ci: publish images to vamos-images repo (#104)

greatgitsby · mpurnell1 · commit e00514b46e75 · 2026-04-01T20:02:05.000-07:00
* ci: publish images to vamos-images repo, manifest as release Images are committed to {owner}/vamos-images with a version tag, so forks can publish to their own vamos-images repo. The manifest is published as a GitHub Release on vamOS itself. * build: restore chunking for large images in package_ota Files over 50 MB are split into chunks to stay under raw.githubusercontent.com's 100 MB limit. * build: derive default IMAGES_URL from VERSION file * ci: skip publish gracefully when deploy key is missing Shows setup instructions as workflow warnings instead of failing. * ci: fix profile workflow race with build-system check Upgrade wait-on-check-action to v1.6.0 and add checks-discovery-timeout so it waits up to 5 minutes for build-system to appear instead of immediately failing when the check doesn't exist yet. * Revert "ci: fix profile workflow race with build-system check" This reverts commit b1d74fd. * ci: fix ambiguous refspec when pushing images tag Use an unrelated orphan branch name and push with refs/tags/ prefix to avoid ambiguity between branch and tag with the same name. * ci: include chunked image files in vamos-images push The glob *.img missed chunk files (*.img.00, *.img.01, etc.) produced by the chunking logic for large images like system. * ci: include manifest in vamos-images, link from release Manifest needs CORS headers, which raw.githubusercontent.com provides but release-assets.githubusercontent.com does not. * ci: fix invalid YAML in release notes multiline string
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -87,16 +87,48 @@ jobs:
           name: system.erofs.img
           path: build/
 
+      - name: check deploy key
+        id: check-key
+        run: |
+          if [ -n "${{ secrets.VAMOS_IMAGES_DEPLOY_KEY }}" ]; then
+            echo "has_key=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_key=false" >> $GITHUB_OUTPUT
+            echo "::warning::VAMOS_IMAGES_DEPLOY_KEY secret is not set — skipping image publish and release."
+          fi
+
       - name: generate manifest
-        env:
-          RELEASE_URL: https://github.com/${{ github.repository }}/releases/download/v${{ env.VERSION }}
+        if: steps.check-key.outputs.has_key == 'true'
         run: |
           VERSION=$(cat userspace/root/VERSION)
           echo "VERSION=$VERSION" >> $GITHUB_ENV
-          RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}"
-          RELEASE_URL=$RELEASE_URL python3 tools/build/package_ota.py
+          IMAGES_URL="https://github.com/${{ github.repository_owner }}/vamos-images/raw/v${VERSION}"
+          IMAGES_URL=$IMAGES_URL python3 tools/build/package_ota.py
+
+      - name: push images to vamos-images
+        if: steps.check-key.outputs.has_key == 'true'
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.repository_owner }}/vamos-images
+          ssh-key: ${{ secrets.VAMOS_IMAGES_DEPLOY_KEY }}
+          path: vamos-images
+
+      - name: commit and tag images
+        if: steps.check-key.outputs.has_key == 'true'
+        run: |
+          TAG="v${VERSION}"
+          cd vamos-images
+          git checkout --orphan release
+          cp ../build/ota/*.img* .
+          cp ../build/ota/manifest.json .
+          git add .
+          git -c user.name="github-actions" -c user.email="actions@github.com" \
+            commit -m "release images for $TAG"
+          git tag "$TAG"
+          git push origin "refs/tags/$TAG" --force
 
       - name: create release
+        if: steps.check-key.outputs.has_key == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -107,10 +139,22 @@ jobs:
           git tag -d "$TAG" 2>/dev/null || true
           git push origin ":refs/tags/$TAG" 2>/dev/null || true
 
