518 changes: 518 additions & 0 deletions .github/workflows/release-vm-dev.yml

Large diffs are not rendered by default.

247 changes: 247 additions & 0 deletions .github/workflows/release-vm-kernel.yml
@@ -0,0 +1,247 @@
name: Release VM Kernel

# Build custom libkrunfw (kernel firmware) + libkrun (VMM) + gvproxy for all
# supported openshell-vm platforms. Artifacts are uploaded to the rolling
# "vm-dev" GitHub Release and consumed by release-vm-dev.yml when building the
# openshell-vm binary.
#
# This workflow runs on-demand (or when kernel config / pins change). It is
# intentionally decoupled from the per-commit VM binary build because the
# kernel rarely changes and takes 15-45 minutes to compile.

on:
workflow_dispatch:

permissions:
contents: write

# Serialize with release-vm-dev.yml — both update the vm-dev release.
concurrency:
group: vm-dev-release
cancel-in-progress: false

defaults:
run:
shell: bash

jobs:
# ---------------------------------------------------------------------------
# Linux ARM64 — native kernel + libkrun build
# ---------------------------------------------------------------------------
build-runtime-linux-arm64:
name: Build Runtime (Linux ARM64)
runs-on: build-arm64
timeout-minutes: 60
container:
image: ghcr.io/nvidia/openshell/ci:latest
credentials:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
options: --privileged
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v4

- name: Mark workspace safe for git
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

- name: Build libkrunfw + libkrun from source
run: tasks/scripts/vm/build-libkrun.sh

- name: Package runtime tarball
run: |
tasks/scripts/vm/package-vm-runtime.sh \
--platform linux-aarch64 \
--build-dir target/libkrun-build \
--output artifacts/vm-runtime-linux-aarch64.tar.zst

- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: vm-runtime-linux-arm64
path: artifacts/vm-runtime-linux-aarch64.tar.zst
retention-days: 5

# ---------------------------------------------------------------------------
# Linux AMD64 — native kernel + libkrun build
# ---------------------------------------------------------------------------
build-runtime-linux-amd64:
name: Build Runtime (Linux AMD64)
runs-on: build-amd64
timeout-minutes: 60
container:
image: ghcr.io/nvidia/openshell/ci:latest
credentials:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
options: --privileged
env:
MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v4

- name: Mark workspace safe for git
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

- name: Build libkrunfw + libkrun from source
run: tasks/scripts/vm/build-libkrun.sh

- name: Package runtime tarball
run: |
tasks/scripts/vm/package-vm-runtime.sh \
--platform linux-x86_64 \
--build-dir target/libkrun-build \
--output artifacts/vm-runtime-linux-x86_64.tar.zst

- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: vm-runtime-linux-amd64
path: artifacts/vm-runtime-linux-x86_64.tar.zst
retention-days: 5

# ---------------------------------------------------------------------------
# macOS ARM64 — kernel built via krunvm, libkrun built natively
# ---------------------------------------------------------------------------
build-runtime-macos-arm64:
name: Build Runtime (macOS ARM64)
runs-on: macos-latest-xlarge
timeout-minutes: 90
steps:
- uses: actions/checkout@v4

- name: Install dependencies
run: |
set -euo pipefail
brew install rust lld dtc xz
# libkrunfw from Homebrew (used as a fallback/reference by build scripts)
brew install libkrunfw
# krunvm is needed to build the Linux kernel inside a Fedora VM
brew tap slp/krun
brew install krunvm

- name: Build custom libkrunfw (kernel)
run: crates/openshell-vm/runtime/build-custom-libkrunfw.sh

- name: Build portable libkrun
run: tasks/scripts/vm/build-libkrun-macos.sh

- name: Package runtime tarball
env:
CUSTOM_PROVENANCE_DIR: target/custom-runtime
run: |
tasks/scripts/vm/package-vm-runtime.sh \
--platform darwin-aarch64 \
--build-dir target/libkrun-build \
--output artifacts/vm-runtime-darwin-aarch64.tar.zst

- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: vm-runtime-macos-arm64
path: artifacts/vm-runtime-darwin-aarch64.tar.zst
retention-days: 5

# ---------------------------------------------------------------------------
# Upload all runtime tarballs to the vm-dev rolling release
# ---------------------------------------------------------------------------
release-kernel:
name: Release Kernel Runtime
needs: [build-runtime-linux-arm64, build-runtime-linux-amd64, build-runtime-macos-arm64]
runs-on: build-amd64
timeout-minutes: 10
steps:
- uses: actions/checkout@v4

- name: Download all runtime artifacts
uses: actions/download-artifact@v4
with:
pattern: vm-runtime-*
path: release/
merge-multiple: true

- name: Generate checksums
run: |
set -euo pipefail
cd release
sha256sum vm-runtime-*.tar.zst > vm-runtime-checksums-sha256.txt
cat vm-runtime-checksums-sha256.txt

- name: Ensure vm-dev tag exists
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git tag -fa vm-dev -m "VM Development Build" "${GITHUB_SHA}"
git push --force origin vm-dev

- name: Prune stale runtime assets from vm-dev release
uses: actions/github-script@v7
with:
script: |
const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
let release;
try {
release = await github.rest.repos.getReleaseByTag({ owner, repo, tag: 'vm-dev' });
} catch (err) {
if (err.status === 404) {
core.info('No existing vm-dev release; will create fresh.');
return;
}
throw err;
}
// Delete old runtime tarballs and checksums (keep vm binary assets)
for (const asset of release.data.assets) {
if (asset.name.startsWith('vm-runtime-')) {
core.info(`Deleting stale asset: ${asset.name}`);
await github.rest.repos.deleteReleaseAsset({ owner, repo, asset_id: asset.id });
}
}

- name: Create / update vm-dev GitHub Release
uses: softprops/action-gh-release@v2
with:
name: OpenShell VM Development Build
prerelease: true
tag_name: vm-dev
target_commitish: ${{ github.sha }}
body: |
Rolling development build of **openshell-vm** — the MicroVM runtime for OpenShell.

> **NOTE**: This is a development build, not a tagged release, and may be unstable.
> The VM implementation itself is also experimental and may change or break without
> notice.

### Kernel Runtime Artifacts

Pre-built kernel runtime (libkrunfw + libkrun + gvproxy) for embedding into
the openshell-vm binary. These are rebuilt when the kernel config or pinned
dependency versions change.

| Platform | Artifact |
|----------|----------|
| Linux ARM64 | `vm-runtime-linux-aarch64.tar.zst` |
| Linux x86_64 | `vm-runtime-linux-x86_64.tar.zst` |
| macOS ARM64 | `vm-runtime-darwin-aarch64.tar.zst` |

### VM Binaries

Self-extracting openshell-vm binaries with embedded kernel runtime and base
rootfs. These are rebuilt on every push to main.

| Platform | Artifact |
|----------|----------|
| Linux ARM64 | `openshell-vm-aarch64-unknown-linux-gnu.tar.gz` |
| Linux x86_64 | `openshell-vm-x86_64-unknown-linux-gnu.tar.gz` |
| macOS ARM64 | `openshell-vm-aarch64-apple-darwin.tar.gz` |

**macOS users:** The binary must be codesigned with the Hypervisor entitlement:
```bash
codesign --entitlements crates/openshell-vm/entitlements.plist --force -s - ./openshell-vm
```

files: |
release/vm-runtime-linux-aarch64.tar.zst
release/vm-runtime-linux-x86_64.tar.zst
release/vm-runtime-darwin-aarch64.tar.zst
release/vm-runtime-checksums-sha256.txt
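Review bot: the release-kernel job runs `softprops/action-gh-release@v2` and `actions/github-script@v7` by mutable major-version tag while holding a `GITHUB_TOKEN` with `contents: write`, the same token the job uses for `git push --force origin vm-dev`; pin both actions to full-length commit SHAs so a retagged or compromised action cannot rewrite the tag or swap release assets. Related least-privilege point: the top-level `permissions: contents: write` applies to all four jobs, but only release-kernel writes to the repository, so move it onto that job and give the build jobs `contents: read` (plus `packages: read` if `ghcr.io/nvidia/openshell/ci` is not public, since the container pull uses the same token and explicitly listed permissions zero out every unlisted scope). The header comment says the workflow runs "on-demand (or when kernel config / pins change)" and the release body says the tarballs "are rebuilt when the kernel config or pinned dependency versions change", but `on:` lists only `workflow_dispatch`; either add a `push` trigger with `paths` filters or correct both comments. Two smaller points: `vm-runtime-checksums-sha256.txt` is generated and uploaded by the same job and token as the tarballs, so it detects download corruption but not substitution by anyone who can edit the release, and if consumers are meant to verify integrity the digests should be signed or recorded outside the release; and "Prune stale runtime assets" deletes every `vm-runtime-*` asset before the upload step runs, so a failed upload leaves the vm-dev release with no runtime tarballs for release-vm-dev.yml to consume. `options: --privileged` on the two Linux build jobs would also benefit from a one-line comment stating which step needs it.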
3 changes: 3 additions & 0 deletions .gitignore
@@ -181,6 +181,9 @@ kubeconfig
# Documentation build output
_build/

# Gateway microVM rootfs build artifacts
rootfs/

# Docker build artifacts (image tarballs, packaged helm charts)
deploy/docker/.build/

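Review bot: `rootfs/` is unanchored, so it ignores every directory named `rootfs` anywhere in the tree, not only the build output the comment describes; anchor it to the directory the build actually writes (for example `/rootfs/` if it lives at the repository root) so a checked-in `rootfs` source directory cannot be silently dropped from commits. The comment also calls this the "Gateway microVM" rootfs while the workflow above names the component openshell-vm and its "base rootfs"; use one name for the artifact.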
@@ -38,6 +38,7 @@ These pipelines connect skills into end-to-end workflows. Individual skill files
| `crates/openshell-core/` | Shared core | Common types, configuration, error handling |
| `crates/openshell-providers/` | Provider management | Credential provider backends |
| `crates/openshell-tui/` | Terminal UI | Ratatui-based dashboard for monitoring |
| `crates/openshell-vm/` | MicroVM runtime | Experimental, work-in-progress libkrun-based VM execution |
| `python/openshell/` | Python SDK | Python bindings and CLI packaging |
| `proto/` | Protobuf definitions | gRPC service contracts |
| `deploy/` | Docker, Helm, K8s | Dockerfiles, Helm chart, manifests |
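Review bot: the new `crates/openshell-vm/` row tells an agent the crate is experimental but not that the binary embeds a prebuilt kernel runtime (libkrunfw + libkrun + gvproxy) pulled from the rolling `vm-dev` GitHub Release, which release-vm-kernel.yml above documents; since AGENTS.md is the map agents consult before changing the tree, add that dependency to the description, e.g. "Experimental libkrun-based VM execution; the binary embeds the prebuilt vm-runtime tarball from the vm-dev release".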