Merge 262d469df2 into b30bb5bedf

.cirrus.star

@@ -1,4 +0,0 @@
-load("github.com/cirrus-modules/golang@main", "lint_task")
-
-def main(ctx):
-    return [lint_task()]

.cirrus.yml

@@ -1,68 +0,0 @@
-task:
-  name: Test (macOS)
-  persistent_worker:
-    labels:
-      name: dev-mini
-    resources:
-      tart-vms: 2
-  pre_pull_script:
-    - tart pull ghcr.io/cirruslabs/macos-tahoe-base:latest
-  test_script:
-    - go test -timeout=20m -ldflags="-B gobuildid" -v -count=1 ./...
-  always:
-    cleanup_script:
-      - tart list
-      - rm -rf ~/.tart/vms/orchard-*
-
-task:
-  depends_on:
-    - Lint
-    - Test (macOS)
-  env:
-    MACOS_SIGN_P12: ENCRYPTED[!183482723ca1a95f9c4439f7a79c9d3b115472bb18c739ed1586e12d3914ccf94ade8169eeda7332fc204f8be9c27d9f!]
-    MACOS_SIGN_PASSWORD: ENCRYPTED[!417423346c567f12007f42d084bff1cfee30ee14f7e8258550157679a269c70d541c9f19224224ab0293b10f2c6d4c5e!]
-    MACOS_NOTARY_ISSUER_ID: ENCRYPTED[!74076906e9fa36bca3c1da1637b0759b58bb009eb1a707446896eefad3767e8dba1d0f87e71106b98cde98ac4b037a2a!]
-    MACOS_NOTARY_KEY_ID: ENCRYPTED[!af9e5da1010a6b04e548ef494acc77a6e0ce176549de98f81c5b5cdd72856de09f77e51cf0849e3c4b7a2d2c22f25ca8!]
-    MACOS_NOTARY_KEY: ENCRYPTED[!c70c53f3e6c163931c7cdf9d90aff8934ef21d5dd1090158688e00b94e97c68257d9cf4ae1df873e6ae0d949866aee72!]
-    GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!]
-    GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!]
-    FURY_TOKEN: ENCRYPTED[!97fe4497d9aca60a3d64904883b81e21f19706c6aedda625c97f62f67ec46b8efa74c55699956158bbf0a23726e7d9f6!]
-  container:
-    image: golang:latest
-    cpu: 4
-    memory: 12G
-  matrix:
-    - name: Release Binaries
-      only_if: $CIRRUS_TAG != ''
-      install_goreleaser_script:
-        - echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list
-        - apt update && apt -y install goreleaser-pro
-      release_script: goreleaser
-    - name: Release Binaries (Dry Run)
-      only_if: $CIRRUS_TAG == ''
-      install_goreleaser_script:
-        - echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list
-        - apt update && apt -y install goreleaser-pro
-      release_script: goreleaser release --skip=publish --snapshot --clean --verbose
-      binaries_artifacts:
-        path: "dist/orchard_*/orchard*"
-
-docker_builder:
-  name: Release Docker Image
-  only_if: $CIRRUS_TAG != ''
-  depends_on:
-    - Lint
-    - Test (macOS)
-  env:
-    GITHUB_TOKEN: ENCRYPTED[!82ed873afdf627284305afef4958c85a8f73127b09978a9786ac521559630ea6c9a5ab6e7f8315abf9ead09b6eff6eae!]
-  login_script:
-    - echo $GITHUB_TOKEN | docker login ghcr.io -u fkorotkov --password-stdin
-  setup_script:
-    - docker buildx create --name multibuilder
-    - docker buildx use multibuilder
-    - docker buildx inspect --bootstrap
-  deploy_script: |
-    docker buildx build --push --platform linux/amd64,linux/arm64 \
-      --tag ghcr.io/cirruslabs/orchard:$CIRRUS_TAG \
-      --tag ghcr.io/cirruslabs/orchard:latest \
-      .

