From b045b1c138705ab5e33407ba41fc28480104ba90 Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Tue, 19 May 2026 19:00:59 +0200 Subject: [PATCH 1/6] feat: build CLI during pull request Fixes #1454 Signed-off-by: Jeff MAURY --- .github/workflows/branch-e2e.yml | 12 ++++++++++++ .github/workflows/docker-build.yml | 21 ++++++++++++++++++--- .github/workflows/rust-native-build.yml | 21 ++++++++++++++++----- 3 files changed, 46 insertions(+), 8 deletions(-) diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml index 6bb65acc7..c89e47222 100644 --- a/.github/workflows/branch-e2e.yml +++ b/.github/workflows/branch-e2e.yml @@ -80,6 +80,18 @@ jobs: component: supervisor image-tag: ${{ github.sha }} + build-cli: + needs: [pr_metadata] + if: needs.pr_metadata.outputs.should_run == 'true' + permissions: + contents: read + packages: read + uses: ./.github/workflows/docker-build.yml + with: + component: cli + platform: linux/amd64 + secrets: inherit + e2e: needs: [pr_metadata, build-gateway, build-supervisor] if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true' diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 4ff8f501d..258087774 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -4,7 +4,7 @@ on: workflow_call: inputs: component: - description: "Component to build (gateway, supervisor)" + description: "Component to build (gateway, supervisor, cli)" required: true type: string timeout-minutes: @@ -71,6 +71,8 @@ jobs: binary_name: ${{ steps.resolve.outputs.binary_name }} artifact_prefix: ${{ steps.resolve.outputs.artifact_prefix }} image_tag_base: ${{ steps.resolve.outputs.image_tag_base }} + features: ${{ steps.resolve.outputs.features }} + has_image: ${{ steps.resolve.outputs.has_image }} steps: - name: Resolve component and platform matrix id: resolve 
@@ -82,10 +84,20 @@ jobs: gateway) binary_component=gateway binary_name=openshell-gateway + features="openshell-core/dev-settings bundled-z3" + has_image=true ;; supervisor) binary_component=sandbox binary_name=openshell-sandbox + features="openshell-core/dev-settings" + has_image=true + ;; + cli) + binary_component=cli + binary_name=openshell + features="bundled-z3" + has_image=false ;; *) echo "unsupported component: $component" >&2 @@ -144,6 +156,8 @@ jobs: echo "binary_name=$binary_name" echo "artifact_prefix=rust-binary-${component}-${binary_component}" echo "image_tag_base=$image_tag_base" + echo "features=$features" + echo "has_image=$has_image" } >> "$GITHUB_OUTPUT" rust-binary: @@ -162,13 +176,14 @@ jobs: cargo-version: ${{ inputs['cargo-version'] }} image-tag: ${{ needs.resolve.outputs.image_tag_base }} checkout-ref: ${{ inputs['checkout-ref'] }} - features: ${{ inputs.component == 'gateway' && 'openshell-core/dev-settings bundled-z3' || 'openshell-core/dev-settings' }} + features: ${{ needs.resolve.outputs.features }} artifact-name: ${{ needs.resolve.outputs.artifact_prefix }}-linux-${{ matrix.arch }} secrets: inherit build: name: Build ${{ inputs.component }} (${{ matrix.arch }}) needs: [resolve, rust-binary] + if: needs.resolve.outputs.has_image == 'true' runs-on: ${{ matrix.runner }} timeout-minutes: ${{ inputs['timeout-minutes'] }} strategy: @@ -262,7 +277,7 @@ jobs: merge: name: Merge ${{ inputs.component }} manifest needs: [resolve, build] - if: ${{ inputs.push && inputs['publish-manifest'] }} + if: ${{ inputs.push && inputs['publish-manifest'] && needs.resolve.outputs.has_image == 'true' }} runs-on: linux-amd64-cpu8 timeout-minutes: 10 container: diff --git a/.github/workflows/rust-native-build.yml b/.github/workflows/rust-native-build.yml index 439083328..e63702900 100644 --- a/.github/workflows/rust-native-build.yml +++ b/.github/workflows/rust-native-build.yml 
@@ -1,11 +1,11 @@ # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 -name: Rust Image Binary Build (openshell-gateway / openshell-sandbox) +name: Rust Image Binary Build (openshell-gateway / openshell-sandbox / openshell-cli) # Build Rust binaries per Linux architecture before the Docker image build # consumes them as prebuilt artifacts. Gateway images use GNU-linked binaries -# for the NVIDIA distroless C/C++ runtime; supervisor images use musl/static +# for the NVIDIA distroless C/C++ runtime; supervisor and cli images use musl/static # binaries so the final image can remain scratch. Gateway GNU binaries are # built with an explicit glibc 2.31 floor so image, package, and tarball # artifacts share the same host portability contract. @@ -14,7 +14,7 @@ on: workflow_call: inputs: component: - description: "Binary component to build (gateway or sandbox)" + description: "Binary component to build (gateway, sandbox, or cli)" required: true type: string arch: @@ -121,6 +121,11 @@ jobs: binary=openshell-sandbox zig_target= ;; + cli) + crate=openshell-cli + binary=openshell + zig_target= + ;; *) echo "unsupported component: $COMPONENT" >&2 exit 1 @@ -129,7 +134,7 @@ jobs: case "$ARCH" in amd64) - if [[ "$COMPONENT" == "sandbox" ]]; then + if [[ "$COMPONENT" == "sandbox" || "$COMPONENT" == "cli" ]]; then target=x86_64-unknown-linux-musl zig_target=x86_64-linux-musl else @@ -138,7 +143,7 @@ jobs: fi ;; arm64) - if [[ "$COMPONENT" == "sandbox" ]]; then + if [[ "$COMPONENT" == "sandbox" || "$COMPONENT" == "cli" ]]; then target=aarch64-unknown-linux-musl zig_target=aarch64-linux-musl else 
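Review bot: The reworded header comment in the first hunk of rust-native-build.yml now says "supervisor and cli images use musl/static binaries so the final image can remain scratch", but docker-build.yml in this same patch sets `has_image=false` for cli, so no cli image is built. The musl target choice for cli is real (see the `amd64`/`arm64` branches further down), so only the wording needs to change. I would write it as `# for the NVIDIA distroless C/C++ runtime; supervisor images use musl/static binaries so the final image can remain scratch, and the cli binary is built musl/static with no image.` The workflow `name:` also lists `openshell-cli`, although the case arm sets `binary=openshell`; it may be worth making clear that this is the crate name.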
@@ -207,6 +212,12 @@ jobs: echo "CARGO_TARGET_${TARGET_ENV_UPPER}_RUSTFLAGS=-Clink-self-contained=no" >> "$GITHUB_ENV" - name: Build ${{ steps.target.outputs.binary }} (${{ steps.target.outputs.zig_target || steps.target.outputs.target }}) + # z3 built with zig c++ uses libc++ symbols (std::__1::*). + # Override z3-sys default (stdc++) so Rust links the matching runtime. + if [[ "$COMPONENT" == "cli" ]]; then + echo "CXXSTDLIB=c++" >> "$GITHUB_ENV" + fi + env: # Preserve the release-codegen setting used by the old Dockerfile # Rust build path so image artifacts keep the same release profile. From 3cfcf5bc0515dba81a66490326e96ce721637a95 Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Tue, 26 May 2026 08:58:25 +0200 Subject: [PATCH 2/6] fix: removed secrets passing Signed-off-by: Jeff MAURY --- .github/workflows/branch-e2e.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml index c89e47222..37aefe9ed 100644 --- a/.github/workflows/branch-e2e.yml +++ b/.github/workflows/branch-e2e.yml @@ -90,7 +90,6 @@ jobs: with: component: cli platform: linux/amd64 - secrets: inherit e2e: needs: [pr_metadata, build-gateway, build-supervisor] From 3882e060c2062611edbd372fbbcce38f66828b28 Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Tue, 26 May 2026 10:20:47 +0200 Subject: [PATCH 3/6] fix: fix wrong conflict resolution Signed-off-by: Jeff MAURY --- .github/workflows/rust-native-build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/rust-native-build.yml b/.github/workflows/rust-native-build.yml index e63702900..d26b7f8ba 100644 --- a/.github/workflows/rust-native-build.yml +++ b/.github/workflows/rust-native-build.yml 
@@ -212,12 +212,6 @@ jobs: echo "CARGO_TARGET_${TARGET_ENV_UPPER}_RUSTFLAGS=-Clink-self-contained=no" >> "$GITHUB_ENV" - name: Build ${{ steps.target.outputs.binary }} (${{ steps.target.outputs.zig_target || steps.target.outputs.target }}) - # z3 built with zig c++ uses libc++ symbols (std::__1::*). - # Override z3-sys default (stdc++) so Rust links the matching runtime. - if [[ "$COMPONENT" == "cli" ]]; then - echo "CXXSTDLIB=c++" >> "$GITHUB_ENV" - fi - env: # Preserve the release-codegen setting used by the old Dockerfile # Rust build path so image artifacts keep the same release profile. @@ -225,6 +219,12 @@ jobs: OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }} run: | set -euo pipefail + # z3 built with zig c++ uses libc++ symbols (std::__1::*). + # Override z3-sys default (stdc++) so Rust links the matching runtime. + if [[ ""${{ inputs.component }}" == "cli" ]]; then + echo "CXXSTDLIB=c++" >> "$GITHUB_ENV" + fi + mise x -- rustup target add "${{ steps.target.outputs.target }}" cargo_cmd=(cargo build) build_target="${{ steps.target.outputs.target }}" From 5a6e49e447c3e89c6e2edb04aaa04c9b0bcf8937 Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Fri, 29 May 2026 09:04:11 +0200 Subject: [PATCH 4/6] fix: apply suggestion from @TaylorMutch Co-authored-by: Taylor Mutch --- .github/workflows/branch-e2e.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml index 37aefe9ed..d73c7786d 100644 --- a/.github/workflows/branch-e2e.yml +++ b/.github/workflows/branch-e2e.yml @@ -85,7 +85,7 @@ jobs: if: needs.pr_metadata.outputs.should_run == 'true' permissions: contents: read - packages: read + packages: write uses: ./.github/workflows/docker-build.yml with: component: cli From 41f3fab5721a6be66e26469e4d2d44766dc4a967 Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Fri, 29 May 2026 16:44:56 +0200 Subject: [PATCH 5/6] fix: remove doubled quote 
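Review bot: Appending `CXXSTDLIB=c++` to `$GITHUB_ENV` inside the Build step's own `run:` script does not change the environment of that step, because values written to `GITHUB_ENV` only reach later steps of the job. The cargo command assembled just below (`cargo_cmd=(cargo build)`) appears to run in this same script, although the rest of it lies outside the hunk. If so, the z3-sys override never reaches the cli build. Replace the echo with `export CXXSTDLIB=c++`, or move the conditional into an earlier step. The PATCH 5/6 hunk fixes the quoting on the `if` line but leaves the echo unchanged.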
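Review bot: Raising `packages` from `read` to `write` on `build-cli` gives a job that builds branch or pull-request code a token able to publish to the package registry, yet nothing on the cli path visibly publishes. docker-build.yml in PATCH 1/6 sets `has_image=false` for cli, which skips both the `build` and `merge` jobs. If the wider scope is only there because jobs in the called workflow declare `packages: write` (their permission blocks are not visible here), record that next to the key, for example `# packages: write only satisfies docker-build.yml's job-level permissions; cli pushes no image`. A tighter option is to split the image jobs out so the cli path can stay on `packages: read`.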
Signed-off-by: Jeff MAURY --- .github/workflows/rust-native-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/rust-native-build.yml b/.github/workflows/rust-native-build.yml index d26b7f8ba..1cb186eee 100644 --- a/.github/workflows/rust-native-build.yml +++ b/.github/workflows/rust-native-build.yml @@ -221,7 +221,7 @@ jobs: set -euo pipefail # z3 built with zig c++ uses libc++ symbols (std::__1::*). # Override z3-sys default (stdc++) so Rust links the matching runtime. - if [[ ""${{ inputs.component }}" == "cli" ]]; then + if [[ "${{ inputs.component }}" == "cli" ]]; then echo "CXXSTDLIB=c++" >> "$GITHUB_ENV" fi From fe602fbde4e2c0e388f6ecc977fcde44351e43de Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Fri, 5 Jun 2026 15:56:09 +0200 Subject: [PATCH 6/6] fix: sync mise.lock Signed-off-by: Jeff MAURY --- mise.lock | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/mise.lock b/mise.lock index 4bbd4f34c..3e4b80cb5 100644 --- a/mise.lock +++ b/mise.lock 
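Review bot: The corrected test `if [[ "${{ inputs.component }}" == "cli" ]]; then` still expands the workflow input into the script text before bash parses it, whereas the earlier target-resolution step in this file reads the same value as `"$COMPONENT"`. Passing it through the step's `env:` keeps the value as data rather than shell source and matches the existing style. Add `COMPONENT: ${{ inputs.component }}` next to `OPENSHELL_IMAGE_TAG` and test `if [[ "$COMPONENT" == "cli" ]]; then`. Whether `COMPONENT` is already exported for this step is not visible in the hunk, so check before adding it.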
@@ -30,16 +30,19 @@ backend = "github:anchore/syft" checksum = "sha256:6f6cdcdc695721d91ce756e3b5bc3e3416599c464101f5e32e9c3f33054ee6d9" url = "https://github.com/anchore/syft/releases/download/v1.44.0/syft_1.44.0_linux_arm64.tar.gz" url_api = "https://api.github.com/repos/anchore/syft/releases/assets/410001182" +provenance = "github-attestations" [tools."github:anchore/syft"."platforms.linux-x64"] checksum = "sha256:0e91737aee2b5baf1d255b959630194a302335d848ff97bb07921eb6205b5f5a" url = "https://github.com/anchore/syft/releases/download/v1.44.0/syft_1.44.0_linux_amd64.tar.gz" url_api = "https://api.github.com/repos/anchore/syft/releases/assets/410001183" +provenance = "github-attestations" [tools."github:anchore/syft"."platforms.macos-arm64"] checksum = "sha256:24e4d34078ae81da7c82539616f0ccac3e226cf4f74a38ce6fb3463619e50a55" url = "https://github.com/anchore/syft/releases/download/v1.44.0/syft_1.44.0_darwin_arm64.tar.gz" url_api = "https://api.github.com/repos/anchore/syft/releases/assets/410001187" +provenance = "github-attestations" [[tools."github:mozilla/sccache"]] version = "0.14.0" 
@@ -60,6 +63,18 @@ checksum = "sha256:a781e8018260ab128e7690d8497736fa231b6ca895d57131d5b5b966ca987 url = "https://github.com/mozilla/sccache/releases/download/v0.14.0/sccache-v0.14.0-aarch64-apple-darwin.tar.gz" url_api = "https://api.github.com/repos/mozilla/sccache/releases/assets/353135984" +[[tools."github:mozilla/sccache"]] +version = "0.14.0" +backend = "github:mozilla/sccache" + +[tools."github:mozilla/sccache".options] +asset_pattern = "sccache-v*x86_64*linux*.tar.gz" + +[tools."github:mozilla/sccache"."platforms.linux-x64"] +checksum = "sha256:8424b38cda4ecce616a1557d81328f3d7c96503a171eab79942fad618b42af44" +url = "https://github.com/mozilla/sccache/releases/download/v0.14.0/sccache-v0.14.0-x86_64-unknown-linux-musl.tar.gz" +url_api = "https://api.github.com/repos/mozilla/sccache/releases/assets/353136108" + [[tools."github:rust-cross/cargo-zigbuild"]] version = "0.22.3" backend = "github:rust-cross/cargo-zigbuild" 
@@ -187,18 +202,18 @@ backend = "core:python" precompiled_flavor = "install_only_stripped" [tools.python."platforms.linux-arm64"] -checksum = "sha256:bea1aa66159eaf97ade1225e40b7060d709154da961aa37792bb8066d8f6af49" -url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.14.5+20260510-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz" +checksum = "sha256:1d3ea1b3cd9b8f3d53afb629e82e9bc8f6dab6cbb1a7d23524bd86ba5bc22570" +url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260602/cpython-3.14.5+20260602-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz" provenance = "github-attestations" [tools.python."platforms.linux-x64"] -checksum = "sha256:dc10977b0db3bef1ee2275107fde6fe9c148135b556fa352e83c6baa67d17ed6" -url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.14.5+20260510-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz" +checksum = "sha256:982a60fc7f11bbe405ab54afcd4eb145f1134797bbbffac9f5c49df4ec98b13e" +url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260602/cpython-3.14.5+20260602-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz" provenance = "github-attestations" [tools.python."platforms.macos-arm64"] -checksum = "sha256:1bb0b3d45448dfe7e916dc62144cfd7d7a611dc6ccf05b8bb71662cc5c2a1ad2" -url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.14.5+20260510-aarch64-apple-darwin-install_only_stripped.tar.gz" +checksum = "sha256:3a0373cc39fefd494754ef555267f245c720cddbaaabf63a7c9a4269f1e56532" +url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260602/cpython-3.14.5+20260602-aarch64-apple-darwin-install_only_stripped.tar.gz" provenance = "github-attestations" [[tools.rust]]