exec-sandbox 0.1.0__tar.gz

exec_sandbox-0.1.0/.editorconfig

@@ -0,0 +1,18 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[Makefile]
+indent_size = 4
+indent_style = tab
+
+[*.py]
+indent_size = 4

exec_sandbox-0.1.0/.github/actions/build-guest-agent/action.yml

@@ -0,0 +1,56 @@
+name: Build guest-agent
+description: Build guest-agent Rust binary for specified architecture
+
+inputs:
+  arch:
+    description: Target architecture (x86_64 or aarch64)
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Expose GitHub Actions cache variables
+      uses: actions/github-script@v7
+      with:
+        script: |
+          core.exportVariable('ACTIONS_CACHE_URL', process.env['ACTIONS_CACHE_URL'] || '');
+          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env['ACTIONS_RUNTIME_TOKEN'] || '');
+          core.exportVariable('ACTIONS_RESULTS_URL', process.env['ACTIONS_RESULTS_URL'] || '');
+
+    # Try to restore from latest run on same branch (hash-based caching in build script will skip if unchanged)
+    - name: Get latest run ID
+      id: latest-run
+      shell: bash
+      run: |
+        RUN_ID=$(gh run list \
+          --workflow=test.yml \
+          --branch="${{ github.ref_name }}" \
+          --limit=100 \
+          --json databaseId,conclusion \
+          --jq '[.[] | select(.conclusion == "success" or .conclusion == "failure")] | .[0].databaseId // empty')
+        echo "run_id=$RUN_ID" >> "$GITHUB_OUTPUT"
+      env:
+        GH_TOKEN: ${{ github.token }}
+
+    - name: Download previous build
+      if: steps.latest-run.outputs.run_id != ''
+      uses: actions/download-artifact@v4
+      with:
+        name: guest-agent-${{ inputs.arch == 'x86_64' && 'x64' || 'arm64' }}
+        path: images/dist/
+        github-token: ${{ github.token }}
+        run-id: ${{ steps.latest-run.outputs.run_id }}
+      continue-on-error: true
+
+    - name: Build guest-agent
+      shell: bash
+      env:
+        BUILDX_CACHE_FROM: type=gha,ignore-error=true
+        BUILDX_CACHE_TO: type=gha,mode=max,ignore-error=true
+      run: ./scripts/build-guest-agent.sh ${{ inputs.arch }}

exec_sandbox-0.1.0/.github/actions/build-gvproxy-wrapper/action.yml

@@ -0,0 +1,29 @@
+name: Build gvproxy-wrapper
+description: Build gvproxy-wrapper Go binary
+
+inputs:
+  all-platforms:
+    description: Build for all platforms (linux/darwin × amd64/arm64)
+    required: false
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - name: Install Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: "1.24"
+        cache-dependency-path: gvproxy-wrapper/go.sum
+
+    - name: Build (current platform)
+      if: inputs.all-platforms == 'false'
+      working-directory: gvproxy-wrapper
+      shell: bash
+      run: make build
+
+    - name: Build (all platforms)
+      if: inputs.all-platforms == 'true'
+      working-directory: gvproxy-wrapper
+      shell: bash
+      run: make build-all

