From 262d469df27624a301f56cdd7a173f37d2292015 Mon Sep 17 00:00:00 2001 From: Fedor Korotkov Date: Fri, 5 Jun 2026 10:12:53 -0700 Subject: [PATCH] Migrate CI to GitHub Actions --- .cirrus.star | 4 -- .cirrus.yml | 68 ----------------------- .github/workflows/ci.yml | 75 ++++++++++++++++++++++++++ .github/workflows/main.yml | 24 --------- .github/workflows/release.yml | 81 ++++++++++++++++++++++++++++ .golangci.yml | 34 +++++++----- .goreleaser.yml | 27 ++-------- Dockerfile | 25 +++++---- packaging/orchard-controller.service | 12 ----- packaging/postinstall.sh | 17 ------ packaging/postremove.sh | 20 ------- packaging/preremove.sh | 14 ----- 12 files changed, 195 insertions(+), 206 deletions(-) delete mode 100644 .cirrus.star delete mode 100644 .cirrus.yml create mode 100644 .github/workflows/ci.yml delete mode 100644 .github/workflows/main.yml create mode 100644 .github/workflows/release.yml delete mode 100644 packaging/orchard-controller.service delete mode 100644 packaging/postinstall.sh delete mode 100644 packaging/postremove.sh delete mode 100644 packaging/preremove.sh diff --git a/.cirrus.star b/.cirrus.star deleted file mode 100644 index 0a13153..0000000 --- a/.cirrus.star +++ /dev/null @@ -1,4 +0,0 @@ -load("github.com/cirrus-modules/golang@main", "lint_task") - -def main(ctx): - return [lint_task()] diff --git a/.cirrus.yml b/.cirrus.yml deleted file mode 100644 index ab467cf..0000000 --- a/.cirrus.yml +++ /dev/null @@ -1,68 +0,0 @@ -task: - name: Test (macOS) - persistent_worker: - labels: - name: dev-mini - resources: - tart-vms: 2 - pre_pull_script: - - tart pull ghcr.io/cirruslabs/macos-tahoe-base:latest - test_script: - - go test -timeout=20m -ldflags="-B gobuildid" -v -count=1 ./... - always: - cleanup_script: - - tart list - - rm -rf ~/.tart/vms/orchard-* - -task: - depends_on: - - Lint - - Test (macOS) - env: - MACOS_SIGN_P12: ENCRYPTED[!183482723ca1a95f9c4439f7a79c9d3b115472bb18c739ed1586e12d3914ccf94ade8169eeda7332fc204f8be9c27d9f!] - MACOS_SIGN_PASSWORD: ENCRYPTED[!417423346c567f12007f42d084bff1cfee30ee14f7e8258550157679a269c70d541c9f19224224ab0293b10f2c6d4c5e!] - MACOS_NOTARY_ISSUER_ID: ENCRYPTED[!74076906e9fa36bca3c1da1637b0759b58bb009eb1a707446896eefad3767e8dba1d0f87e71106b98cde98ac4b037a2a!] - MACOS_NOTARY_KEY_ID: ENCRYPTED[!af9e5da1010a6b04e548ef494acc77a6e0ce176549de98f81c5b5cdd72856de09f77e51cf0849e3c4b7a2d2c22f25ca8!] - MACOS_NOTARY_KEY: ENCRYPTED[!c70c53f3e6c163931c7cdf9d90aff8934ef21d5dd1090158688e00b94e97c68257d9cf4ae1df873e6ae0d949866aee72!] - GITHUB_TOKEN: ENCRYPTED[!98ace8259c6024da912c14d5a3c5c6aac186890a8d4819fad78f3e0c41a4e0cd3a2537dd6e91493952fb056fa434be7c!] - GORELEASER_KEY: ENCRYPTED[!9b80b6ef684ceaf40edd4c7af93014ee156c8aba7e6e5795f41c482729887b5c31f36b651491d790f1f668670888d9fd!] - FURY_TOKEN: ENCRYPTED[!97fe4497d9aca60a3d64904883b81e21f19706c6aedda625c97f62f67ec46b8efa74c55699956158bbf0a23726e7d9f6!] - container: - image: golang:latest - cpu: 4 - memory: 12G - matrix: - - name: Release Binaries - only_if: $CIRRUS_TAG != '' - install_goreleaser_script: - - echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list - - apt update && apt -y install goreleaser-pro - release_script: goreleaser - - name: Release Binaries (Dry Run) - only_if: $CIRRUS_TAG == '' - install_goreleaser_script: - - echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list - - apt update && apt -y install goreleaser-pro - release_script: goreleaser release --skip=publish --snapshot --clean --verbose - binaries_artifacts: - path: "dist/orchard_*/orchard*" - -docker_builder: - name: Release Docker Image - only_if: $CIRRUS_TAG != '' - depends_on: - - Lint - - Test (macOS) - env: - GITHUB_TOKEN: ENCRYPTED[!82ed873afdf627284305afef4958c85a8f73127b09978a9786ac521559630ea6c9a5ab6e7f8315abf9ead09b6eff6eae!] - login_script: - - echo $GITHUB_TOKEN | docker login ghcr.io -u fkorotkov --password-stdin - setup_script: - - docker buildx create --name multibuilder - - docker buildx use multibuilder - - docker buildx inspect --bootstrap - deploy_script: | - docker buildx build --push --platform linux/amd64,linux/arm64 \ - --tag ghcr.io/cirruslabs/orchard:$CIRRUS_TAG \ - --tag ghcr.io/cirruslabs/orchard:latest \ - . diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..e7a7dc2 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,75 @@ +name: CI + +on: + merge_group: + pull_request: + push: + branches: + - main + workflow_dispatch: + +permissions: + contents: read + pull-requests: read + +jobs: + lint: + name: Lint + runs-on: ubuntu-latest + timeout-minutes: 15 + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod + cache: true + - uses: golangci/golangci-lint-action@v9 + with: + version: v2.12.0 + only-new-issues: true + + test-linux: + name: Test (Linux) + runs-on: ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md + timeout-minutes: 60 + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod + cache: true + - name: Check out Vetu + uses: actions/checkout@v6 + with: + repository: openai/vetu + path: _vetu + - name: Build Vetu + working-directory: _vetu + run: | + go build -o "$RUNNER_TEMP/vetu" cmd/vetu/main.go + sudo setcap cap_net_raw,cap_net_admin+eip "$RUNNER_TEMP/vetu" + echo "$RUNNER_TEMP" >> "$GITHUB_PATH" + - name: Pre-pull default Vetu image + run: vetu pull ghcr.io/cirruslabs/ubuntu-runner-amd64:latest + - name: Run tests + run: go test -v -count=1 ./... + + test-macos: + name: Test (macOS) + runs-on: ghcr.io/cirruslabs/macos-runner:tahoe + timeout-minutes: 45 + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod + cache: true + - name: Pre-pull default Tart image + run: tart pull ghcr.io/cirruslabs/macos-tahoe-base:latest + - name: Run tests + run: go test -timeout=20m -ldflags="-B gobuildid" -v -count=1 ./... + - name: Clean up test VMs + if: always() + run: | + tart list + rm -rf ~/.tart/vms/orchard-* diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index 5c878ac..0000000 --- a/.github/workflows/main.yml +++ /dev/null @@ -1,24 +0,0 @@ -name: Main - -on: - push: - -jobs: - test: - name: Test (Linux) - runs-on: ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-go@v5 - with: - go-version: stable - - name: Install Vetu - run: | - sudo apt-get update && sudo apt-get -y install apt-transport-https ca-certificates - echo "deb [trusted=yes] https://apt.fury.io/cirruslabs/ /" | sudo tee /etc/apt/sources.list.d/cirruslabs.list - sudo apt-get update && sudo apt-get -y install vetu - - name: Pre-pull default Vetu image for use in tests - run: | - vetu pull ghcr.io/cirruslabs/ubuntu-runner-amd64:latest - - name: Run tests - run: go test -v -count=1 ./... diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..620a859 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,81 @@ +name: Release + +on: + push: + tags: + - "*" + workflow_dispatch: + +permissions: + contents: write + packages: write + +jobs: + release: + name: ${{ github.ref_type == 'tag' && 'Release Binaries' || 'Release Binaries (Dry Run)' }} + runs-on: ubuntu-latest + timeout-minutes: 60 + env: + GITHUB_TOKEN: ${{ secrets.GH_PAT }} + GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} + MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }} + MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }} + MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }} + MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }} + MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }} + steps: + - uses: actions/checkout@v6 + with: + fetch-depth: 0 + - uses: actions/setup-go@v6 + with: + go-version-file: go.mod + cache: true + - name: Release + if: github.ref_type == 'tag' + uses: goreleaser/goreleaser-action@v7 + with: + distribution: goreleaser-pro + version: "~> v2" + args: release --clean + - name: Release dry run + if: github.ref_type != 'tag' + uses: goreleaser/goreleaser-action@v7 + with: + distribution: goreleaser-pro + version: "~> v2" + args: release --skip=publish --snapshot --clean + - name: Upload dry-run artifacts + if: github.ref_type != 'tag' + uses: actions/upload-artifact@v6 + with: + name: orchard-snapshot + path: dist/** + + docker: + name: Release Docker Image + if: github.ref_type == 'tag' + needs: release + runs-on: ubuntu-latest + timeout-minutes: 60 + steps: + - uses: actions/checkout@v6 + - uses: docker/setup-qemu-action@v4 + - uses: docker/setup-buildx-action@v4 + - uses: docker/login-action@v4 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} + - name: Build and push + uses: docker/build-push-action@v7 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: true + tags: | + ghcr.io/openai/orchard:${{ github.ref_name }} + ghcr.io/openai/orchard:latest + build-args: | + VERSION=${{ github.ref_name }} + COMMIT=${{ github.sha }} diff --git a/.golangci.yml b/.golangci.yml index 367df6e..1354c27 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,24 +1,30 @@ -version: 2 +version: "2" run: timeout: 5m -linters-settings: - # Even in Rust you can get away with partial matching, - # so make sure that the linter respects the programmer's - # intent expressed in the form of "default" case. - exhaustive: - default-signifies-exhaustive: true - - gosec: - excludes: - - G115 - formatters: - enable-all: true + enable: + - gci + - gofmt + - gofumpt + - goimports + - golines + - swaggo linters: - enable-all: true + default: all + + settings: + # Even in Rust you can get away with partial matching, + # so make sure that the linter respects the programmer's + # intent expressed in the form of "default" case. + exhaustive: + default-signifies-exhaustive: true + + gosec: + excludes: + - G115 disable: # We don't have high-performance requirements at this moment, so sacrificing diff --git a/.goreleaser.yml b/.goreleaser.yml index b53d35c..3643afb 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -23,7 +23,8 @@ builds: archives: - id: binary - format: binary + formats: + - binary name_template: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}" - id: regular name_template: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}" @@ -31,28 +32,6 @@ archives: release: prerelease: auto -nfpms: - - package_name: orchard-controller - vendor: Cirrus Labs, Inc. - homepage: https://github.com/cirruslabs/orchard - maintainer: support@cirruslabs.org - description: Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices - section: misc - formats: - - deb - - rpm - contents: - - src: packaging/orchard-controller.service - dst: /lib/systemd/system/orchard-controller.service - type: config - scripts: - postinstall: packaging/postinstall.sh - preremove: packaging/preremove.sh - postremove: packaging/postremove.sh - -furies: - - account: cirruslabs - notarize: macos: - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}' @@ -75,6 +54,6 @@ brews: bin.install "orchard" generate_completions_from_executable(bin/"orchard", "completion") caveats: See the Github repository for more information - homepage: https://github.com/cirruslabs/orchard + homepage: https://github.com/openai/orchard description: Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices skip_upload: auto diff --git a/Dockerfile b/Dockerfile index 3fd1aef..7a5df4d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,22 +1,29 @@ -FROM golang:latest AS builder +FROM golang:1.25 AS builder -# Install