-          # Create release with all images and manifest
+          MANIFEST_URL="https://github.com/${{ github.repository_owner }}/vamos-images/raw/${TAG}/manifest.json"
+
+          # Create release linking to manifest
+          NOTES="Automated release from commit ${{ github.sha }}
+
+          Manifest: ${MANIFEST_URL}"
           gh release create "$TAG" \
             --title "vamOS $TAG" \
             --target "${{ github.sha }}" \
-            --notes "Automated release from commit ${{ github.sha }}" \
-            build/ota/*.img \
-            build/ota/manifest.json
+            --notes "$NOTES"
+
+      - name: post setup instructions
+        if: steps.check-key.outputs.has_key == 'false'
+        run: |
+          echo "::warning::VAMOS_IMAGES_DEPLOY_KEY is not configured. To enable image publishing:"
+          echo "::warning::1. Create a ${{ github.repository_owner }}/vamos-images repo"
+          echo "::warning::2. Generate an SSH deploy key: ssh-keygen -t ed25519 -f vamos-images-deploy-key -N \"\""
+          echo "::warning::3. Add the public key to ${{ github.repository_owner }}/vamos-images as a deploy key with write access"
+          echo "::warning::4. Add the private key as VAMOS_IMAGES_DEPLOY_KEY secret in ${{ github.repository }}"
diff --git a/tools/build/package_ota.py b/tools/build/package_ota.py
@@ -12,8 +12,10 @@
 OTA_OUTPUT_DIR = OUTPUT_DIR / "ota"
 
 SECTOR_SIZE = 4096
+CHUNK_SIZE = 52_428_800  # 50 MB - must be under raw.githubusercontent.com's 100 MB limit
 
-RELEASE_URL = os.environ.get("RELEASE_URL", "https://github.com/commaai/vamos/releases/download/untagged")
+VERSION = open(ROOT / "userspace" / "root" / "VERSION").read().strip()
+IMAGES_URL = os.environ.get("IMAGES_URL", f"https://github.com/commaai/vamos-images/raw/v{VERSION}")
 
 GPT = namedtuple('GPT', ['lun', 'name', 'path', 'start_sector', 'num_sectors', 'has_ab', 'full_check'])
 GPTS = [
@@ -73,14 +75,30 @@ def process_file(entry):
   sha256.update(b'\x00' * ((SECTOR_SIZE - (size % SECTOR_SIZE)) % SECTOR_SIZE))
   ondevice_hash = sha256.hexdigest()
 
-  # Copy to output directory
-  out_fn = OTA_OUTPUT_DIR / f"{entry.name}-{hash_raw}.img"
-  print(f"  copying to {out_fn.name}")
-  shutil.copy(entry.path, out_fn)
+  base_name = f"{entry.name}-{hash_raw}.img"
+
+  # Write file(s) to output directory, splitting into chunks if needed
+  chunks = None
+  if size > CHUNK_SIZE:
+    chunks = []
+    chunk_idx = 0
+    with open(entry.path, 'rb') as f:
+      while True:
+        data = f.read(CHUNK_SIZE)
+        if not data:
+          break
+        chunk_name = f"{base_name}.{chunk_idx:02d}"
+        (OTA_OUTPUT_DIR / chunk_name).write_bytes(data)
+        chunks.append({"url": f"{IMAGES_URL}/{chunk_name}", "size": len(data)})
+        print(f"  chunk {chunk_idx}: {chunk_name} ({len(data)} bytes)")
+        chunk_idx += 1
+  else:
+    print(f"  copying to {base_name}")
+    shutil.copy(entry.path, OTA_OUTPUT_DIR / base_name)
 
   ret = {
     "name": entry.name,
-    "url": f"{RELEASE_URL}/{out_fn.name}",
+    "url": f"{IMAGES_URL}/{base_name}",
     "hash": hash,
     "hash_raw": hash_raw,
     "size": size,
@@ -90,6 +108,10 @@ def process_file(entry):
     "ondevice_hash": ondevice_hash,
   }
 
+  if chunks:
+    ret["url"] = ""
+    ret["chunks"] = chunks
+
   if isinstance(entry, GPT):
     ret["gpt"] = {
       "lun": entry.lun,
