From 3a0919e081d7aefec2783908e52a5712467f9394 Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Tue, 19 May 2026 19:00:59 +0200 Subject: [PATCH 1/3] feat: build CLI during pull request Fixes #1454 Signed-off-by: Jeff MAURY --- .github/workflows/branch-e2e.yml | 12 ++++++++++++ .github/workflows/docker-build.yml | 21 ++++++++++++++++++--- .github/workflows/rust-native-build.yml | 21 ++++++++++++++++----- 3 files changed, 46 insertions(+), 8 deletions(-) diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml index de8bd5551..208bc3278 100644 --- a/.github/workflows/branch-e2e.yml +++ b/.github/workflows/branch-e2e.yml @@ -76,6 +76,18 @@ jobs: component: supervisor image-tag: ${{ github.sha }} + build-cli: + needs: [pr_metadata] + if: needs.pr_metadata.outputs.should_run == 'true' + permissions: + contents: read + packages: read + uses: ./.github/workflows/docker-build.yml + with: + component: cli + platform: linux/amd64 + secrets: inherit + e2e: needs: [pr_metadata, build-gateway, build-supervisor] if: needs.pr_metadata.outputs.should_run == 'true' && needs.pr_metadata.outputs.run_core_e2e == 'true' diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 3f98e7b6b..0acbe3da4 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -4,7 +4,7 @@ on: workflow_call: inputs: component: - description: "Component to build (gateway, supervisor)" + description: "Component to build (gateway, supervisor, cli)" required: true type: string timeout-minutes: @@ -71,6 +71,8 @@ jobs: binary_name: ${{ steps.resolve.outputs.binary_name }} artifact_prefix: ${{ steps.resolve.outputs.artifact_prefix }} image_tag_base: ${{ steps.resolve.outputs.image_tag_base }} + features: ${{ steps.resolve.outputs.features }} + has_image: ${{ steps.resolve.outputs.has_image }} steps: - name: Resolve component and platform matrix id: resolve @@ -82,10 +84,20 @@ jobs: gateway) binary_component=gateway binary_name=openshell-gateway + features="openshell-core/dev-settings" + has_image=true ;; supervisor) binary_component=sandbox binary_name=openshell-sandbox + features="openshell-core/dev-settings" + has_image=true + ;; + cli) + binary_component=cli + binary_name=openshell + features="bundled-z3" + has_image=false ;; *) echo "unsupported component: $component" >&2 @@ -144,6 +156,8 @@ jobs: echo "binary_name=$binary_name" echo "artifact_prefix=rust-binary-${component}-${binary_component}" echo "image_tag_base=$image_tag_base" + echo "features=$features" + echo "has_image=$has_image" } >> "$GITHUB_OUTPUT" rust-binary: @@ -162,13 +176,14 @@ jobs: cargo-version: ${{ inputs['cargo-version'] }} image-tag: ${{ needs.resolve.outputs.image_tag_base }} checkout-ref: ${{ inputs['checkout-ref'] }} - features: openshell-core/dev-settings + features: ${{ needs.resolve.outputs.features }} artifact-name: ${{ needs.resolve.outputs.artifact_prefix }}-linux-${{ matrix.arch }} secrets: inherit build: name: Build ${{ inputs.component }} (${{ matrix.arch }}) needs: [resolve, rust-binary] + if: needs.resolve.outputs.has_image == 'true' runs-on: ${{ matrix.runner }} timeout-minutes: ${{ inputs['timeout-minutes'] }} strategy: @@ -262,7 +277,7 @@ jobs: merge: name: Merge ${{ inputs.component }} manifest needs: [resolve, build] - if: ${{ inputs.push && inputs['publish-manifest'] }} + if: ${{ inputs.push && inputs['publish-manifest'] && needs.resolve.outputs.has_image == 'true' }} runs-on: linux-amd64-cpu8 timeout-minutes: 10 container: diff --git a/.github/workflows/rust-native-build.yml b/.github/workflows/rust-native-build.yml index 682d5eb88..c263ba76f 100644 --- a/.github/workflows/rust-native-build.yml +++ b/.github/workflows/rust-native-build.yml @@ -1,11 +1,11 @@ # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. # SPDX-License-Identifier: Apache-2.0 -name: Rust Image Binary Build (openshell-gateway / openshell-sandbox) +name: Rust Image Binary Build (openshell-gateway / openshell-sandbox / openshell-cli) # Build Rust binaries per Linux architecture before the Docker image build # consumes them