refactor(craft): simplify ACP session management — single resume_or_c… #19
Workflow file for this run
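# Builds the sandbox image for amd64 and arm64 when an experimental-cc4a.* tag
# is pushed, then publishes one multi-arch manifest under a new version tag and
# `latest`. Nothing is built unless files under the sandbox path changed since
# the previous experimental-cc4a tag.
name: Build and Push Sandbox Image on Tag

on:
  push:
    tags:
      - "experimental-cc4a.*"

# Restrictive defaults; jobs declare what they need.
permissions: {}

jobs:
  # Decides whether a build is needed and which version tag to publish.
  # Holds no registry or cloud credentials: contents:read only.
  check-sandbox-changes:
    runs-on: ubuntu-slim
    timeout-minutes: 10
    permissions:
      contents: read
    outputs:
      sandbox-changed: ${{ steps.check.outputs.sandbox-changed }}
      new-version: ${{ steps.version.outputs.new-version }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
        with:
          # Do not leave the job token in the checked-out repo's git config.
          persist-credentials: false
          # Full history and tags are needed to diff against the previous tag.
          fetch-depth: 0

      - name: Check for sandbox-relevant file changes
        id: check
        run: |
          # Get the previous tag to diff against
          CURRENT_TAG="${GITHUB_REF_NAME}"
          # -F -x: exclude the current tag by exact string match. The tag name
          # contains dots, which a regex would treat as wildcards and could
          # then drop a different tag from the candidate list.
          PREVIOUS_TAG=$(git tag --sort=-creatordate | grep '^experimental-cc4a\.' | grep -Fxv -- "${CURRENT_TAG}" | head -n 1)

          if [ -z "$PREVIOUS_TAG" ]; then
            echo "No previous experimental-cc4a tag found, building unconditionally"
            echo "sandbox-changed=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "Comparing ${PREVIOUS_TAG}..${CURRENT_TAG}"

          # Check if any sandbox-relevant files changed
          SANDBOX_PATHS=(
            "backend/onyx/server/features/build/sandbox/"
          )

          CHANGED=false
          for path in "${SANDBOX_PATHS[@]}"; do
            if git diff --name-only "${PREVIOUS_TAG}..${CURRENT_TAG}" -- "$path" | grep -q .; then
              echo "Changes detected in: $path"
              CHANGED=true
              break
            fi
          done

          echo "sandbox-changed=$CHANGED" >> "$GITHUB_OUTPUT"

      - name: Determine new sandbox version
        id: version
        if: steps.check.outputs.sandbox-changed == 'true'
        run: |
          set -euo pipefail

          # Query Docker Hub for the latest versioned tag.
          # Fetch first and fail closed: if the request fails or returns an
          # unexpected body, stop here. Treating a failed lookup as "no tags
          # exist" would restart numbering at 0.1.1 and re-point an already
          # published version tag at a new image.
          # NOTE(review): only the first page (100 tags) is read; confirm the
          # newest version tag is always on that page, or paginate.
          RESPONSE=$(curl -fsS --retry 3 "https://hub.docker.com/v2/repositories/onyxdotapp/sandbox/tags?page_size=100")

          # jq errors out (and pipefail stops the step) when `.results` is
          # missing; grep finding no version tag is the one tolerated case.
          LATEST_TAG=$(printf '%s' "$RESPONSE" \
            | jq -r '.results[].name' \
            | { grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' || true; } \
            | sort -V \
            | tail -n 1)

          if [ -z "$LATEST_TAG" ]; then
            echo "No existing version tags found on Docker Hub, starting at 0.1.1"
            NEW_VERSION="0.1.1"
          else
            CURRENT_VERSION="${LATEST_TAG#v}"
            echo "Latest version on Docker Hub: $CURRENT_VERSION"

            # Increment patch version
            MAJOR=$(echo "$CURRENT_VERSION" | cut -d. -f1)
            MINOR=$(echo "$CURRENT_VERSION" | cut -d. -f2)
            PATCH=$(echo "$CURRENT_VERSION" | cut -d. -f3)
            # 10# forces base 10 so a patch such as "08" is not read as octal.
            NEW_PATCH=$((10#$PATCH + 1))
            NEW_VERSION="${MAJOR}.${MINOR}.${NEW_PATCH}"
          fi

          # NOTE(review): the version comes from registry state at run time, so
          # two overlapping runs could compute the same value; consider a
          # workflow-level concurrency group.
          echo "New version: $NEW_VERSION"
          echo "new-version=$NEW_VERSION" >> "$GITHUB_OUTPUT"

  # Builds the amd64 image and pushes it by digest only (no tag); the
  # merge-sandbox job attaches the tags.
  build-sandbox-amd64:
    needs: check-sandbox-changes
    if: needs.check-sandbox-changes.outputs.sandbox-changed == 'true'
    runs-on:
      - runs-on
      - runner=4cpu-linux-x64
      - run-id=${{ github.run_id }}-sandbox-amd64
      - extras=ecr-cache
    timeout-minutes: 90
    # Runs in the `release` environment; any protection rules configured on
    # that environment apply before this job starts.
    environment: release
    permissions:
      contents: read
      # Required to request the OIDC token used for the AWS role assumption.
      id-token: write
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    env:
      REGISTRY_IMAGE: onyxdotapp/sandbox
    steps:
      - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
        with:
          persist-credentials: false

      # No long-lived AWS keys are stored in the repository: the role named by
      # the secret is assumed for this run.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
          aws-region: us-east-2

      # Docker Hub credentials come from AWS Secrets Manager and are read by
      # the login step below as env.DOCKER_USERNAME / env.DOCKER_TOKEN.
      - name: Get AWS Secrets
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802
        with:
          secret-ids: |
            DOCKER_USERNAME, deploy/docker-username
            DOCKER_TOKEN, deploy/docker-token
          parse-json-secrets: true

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # ratchet:docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          flavor: |
            latest=false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # ratchet:docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # ratchet:docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_TOKEN }}

      - name: Build and push AMD64
        id: build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # ratchet:docker/build-push-action@v6
        with:
          context: ./backend/onyx/server/features/build/sandbox/kubernetes/docker
          file: ./backend/onyx/server/features/build/sandbox/kubernetes/docker/Dockerfile
          platforms: linux/amd64
          labels: ${{ steps.meta.outputs.labels }}
          # Build cache is imported from the mutable :latest tag that this
          # workflow itself publishes.
          cache-from: |
            type=registry,ref=${{ env.REGISTRY_IMAGE }}:latest
          cache-to: |
            type=inline
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true

  # Same as build-sandbox-amd64, on an arm64 runner for linux/arm64.
  build-sandbox-arm64:
    needs: check-sandbox-changes
    if: needs.check-sandbox-changes.outputs.sandbox-changed == 'true'
    runs-on:
      - runs-on
      - runner=4cpu-linux-arm64
      - run-id=${{ github.run_id }}-sandbox-arm64
      - extras=ecr-cache
    timeout-minutes: 90
    environment: release
    permissions:
      contents: read
      # Required to request the OIDC token used for the AWS role assumption.
      id-token: write
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    env:
      REGISTRY_IMAGE: onyxdotapp/sandbox
    steps:
      - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
        with:
          persist-credentials: false

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
          aws-region: us-east-2

      - name: Get AWS Secrets
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802
        with:
          secret-ids: |
            DOCKER_USERNAME, deploy/docker-username
            DOCKER_TOKEN, deploy/docker-token
          parse-json-secrets: true

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # ratchet:docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          flavor: |
            latest=false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # ratchet:docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # ratchet:docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_TOKEN }}

      - name: Build and push ARM64
        id: build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # ratchet:docker/build-push-action@v6
        with:
          context: ./backend/onyx/server/features/build/sandbox/kubernetes/docker
          file: ./backend/onyx/server/features/build/sandbox/kubernetes/docker/Dockerfile
          platforms: linux/arm64
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: |
            type=registry,ref=${{ env.REGISTRY_IMAGE }}:latest
          cache-to: |
            type=inline
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true

  # Joins the two per-architecture digests into one manifest list and tags it
  # v<new-version> and latest. There is no `if:` here: the job is skipped when
  # a job it needs was skipped.
  merge-sandbox:
    needs:
      - check-sandbox-changes
      - build-sandbox-amd64
      - build-sandbox-arm64
    runs-on:
      - runs-on
      - runner=2cpu-linux-x64
      - run-id=${{ github.run_id }}-merge-sandbox
      - extras=ecr-cache
    timeout-minutes: 30
    environment: release
    permissions:
      # Only the OIDC token is needed; this job never checks out the repository.
      id-token: write
    env:
      REGISTRY_IMAGE: onyxdotapp/sandbox
    steps:
      - uses: runs-on/action@cd2b598b0515d39d78c38a02d529db87d2196d1e # ratchet:runs-on/action@v2

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
        with:
          role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
          aws-region: us-east-2

      - name: Get AWS Secrets
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802
        with:
          secret-ids: |
            DOCKER_USERNAME, deploy/docker-username
            DOCKER_TOKEN, deploy/docker-token
          parse-json-secrets: true

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # ratchet:docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # ratchet:docker/login-action@v3
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_TOKEN }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # ratchet:docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          flavor: |
            latest=false
          tags: |
            type=raw,value=v${{ needs.check-sandbox-changes.outputs.new-version }}
            type=raw,value=latest

      # Expression values reach the script through env vars, not by
      # interpolating ${{ }} into the script text, so they are never parsed as
      # shell source.
      - name: Create and push manifest
        env:
          IMAGE_REPO: ${{ env.REGISTRY_IMAGE }}
          AMD64_DIGEST: ${{ needs.build-sandbox-amd64.outputs.digest }}
          ARM64_DIGEST: ${{ needs.build-sandbox-arm64.outputs.digest }}
          META_TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          # Refuse to publish if either architecture produced no digest.
          if [ -z "${AMD64_DIGEST}" ] || [ -z "${ARM64_DIGEST}" ]; then
            echo "Missing per-architecture digest; refusing to publish a partial manifest" >&2
            exit 1
          fi

          # One `-t <tag>` pair per non-empty line of META_TAGS, kept in an
          # array so every argument is passed quoted (no word splitting or
          # glob expansion).
          TAG_ARGS=()
          while IFS= read -r tag; do
            if [ -n "$tag" ]; then
              TAG_ARGS+=(-t "$tag")
            fi
          done <<< "${META_TAGS}"

          docker buildx imagetools create \
            "${TAG_ARGS[@]}" \
            "${IMAGE_REPO}@${AMD64_DIGEST}" \
            "${IMAGE_REPO}@${ARM64_DIGEST}"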