.github/workflows/ci.yml

@@ -0,0 +1,75 @@
+name: CI
+
+on:
+  merge_group:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.12.0
+          only-new-issues: true
+
+  test-linux:
+    name: Test (Linux)
+    runs-on: ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Check out Vetu
+        uses: actions/checkout@v6
+        with:
+          repository: openai/vetu
+          path: _vetu
+      - name: Build Vetu
+        working-directory: _vetu
+        run: |
+          go build -o "$RUNNER_TEMP/vetu" cmd/vetu/main.go
+          sudo setcap cap_net_raw,cap_net_admin+eip "$RUNNER_TEMP/vetu"
+          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
+      - name: Pre-pull default Vetu image
+        run: vetu pull ghcr.io/cirruslabs/ubuntu-runner-amd64:latest
+      - name: Run tests
+        run: go test -v -count=1 ./...
+
+  test-macos:
+    name: Test (macOS)
+    runs-on: ghcr.io/cirruslabs/macos-runner:tahoe
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Pre-pull default Tart image
+        run: tart pull ghcr.io/cirruslabs/macos-tahoe-base:latest
+      - name: Run tests
+        run: go test -timeout=20m -ldflags="-B gobuildid" -v -count=1 ./...
+      - name: Clean up test VMs
+        if: always()
+        run: |
+          tart list
+          rm -rf ~/.tart/vms/orchard-*

.github/workflows/main.yml

@@ -1,24 +0,0 @@
-name: Main
-
-on:
-  push:
-
-jobs:
-  test:
-    name: Test (Linux)
-    runs-on: ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
-        with:
-          go-version: stable
-      - name: Install Vetu
-        run: |
-          sudo apt-get update && sudo apt-get -y install apt-transport-https ca-certificates
-          echo "deb [trusted=yes] https://apt.fury.io/cirruslabs/ /" | sudo tee /etc/apt/sources.list.d/cirruslabs.list
-          sudo apt-get update && sudo apt-get -y install vetu
-      - name: Pre-pull default Vetu image for use in tests
-        run: |
-          vetu pull ghcr.io/cirruslabs/ubuntu-runner-amd64:latest
-      - name: Run tests
-        run: go test -v -count=1 ./...

.github/workflows/release.yml

@@ -0,0 +1,81 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "*"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: ${{ github.ref_type == 'tag' && 'Release Binaries' || 'Release Binaries (Dry Run)' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    env:
+      GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+      GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+      MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+      MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+      MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+      MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Release
+        if: github.ref_type == 'tag'
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser-pro
+          version: "~> v2"
+          args: release --clean
+      - name: Release dry run
+        if: github.ref_type != 'tag'
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser-pro
+          version: "~> v2"
+          args: release --skip=publish --snapshot --clean
+      - name: Upload dry-run artifacts
+        if: github.ref_type != 'tag'
+        uses: actions/upload-artifact@v6
+        with:
+          name: orchard-snapshot
+          path: dist/**
+
+  docker:
+    name: Release Docker Image
+    if: github.ref_type == 'tag'
+    needs: release
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v6
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/openai/orchard:${{ github.ref_name }}
+            ghcr.io/openai/orchard:latest
+          build-args: |
+            VERSION=${{ github.ref_name }}
+            COMMIT=${{ github.sha }}

.golangci.yml

@@ -1,24 +1,30 @@
-version: 2
+version: "2"
 
 run:
   timeout: 5m
 
-linters-settings:
-  # Even in Rust you can get away with partial matching,
-  # so make sure that the linter respects the programmer's
-  # intent expressed in the form of "default" case.
-  exhaustive:
-    default-signifies-exhaustive: true
-
-  gosec:
-    excludes:
-      - G115
-
 formatters:
-  enable-all: true
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+    - golines
+    - swaggo
 
 linters:
-  enable-all: true
+  default: all
+
+  settings:
+    # Even in Rust you can get away with partial matching,
+    # so make sure that the linter respects the programmer's
+    # intent expressed in the form of "default" case.
+    exhaustive:
+      default-signifies-exhaustive: true
+
+    gosec:
+      excludes:
+        - G115
 
   disable:
     # We don't have high-performance requirements at this moment, so sacrificing

.goreleaser.yml

@@ -23,7 +23,8 @@ builds:
 
 archives:
   - id: binary
-    format: binary
+    formats:
+      - binary
     name_template: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
   - id: regular
     name_template: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
@@ -31,28 +32,6 @@ archives:
 release:
   prerelease: auto
 