exec_sandbox-0.1.0/.github/actions/build-vm-images/action.yml

@@ -0,0 +1,64 @@
+name: Build VM images
+description: Build kernel and qcow2 images for specified architecture
+
+inputs:
+  arch:
+    description: Target architecture (x86_64 or aarch64)
+    required: true
+  variant:
+    description: Image variant (python, node, raw, or all)
+    required: false
+    default: "all"
+
+runs:
+  using: composite
+  steps:
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Expose GitHub Actions cache variables
+      uses: actions/github-script@v7
+      with:
+        script: |
+          core.exportVariable('ACTIONS_CACHE_URL', process.env['ACTIONS_CACHE_URL'] || '');
+          core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env['ACTIONS_RUNTIME_TOKEN'] || '');
+          core.exportVariable('ACTIONS_RESULTS_URL', process.env['ACTIONS_RESULTS_URL'] || '');
+
+    # Try to restore from latest run on same branch (hash-based caching in build script will skip if unchanged)
+    - name: Get latest run ID
+      id: latest-run
+      shell: bash
+      run: |
+        RUN_ID=$(gh run list \
+          --workflow=test.yml \
+          --branch="${{ github.ref_name }}" \
+          --limit=100 \
+          --json databaseId,conclusion \
+          --jq '[.[] | select(.conclusion == "success" or .conclusion == "failure")] | .[0].databaseId // empty')
+        echo "run_id=$RUN_ID" >> "$GITHUB_OUTPUT"
+      env:
+        GH_TOKEN: ${{ github.token }}
+
+    - name: Download previous build
+      if: steps.latest-run.outputs.run_id != ''
+      uses: actions/download-artifact@v4
+      with:
+        name: vm-images-${{ inputs.arch == 'x86_64' && 'x64' || 'arm64' }}
+        path: images/dist/
+        github-token: ${{ github.token }}
+        run-id: ${{ steps.latest-run.outputs.run_id }}
+      continue-on-error: true
+
+    - name: Extract kernel
+      shell: bash
+      run: ./scripts/extract-kernel.sh ${{ inputs.arch }}
+
+    - name: Build qcow2
+      shell: bash
+      env:
+        BUILDX_CACHE_FROM: type=gha,ignore-error=true
+        BUILDX_CACHE_TO: type=gha,mode=max,ignore-error=true
+      run: ./scripts/build-qcow2.sh ${{ inputs.variant }} ${{ inputs.arch }}

