thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions
banger/AGENTS.md
Thales Maciel 759fa20602
docs: add release-process runbook 
Captures the cut-and-publish workflow currently encoded only in
scripts/publish-banger-release.sh and the CHANGELOG patterns. Covers:

- Release artefacts + R2 paths + the install.sh-at-bucket-root
  contract.
- Trust model recap (cosign pubkey pinned in both verify_signature.go
  and scripts/install.sh; drift check enforced by the publish script).
- Pre-flight checklist: green smoke, CHANGELOG entry with the right
  Keep-a-Changelog headings, link-table bump, explicit callout when
  unit files changed (banger update swaps binaries, not units).
- Cut order: publish first, tag after, verify from a clean machine.
- Verification-release rule: any fix to runUpdate / unit templates /
  helper-daemon restart sequencing requires an immediate no-op +1
  release so a host on the buggy version can update to it and observe
  the fix live with the new binary in the driver seat. v0.1.3 and
  v0.1.5 are the existing examples.
- Patch vs minor: minor = exposed API/contract change (vsock guest-
  agent protocol, CLI flag removal, RPC shape, non-forward-compatible
  store schema); everything else is patch.
- Sibling catalogs: kernel + golden-image entries are go:embed-ed,
  so they piggyback on the next banger release.
- Mid-release recovery for signature drift, partial rclone, re-cut,
  and bad-tag cleanup (never reuse a version).

AGENTS.md gets a one-liner pointer so the maintainer guide surfaces
the runbook without duplicating it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 12:25:36 -03:00

4.1 KiB
Raw Permalink Blame History

Repository Guidelines

Always run make build before commit.

Project Structure

  • cmd/banger, cmd/bangerd, and cmd/banger-vsock-agent are the three binaries. The first two are user-facing; the third is a companion that ships inside each guest VM.
  • internal/ contains the daemon, CLI, RPC, storage, Firecracker integration, and guest helpers.
  • internal/daemon/ is the composition root; pure helpers live in its subpackages (opstate, dmsnap, fcproc, imagemgr, workspace). See internal/daemon/ARCHITECTURE.md.
  • internal/imagecat/ and internal/kernelcat/ embed the image + kernel catalogs.
  • images/golden/ is the Dockerfile for the debian-bookworm catalog entry.
  • scripts/ contains manual helper workflows for rootfs, kernel, and bundle preparation.
  • build/bin/ is the canonical source-checkout build output.
  • build/manual/ is the canonical source-checkout location for manual rootfs/kernel artifacts.

Build and Test

  • make build builds ./build/bin/banger, ./build/bin/bangerd, and ./build/bin/banger-vsock-agent.
  • make test runs go test ./....
  • make lint runs gofmt -l, go vet ./..., and shellcheck --severity=error on scripts/*.sh. Run before commits.
  • ./build/bin/banger doctor checks host readiness.
  • ./build/bin/banger vm run is the primary user-facing entry point — auto-pulls the default image + kernel from the catalogs if missing.
  • ./build/bin/banger image pull <name> uses the bundle catalog (fast) when <name> is a catalog entry, or falls through to the OCI path for arbitrary registry refs. See docs/image-catalog.md and docs/oci-import.md.
  • ./build/bin/banger image register ... registers an unmanaged host-side image stack.
  • ./build/bin/banger image promote <image> copies an unmanaged image into daemon-owned managed artifacts.
  • scripts/make-generic-kernel.sh builds a Firecracker-optimized vmlinux from upstream sources. scripts/publish-kernel.sh <name> publishes it to the kernel catalog.
  • scripts/publish-golden-image.sh rebuilds + publishes the golden image bundle and patches the image catalog.
  • scripts/publish-banger-release.sh <vX.Y.Z> cuts a banger release. Full runbook in docs/release-process.md.

Image Model

  • Managed images own the full boot set: rootfs, optional work-seed, kernel, optional initrd, and optional modules.
  • The image catalog ships pre-built bundles. vm run auto-pulls the default catalog entry; image pull <name> can be invoked explicitly.
  • default_image_name defaults to debian-bookworm. On miss, the daemon auto-pulls from imagecat before surfacing "not found".
  • Kernel references follow the same auto-pull pattern against kernelcat.

Config

  • Config lives at ~/.config/banger/config.toml.
  • Firecracker comes from PATH by default, or firecracker_bin.
  • SSH uses ssh_key_path or an auto-managed default key at ~/.local/state/banger/ssh/id_ed25519.

Coding Style

  • Prefer small, direct Go code and standard library solutions.
  • Keep shell scripts strict with set -euo pipefail.
  • Use gofmt for Go formatting.
  • When a CLI accepts either an inline string or a file input, always prefer the file-based form.
  • For shell commands and AI/LLM tooling, prefer passing files as input whenever the CLI allows it.
  • Create temporary files as needed to follow the file-first rule.
  • Examples: use git commit -F <file> instead of git commit -m <message>, and use prompt files instead of inline prompt strings when invoking LLM CLIs.

Testing Guidance

  • Primary automated coverage is go test ./... (wired through make test).
  • make coverage runs the suite with -coverpkg=./... and prints per-package averages plus a total; make coverage-html writes a browsable report to coverage.html; make coverage-total prints just the total (for scripts/CI).
  • For lifecycle changes, smoke-test with vm run end-to-end (covers create + start + boot + ssh).
  • If guest provisioning changes, document whether existing images must be rebuilt or recreated.

Security

  • Do not commit secrets.
  • VM workflows require sudo and /dev/kvm.
  • The default SSH key is local configuration, not a checked-in runtime artifact.