sandbox-agent/.github/workflows/release.yaml
Nathan Flurry 553f249836
fix: add postinstall chmod for npm binary permissions (#43)
* fix: add postinstall chmod for npm binary permissions

* fix: report npm package version instead of compiled binary version

The --version flag now reports the version from package.json instead of the
version compiled into the Rust binary. This ensures the version matches what
was installed via npm, even when binaries are reused from previous releases.

* fix: bake version into binary at build time

Instead of hacking around the version in the Node.js wrapper script,
properly pass the version at build time via SANDBOX_AGENT_VERSION env var.

Changes:
- build.rs: Generate version.rs with VERSION constant from env var
- main.rs: Use generated version constant for clap --version
- Dockerfiles: Accept SANDBOX_AGENT_VERSION as build arg
- build.sh: Pass version as second argument to Docker builds
- release.yaml: Pass version to build script during CI
- Remove version hack from sdks/cli/bin/sandbox-agent wrapper

The version is now baked into the binary during the release build,
ensuring --version reports the correct npm package version.
2026-02-02 00:45:31 -08:00


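name: release

# Manual trigger only. Every input below is free-form text typed by the operator
# who dispatches the run (write access is required to dispatch, but the values
# are still not code) and is later handed to shell steps.
on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Version'
        required: true
        type: string
      latest:
        description: 'Latest'
        required: true
        type: boolean
        default: true
      reuse_engine_version:
        description: 'Reuse artifacts from this version (skips building)'
        required: false
        type: string

# NOTE(review): there is no workflow-level `permissions:` block, so jobs that do
# not declare their own inherit the repository's default GITHUB_TOKEN scope.
# Confirm what each job actually needs and declare it per job.

defaults:
  run:
    # Fail-fast shell. Naming `bash` explicitly makes the runner invoke
    # `bash --noprofile --norc -eo pipefail {0}`; the previous `bash -e {0}`
    # form lacked pipefail, so a failing command on the left of a pipe did not
    # fail the step.
    shell: bash

env:
  # Disable incremental compilation for faster from-scratch builds
  CARGO_INCREMENTAL: 0
  # Skip OpenAPI generation in CI (use pre-committed docs/openapi.json)
  SKIP_OPENAPI_GEN: 1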
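jobs:
  # Phase 1: prepares the release (git identity, npm auth, dependencies) and runs
  # the `setup-ci` phase of the release script.
  setup:
    name: "Setup"
    runs-on: ubuntu-24.04
    permissions:
      # Allow pushing to GitHub
      contents: write
      # Allows authentication
      id-token: write
    steps:
      # NOTE(review): third-party actions in this file are pinned to mutable tags
      # (`@v4`, `@v3`, `@stable`). This pipeline holds publishing tokens, so pin
      # each action to a full commit SHA (`uses: owner/repo@<commit-sha> # vN`)
      # so a retagged action cannot change what runs here.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: dtolnay/rust-toolchain@stable
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - run: corepack enable
      - name: Setup
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          R2_RELEASES_ACCESS_KEY_ID: ${{ secrets.R2_RELEASES_ACCESS_KEY_ID }}
          R2_RELEASES_SECRET_ACCESS_KEY: ${{ secrets.R2_RELEASES_SECRET_ACCESS_KEY }}
          # Operator inputs reach the shell as environment variables rather than
          # being expanded into the script text, so their content is data to
          # bash and can never be parsed as shell syntax.
          RELEASE_VERSION: ${{ inputs.version }}
          RELEASE_LATEST: ${{ inputs.latest }}
          REUSE_ENGINE_VERSION: ${{ inputs.reuse_engine_version }}
        run: |
          # Configure Git
          git config --global user.name "github-actions[bot]"
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          # Authenticate with NPM. The token is read from the step env instead of
          # being pasted into the script body.
          cat << EOF > ~/.npmrc
          //registry.npmjs.org/:_authToken=${NPM_TOKEN}
          EOF
          # Install dependencies
          # NOTE(review): --no-frozen-lockfile lets a release build install
          # versions that differ from pnpm-lock.yaml; confirm this is intended.
          pnpm install --no-frozen-lockfile
          # Install tsx globally
          npm install -g tsx
          # Assemble the release command as an argv array and run it directly:
          # no `eval`, so each argument is passed verbatim even if it contains
          # spaces or quotes.
          ARGS=(--version "${RELEASE_VERSION}" --phase setup-ci)
          if [ "${RELEASE_LATEST}" != "true" ]; then
            ARGS+=(--no-latest)
          fi
          if [ -n "${REUSE_ENGINE_VERSION}" ]; then
            ARGS+=(--reuse-engine-version "${REUSE_ENGINE_VERSION}")
          fi
          ./scripts/release/main.ts "${ARGS[@]}"

  # Phase 2a: cross-builds one binary per target inside Docker and uploads it to
  # R2 under the short commit SHA. Skipped when artifacts are being reused.
  binaries:
    name: "Build & Upload Binaries"
    needs: [setup]
    if: ${{ !inputs.reuse_engine_version }}
    strategy:
      matrix:
        include:
          - platform: linux
            runner: depot-ubuntu-24.04-8
            target: x86_64-unknown-linux-musl
            binary_ext: ""
            arch: x86_64
          - platform: windows
            runner: depot-ubuntu-24.04-8
            target: x86_64-pc-windows-gnu
            binary_ext: ".exe"
            arch: x86_64
          - platform: macos
            runner: depot-ubuntu-24.04-8
            target: x86_64-apple-darwin
            binary_ext: ""
            arch: x86_64
          - platform: macos
            runner: depot-ubuntu-24.04-8
            target: aarch64-apple-darwin
            binary_ext: ""
            arch: aarch64
    runs-on: ${{ matrix.runner }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build binary
        env:
          # Passed through the environment, not expanded into the script (see setup)
          RELEASE_VERSION: ${{ inputs.version }}
        run: |
          # Use Docker BuildKit
          export DOCKER_BUILDKIT=1
          # Build the binary using our Dockerfile; the second argument is the
          # release version that gets baked into the binary at build time.
          docker/release/build.sh "${{ matrix.target }}" "${RELEASE_VERSION}"
          # Show what was produced, then fail here (rather than at upload) if the
          # expected binary is missing.
          ls -la dist/
          test -f "dist/sandbox-agent-${{ matrix.target }}${{ matrix.binary_ext }}"
      - name: Upload to R2
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.R2_RELEASES_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_RELEASES_SECRET_ACCESS_KEY }}
        run: |
          # Install dependencies for AWS CLI
          sudo apt-get update
          sudo apt-get install -y unzip curl
          # Install AWS CLI
          # NOTE(review): the installer is downloaded at run time and executed
          # with sudo without any checksum or signature check, so this step runs
          # whatever that URL serves. AWS publishes a GPG signature for the
          # archive; verifying it, or pre-installing a pinned CLI on the runner
          # image, would close that gap. `--fail` at least stops an HTTP error
          # page from being unzipped as if it were the archive.
          curl --fail "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
          unzip awscliv2.zip
          sudo ./aws/install --update
          COMMIT_SHA_SHORT="${GITHUB_SHA::7}"
          BINARY_PATH="dist/sandbox-agent-${{ matrix.target }}${{ matrix.binary_ext }}"
          # Must specify --checksum-algorithm for compatibility with R2
          aws s3 cp \
            "${BINARY_PATH}" \
            "s3://rivet-releases/sandbox-agent/${COMMIT_SHA_SHORT}/binaries/sandbox-agent-${{ matrix.target }}${{ matrix.binary_ext }}" \
            --region auto \
            --endpoint-url https://2a94c6a0ced8d35ea63cddc86c2681e7.r2.cloudflarestorage.com \
            --checksum-algorithm CRC32

  # Phase 2b: builds and pushes one runtime image per architecture, tagged with
  # the short commit SHA. Skipped when artifacts are being reused.
  docker:
    name: "Build & Push Docker Images"
    needs: [setup]
    if: ${{ !inputs.reuse_engine_version }}
    strategy:
      matrix:
        include:
          - platform: linux/arm64
            runner: depot-ubuntu-24.04-arm-8
            arch_suffix: "-arm64"
          - platform: linux/amd64
            runner: depot-ubuntu-24.04-8
            arch_suffix: "-amd64"
    runs-on: ${{ matrix.runner }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set outputs
        id: vars
        run: echo "sha_short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
      - uses: ./.github/actions/docker-setup
        with:
          docker_username: ${{ secrets.DOCKER_CI_USERNAME }}
          docker_password: ${{ secrets.DOCKER_CI_ACCESS_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Build & Push
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: rivetdev/sandbox-agent:${{ steps.vars.outputs.sha_short }}${{ matrix.arch_suffix }}
          file: docker/runtime/Dockerfile
          platforms: ${{ matrix.platform }}
          # NOTE(review): only TARGETARCH is passed here. The commit description
          # says the Dockerfiles accept SANDBOX_AGENT_VERSION as a build arg, so
          # confirm whether docker/runtime/Dockerfile also needs the version.
          build-args: |
            TARGETARCH=${{ contains(matrix.platform, 'arm64') && 'arm64' || 'amd64' }}

  # Phase 3: publishes the release. Runs after a successful setup whether the
  # build jobs ran or were skipped (artifact reuse), but never after a
  # cancellation or a build failure.
  complete:
    name: "Complete"
    needs: [setup, docker, binaries]
    if: ${{ always() && !cancelled() && needs.setup.result == 'success' && (needs.docker.result == 'success' || needs.docker.result == 'skipped') && (needs.binaries.result == 'success' || needs.binaries.result == 'skipped') }}
    runs-on: ubuntu-24.04
    # NOTE(review): this job publishes with GITHUB_TOKEN, crates.io and npm
    # tokens but declares no `permissions:`; it relies on the repository default
    # scope. Declare the scopes the complete phase needs explicitly.
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: dtolnay/rust-toolchain@stable
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"
      - run: corepack enable
      # NOTE(review): a failed registry login is swallowed here, so any image
      # push in the complete phase would fail later with a less direct error.
      # Confirm this login is genuinely optional for `complete-ci`.
      - uses: ./.github/actions/docker-setup
        continue-on-error: true
        with:
          docker_username: ${{ secrets.DOCKER_CI_USERNAME }}
          docker_password: ${{ secrets.DOCKER_CI_ACCESS_TOKEN }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Complete
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          R2_RELEASES_ACCESS_KEY_ID: ${{ secrets.R2_RELEASES_ACCESS_KEY_ID }}
          R2_RELEASES_SECRET_ACCESS_KEY: ${{ secrets.R2_RELEASES_SECRET_ACCESS_KEY }}
          # Operator inputs reach the shell as environment variables rather than
          # being expanded into the script text (same reasoning as in setup).
          RELEASE_VERSION: ${{ inputs.version }}
          RELEASE_LATEST: ${{ inputs.latest }}
          REUSE_ENGINE_VERSION: ${{ inputs.reuse_engine_version }}
        run: |
          # Authenticate with NPM, reusing the token already in NODE_AUTH_TOKEN
          # instead of pasting the secret into the script body.
          # NOTE(review): setup-node's registry-url plus NODE_AUTH_TOKEN already
          # configures npm auth for this job, so this ~/.npmrc may be redundant;
          # confirm before removing it.
          cat << EOF > ~/.npmrc
          //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
          EOF
          # Install dependencies
          pnpm install --no-frozen-lockfile
          # Install tsx globally
          npm install -g tsx
          # Assemble the release command as an argv array and run it directly
          # (no `eval`), so inputs are passed verbatim as single arguments.
          ARGS=(--version "${RELEASE_VERSION}" --phase complete-ci --no-validate-git)
          if [ "${RELEASE_LATEST}" != "true" ]; then
            ARGS+=(--no-latest)
          fi
          if [ -n "${REUSE_ENGINE_VERSION}" ]; then
            ARGS+=(--reuse-engine-version "${REUSE_ENGINE_VERSION}")
          fi
          ./scripts/release/main.ts "${ARGS[@]}"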