as prebuilt artifacts. Gateway images use GNU-linked binaries -# for the NVIDIA distroless C/C++ runtime; supervisor images use musl/static +# for the NVIDIA distroless C/C++ runtime; supervisor and cli images use musl/static # binaries so the final image can remain scratch. Gateway GNU binaries are # built with an explicit glibc 2.31 floor so image, package, and tarball # artifacts share the same host portability contract. @@ -14,7 +14,7 @@ on: workflow_call: inputs: component: - description: "Binary component to build (gateway or sandbox)" + description: "Binary component to build (gateway, sandbox, or cli)" required: true type: string arch: @@ -121,6 +121,11 @@ jobs: binary=openshell-sandbox zig_target= ;; + cli) + crate=openshell-cli + binary=openshell + zig_target= + ;; *) echo "unsupported component: $COMPONENT" >&2 exit 1 @@ -129,7 +134,7 @@ jobs: case "$ARCH" in amd64) - if [[ "$COMPONENT" == "sandbox" ]]; then + if [[ "$COMPONENT" == "sandbox" || "$COMPONENT" == "cli" ]]; then target=x86_64-unknown-linux-musl zig_target=x86_64-linux-musl else @@ -138,7 +143,7 @@ jobs: fi ;; arm64) - if [[ "$COMPONENT" == "sandbox" ]]; then + if [[ "$COMPONENT" == "sandbox" || "$COMPONENT" == "cli" ]]; then target=aarch64-unknown-linux-musl zig_target=aarch64-linux-musl else @@ -207,6 +212,12 @@ jobs: echo "CARGO_TARGET_${TARGET_ENV_UPPER}_RUSTFLAGS=-Clink-self-contained=no" >> "$GITHUB_ENV" - name: Build ${{ steps.target.outputs.binary }} (${{ steps.target.outputs.zig_target || steps.target.outputs.target }}) + # z3 built with zig c++ uses libc++ symbols (std::__1::*). + # Override z3-sys default (stdc++) so Rust links the matching runtime. + if [[ "$COMPONENT" == "cli" ]]; then + echo "CXXSTDLIB=c++" >> "$GITHUB_ENV" + fi + env: # Preserve the release-codegen setting used by the old Dockerfile # Rust build path so image artifacts keep the same release profile. From ea96b912802242cd911ae82f3735913a863228bd Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Tue, 26 May 2026 08:58:25 +0200 Subject: [PATCH 2/3] fix: removed secrets passing Signed-off-by: Jeff MAURY --- .github/workflows/branch-e2e.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml index 208bc3278..a47018bbe 100644 --- a/.github/workflows/branch-e2e.yml +++ b/.github/workflows/branch-e2e.yml @@ -86,7 +86,6 @@ jobs: with: component: cli platform: linux/amd64 - secrets: inherit e2e: needs: [pr_metadata, build-gateway, build-supervisor] From abe182df1199b3b3873458d5975d82ff4fe8bfdd Mon Sep 17 00:00:00 2001 From: Jeff MAURY Date: Tue, 26 May 2026 10:20:47 +0200 Subject: [PATCH 3/3] fix: fix wrong conflict resolution Signed-off-by: Jeff MAURY --- .github/workflows/rust-native-build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/rust-native-build.yml b/.github/workflows/rust-native-build.yml index c263ba76f..dbedb15e5 100644 --- a/.github/workflows/rust-native-build.yml +++ b/.github/workflows/rust-native-build.yml @@ -212,12 +212,6 @@ jobs: echo "CARGO_TARGET_${TARGET_ENV_UPPER}_RUSTFLAGS=-Clink-self-contained=no" >> "$GITHUB_ENV" - name: Build ${{ steps.target.outputs.binary }} (${{ steps.target.outputs.zig_target || steps.target.outputs.target }}) - # z3 built with zig c++ uses libc++ symbols (std::__1::*). - # Override z3-sys default (stdc++) so Rust links the matching runtime. - if [[ "$COMPONENT" == "cli" ]]; then - echo "CXXSTDLIB=c++" >> "$GITHUB_ENV" - fi - env: # Preserve the release-codegen setting used by the old Dockerfile # Rust build path so image artifacts keep the same release profile. @@ -225,6 +219,12 @@ jobs: OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }} run: | set -euo pipefail + # z3 built with zig c++ uses libc++ symbols (std::__1::*). + # Override z3-sys default (stdc++) so Rust links the matching runtime. + if [[ ""${{ inputs.component }}" == "cli" ]]; then + echo "CXXSTDLIB=c++" >> "$GITHUB_ENV" + fi + mise x -- rustup target add "${{ steps.target.outputs.target }}" cargo_cmd=(cargo build) build_target="${{ steps.target.outputs.target }}"