GoReleaser Pro -RUN echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list -RUN apt update && apt -y install goreleaser-pro +WORKDIR /src -WORKDIR /tmp/orchard -ADD . /tmp/orchard/ +COPY go.mod go.sum ./ +RUN go mod download -RUN goreleaser build --single-target --snapshot --timeout 60m +COPY . . + +ARG VERSION=dev +ARG COMMIT=unknown + +RUN CGO_ENABLED=0 go build \ + -trimpath \ + -ldflags="-X github.com/cirruslabs/orchard/internal/version.Version=${VERSION} -X github.com/cirruslabs/orchard/internal/version.Commit=${COMMIT} -B gobuildid" \ + -o /out/orchard \ + cmd/orchard/main.go FROM gcr.io/distroless/base -LABEL org.opencontainers.image.source=https://github.com/cirruslabs/orchard +LABEL org.opencontainers.image.source=https://github.com/openai/orchard ENV GIN_MODE=release ENV ORCHARD_HOME=/data EXPOSE 6120 -COPY --from=builder /tmp/orchard/dist/linux_*/orchard_linux_*/orchard /bin/orchard +COPY --from=builder /out/orchard /bin/orchard ENTRYPOINT ["/bin/orchard"] diff --git a/packaging/orchard-controller.service b/packaging/orchard-controller.service deleted file mode 100644 index 96a93ab..0000000 --- a/packaging/orchard-controller.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=Orchard Controller -Wants=network-online.target -After=network-online.target - -[Service] -Type=simple -User=orchard-controller -ExecStart=/usr/bin/orchard controller run - -[Install] -WantedBy=multi-user.target diff --git a/packaging/postinstall.sh b/packaging/postinstall.sh deleted file mode 100644 index 5464371..0000000 --- a/packaging/postinstall.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -# Set shell options to enable fail-fast behavior -# -# * -e: fail the script when an error occurs or command fails -# * -u: fail the script when attempting to reference unset parameters -# * -o pipefail: by default an exit status of a pipeline is that of its -# last command, this fails the pipe early if an error in -# any of its commands occurs -# -set -euo pipefail - -# Create "orchard-controller" user and group -useradd --system --create-home --home-dir /var/lib/orchard-controller --user-group orchard-controller - -# Now that the orchard-controller.service file is installed, reflect the changes in systemd -systemctl daemon-reload diff --git a/packaging/postremove.sh b/packaging/postremove.sh deleted file mode 100644 index 743ea46..0000000 --- a/packaging/postremove.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# Set shell options to enable fail-fast behavior -# -# * -e: fail the script when an error occurs or command fails -# * -u: fail the script when attempting to reference unset parameters -# * -o pipefail: by default an exit status of a pipeline is that of its -# last command, this fails the pipe early if an error in -# any of its commands occurs -# -set -euo pipefail - -# Delete "orchard-controller" user and group -if id "orchard-controller" &>/dev/null -then - userdel orchard-controller -fi - -# Now that the orchard-controller.service file is removed, reflect the changes in systemd -systemctl daemon-reload diff --git a/packaging/preremove.sh b/packaging/preremove.sh deleted file mode 100644 index 687c57e..0000000 --- a/packaging/preremove.sh +++ /dev/null @@ -1,14 +0,0 @@ -#!/bin/bash - -# Set shell options to enable fail-fast behavior -# -# * -e: fail the script when an error occurs or command fails -# * -u: fail the script when attempting to reference unset parameters -# * -o pipefail: by default an exit status of a pipeline is that of its -# last command, this fails the pipe early if an error in -# any of its commands occurs -# -set -euo pipefail - -# Stop the service, otherwise we won't be able to remove the "orchard-controller" user -systemctl stop orchard-controller.service