From 89d0cb93bfb0f0c75da71b0f051fd560adda0ccd Mon Sep 17 00:00:00 2001
From: Thales Maciel
Date: Sun, 8 Mar 2026 18:30:11 -0300
Subject: [PATCH] Automate GHCR environment publishing
---
.github/workflows/publish-environments.yml | 46 ++++++++++++++++++++++
AGENTS.md | 2 +
Makefile | 16 +++++++-
README.md | 10 +++++
runtime_sources/README.md | 5 +++
5 files changed, 78 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/publish-environments.yml
diff --git a/.github/workflows/publish-environments.yml b/.github/workflows/publish-environments.yml
new file mode 100644
index 0000000..6089bbd
--- /dev/null
+++ b/.github/workflows/publish-environments.yml
@@ -0,0 +1,46 @@
+name: Publish Environments
+
+on:
+ workflow_dispatch:
+ release:
+ types:
+ - published
+
+permissions:
+ contents: read
+ packages: write
+
+concurrency:
+ group: publish-environments-${{ github.ref }}
+ cancel-in-progress: false
+
+jobs:
+ publish:
+ runs-on: ubuntu-24.04
+ env:
+ UV_CACHE_DIR: .uv-cache
+ OCI_REGISTRY_USERNAME: ${{ github.actor }}
+ OCI_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: Check out source
+ uses: actions/checkout@v4
+
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+
+ - name: Set up uv
+ uses: astral-sh/setup-uv@v6
+
+ - name: Install project dependencies
+ run: make setup
+
+ - name: Run project checks
+ run: make check
+
+ - name: Build real runtime inputs
+ run: make runtime-materialize
+
+ - name: Publish official environments to GHCR
+ run: make runtime-publish-official-environments-oci
diff --git a/AGENTS.md b/AGENTS.md
index b6bba17..2b3f6b1 100644
--- a/AGENTS.md
+++ b/AGENTS.md
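Review bot: The `publish` job holds `packages: write` and receives `${{ secrets.GITHUB_TOKEN }}` as `OCI_REGISTRY_PASSWORD`, yet each `uses:` (`actions/checkout@v4`, `actions/setup-python@v5`, `astral-sh/setup-uv@v6`) is pinned only to a mutable major-version tag; pin each action to a full commit SHA with the version in a trailing comment so a retagged or compromised action cannot publish under this token. The two `OCI_REGISTRY_*` entries are set at job level, so they are also exposed to the setup actions and to `make setup`/`make check`, which have no use for them; move them into a step-level `env:` on the final "Publish official environments to GHCR" step. `workflow_dispatch` carries no ref restriction, so a manual run from any branch publishes as "official"; a `github.ref` guard on the job or a protected `environment:` would limit publication to the release ref.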
@@ -18,6 +18,7 @@ This repository ships `pyro-mcp`, an MCP-compatible package for ephemeral VM lif - The packaged runtime images under `src/pyro_mcp/runtime_bundle/` are stored in Git LFS. - Use `make runtime-bundle` to regenerate the packaged runtime bundle from `runtime_sources/`. - Use `make runtime-materialize` to build real runtime inputs into `build/runtime_sources/`. +- Use `make runtime-publish-official-environments-oci` after materialization to push the official OCI environments to their configured registry targets. - Use `make runtime-fetch-binaries`, `make runtime-build-kernel-real`, and `make runtime-build-rootfs-real` if you need to debug the real-source pipeline step by step. - Use `make runtime-boot-check` to run a direct Firecracker boot validation against the bundled runtime artifacts. - Use `make runtime-network-check` to validate outbound internet access from inside the guest.
@@ -30,6 +31,7 @@ This repository ships `pyro-mcp`, an MCP-compatible package for ephemeral VM lif - After heavy runtime work, reclaim local space with `rm -rf build` and `git lfs prune`. - The pre-migration `pre-lfs-*` tag is local backup material only; do not push it or it will keep the old giant blobs reachable. - Public contract documentation lives in `docs/public-contract.md`. +- Official GHCR publication workflow lives in `.github/workflows/publish-environments.yml`. ## Quality Gates
diff --git a/Makefile b/Makefile
index 0429b54..975796c 100644
--- a/Makefile
+++ b/Makefile
@@ -10,8 +10,9 @@ RUNTIME_BUNDLE_DIR ?= src/pyro_mcp/runtime_bundle RUNTIME_MATERIALIZED_DIR ?= build/runtime_sources RUNTIME_OCI_LAYOUT_DIR ?= build/oci_layouts RUNTIME_ENVIRONMENT ?= debian:12-base +RUNTIME_ENVIRONMENTS ?= debian:12-base debian:12 debian:12-build -.PHONY: help setup lint format typecheck test check dist-check demo network-demo doctor ollama ollama-demo run-server install-hooks runtime-bundle runtime-binaries runtime-kernel runtime-rootfs runtime-agent runtime-validate runtime-manifest runtime-sync runtime-clean runtime-fetch-binaries runtime-build-kernel-real runtime-build-rootfs-real runtime-materialize runtime-export-environment-oci runtime-publish-environment-oci runtime-boot-check runtime-network-check +.PHONY: help setup lint format typecheck test check dist-check demo network-demo doctor ollama ollama-demo run-server install-hooks runtime-bundle runtime-binaries runtime-kernel runtime-rootfs runtime-agent runtime-validate runtime-manifest runtime-sync runtime-clean runtime-fetch-binaries runtime-build-kernel-real runtime-build-rootfs-real runtime-materialize runtime-export-environment-oci runtime-export-official-environments-oci runtime-publish-environment-oci runtime-publish-official-environments-oci runtime-boot-check runtime-network-check help: @printf '%s\n' \ 
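Review bot: `RUNTIME_ENVIRONMENTS` is introduced with no comment explaining how it relates to the existing single-value `RUNTIME_ENVIRONMENT` (whose default also appears as the first entry of the new list) or that the new `runtime-export-official-environments-oci` / `runtime-publish-official-environments-oci` targets iterate over it. Suggest `# Official environments iterated by the runtime-*-official-environments-oci targets; override with make RUNTIME_ENVIRONMENTS="..."` above the assignment. Since the list is split on whitespace by the shell `for` loop in those targets, entries cannot contain spaces, which is worth stating for a user-overridable variable. The `help:` recipe at the end of the hunk continues outside it.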
@@ -43,7 +44,9 @@ help: ' runtime-build-rootfs-real Materialize the real guest rootfs images' \ ' runtime-materialize Run all real-source materialization steps' \ ' runtime-export-environment-oci Export one environment as a local OCI layout' \ + ' runtime-export-official-environments-oci Export all official environments as OCI layouts' \ ' runtime-publish-environment-oci Publish one exported OCI layout to its registry target' \ + ' runtime-publish-official-environments-oci Publish all official environments to their registry targets' \ ' runtime-boot-check Validate direct Firecracker boot from the bundled runtime' \ ' runtime-network-check Validate outbound guest networking from the bundled runtime' \ ' runtime-clean Remove generated runtime build artifacts' 
@@ -133,9 +136,20 @@ runtime-materialize: runtime-export-environment-oci: uv run python -m pyro_mcp.runtime_build export-environment-oci --platform "$(RUNTIME_PLATFORM)" --source-dir "$(RUNTIME_SOURCE_DIR)" --build-dir "$(RUNTIME_BUILD_DIR)" --bundle-dir "$(RUNTIME_BUNDLE_DIR)" --materialized-dir "$(RUNTIME_MATERIALIZED_DIR)" --environment "$(RUNTIME_ENVIRONMENT)" --output-dir "$(RUNTIME_OCI_LAYOUT_DIR)" +runtime-export-official-environments-oci: + @for environment in $(RUNTIME_ENVIRONMENTS); do \ + $(MAKE) runtime-export-environment-oci RUNTIME_ENVIRONMENT="$$environment"; \ + done + runtime-publish-environment-oci: uv run python -m pyro_mcp.runtime_build publish-environment-oci --platform "$(RUNTIME_PLATFORM)" --source-dir "$(RUNTIME_SOURCE_DIR)" --build-dir "$(RUNTIME_BUILD_DIR)" --bundle-dir "$(RUNTIME_BUNDLE_DIR)" --materialized-dir "$(RUNTIME_MATERIALIZED_DIR)" --environment "$(RUNTIME_ENVIRONMENT)" --layout-root "$(RUNTIME_OCI_LAYOUT_DIR)" +runtime-publish-official-environments-oci: + @for environment in $(RUNTIME_ENVIRONMENTS); do \ + $(MAKE) runtime-export-environment-oci RUNTIME_ENVIRONMENT="$$environment"; \ + $(MAKE) runtime-publish-environment-oci RUNTIME_ENVIRONMENT="$$environment"; \ + done + runtime-boot-check: uv run python -m pyro_mcp.runtime_boot_check
diff --git a/README.md b/README.md
index 6965699..143588d 100644
--- a/README.md
+++ b/README.md
@@ -192,3 +192,13 @@ make dist-check ``` Contributor runtime source artifacts are still maintained under `src/pyro_mcp/runtime_bundle/` and `runtime_sources/`.
+
+Official environment publication is automated through
+`.github/workflows/publish-environments.yml`.
+For a local publish dry run against GHCR-compatible credentials:
+
+```bash
+make runtime-materialize
+OCI_REGISTRY_USERNAME="$GITHUB_USER" OCI_REGISTRY_PASSWORD="$GITHUB_TOKEN" \
+ make runtime-publish-official-environments-oci
+```
diff --git a/runtime_sources/README.md b/runtime_sources/README.md
index 372c47e..5dc4849 100644
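Review bot: In both new targets, `runtime-export-official-environments-oci` and `runtime-publish-official-environments-oci`, a failing `$(MAKE)` call inside the `for` loop neither stops the loop nor fails the target: the loop's exit status is that of its last command, and nothing in the hunk sets `-e` (a `.SHELLFLAGS` or `SHELL` setting earlier in the Makefile, outside this hunk, would change that). As written, a failed export for one environment is followed by a publish attempt for that same environment and by the remaining ones, and the target can still exit 0, so a stale or missing layout can be pushed while the run reports success. Append `|| exit 1` to each of the three `$(MAKE)` lines, e.g. `$(MAKE) runtime-export-environment-oci RUNTIME_ENVIRONMENT="$$environment" || exit 1; \`. The publish target also duplicates the export loop rather than depending on `runtime-export-official-environments-oci`; if interleaving export and publish per environment is deliberate, a one-line comment above the target saying why would spare the next reader the question.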
--- a/runtime_sources/README.md
+++ b/runtime_sources/README.md
@@ -15,6 +15,11 @@ Materialization workflow: 3. `make runtime-build-rootfs-real` 4. `make runtime-bundle` +Official environment publication workflow: +1. `make runtime-materialize` +2. `OCI_REGISTRY_USERNAME=... OCI_REGISTRY_PASSWORD=... make runtime-publish-official-environments-oci` +3. or run the repo workflow at `.github/workflows/publish-environments.yml` + Build requirements for the real path: - `docker` - outbound network access to GitHub and Debian snapshot mirrors