feat(release): version live-image, skip rebuild+redownload when unchanged

Splits the release workflow into three jobs (detect, build-live-image, bundle) so the ~9 min mkosi build only runs when live-image/VERSION bumps. The slim bundle (~30 MB: orchestrator + agent + deploy scripts + a live-image/VERSION pointer) rebuilds every push; the ~300 MB vmlinuz+initrd.img are published separately under the immutable live-image/<version>/ path. install.sh compares the pointer to /var/lib/vetting/live/VERSION and fetches the files only on mismatch, cutting repeat-install wall-clock from ~30 s + 300 MB to ~10 s + 0 MB on the common no-live-image-change release. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 21:04:14 -04:00
parent 4c153bb115
commit 211abdf08f
7 changed files with 309 additions and 108 deletions
@@ -1,13 +1,20 @@
 name: Release

-# Builds the full release tarball (orchestrator + agent + live image +
-# deploy scripts) and publishes it to the Gitea generic package
-# registry under two versions:
-#   - sha-<short-sha>  immutable, per-commit pin
-#   - latest           rolling alias (DELETE+PUT on each run)
+# Publishes two artifact streams to the Gitea generic package registry:
 #
-# The LXC installer (deploy/proxmox-install.sh) curls the "latest"
-# version by default; operators can pin via VETTING_VERSION=sha-abc1234.
+#   vetting/latest/vetting-bundle.tar.gz          slim bundle (orchestrator +
+#                                                 agent + deploy scripts + a
+#                                                 live-image/VERSION pointer),
+#                                                 DELETE+PUT every release.
+#   live-image/<li_version>/vmlinuz               immutable kernel/initrd,
+#   live-image/<li_version>/initrd.img            one set per live-image
+#                                                 VERSION bump.
+#
+# The slow mkosi build (~9 min) only runs when live-image/VERSION changes;
+# the slim bundle always rebuilds since its inputs (orchestrator + agent +
+# deploy scripts) are cheap. On the instance, install.sh compares the
+# bundle's pointer to /var/lib/vetting/live/VERSION and fetches the
+# immutable artifacts only when they differ.

 on:
  push:
@@ -31,9 +38,48 @@ permissions:
  contents: read

 jobs:
-  release:
+  detect:
+    runs-on: ubuntu-latest
+    outputs:
+      li_version: ${{ steps.out.outputs.li_version }}
+      li_changed: ${{ steps.out.outputs.li_changed }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - id: out
+        run: |
+          set -euo pipefail
+          v="$(tr -d '[:space:]' < live-image/VERSION)"
+          if [[ ! "${v}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error::live-image/VERSION must match v<major>.<minor>.<patch>, got '${v}'"
+            exit 1
+          fi
+          echo "li_version=${v}" >> "$GITHUB_OUTPUT"
+          # li_changed = VERSION file differs between HEAD^ and HEAD. On
+          # the initial commit that introduces the file, HEAD^ is absent
+          # and we fall through to "changed" so the first release
+          # publishes the live image.
+          if git rev-parse --verify HEAD^ >/dev/null 2>&1; then
+            if git diff --name-only HEAD^..HEAD | grep -qx 'live-image/VERSION'; then
+              echo "li_changed=true" >> "$GITHUB_OUTPUT"
+            else
+              echo "li_changed=false" >> "$GITHUB_OUTPUT"
+            fi
+          else
+            echo "li_changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  build-live-image:
+    needs: detect
+    if: ${{ needs.detect.outputs.li_changed == 'true' }}
    runs-on: ubuntu-latest
    timeout-minutes: 45
+    env:
+      LI_VERSION:     ${{ needs.detect.outputs.li_version }}
+      REGISTRY_URL:   ${{ vars.REGISTRY_URL }}
+      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+      OWNER:          ${{ gitea.repository_owner }}
    steps:
      - uses: actions/checkout@v4

@@ -43,6 +89,9 @@ jobs:
          go-version: "1.26.x"
          cache: false

+      - name: Build agent (baked into initrd)
+        run: make agent-linux
+
      - name: Install live-image build dependencies
        run: |
          sudo apt-get update
@@ -58,46 +107,88 @@ jobs:
          sudo pip install --break-system-packages \
            "git+https://github.com/systemd/mkosi.git@v25.3"

