feat(builder): deny mgmt/container CIDRs via systemd IPAddressDeny #21
| name: Nightly Release | |
| on: | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| concurrency: | |
| group: nightly-${{ github.sha }} | |
| cancel-in-progress: false | |
| permissions: | |
| contents: write | |
| jobs: | |
| prep: | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| tag: ${{ steps.meta.outputs.tag }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Compute tag | |
| id: meta | |
| run: echo "tag=nightly-$(date -u +%Y%m%d)-$(git rev-parse --short=8 HEAD)" >> "$GITHUB_OUTPUT" | |
| build: | |
| needs: prep | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - runner: ubuntu-24.04 | |
| target: x86_64-unknown-linux-gnu | |
| arch: amd64 | |
| - runner: ubuntu-24.04-arm | |
| target: aarch64-unknown-linux-gnu | |
| arch: arm64 | |
| runs-on: ${{ matrix.runner }} | |
| env: | |
| COOLD_VERSION: ${{ needs.prep.outputs.tag }} | |
| BROKER_VERSION: ${{ needs.prep.outputs.tag }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: dtolnay/rust-toolchain@stable | |
| with: | |
| targets: ${{ matrix.target }} | |
| - uses: Swatinem/rust-cache@v2 | |
| with: | |
| key: ${{ matrix.target }} | |
| cache-all-crates: true | |
| cache-on-failure: true | |
| save-if: ${{ github.ref == 'refs/heads/main' }} | |
| - name: Install protoc | |
| run: sudo apt-get update && sudo apt-get install -y protobuf-compiler | |
| - name: Build workspace | |
| run: cargo build --workspace --release --locked --target ${{ matrix.target }} | |
| - name: Package coold | |
| run: | | |
| mkdir -p dist | |
| cp target/${{ matrix.target }}/release/coold dist/coold | |
| tar -czf dist/coold-linux-${{ matrix.arch }}.tar.gz -C dist coold | |
| rm dist/coold | |
| (cd dist && sha256sum coold-linux-${{ matrix.arch }}.tar.gz > coold-linux-${{ matrix.arch }}.tar.gz.sha256) | |
| - name: Package broker | |
| run: | | |
| cp target/${{ matrix.target }}/release/broker dist/broker | |
| tar -czf dist/broker-linux-${{ matrix.arch }}.tar.gz -C dist broker | |
| rm dist/broker | |
| (cd dist && sha256sum broker-linux-${{ matrix.arch }}.tar.gz > broker-linux-${{ matrix.arch }}.tar.gz.sha256) | |
| - name: Package builder | |
| run: | | |
| cp target/${{ matrix.target }}/release/builder dist/builder | |
| tar -czf dist/builder-linux-${{ matrix.arch }}.tar.gz -C dist builder | |
| rm dist/builder | |
| (cd dist && sha256sum builder-linux-${{ matrix.arch }}.tar.gz > builder-linux-${{ matrix.arch }}.tar.gz.sha256) | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: coold-linux-${{ matrix.arch }} | |
| path: dist/* | |
| retention-days: 7 | |
| release: | |
| needs: [prep, build] | |
| runs-on: ubuntu-24.04 | |
| env: | |
| TAG: ${{ needs.prep.outputs.tag }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: dist | |
| merge-multiple: true | |
| - name: Compose release notes | |
| id: notes | |
| run: | | |
| PREV=$(git tag --list 'nightly-*' --sort=-creatordate | head -n1) | |
| { | |
| echo "body<<EOF" | |
| echo "Automated nightly build from \`${GITHUB_SHA}\`." | |
| echo | |
| echo "**Version:** \`${TAG}\`" | |
| echo "**Commit:** $(git log -1 --pretty=format:'%s')" | |
| echo | |
| echo "### Artifacts" | |
| echo "- \`coold\` — per-host agent (holds the single gRPC stream to broker; spawns builder subprocess per BuildRequest when COOLD_BUILDER_ENABLED=1)" | |
| echo "- \`broker\` — central-side gRPC stream broker (single listener on :6443; capability-aware routing)" | |
| echo "- \`builder\` — short-lived build subprocess invoked by coold under a \`systemd-run --scope\` transient unit" | |
| echo | |
| if [ -n "$PREV" ]; then | |
| echo "### Changes since $PREV" | |
| git log --pretty=format:'- %s (%h)' "$PREV"..HEAD | |
| echo | |
| fi | |
| echo "EOF" | |
| } >> "$GITHUB_OUTPUT" | |
| - name: Create per-commit release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| tag_name: ${{ env.TAG }} | |
| name: Nightly ${{ env.TAG }} | |
| body: ${{ steps.notes.outputs.body }} | |
| prerelease: true | |
| make_latest: false | |
| files: | | |
| dist/coold-linux-amd64.tar.gz | |
| dist/coold-linux-amd64.tar.gz.sha256 | |
| dist/coold-linux-arm64.tar.gz | |
| dist/coold-linux-arm64.tar.gz.sha256 | |
| dist/broker-linux-amd64.tar.gz | |
| dist/broker-linux-amd64.tar.gz.sha256 | |
| dist/broker-linux-arm64.tar.gz | |
| dist/broker-linux-arm64.tar.gz.sha256 | |
| dist/builder-linux-amd64.tar.gz | |
| dist/builder-linux-amd64.tar.gz.sha256 | |
| dist/builder-linux-arm64.tar.gz | |
| dist/builder-linux-arm64.tar.gz.sha256 | |
| - name: Refresh rolling nightly release | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| gh release delete nightly --yes --cleanup-tag 2>/dev/null || true | |
| gh release create nightly \ | |
| --prerelease \ | |
| --title "Nightly (latest)" \ | |
| --target "${GITHUB_SHA}" \ | |
| --notes "Latest nightly build — mirrors [${TAG}](../../releases/tag/${TAG})." \ | |
| dist/coold-linux-amd64.tar.gz \ | |
| dist/coold-linux-amd64.tar.gz.sha256 \ | |
| dist/coold-linux-arm64.tar.gz \ | |
| dist/coold-linux-arm64.tar.gz.sha256 \ | |
| dist/broker-linux-amd64.tar.gz \ | |
| dist/broker-linux-amd64.tar.gz.sha256 \ | |
| dist/broker-linux-arm64.tar.gz \ | |
| dist/broker-linux-arm64.tar.gz.sha256 \ | |
| dist/builder-linux-amd64.tar.gz \ | |
| dist/builder-linux-amd64.tar.gz.sha256 \ | |
| dist/builder-linux-arm64.tar.gz \ | |
| dist/builder-linux-arm64.tar.gz.sha256 |
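Review bot: The workflow-level `permissions: contents: write` (lines 12–13) hands a write-capable `GITHUB_TOKEN` to every job, but only `release` needs it; `build` runs `cargo build --workspace`, which executes dependency build scripts and proc-macros, and `actions/checkout@v4` persists that token into the working tree unless `persist-credentials: false` is set. Set `permissions: contents: read` at the top and move `permissions:` / `contents: write` under the `release` job (or at least add `persist-credentials: false` to the build job's checkout) so a compromised crate cannot push to the repository or tamper with the published releases. The same publishing path is exposed by the third-party actions pinned to mutable refs (`@v4`, `@stable`, `@v2`); pin them to full commit SHAs, since the workflow signs nothing and the `.sha256` files are produced by the same job whose output they are meant to protect. Two smaller points: the `body<<EOF` heredoc in the notes step is cut short by any commit subject that is exactly `EOF`, so use a random delimiter as the GitHub docs recommend (e.g. `delim="$(openssl rand -hex 16)"` and `echo "body<<${delim}"`), and `group: nightly-${{ github.sha }}` does not serialise runs, so a slower run for an older commit can delete and recreate the rolling `nightly` release with older artifacts.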