thaloco/pyro-mcp
1
Fork 0
Code Pull requests Releases Packages Activity Actions

Automate GHCR environment publishing

Browse source
This commit is contained in:
Thales Maciel 2026-03-08 18:30:11 -03:00
parent 6406f673c1
commit 89d0cb93bf
5 changed files with 78 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

46
.github/workflows/publish-environments.yml vendored Normal file
View file

@ -0,0 +1,46 @@
name: Publish Environments
on:
workflow_dispatch:
release:
types:
- published
permissions:
contents: read
packages: write
concurrency:
group: publish-environments-${{ github.ref }}
cancel-in-progress: false
jobs:
publish:
runs-on: ubuntu-24.04
env:
UV_CACHE_DIR: .uv-cache
OCI_REGISTRY_USERNAME: ${{ github.actor }}
OCI_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Check out source
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Set up uv
uses: astral-sh/setup-uv@v6
- name: Install project dependencies
run: make setup
- name: Run project checks
run: make check
- name: Build real runtime inputs
run: make runtime-materialize
- name: Publish official environments to GHCR
run: make runtime-publish-official-environments-oci

2
AGENTS.md
View file

@ -18,6 +18,7 @@ This repository ships `pyro-mcp`, an MCP-compatible package for ephemeral VM lif
- The packaged runtime images under `src/pyro_mcp/runtime_bundle/` are stored in Git LFS. - The packaged runtime images under `src/pyro_mcp/runtime_bundle/` are stored in Git LFS.
- Use `make runtime-bundle` to regenerate the packaged runtime bundle from `runtime_sources/`. - Use `make runtime-bundle` to regenerate the packaged runtime bundle from `runtime_sources/`.
- Use `make runtime-materialize` to build real runtime inputs into `build/runtime_sources/`. - Use `make runtime-materialize` to build real runtime inputs into `build/runtime_sources/`.
- Use `make runtime-publish-official-environments-oci` after materialization to push the official OCI environments to their configured registry targets.
- Use `make runtime-fetch-binaries`, `make runtime-build-kernel-real`, and `make runtime-build-rootfs-real` if you need to debug the real-source pipeline step by step. - Use `make runtime-fetch-binaries`, `make runtime-build-kernel-real`, and `make runtime-build-rootfs-real` if you need to debug the real-source pipeline step by step.
- Use `make runtime-boot-check` to run a direct Firecracker boot validation against the bundled runtime artifacts. - Use `make runtime-boot-check` to run a direct Firecracker boot validation against the bundled runtime artifacts.
- Use `make runtime-network-check` to validate outbound internet access from inside the guest. - Use `make runtime-network-check` to validate outbound internet access from inside the guest.
@ -30,6 +31,7 @@ This repository ships `pyro-mcp`, an MCP-compatible package for ephemeral VM lif
- After heavy runtime work, reclaim local space with `rm -rf build` and `git lfs prune`. - After heavy runtime work, reclaim local space with `rm -rf build` and `git lfs prune`.
- The pre-migration `pre-lfs-*` tag is local backup material only; do not push it or it will keep the old giant blobs reachable. - The pre-migration `pre-lfs-*` tag is local backup material only; do not push it or it will keep the old giant blobs reachable.
- Public contract documentation lives in `docs/public-contract.md`. - Public contract documentation lives in `docs/public-contract.md`.
- Official GHCR publication workflow lives in `.github/workflows/publish-environments.yml`.
## Quality Gates ## Quality Gates