-nfpms:
-  - package_name: orchard-controller
-    vendor: Cirrus Labs, Inc.
-    homepage: https://github.com/cirruslabs/orchard
-    maintainer: support@cirruslabs.org
-    description: Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices
-    section: misc
-    formats:
-      - deb
-      - rpm
-    contents:
-      - src: packaging/orchard-controller.service
-        dst: /lib/systemd/system/orchard-controller.service
-        type: config
-    scripts:
-      postinstall: packaging/postinstall.sh
-      preremove: packaging/preremove.sh
-      postremove: packaging/postremove.sh
-
-furies:
-  - account: cirruslabs
-
 notarize:
   macos:
     - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
@@ -75,6 +54,6 @@ brews:
       bin.install "orchard"
       generate_completions_from_executable(bin/"orchard", "completion")
     caveats: See the Github repository for more information
-    homepage: https://github.com/cirruslabs/orchard
+    homepage: https://github.com/openai/orchard
     description: Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices
     skip_upload: auto

Dockerfile

@@ -1,22 +1,29 @@
-FROM golang:latest AS builder
+FROM golang:1.25 AS builder
 
-# Install GoReleaser Pro
-RUN echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list
-RUN apt update && apt -y install goreleaser-pro
+WORKDIR /src
 
-WORKDIR /tmp/orchard
-ADD . /tmp/orchard/
+COPY go.mod go.sum ./
+RUN go mod download
 
-RUN goreleaser build --single-target --snapshot --timeout 60m
+COPY . .
+
+ARG VERSION=dev
+ARG COMMIT=unknown
+
+RUN CGO_ENABLED=0 go build \
+    -trimpath \
+    -ldflags="-X github.com/cirruslabs/orchard/internal/version.Version=${VERSION} -X github.com/cirruslabs/orchard/internal/version.Commit=${COMMIT} -B gobuildid" \
+    -o /out/orchard \
+    cmd/orchard/main.go
 
 FROM gcr.io/distroless/base
 
-LABEL org.opencontainers.image.source=https://github.com/cirruslabs/orchard
+LABEL org.opencontainers.image.source=https://github.com/openai/orchard
 ENV GIN_MODE=release
 ENV ORCHARD_HOME=/data
 EXPOSE 6120
 
-COPY --from=builder /tmp/orchard/dist/linux_*/orchard_linux_*/orchard /bin/orchard
+COPY --from=builder /out/orchard /bin/orchard
 
 ENTRYPOINT ["/bin/orchard"]
 

packaging/orchard-controller.service

@@ -1,12 +0,0 @@
-[Unit]
-Description=Orchard Controller
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-Type=simple
-User=orchard-controller
-ExecStart=/usr/bin/orchard controller run
-
-[Install]
-WantedBy=multi-user.target

packaging/postinstall.sh

@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# Set shell options to enable fail-fast behavior
-#
-# * -e: fail the script when an error occurs or command fails
-# * -u: fail the script when attempting to reference unset parameters
-# * -o pipefail: by default an exit status of a pipeline is that of its
-#                last command, this fails the pipe early if an error in
-#                any of its commands occurs
-#
-set -euo pipefail
-
-# Create "orchard-controller" user and group
-useradd --system --create-home --home-dir /var/lib/orchard-controller --user-group orchard-controller
-
-# Now that the orchard-controller.service file is installed, reflect the changes in systemd
-systemctl daemon-reload

packaging/postremove.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Set shell options to enable fail-fast behavior
-#
-# * -e: fail the script when an error occurs or command fails
-# * -u: fail the script when attempting to reference unset parameters
-# * -o pipefail: by default an exit status of a pipeline is that of its
-#                last command, this fails the pipe early if an error in
-#                any of its commands occurs
-#
-set -euo pipefail
-
-# Delete "orchard-controller" user and group
-if id "orchard-controller" &>/dev/null
-then
-  userdel orchard-controller
-fi
-
-# Now that the orchard-controller.service file is removed, reflect the changes in systemd
-systemctl daemon-reload

packaging/preremove.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-
-# Set shell options to enable fail-fast behavior
-#
-# * -e: fail the script when an error occurs or command fails
-# * -u: fail the script when attempting to reference unset parameters
-# * -o pipefail: by default an exit status of a pipeline is that of its
-#                last command, this fails the pipe early if an error in
-#                any of its commands occurs
-#
-set -euo pipefail
-
-# Stop the service, otherwise we won't be able to remove the "orchard-controller" user
-systemctl stop orchard-controller.service