
Commit 96ea886

feat(openshell): upgrade to 0.0.54, fix sandbox integration
- Install via deb package (CI runner default)
- Fix sandbox download cmd broken by 0.0.54 API change
- Set working/config dir to /sandbox/ for direct artifact download
- Add UploadFile: works around upload-in-git-repo bug that placed schema at wrong sandbox path; self-corrects on path mismatch
- Move credentials to /tmp/ (outside workspace, reduces confusion)
- Fix review agent hardcoded /tmp/workspace path
- Rename variables that caused implementation confusion
- Update documentation

Signed-off-by: Hector Martinez <hemartin@redhat.com>
1 parent 5faa79f commit 96ea886

32 files changed

Lines changed: 225 additions & 266 deletions

action.yml

Lines changed: 12 additions & 84 deletions
@@ -149,45 +149,6 @@ runs:
149149
shell: bash
150150
run: fullsend --version
151151

152-
- uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
153-
154-
- name: Set OpenShell version
155-
shell: bash
156-
run: echo "OPENSHELL_VERSION=0.0.38" >> "${GITHUB_ENV}"
157-
158-
- name: Install OpenShell CLI
159-
shell: bash
160-
run: |
161-
uv tool install openshell==${OPENSHELL_VERSION}
162-
openshell --version
163-
164-
- name: Download openshell-gateway
165-
shell: bash
166-
run: |
167-
set -euo pipefail
168-
169-
arch="$(uname -m)"
170-
case "${arch}" in
171-
x86_64) ;;
172-
aarch64|arm64) arch=aarch64 ;;
173-
*) echo "::error::Unsupported architecture for openshell-gateway: ${arch}"; exit 1 ;;
174-
esac
175-
176-
GATEWAY_ASSET="openshell-gateway-${arch}-unknown-linux-gnu.tar.gz"
177-
GATEWAY_URL="https://github.com/NVIDIA/OpenShell/releases/download/v${OPENSHELL_VERSION}/${GATEWAY_ASSET}"
178-
max_attempts=3; attempt=1; delay=5
179-
while true; do
180-
if curl -fsSL "${GATEWAY_URL}" -o "/tmp/${GATEWAY_ASSET}"; then break; fi
181-
if (( attempt >= max_attempts )); then
182-
echo "::error::Gateway download failed after ${max_attempts} attempts"
183-
exit 1
184-
fi
185-
echo "::warning::Gateway download attempt ${attempt}/${max_attempts} failed, retrying in ${delay}s..."
186-
sleep "${delay}"; (( attempt++ )); (( delay *= 3 ))
187-
done
188-
tar xzf "/tmp/${GATEWAY_ASSET}" -C "${RUNNER_TEMP}/fullsend"
189-
rm -f "/tmp/${GATEWAY_ASSET}"
190-
191152
- name: Install Podman
192153
shell: bash
193154
run: |
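Review bot: with the explicit architecture check and the three-attempt download loop deleted in this hunk, nothing left in action.yml reports an unsupported runner architecture or retries a failed download. That is acceptable only if the `install.sh` pipeline introduced in the next hunk exits non-zero in both cases, so confirm the installer's behaviour on `aarch64` runners before dropping the `::error::` annotations, or keep a short retry around the install step.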
@@ -203,58 +164,25 @@ runs:
203164
grep -q "^${whoami_user}:" /etc/subuid || sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 "${whoami_user}"
204165
podman system migrate
205166
podman info
167+
systemctl --user start podman.socket
206168
207-
- name: Start Podman API service
169+
- name: Set OpenShell version
208170
shell: bash
209171
run: |
210-
SOCKET_PATH="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman/podman.sock"
211-
if [ ! -S "${SOCKET_PATH}" ]; then
212-
mkdir -p "$(dirname "${SOCKET_PATH}")"
213-
podman system service --time=0 "unix://${SOCKET_PATH}" &
214-
for i in $(seq 1 30); do
215-
[ -S "${SOCKET_PATH}" ] && podman --url "unix://${SOCKET_PATH}" info >/dev/null 2>&1 && break
216-
sleep 1
217-
done
218-
[ -S "${SOCKET_PATH}" ] || { echo "::error::Podman socket not ready"; exit 1; }
219-
fi
220-
echo "Podman API service ready at ${SOCKET_PATH}"
172+
echo "OPENSHELL_VERSION=0.0.54" >> "${GITHUB_ENV}"
173+
# SHA corresponding to 0.0.54
174+
echo "OPENSHELL_SHA=79aa355dd008e496a7d8f97b361a7b2866066fbc" >> "${GITHUB_ENV}"
221175
222-
- name: Start openshell-gateway
176+
- name: Install OpenShell CLI
223177
shell: bash
224178
run: |
225-
set -euo pipefail
179+
mkdir -p $HOME/.config/openshell/
180+
cat > $HOME/.config/openshell/gateway.env << EOF
181+
OPENSHELL_BIND_ADDRESS=0.0.0.0
182+
EOF
226183
227-
GATEWAY_LOG="${GITHUB_WORKSPACE}/output/openshell-gateway.log"
228-
mkdir -p "${GITHUB_WORKSPACE}/output"
229-
230-
export OPENSHELL_SSH_HANDSHAKE_SECRET="ci-$(openssl rand -hex 16)"
231-
echo "::add-mask::${OPENSHELL_SSH_HANDSHAKE_SECRET}"
232-
# Version-tagged images start at 0.0.41; for 0.0.38 use the release commit SHA.
233-
# TODO: pass via --podman-supervisor-image flag when one exists (Docker driver has --docker-supervisor-image).
234-
export OPENSHELL_SUPERVISOR_IMAGE="ghcr.io/nvidia/openshell/supervisor:dfd47683e7da4f1a4a8fa5d77f92d3696e6a41f9"
235-
236-
"${RUNNER_TEMP}/fullsend/openshell-gateway" \
237-
--bind-address 0.0.0.0 \
238-
--health-port 8081 \
239-
--drivers podman \
240-
--disable-tls \
241-
--db-url "sqlite:/tmp/gateway.db?mode=rwc" \
242-
>"${GATEWAY_LOG}" 2>&1 &
243-
244-
for i in $(seq 1 30); do
245-
curl -sf http://127.0.0.1:8081/healthz >/dev/null 2>&1 && break
246-
sleep 2
247-
done
248-
curl -sf http://127.0.0.1:8081/healthz >/dev/null 2>&1 || {
249-
echo "::error::Gateway health check failed after 60s"
250-
echo "::group::Gateway logs"
251-
cat "${GATEWAY_LOG}" 2>/dev/null || echo "(no log file)"
252-
echo "::endgroup::"
253-
exit 1
254-
}
255-
256-
openshell gateway add http://127.0.0.1:8080 --local --name local
257-
openshell gateway select local
184+
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/${OPENSHELL_SHA}/install.sh | OPENSHELL_VERSION=v${OPENSHELL_VERSION} sh
185+
openshell --version
258186
259187
- name: Pre-pull sandbox image
260188
shell: bash
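Review bot: the new "Install OpenShell CLI" step pipes a remote `install.sh` into `sh`; pinning the script by `OPENSHELL_SHA` is a good supply-chain control, but the artifacts the script fetches are still selected only by the mutable `v${OPENSHELL_VERSION}` tag, so if the release publishes checksums they should be verified here. Note also that the commit message says "Install via deb package" while this step installs through the script, so one of the two should be corrected. Two smaller points: `systemctl --user start podman.socket` replaces a readiness loop that verified `podman --url ... info` succeeds, so a cheap `[ -S "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman/podman.sock" ]` check would keep a clear failure message; and `OPENSHELL_BIND_ADDRESS=0.0.0.0` keeps the gateway reachable on every runner interface, as the old `--bind-address 0.0.0.0` did, which is fine on an ephemeral hosted runner but deserves a comment for self-hosted ones. Finally, `mkdir -p $HOME/.config/openshell/` and the `cat >` target should quote `"$HOME"`.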

docs/architecture.md

Lines changed: 4 additions & 4 deletions
@@ -556,10 +556,10 @@ GitHub event ──► SHIM WORKFLOW (fullsend.yml in enrolled repo)
556556
║ │ │ │ │ ║
557557
║ │ │ Created with --from image, --policy code.yaml. │ │ ║
558558
║ │ │ Bootstrapped via openshell upload/exec: │ │ ║
559-
║ │ │ agent def → /tmp/claude-config/agents/ │ │ ║
560-
║ │ │ skills → /tmp/claude-config/skills/ │ │ ║
559+
║ │ │ agent def → /sandbox/claude-config/agents/ │ │ ║
560+
║ │ │ skills → /sandbox/claude-config/skills/ │ │ ║
561561
║ │ │ .env, host files (GCP creds), security hooks │ │ ║
562-
║ │ │ target repo → /tmp/workspace/target-repo/ │ │ ║
562+
║ │ │ target repo → /sandbox/workspace/target-repo/ │ │ ║
563563
║ │ │ │ │ ║
564564
║ │ │ Network policy enforced (L7, per-binary): │ │ ║
565565
║ │ │ Vertex AI → claude, node only │ │ ║
@@ -585,7 +585,7 @@ GitHub event ──► SHIM WORKFLOW (fullsend.yml in enrolled repo)
585585
║ │ └───────────────────────────────────────────────────────┘ │ ║
586586
║ │ │ ║
587587
║ │ Extracts from destroyed sandbox: │ ║
588-
║ │ /tmp/workspace/output/, JSONL transcripts, │ ║
588+
║ │ /sandbox/workspace/output/, JSONL transcripts, │ ║
589589
║ │ rsync repo back (--no-links, exclude .git/hooks/) │ ║
590590
║ │ │ ║
591591
║ │ Post-agent secret scan (redact from extracted output). │ ║

docs/guides/dev/cli-internals.md

Lines changed: 4 additions & 4 deletions
@@ -280,8 +280,8 @@ Per-repo mode does not use the layer stack — it runs the same phases inline in
280280
│ │ └── security hooks │ │
281281
│ │ │ │
282282
│ │ bootstrapEnv() writes: │ │
283-
│ │ ├── PATH=/tmp/workspace/bin:$PATH │
284-
│ │ ├── CLAUDE_CONFIG_DIR=/tmp/claude-config│
283+
│ │ ├── PATH=/sandbox/workspace/bin:$PATH │ │
284+
│ │ ├── CLAUDE_CONFIG_DIR=/sandbox/claude-config│ │
285285
│ │ ├── FULLSEND_OUTPUT_DIR=... │ │
286286
│ │ └── sources .env.d/*.env files │ │
287287
│ └──────────┬───────────────────────────────┘ │
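Review bot: in the `bootstrapEnv()` box the added line `│ │ ├── CLAUDE_CONFIG_DIR=/sandbox/claude-config│ │` runs into the right border with no padding, so its edge will not line up with `│ │ ├── FULLSEND_OUTPUT_DIR=... │ │` below it; widen the box or shorten the label so the diagram renders straight.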
@@ -342,8 +342,8 @@ Per-repo mode does not use the layer stack — it runs the same phases inline in
342342
### Sandbox Constants
343343

344344
```go
345-
SandboxWorkspace = "/tmp/workspace"
346-
SandboxClaudeConfig = "/tmp/claude-config"
345+
SandboxWorkspace = "/sandbox/workspace"
346+
SandboxClaudeConfig = "/sandbox/claude-config"
347347
```
348348

349349
### Key Sandbox Operations
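Review bot: the "Sandbox Constants" section now documents `SandboxWorkspace` and `SandboxClaudeConfig` only, while the customizing-agents guide in this same commit places `.gcp-credentials.json` at `/tmp/.gcp-credentials.json`, outside both constants. A sentence here stating that host-file destinations outside `SandboxWorkspace` are allowed, and why credentials are deliberately kept out of the extracted workspace, would save the next reader from treating that path as a mistake.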

docs/guides/dev/local-dev.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ This guide walks through running fullsend agents locally on macOS and Linux. PR
77
| Requirement | macOS | Linux |
88
|-------------|-------|-------|
99
| Container runtime | Podman Desktop with a running machine | Podman |
10-
| OpenShell | 0.0.37-dev+ (Podman support) | 0.0.37-dev+ |
10+
| OpenShell | 0.0.54 (Podman support) | 0.0.54 |
1111
| GCP credentials | Service account key (`Vertex AI User` role) | Same |
1212
| GitHub PAT | `repo` scope for the target org | Same |
1313
| Go toolchain | Optional — only needed when building the CLI from source | Same |
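Review bot: the requirement changes from a minimum (`0.0.37-dev+`) to an exact version (`0.0.54`) without saying why; since the commit message attributes the breakage to a 0.0.54 API change, state that the version must match exactly (for example "0.0.54 (exact; the sandbox download API changed in 0.0.54)") so readers do not assume a newer release is fine.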

docs/guides/user/customizing-agents.md

Lines changed: 6 additions & 6 deletions
@@ -25,12 +25,12 @@ plugins:
2525

2626
host_files:
2727
- src: env/gcp-vertex.env
28-
dest: /tmp/workspace/.env.d/gcp-vertex.env
28+
dest: /sandbox/workspace/.env.d/gcp-vertex.env
2929
expand: true
3030
- src: ${GOOGLE_APPLICATION_CREDENTIALS}
31-
dest: /tmp/workspace/.gcp-credentials.json
31+
dest: /tmp/.gcp-credentials.json
3232
- src: ${GCP_OIDC_TOKEN_FILE}
33-
dest: /tmp/workspace/.gcp-oidc-token
33+
dest: /sandbox/workspace/.gcp-oidc-token
3434
optional: true
3535

3636
pre_script: scripts/pre-code.sh
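Review bot: the service-account key moves to `/tmp/.gcp-credentials.json`, outside the workspace that gets extracted and rsynced back, but the OIDC token on the next entry stays at `/sandbox/workspace/.gcp-oidc-token`; if the point of the move is to keep credentials out of the extracted workspace, the token should move too, otherwise the guide should say why it is treated differently. Also check that `env/gcp-vertex.env` (installed with `expand: true` above) no longer points at the old `/tmp/workspace/.gcp-credentials.json` path.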
@@ -259,12 +259,12 @@ plugins:
259259

260260
host_files:
261261
- src: env/gcp-vertex.env
262-
dest: /tmp/workspace/.env.d/gcp-vertex.env
262+
dest: /sandbox/workspace/.env.d/gcp-vertex.env
263263
expand: true
264264
- src: ${GOOGLE_APPLICATION_CREDENTIALS}
265-
dest: /tmp/workspace/.gcp-credentials.json
265+
dest: /tmp/.gcp-credentials.json
266266
- src: ${GCP_OIDC_TOKEN_FILE}
267-
dest: /tmp/workspace/.gcp-oidc-token
267+
dest: /sandbox/workspace/.gcp-oidc-token
268268
optional: true
269269

270270
pre_script: scripts/pre-code.sh
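Review bot: this block repeats the `host_files` change from the first hunk, including the same split where `.gcp-credentials.json` goes to `/tmp/` but `.gcp-oidc-token` stays under `/sandbox/workspace/`; whichever resolution is chosen there should be applied here too, and if the two examples are meant to be identical, consider showing the `host_files` section once and referring to it.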

docs/guides/user/running-agents-locally.md

Lines changed: 8 additions & 50 deletions
@@ -48,25 +48,13 @@ fullsend --version
4848

4949
[OpenShell](https://github.com/NVIDIA/OpenShell) provides the sandbox runtime. There are multiple ways
5050
to install it, here we use one similar to how we download it on Fullsend. Use the same version
51-
printed on your Fullsend workflow for better reproducibility. Install the CLI and download
52-
the gateway binary:
51+
printed on your Fullsend workflow for better reproducibility.
5352

5453
```bash
55-
# Install the CLI (requires uv — https://docs.astral.sh/uv/)
56-
uv tool install openshell==0.0.38
57-
54+
curl -LsSf https://raw.githubusercontent.com/NVIDIA/OpenShell/v${OPENSHELL_VERSION}/install.sh | OPENSHELL_VERSION=v${OPENSHELL_VERSION} sh
5855
openshell --version
5956
```
6057

61-
Download the gateway binary from the [OpenShell releases](https://github.com/NVIDIA/OpenShell/releases/tag/v0.0.38) page. Pick the archive matching your platform and extract it:
62-
63-
```bash
64-
# Example for macOS (Apple Silicon)
65-
curl -fsSL https://github.com/NVIDIA/OpenShell/releases/download/v0.0.38/openshell-gateway-aarch64-apple-darwin.tar.gz \
66-
-o /tmp/openshell-gateway.tar.gz
67-
tar xzf /tmp/openshell-gateway.tar.gz -C $HOME/.local/bin/
68-
```
69-
7058
## Get Google Cloud Platform credentials
7159

7260
Fullsend uses GCP's VertexAI to run inference, so you need a GCP project. After authenticating on `gcloud` run:
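Review bot: the new install command reads `${OPENSHELL_VERSION}` twice but the guide never tells the reader to set it; as written the URL expands to `.../OpenShell/v/install.sh` and the installer gets an empty version. Add an explicit `export OPENSHELL_VERSION=0.0.54` (the value action.yml pins) before the command, and note that action.yml fetches `install.sh` by commit SHA while this guide fetches it by tag, so the two are only "the same" if the tag is never moved.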
@@ -122,47 +110,13 @@ clone Fullsend's repository. To learn more about custom agents visit
122110
git clone --depth 1 https://github.com/fullsend-ai/fullsend.git /tmp/fullsend-ai_fullsend/
123111
```
124112

125-
## Start the OpenShell gateway
126-
127-
OpenShell requires a gateway to work, start one on a different terminal using Podman:
128-
129-
```bash
130-
# On arm64 hosts (Apple Silicon, Graviton), uncomment these lines:
131-
# export FULLSEND_SANDBOX_IMAGE=ghcr.io/fullsend-ai/fullsend-sandbox:dev
132-
# podman machine start
133-
134-
export OPENSHELL_SSH_HANDSHAKE_SECRET="local-$(openssl rand -hex 16)"
135-
# v0.0.38 requires an explicit supervisor image (version-tagged images start at 0.0.41)
136-
export OPENSHELL_SUPERVISOR_IMAGE="ghcr.io/nvidia/openshell/supervisor:dfd47683e7da4f1a4a8fa5d77f92d3696e6a41f9"
137-
138-
openshell-gateway \
139-
--bind-address 0.0.0.0 \
140-
--health-port 8081 \
141-
--drivers podman \
142-
--disable-tls \
143-
--db-url "sqlite:/tmp/gateway.db?mode=rwc"
144-
```
145-
146-
Wait for the health check to pass, then register the gateway:
147-
148-
```bash
149-
# Health endpoint is on port 8081, API on port 8080
150-
for i in $(seq 1 15); do
151-
curl -sf http://127.0.0.1:8081/healthz >/dev/null 2>&1 && break
152-
sleep 2
153-
done
154-
155-
# Register and select the local gateway
156-
openshell gateway add http://127.0.0.1:8080 --local --name local
157-
openshell gateway select local
158-
```
159-
160113
## Run default agents
161114

162115
Depending on the agent you want to run you need a different set of environment variables.
163116
Check the variables they need in their environment files, referenced in their harness files.
164117

165-
**Tip**: use `--no-post-script` in the `fullsend run` calls to avoid side-effects.
118+
**Tip**: use `--no-post-script` in the `fullsend run` calls to avoid side-effects. You
119+
can also use `--keep-sandbox` to debug failures (but remember to remove them).
166120

167121
**Note**: to run custom agents set `--fullsend-dir` to the directory where your
168122
custom agent definitions exist.
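Review bot: the whole "Start the OpenShell gateway" section is removed, but nothing added here tells the reader how the gateway now runs or how to confirm it is up before `fullsend run`; the Linux troubleshooting entry later in this file refers to an `openshell-gateway` service and `$HOME/.config/openshell/gateway.env`, so a sentence stating that the installer provisions that service, plus how to check its status, belongs in this section. On the `--keep-sandbox` tip, "remember to remove them" should say why: a kept sandbox still contains the copied credentials (`.gcp-credentials.json`, the `.env.d` files) until it is destroyed.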
@@ -300,6 +254,10 @@ When you execute `fullsend run`, pass `--fullsend-dir` as `/tmp/agents/`.
300254
### Linux
301255

302256
- **Rootless Podman**: Podman runs rootless by default. Ensure your user has subuids/subgids configured (`grep $USER /etc/subuid`). If not, run `sudo usermod --add-subuids 100000-165535 --add-subgids 100000-165535 $USER && podman system migrate`.
257+
- **Rootless Podman**: The sandbox does not move to Ready state and its logs say that it can't connect
258+
to the server (gateway). It is likely that you need to bind the gateway to `0.0.0.0`. Add
259+
`OPENSHELL_BIND_ADDRESS` on `$HOME/.config/openshell/gateway.env` and restart the
260+
`openshell-gateway` service.
303261
- **SELinux**: on Fedora/RHEL, bind-mounted volumes may need the `:z` suffix for standalone `podman run`. OpenShell handles this automatically.
304262

305263
## Troubleshooting
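Review bot: two consecutive bullets now carry the label **Rootless Podman**, and the second describes a symptom rather than a requirement; rename it (for example **Sandbox never reaches Ready**) and give the exact line to add, `OPENSHELL_BIND_ADDRESS=0.0.0.0`, as action.yml does, rather than only the variable name. Since that setting makes the gateway reachable from every interface on the host, the bullet should also say that readers on shared networks need to firewall the gateway port.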

docs/plans/universal-harness-access.md

Lines changed: 1 addition & 1 deletion
@@ -35,7 +35,7 @@ pre_script: scripts/pre-code.sh
3535
post_script: scripts/post-code.sh
3636
host_files:
3737
- src: env/gcp-vertex.env
38-
dest: /tmp/workspace/.env.d/gcp-vertex.env
38+
dest: /sandbox/workspace/.env.d/gcp-vertex.env
3939
```
4040
4141
Resolution logic (`internal/harness/harness.go`):