16
Makefile
View file

@ -10,8 +10,9 @@ RUNTIME_BUNDLE_DIR ?= src/pyro_mcp/runtime_bundle
RUNTIME_MATERIALIZED_DIR ?= build/runtime_sources RUNTIME_MATERIALIZED_DIR ?= build/runtime_sources
RUNTIME_OCI_LAYOUT_DIR ?= build/oci_layouts RUNTIME_OCI_LAYOUT_DIR ?= build/oci_layouts
RUNTIME_ENVIRONMENT ?= debian:12-base RUNTIME_ENVIRONMENT ?= debian:12-base
RUNTIME_ENVIRONMENTS ?= debian:12-base debian:12 debian:12-build
.PHONY: help setup lint format typecheck test check dist-check demo network-demo doctor ollama ollama-demo run-server install-hooks runtime-bundle runtime-binaries runtime-kernel runtime-rootfs runtime-agent runtime-validate runtime-manifest runtime-sync runtime-clean runtime-fetch-binaries runtime-build-kernel-real runtime-build-rootfs-real runtime-materialize runtime-export-environment-oci runtime-publish-environment-oci runtime-boot-check runtime-network-check .PHONY: help setup lint format typecheck test check dist-check demo network-demo doctor ollama ollama-demo run-server install-hooks runtime-bundle runtime-binaries runtime-kernel runtime-rootfs runtime-agent runtime-validate runtime-manifest runtime-sync runtime-clean runtime-fetch-binaries runtime-build-kernel-real runtime-build-rootfs-real runtime-materialize runtime-export-environment-oci runtime-export-official-environments-oci runtime-publish-environment-oci runtime-publish-official-environments-oci runtime-boot-check runtime-network-check
help: help:
@printf '%s\n' \ @printf '%s\n' \
@ -43,7 +44,9 @@ help:
' runtime-build-rootfs-real Materialize the real guest rootfs images' \ ' runtime-build-rootfs-real Materialize the real guest rootfs images' \
' runtime-materialize Run all real-source materialization steps' \ ' runtime-materialize Run all real-source materialization steps' \
' runtime-export-environment-oci Export one environment as a local OCI layout' \ ' runtime-export-environment-oci Export one environment as a local OCI layout' \
' runtime-export-official-environments-oci Export all official environments as OCI layouts' \
' runtime-publish-environment-oci Publish one exported OCI layout to its registry target' \ ' runtime-publish-environment-oci Publish one exported OCI layout to its registry target' \
' runtime-publish-official-environments-oci Publish all official environments to their registry targets' \
' runtime-boot-check Validate direct Firecracker boot from the bundled runtime' \ ' runtime-boot-check Validate direct Firecracker boot from the bundled runtime' \
' runtime-network-check Validate outbound guest networking from the bundled runtime' \ ' runtime-network-check Validate outbound guest networking from the bundled runtime' \
' runtime-clean Remove generated runtime build artifacts' ' runtime-clean Remove generated runtime build artifacts'
@ -133,9 +136,20 @@ runtime-materialize:
runtime-export-environment-oci: runtime-export-environment-oci:
uv run python -m pyro_mcp.runtime_build export-environment-oci --platform "$(RUNTIME_PLATFORM)" --source-dir "$(RUNTIME_SOURCE_DIR)" --build-dir "$(RUNTIME_BUILD_DIR)" --bundle-dir "$(RUNTIME_BUNDLE_DIR)" --materialized-dir "$(RUNTIME_MATERIALIZED_DIR)" --environment "$(RUNTIME_ENVIRONMENT)" --output-dir "$(RUNTIME_OCI_LAYOUT_DIR)" uv run python -m pyro_mcp.runtime_build export-environment-oci --platform "$(RUNTIME_PLATFORM)" --source-dir "$(RUNTIME_SOURCE_DIR)" --build-dir "$(RUNTIME_BUILD_DIR)" --bundle-dir "$(RUNTIME_BUNDLE_DIR)" --materialized-dir "$(RUNTIME_MATERIALIZED_DIR)" --environment "$(RUNTIME_ENVIRONMENT)" --output-dir "$(RUNTIME_OCI_LAYOUT_DIR)"
runtime-export-official-environments-oci:
@for environment in $(RUNTIME_ENVIRONMENTS); do \
$(MAKE) runtime-export-environment-oci RUNTIME_ENVIRONMENT="$$environment"; \
done
runtime-publish-environment-oci: runtime-publish-environment-oci:
uv run python -m pyro_mcp.runtime_build publish-environment-oci --platform "$(RUNTIME_PLATFORM)" --source-dir "$(RUNTIME_SOURCE_DIR)" --build-dir "$(RUNTIME_BUILD_DIR)" --bundle-dir "$(RUNTIME_BUNDLE_DIR)" --materialized-dir "$(RUNTIME_MATERIALIZED_DIR)" --environment "$(RUNTIME_ENVIRONMENT)" --layout-root "$(RUNTIME_OCI_LAYOUT_DIR)" uv run python -m pyro_mcp.runtime_build publish-environment-oci --platform "$(RUNTIME_PLATFORM)" --source-dir "$(RUNTIME_SOURCE_DIR)" --build-dir "$(RUNTIME_BUILD_DIR)" --bundle-dir "$(RUNTIME_BUNDLE_DIR)" --materialized-dir "$(RUNTIME_MATERIALIZED_DIR)" --environment "$(RUNTIME_ENVIRONMENT)" --layout-root "$(RUNTIME_OCI_LAYOUT_DIR)"
runtime-publish-official-environments-oci:
@for environment in $(RUNTIME_ENVIRONMENTS); do \
$(MAKE) runtime-export-environment-oci RUNTIME_ENVIRONMENT="$$environment"; \
$(MAKE) runtime-publish-environment-oci RUNTIME_ENVIRONMENT="$$environment"; \
done
runtime-boot-check: runtime-boot-check:
uv run python -m pyro_mcp.runtime_boot_check uv run python -m pyro_mcp.runtime_boot_check

10
README.md
View file

@ -192,3 +192,13 @@ make dist-check
``` ```
Contributor runtime source artifacts are still maintained under `src/pyro_mcp/runtime_bundle/` and `runtime_sources/`. Contributor runtime source artifacts are still maintained under `src/pyro_mcp/runtime_bundle/` and `runtime_sources/`.
Official environment publication is automated through
`.github/workflows/publish-environments.yml`.
For a local publish dry run against GHCR-compatible credentials:
```bash
make runtime-materialize
OCI_REGISTRY_USERNAME="$GITHUB_USER" OCI_REGISTRY_PASSWORD="$GITHUB_TOKEN" \
make runtime-publish-official-environments-oci
```

5
runtime_sources/README.md
View file

@ -15,6 +15,11 @@ Materialization workflow:
3. `make runtime-build-rootfs-real` 3. `make runtime-build-rootfs-real`
4. `make runtime-bundle` 4. `make runtime-bundle`
Official environment publication workflow:
1. `make runtime-materialize`
2. `OCI_REGISTRY_USERNAME=... OCI_REGISTRY_PASSWORD=... make runtime-publish-official-environments-oci`
3. or run the repo workflow at `.github/workflows/publish-environments.yml`
Build requirements for the real path: Build requirements for the real path:
- `docker` - `docker`
- outbound network access to GitHub and Debian snapshot mirrors - outbound network access to GitHub and Debian snapshot mirrors