exec_sandbox-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,265 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  actions: read        # Required for artifact caching (gh run list)
+  attestations: write  # Required for GitHub attestations
+  contents: write      # Required for release asset upload
+  id-token: write      # Required for PyPI trusted publishing + Sigstore signing
+
+jobs:
+  # ==========================================================================
+  # Python Package
+  # ==========================================================================
+
+  python-package:
+    name: Python Package
+    runs-on: linux-arm64-ubuntu2404-small-private
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v6.0.1
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7.1.6
+        with:
+          enable-cache: true
+          cache-dependency-glob: uv.lock
+
+      - name: Set up Python
+        uses: actions/setup-python@v6.1.0
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: make install-deps
+
+      - name: Inject version from git tag
+        run: |
+          VERSION=$(./cicd/version.sh -g .)
+          VERSION_FULL=$(./cicd/version.sh -g . -c -m)
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "VERSION_FULL=$VERSION_FULL" >> $GITHUB_ENV
+          echo "Injecting version: $VERSION (full: $VERSION_FULL)"
+          sed -i "s/^version = .*/version = \"$VERSION\"/" pyproject.toml
+
+      - name: Build package
+        run: uv build
+
+      - name: Verify build artifacts
+        run: |
+          ls -la dist/
+          test -f dist/exec_sandbox-*.whl
+          test -f dist/exec_sandbox-*.tar.gz
+          uv run twine check dist/*
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v3.1.0
+        with:
+          subject-path: dist/*
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-dist
+          path: dist/
+          retention-days: 30
+
+  publish-testpypi:
+    name: Publish to TestPyPI
+    needs: python-package
+    runs-on: linux-x64-ubuntu2404-small-private  # x64 required: pypi-publish action is amd64 only
+    timeout-minutes: 10
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/exec_sandbox
+    permissions:
+      id-token: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: python-dist
+          path: dist/
+
+      - name: Publish to TestPyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          attestations: true
+          print-hash: true
+
+  publish-pypi:
+    name: Publish to PyPI
+    needs: [python-package, publish-testpypi]
+    runs-on: linux-x64-ubuntu2404-small-private  # x64 required: pypi-publish action is amd64 only
+    timeout-minutes: 10
+    environment:
+      name: pypi
+      url: https://pypi.org/p/exec_sandbox
+    permissions:
+      id-token: write
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: python-dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestations: true
+          print-hash: true
+
+  # ==========================================================================
+  # Binary Builds
+  # ==========================================================================
+
+  gvproxy-wrapper:
+    name: gvproxy-wrapper
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6.0.1
+
+      - name: Build gvproxy-wrapper (all platforms)
+        uses: ./.github/actions/build-gvproxy-wrapper
+        with:
+          all-platforms: "true"
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: gvproxy-wrapper
+          path: gvproxy-wrapper/bin/gvproxy-wrapper-*
+
+  guest-agent:
+    name: guest-agent (${{ matrix.arch }})
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch: [x86_64, aarch64]
+    steps:
+      - uses: actions/checkout@v6.0.1
+
+      - name: Build guest-agent
+        uses: ./.github/actions/build-guest-agent
+        with:
+          arch: ${{ matrix.arch }}
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: guest-agent-${{ matrix.arch }}
+          path: images/dist/guest-agent-linux-${{ matrix.arch }}
+
+  # ==========================================================================
+  # VM Images
+  # ==========================================================================
+
+  vm-images:
+    name: VM Images (${{ matrix.arch }})
+    runs-on: ubuntu-latest
+    needs: [guest-agent]
+    strategy:
+      matrix:
+        arch: [x86_64, aarch64]
+    steps:
+      - uses: actions/checkout@v6.0.1
+
+      - name: Download guest-agent
+        uses: actions/download-artifact@v4
+        with:
+          name: guest-agent-${{ matrix.arch }}
+          path: images/dist/
+
+      - name: Build VM images
+        uses: ./.github/actions/build-vm-images
+        with:
+          arch: ${{ matrix.arch }}
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: vm-images-${{ matrix.arch }}
+          path: |
+            images/dist/vmlinuz-${{ matrix.arch }}
+            images/dist/initramfs-${{ matrix.arch }}
+            images/dist/*-${{ matrix.arch }}.qcow2
+
+  # ==========================================================================
+  # GitHub Release
+  # ==========================================================================
+
+  release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    needs: [publish-pypi, gvproxy-wrapper, guest-agent, vm-images]
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v6.0.1
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts/
+
+      - name: Prepare release files
+        run: |
+          mkdir -p release
+
+          # Python package
+          cp artifacts/python-dist/*.whl release/
+          cp artifacts/python-dist/*.tar.gz release/
+
+          # gvproxy-wrapper
+          cp artifacts/gvproxy-wrapper/* release/
+
+          # guest-agent
+          cp artifacts/guest-agent-x86_64/* release/
+          cp artifacts/guest-agent-aarch64/* release/
+
+          # VM images (kernel + initramfs + qcow2)
+          cp artifacts/vm-images-x86_64/* release/
+          cp artifacts/vm-images-aarch64/* release/
+
+          # Compress large files
+          cd release
+          for f in *.qcow2 vmlinuz-* initramfs-*; do
+            zstd -19 --rm "$f"
+          done
+
+          # Generate checksums
+          sha256sum * > SHA256SUMS
+
+          ls -lh
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2.5.0
+        with:
+          files: release/*
+          generate_release_notes: true
+          fail_on_unmatched_files: true
+
+      - name: Generate job summary
+        run: |
+          echo "## Release Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Published To" >> $GITHUB_STEP_SUMMARY
+          echo "- [TestPyPI](https://test.pypi.org/p/exec_sandbox)" >> $GITHUB_STEP_SUMMARY
+          echo "- [PyPI](https://pypi.org/p/exec_sandbox)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Artifacts" >> $GITHUB_STEP_SUMMARY
+          echo "- Python wheel + sdist" >> $GITHUB_STEP_SUMMARY
+          echo "- gvproxy-wrapper (4 platforms)" >> $GITHUB_STEP_SUMMARY
+          echo "- guest-agent (2 architectures)" >> $GITHUB_STEP_SUMMARY
+          echo "- Kernel + initramfs (2 architectures)" >> $GITHUB_STEP_SUMMARY
+          echo "- qcow2 images (6 variants)" >> $GITHUB_STEP_SUMMARY