
| with: | |
| shared-key: openlock-release-aarch64-apple-darwin | |
| - name: Build openshell-gateway | |
| run: cargo build --release --target "$TARGET" -p openshell-server | |
| # --features bundled-z3 vendors and statically links z3 via the zig | |
| # toolchain configured above, so the released binary has no runtime libz3 | |
| # dylib and works on a clean Mac with no Homebrew z3. CC/CXX and the | |
| # target-scoped CC_<triple>/CXX_<triple> point cc-rs (z3-sys's builder) at | |
| # the zig wrappers; CXXSTDLIB=c++ matches macOS's libc++. The linker is | |
| # deliberately NOT overridden — zig cannot link a macOS executable, so | |
| # ld64 links the final binary against the zig-compiled static z3. | |
| - name: Build openshell CLI | |
| env: | |
| CC: /tmp/zig-cc/cc | |
| CXX: /tmp/zig-cc/c++ | |
| CC_aarch64_apple_darwin: /tmp/zig-cc/cc | |
| CXX_aarch64_apple_darwin: /tmp/zig-cc/c++ | |
| CXXSTDLIB: c++ | |
| MACOSX_DEPLOYMENT_TARGET: "11.0" | |
| # z3-sys --features bundled fetches the z3 source via the GitHub API; | |
| # authenticate so the runner doesn't hit the unauthenticated | |
| # 60-req/hr rate limit (HTTP 403). z3-sys reads READ_ONLY_GITHUB_TOKEN. | |
| READ_ONLY_GITHUB_TOKEN: ${{ github.token }} | |
| run: cargo build --release --target "$TARGET" -p openshell-cli --features bundled-z3 | |
| - name: Package binaries | |
| run: | | |
| set -euo pipefail | |
| mkdir -p artifacts | |
| cd target/"$TARGET"/release | |
| tar -czf "${GITHUB_WORKSPACE}/artifacts/openshell-gateway-${TARGET}.tar.gz" openshell-gateway | |
| tar -czf "${GITHUB_WORKSPACE}/artifacts/openshell-${TARGET}.tar.gz" openshell | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: macos-aarch64 | |
| path: artifacts/*.tar.gz | |
| retention-days: 5 | |
| release: | |
| name: Release | |
| needs: [build-linux, build-macos] | |
| runs-on: ubuntu-24.04 | |
| timeout-minutes: 10 | |
| steps: | |
| - uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ inputs.tag || github.ref }} | |
| - name: Download all artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: release/ | |
| merge-multiple: true | |
| - name: Compute checksums | |
| working-directory: release | |
| run: | | |
| set -euo pipefail | |
| ls -lh | |
| sha256sum *.tar.gz > checksums-sha256.txt | |
| cat checksums-sha256.txt | |
| - name: Publish GitHub Release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| tag_name: ${{ env.RELEASE_TAG }} | |
| name: ${{ env.RELEASE_TAG }} | |
| generate_release_notes: true | |
| prerelease: ${{ contains(env.RELEASE_TAG, '-rc') || contains(env.RELEASE_TAG, '-beta') || contains(env.RELEASE_TAG, '-alpha') }} | |
| files: | | |
| release/*.tar.gz | |
| release/checksums-sha256.txt |