josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(release): version live-image, skip rebuild+redownload when unchanged
CI / Lint + build + test (push) Successful in 1m41s
Details
Release / detect (push) Successful in 7s
Details
Release / build-live-image (push) Failing after 3m58s
Details
Release / bundle (push) Has been skipped
Details

Browse Source 
Splits the release workflow into three jobs (detect, build-live-image,
bundle) so the ~9 min mkosi build only runs when live-image/VERSION
bumps. The slim bundle (~30 MB: orchestrator + agent + deploy scripts
+ a live-image/VERSION pointer) rebuilds every push; the ~300 MB
vmlinuz+initrd.img are published separately under the immutable
live-image/<version>/ path. install.sh compares the pointer to
/var/lib/vetting/live/VERSION and fetches the files only on mismatch,
cutting repeat-install wall-clock from ~30 s + 300 MB to ~10 s + 0 MB
on the common no-live-image-change release.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Josh Wright
2026-04-20 21:04:14 -04:00
parent 4c153bb115
commit 211abdf08f
7 changed files with 309 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files
deploy/proxmox-install.sh
+42 -30
View File
@@ -3,26 +3,42 @@
# any Debian/Ubuntu host). Fetches a prebuilt release bundle from the
# Gitea package registry, extracts it, and hands off to install.sh.
#
# The bundle itself is slim (~30 MB: orchestrator + agent + deploy
# scripts + a live-image/VERSION pointer). install.sh compares that
# pointer against /var/lib/vetting/live/VERSION and fetches the
# ~300 MB vmlinuz+initrd.img from the registry only when they differ,
# so repeated runs cost ~10 s on no-live-image-change releases.
#
# Usage:
# curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy/proxmox-install.sh | sudo bash
#
# To pin a specific build instead of "latest":
# VETTING_VERSION=sha-abc1234 curl -fsSL .../proxmox-install.sh | sudo bash
#
# Env overrides:
# REGISTRY_URL base URL of the Gitea instance hosting the package
# registry (default: https://gitea.thewrightserver.net)
# PACKAGE_OWNER Gitea owner who owns the `vetting` package
# (default: josh)
# VETTING_VERSION package version — either "latest" (rolling) or
# "sha-<short-sha>" (immutable). Default: "latest".
# Flags / env overrides:
# REGISTRY_URL base URL of the Gitea instance hosting the
# package registry (default: https://gitea.thewrightserver.net)
# PACKAGE_OWNER Gitea owner of the `vetting` package
# (default: josh)
# FORCE_LIVE_IMAGE=1 or --force-live-image — re-download the live
# image even when the on-disk version matches
# (useful when the local files got corrupted).
set -euo pipefail
REGISTRY_URL="${REGISTRY_URL:-https://gitea.thewrightserver.net}"
PACKAGE_OWNER="${PACKAGE_OWNER:-josh}"
VETTING_VERSION="${VETTING_VERSION:-latest}"
FORCE_LIVE_IMAGE="${FORCE_LIVE_IMAGE:-0}"
BUNDLE_URL="${REGISTRY_URL}/api/packages/${PACKAGE_OWNER}/generic/vetting/${VETTING_VERSION}/vetting-bundle.tar.gz"
for arg in "$@"; do
case "${arg}" in
--force-live-image) FORCE_LIVE_IMAGE=1 ;;
*) echo "unknown arg: ${arg}" >&2; exit 2 ;;
esac
done
# Exported so install.sh (run as a child process inside the extracted
# bundle dir) sees them when deciding whether to fetch the live image
# and where to fetch it from.
export REGISTRY_URL PACKAGE_OWNER FORCE_LIVE_IMAGE
BUNDLE_URL="${REGISTRY_URL}/api/packages/${PACKAGE_OWNER}/generic/vetting/latest/vetting-bundle.tar.gz"
if [[ $EUID -ne 0 ]]; then
echo "proxmox-install.sh must be run as root (try: sudo bash)" >&2
@@ -38,25 +54,22 @@ apt-get install -y --no-install-recommends \
tmp="$(mktemp -d)"
trap 'rm -rf "${tmp}"' EXIT
echo "==> fetching bundle (${VETTING_VERSION}) from ${BUNDLE_URL}"
# Default curl meter (no -s, no --progress-bar) shows transfer rate
# and ETA, which matters now that bundles are ~300 MB — the live
# image ships the full firmware+rootfs, so a bare percentage bar
# with no speed/ETA makes slow links look like hangs.
# -f fails on HTTP errors; -L follows redirects.
echo "==> fetching bundle from ${BUNDLE_URL}"
# -f fails on HTTP errors; -L follows redirects. Default meter (rate +
# ETA) is fine now that the bundle is ~30 MB.
curl -fL "${BUNDLE_URL}" -o "${tmp}/vetting-bundle.tar.gz"
bundle_size="$(du -h "${tmp}/vetting-bundle.tar.gz" | cut -f1)"
echo "==> extracting (${bundle_size})"
tar -C "${tmp}" -xzf "${tmp}/vetting-bundle.tar.gz"
# Bundle extracts to vetting-bundle-<sha>/; glob-match the single
# top-level directory.
# New bundle extracts to vetting-bundle/; legacy bundles used
# vetting-bundle-<sha>/. Match both so a downgrade-pin still works.
shopt -s nullglob
candidates=( "${tmp}"/vetting-bundle-* )
candidates=( "${tmp}"/vetting-bundle "${tmp}"/vetting-bundle-* )
shopt -u nullglob
if [[ ${#candidates[@]} -ne 1 || ! -d "${candidates[0]}" ]]; then
echo "unexpected bundle layout: expected exactly one vetting-bundle-*/ dir" >&2
echo "unexpected bundle layout: expected exactly one vetting-bundle* dir" >&2
exit 1
fi
bundle_dir="${candidates[0]}"
@@ -67,17 +80,16 @@ bash install.sh \
--binary "${bundle_dir}/bin/vetting-linux-amd64" \
--agent-binary "${bundle_dir}/bin/vetting-agent.linux-amd64"
orch_ver="$(cat "${bundle_dir}/VERSION" 2>/dev/null || echo unknown)"
li_ver="$(cat "${bundle_dir}/live-image/VERSION" 2>/dev/null || echo unknown)"
cat <<EOF
vetting is installed from bundle $(cat "${bundle_dir}/VERSION" 2>/dev/null || echo unknown).
vetting installed: orchestrator ${orch_ver}, live-image ${li_ver}.
To upgrade later, just rerun this one-liner; it always pulls "latest"
unless VETTING_VERSION is set.
To pin a specific build:
VETTING_VERSION=sha-abc1234 curl -fsSL \\
${REGISTRY_URL}/${PACKAGE_OWNER}/Vetting/raw/branch/main/deploy/proxmox-install.sh \\
| sudo bash
To upgrade later, rerun this one-liner. It always pulls the current
latest bundle; the live image is re-downloaded only when its VERSION
has bumped (override with --force-live-image).
For PXE support, run:
sudo vetting-pxe-setup \\