ci: add installer ISO build + release workflows#34
Open
phorcys420 wants to merge 16 commits into
Open
Conversation
Add two GitHub Actions workflows: - build.yml: builds make installer/iso for x86_64-linux and aarch64-linux on native runners (push/PR/manual), uploading each ISO as a short-lived artifact. - release.yml: same per-arch build matrix, triggered by a v* tag or manual dispatch, then publishes both ISOs (plus sha256 checksums) as assets on a GitHub Release.
- Build each arch natively (bare `make installer/iso` resolves to the runner's currentSystem) inside the nixos/nix container. - Bring in gnumake + git through nix-shell. - Correct ISO path to out/installer-iso/iso/coder-box-installer-<arch>-linux.iso.
The nixos/nix image has no standard glibc loader, so GitHub's bundled Node fails (exec /__e/node24/bin/node: no such file or directory) when the whole job uses container:. Instead run checkout/upload on the host runner and execute only `make installer/iso` inside the nixos/nix container via docker run, copying the ISO out of the ephemeral container store into the mounted workspace before upload.
- Build both installer/iso and appliance/iso per arch (matrix target). - Bump checkout/upload/download actions to v5 (Node 24; clears the Node 20 deprecation warning). - Rename workflows: 'Build ISO' and 'Build and release ISO'. - PR builds only on ready-for-review (opened/reopened/ready_for_review, no synchronize) + draft guard; still manually dispatchable for an arbitrary ref/commit. - Upload ISOs from a host mktemp dir bind-mounted into the container instead of a tracked dist/ folder. - build.yml artifact retention dropped to 1 day.
…ommit/PR Runs on every push and pull_request (cheap, unlike the gated full image builds). Evaluates the flake and instantiates the installer ISO derivation for both arches via 'nix eval ... .drvPath' (writes the .drv, no realisation), catching Nix typos/type errors in seconds without building the multi-GB ISO. Both arches instantiate on one x86_64 runner since evaluation needs no native builder; eval runs in the nixos/nix container via docker run, checkout stays on the host.
Bare pull_request already defaults to opened/synchronize/reopened; list the types explicitly so per-commit re-eval intent is clear.
Add a box_instantiate helper (box_build's sibling) that evaluates the image derivation's .drvPath — fully evaluating the Nix and writing the .drv to the store without realising the multi-GB image. Expose it as installer/drv and appliance/drv (bare + arch-suffixed). Eval Nix workflow now just calls these make targets for both arches instead of an inline nix eval expression.
box_build and box_instantiate duplicated the entire 'let f = builtins.getFlake ... config.system.build' expression. Extract it into a box_cfg $(call) function so the two can't drift; box_build appends the build attr, box_instantiate appends .drvPath. Verified the expanded recipes are byte-identical to before via make --dry-run.
Eval Nix now does two no-build checks: nix flake check --no-build --all-systems (evaluates every flake output for all declared systems) followed by the */drv ISO derivation instantiation. Reworded a comment to drop an apostrophe that would break the single-quoted docker-run shell block.
Replace the explicit two-arg 'cp /out/coder-box-<kind>-<arch>.iso' with a /dist volume (host mktemp dir) bind-mounted into the container; the build dereferences its store symlink into /dist via 'cp -L $outlink/*.iso /dist/'. This drops the hardcoded filename (and the now-unused kind/SYSTEM shell vars + env), and uploads from /dist. Release computes per-file sha256 over /dist/*.iso.
Add a box_iso helper that runs box_build then writes out/<name>.iso.sha256 (bare basename, so 'sha256sum -c' verifies against the ISO beside it). installer/iso and appliance/iso now use it. Both workflows drop their inline sha256sum and just copy the make-produced sidecar from out/ into the /dist volume.
- Rename Build ISO matrix jobs to 'Installer (<arch>)' / 'Appliance (<arch>)' (check shows as 'Build ISO / Installer (...)'); same for the release build jobs. Restructured the matrix to explicit include entries carrying kind/target/label. - On PRs the full ISO for a kind builds only when its label is applied (test-installer-iso / test-appliance-iso); otherwise the job just instantiates the .drv (no image, no artifact). Added the 'labeled' PR trigger so applying a label starts the build. push/main and manual dispatch still always build the full ISO. - Use bare make <kind>/iso (native arch per runner) so the out-link path stays out/<kind>-iso/iso.
Replace the runtime 'plan' shell step + single combined build with a job-level FULL env (label check) and two if:-gated steps: 'Build full ISO' (if env.FULL == true) and 'Instantiate ISO derivation' (if env.FULL != true). Upload also keys off env.FULL.
phorcys420
force-pushed
the
ci/installer-iso-workflows
branch
from
ada2539 to
f007c36
Compare
- Drop '(in nixos/nix container)' from step names. - In Build ISO, run the drv instantiation step before the full ISO build step. - Upload the ISO and its .sha256 as two separate artifacts (was a single *.iso* artifact that zipped both together) in both workflows.
Restructure Build ISO from a kind×arch matrix into one job per arch that builds BOTH kinds in the SAME container (installer first, appliance later). Each kind is full-built or drv-instantiated independently based on its label. The job title reflects which kinds get a full build: 'Installer + Appliance', 'Installer', 'Appliance', or 'Derivations'. Per-kind ISO + sha256 artifacts uploaded only for full-built kinds.
New commits on a labelled PR were only producing derivations: Build ISO omitted 'synchronize', so pushes never re-triggered it (only eval.yml, which builds drv only, ran). Add synchronize so each commit re-runs the build and re-evaluates labels, rebuilding the full ISO for labelled kinds.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds two GitHub Actions workflows for the installer ISO.
build.yml— verification CImain, all PRs, and manual dispatch.make installer/iso/<arch>for both supported arches on native runners (ubuntu-24.04forx86_64-linux,ubuntu-24.04-armforaarch64-linux) — avoids slow QEMU emulation for full ISO builds.nix-command, needed by the Makefile'snix build --impure), caches the store, then resolves and uploads eachcoder-box-installer-<arch>.isoas a 7-day artifact.concurrencycancels superseded runs;fail-fast: falseso one arch failing doesn't kill the other.release.yml— release triggerv*tag, or manual dispatch with ataginput (and optionalprereleaseflag).releasejob downloads both ISOs +.sha256checksums and publishes them as assets on a GitHub Release (auto-generated notes,contents: write).Notes
x86_64-linux,aarch64-linux) and the ISO output path (out/installer-iso-<arch>/iso/coder-box-installer-<arch>.iso) derived fromflake.nix, theMakefile, andnixos/_images/installer/iso.nix.ubuntu-24.04-armrunners are free for public repos; private repos consume ARM runner minutes or need a self-hosted ARM runner.Validation