+      - name: Build live image
+        run: make live-image
+
+      - name: Publish live-image/${{ env.LI_VERSION }}/
+        run: |
+          set -euo pipefail
+          # Gitea's generic registry treats each version path as
+          # immutable. A re-upload returns 409. Bumping VERSION is the
+          # only way to publish new artifacts here.
+          for f in vmlinuz initrd.img; do
+            curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
+              --upload-file "live-image/build/${f}" \
+              "${REGISTRY_URL}/api/packages/${OWNER}/generic/live-image/${LI_VERSION}/${f}"
+          done
+
+  bundle:
+    # Always runs. If build-live-image was skipped, the prior upload at
+    # live-image/<li_version>/ is the one install.sh will fetch. The
+    # bundle itself never carries vmlinuz/initrd — only the VERSION
+    # pointer — so it's cheap to rebuild every push.
+    needs: [detect, build-live-image]
+    if: >-
+      ${{ always()
+          && needs.detect.result == 'success'
+          && (needs.build-live-image.result == 'success'
+              || needs.build-live-image.result == 'skipped') }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      LI_VERSION:     ${{ needs.detect.outputs.li_version }}
+      REGISTRY_URL:   ${{ vars.REGISTRY_URL }}
+      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+      OWNER:          ${{ gitea.repository_owner }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.26.x"
+          cache: false
+
      - name: Install templ
        run: go install github.com/a-h/templ/cmd/templ@v0.3.1001

-      - name: Build release bundle
-        run: make release
+      - name: Build orchestrator + agent
+        run: make orchestrator-linux agent-linux

-      - name: Resolve bundle path + short sha
-        id: meta
+      - name: Assemble slim bundle
        run: |
-          short_sha=$(git rev-parse --short HEAD)
-          echo "short_sha=${short_sha}" >> "$GITHUB_OUTPUT"
-          echo "bundle=bin/vetting-bundle-${short_sha}.tar.gz" >> "$GITHUB_OUTPUT"
+          set -euo pipefail
+          stamp="vetting-bundle"
+          rm -rf "build/${stamp}" "bin/${stamp}.tar.gz"
+          mkdir -p "build/${stamp}/bin" "build/${stamp}/live-image"
+          cp bin/vetting-linux-amd64 bin/vetting-agent.linux-amd64 \
+             "build/${stamp}/bin/"
+          cp deploy/install.sh deploy/pxe-setup.sh deploy/vetting.service \
+             deploy/vetting.production.yaml deploy/ipxe-shas.txt \
+             "build/${stamp}/"
+          # Embed only the live-image VERSION pointer. install.sh on
+          # the target will compare this against /var/lib/vetting/live/VERSION
+          # and curl the actual files from live-image/<v>/ in the
+          # registry when they differ.
+          printf '%s\n' "${LI_VERSION}" > "build/${stamp}/live-image/VERSION"
+          # Root-level VERSION keeps the orchestrator's git-short-sha
+          # visible to operators (proxmox-install.sh cats it at the end
+          # of the install).
+          git rev-parse --short HEAD > "build/${stamp}/VERSION"
+          tar -C build -czf "bin/${stamp}.tar.gz" "${stamp}"
+          echo "wrote bin/${stamp}.tar.gz ($(du -h "bin/${stamp}.tar.gz" | cut -f1))"

-      - name: Publish sha-pinned bundle
-        env:
-          REGISTRY_URL:   ${{ vars.REGISTRY_URL }}
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
-          OWNER:          ${{ gitea.repository_owner }}
-          SHORT_SHA:      ${{ steps.meta.outputs.short_sha }}
-          BUNDLE:         ${{ steps.meta.outputs.bundle }}
-        run: |
-          curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
-            --upload-file "${BUNDLE}" \
-            "${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/sha-${SHORT_SHA}/vetting-bundle.tar.gz"
-
-      - name: Replace latest alias
-        env:
-          REGISTRY_URL:   ${{ vars.REGISTRY_URL }}
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
-          OWNER:          ${{ gitea.repository_owner }}
-          BUNDLE:         ${{ steps.meta.outputs.bundle }}
+      - name: Replace vetting/latest/ bundle
        run: |
          set -euo pipefail
          # Delete the whole "latest" version, not the file inside it.
-          # Deleting the file leaves a ghost version that makes PUT 404.
+          # Deleting just the file leaves a ghost version that makes
+          # PUT 404.
          status=$(curl -sS -o /dev/null -w '%{http_code}' \
            -H "Authorization: token ${REGISTRY_TOKEN}" \
            -X DELETE \
            "${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest")
-          echo "DELETE latest -> ${status}"
+          echo "DELETE vetting/latest -> ${status}"
          case "${status}" in
            204|404) ;;
            *) echo "unexpected DELETE status ${status}"; exit 1 ;;
@@ -106,5 +197,5 @@ jobs:
          # the upload re-creates it under the same name.
          sleep 2
          curl -fsSL -H "Authorization: token ${REGISTRY_TOKEN}" \
-            --upload-file "${BUNDLE}" \
+            --upload-file bin/vetting-bundle.tar.gz \
            "${REGISTRY_URL}/api/packages/${OWNER}/generic/vetting/latest/vetting-bundle.tar.gz"