diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index b643ae12fc..0660c61b0c 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -24,34 +24,34 @@ concurrency: group: docker-${{ github.ref }} cancel-in-progress: false +env: + IMAGE_NAME: nousresearch/hermes-agent + jobs: - build-and-push: + # --------------------------------------------------------------------------- + # Build amd64 natively. This job also runs the smoke tests (basic --help + # and the dashboard subcommand regression guard from #9153), because amd64 + # is the only arch we can `load` into the local daemon on an amd64 runner. + # --------------------------------------------------------------------------- + build-amd64: # Only run on the upstream repository, not on forks if: github.repository == 'NousResearch/hermes-agent' runs-on: ubuntu-latest - timeout-minutes: 60 + timeout-minutes: 45 outputs: - pushed_sha_tag: ${{ steps.mark_pushed.outputs.pushed }} + digest: ${{ steps.push.outputs.digest }} steps: - name: Checkout code uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: submodules: recursive - # Fetch enough history to run `git merge-base --is-ancestor` in the - # move-latest job. That job reuses this checkout via its own - # actions/checkout call, but commits reachable from main up to ~1000 - # back are plenty for any realistic race window. - fetch-depth: 1000 - - - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - # Build amd64 only so we can `load` the image for smoke testing. - # `load: true` cannot export a multi-arch manifest to the local daemon. - # The multi-arch build follows on push to main / release. + # Build once, load into the local daemon for smoke testing. Cached + # to gha with a per-arch scope; the push step below reuses every + # layer from this build. - name: Build image (amd64, smoke test) uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: @@ -59,9 +59,9 @@ jobs: file: Dockerfile load: true platforms: linux/amd64 - tags: nousresearch/hermes-agent:test - cache-from: type=gha - cache-to: type=gha,mode=max + tags: ${{ env.IMAGE_NAME }}:test + cache-from: type=gha,scope=docker-amd64 + cache-to: type=gha,mode=max,scope=docker-amd64 - name: Test image starts run: | @@ -76,7 +76,7 @@ jobs: docker run --rm \ -v /tmp/hermes-test:/opt/data \ --entrypoint /opt/hermes/docker/entrypoint.sh \ - nousresearch/hermes-agent:test --help + ${{ env.IMAGE_NAME }}:test --help - name: Test dashboard subcommand run: | @@ -88,7 +88,7 @@ jobs: docker run --rm \ -v /tmp/hermes-test:/opt/data \ --entrypoint /opt/hermes/docker/entrypoint.sh \ - nousresearch/hermes-agent:test dashboard --help + ${{ env.IMAGE_NAME }}:test dashboard --help - name: Log in to Docker Hub if: github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'release' @@ -97,61 +97,205 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - # Always push a per-commit SHA tag on main. This is race-free because - # every commit has a unique SHA — concurrent runs can't clobber each - # other here. We also embed the git SHA as an OCI label so the - # move-latest job (below) can read it back off the registry's `:latest`. - - name: Push multi-arch image with SHA tag (main branch) - id: push_sha - if: github.event_name == 'push' && github.ref == 'refs/heads/main' + # Push amd64 by digest only (no tag). The merge job assembles the + # tagged manifest list. `push-by-digest=true` is docker's recommended + # pattern for multi-runner multi-platform builds. + # + # We apply the OCI revision label here (and again on arm64) because + # the move-latest job reads it off the linux/amd64 sub-manifest config + # of `:latest` to decide whether it's safe to advance. The label must + # be on each per-arch image — manifest lists themselves don't carry + # image config labels. + - name: Push amd64 by digest + id: push + if: github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'release' uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: context: . file: Dockerfile - push: true - platforms: linux/amd64,linux/arm64 - tags: nousresearch/hermes-agent:sha-${{ github.sha }} + platforms: linux/amd64 labels: | org.opencontainers.image.revision=${{ github.sha }} - cache-from: type=gha - cache-to: type=gha,mode=max + outputs: type=image,name=${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true + cache-from: type=gha,scope=docker-amd64 + cache-to: type=gha,mode=max,scope=docker-amd64 + # Write the digest to a file and upload it as an artifact so the + # merge job can stitch both per-arch digests into a manifest list. + - name: Export digest + if: github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'release' + run: | + mkdir -p /tmp/digests + digest="${{ steps.push.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest artifact + if: github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'release' + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: digest-amd64 + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + # --------------------------------------------------------------------------- + # Build arm64 natively on GitHub's free arm64 runner. This replaces the + # previous QEMU-emulated arm64 build, which was ~5-10x slower and shared + # a cache scope with amd64. + # --------------------------------------------------------------------------- + build-arm64: + if: github.repository == 'NousResearch/hermes-agent' && (github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'release') + runs-on: ubuntu-24.04-arm + timeout-minutes: 45 + outputs: + digest: ${{ steps.push.outputs.digest }} + steps: + - name: Checkout code + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + with: + submodules: recursive + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + + - name: Log in to Docker Hub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Push arm64 by digest + id: push + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 + with: + context: . + file: Dockerfile + platforms: linux/arm64 + labels: | + org.opencontainers.image.revision=${{ github.sha }} + outputs: type=image,name=${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true + cache-from: type=gha,scope=docker-arm64 + cache-to: type=gha,mode=max,scope=docker-arm64 + + - name: Export digest + run: | + mkdir -p /tmp/digests + digest="${{ steps.push.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: digest-arm64 + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + # --------------------------------------------------------------------------- + # Stitch both per-arch digests into a single tagged multi-arch manifest. + # This is a registry-side operation — no building, no layer re-push — + # so it runs in ~30 seconds. On main pushes it produces :sha-. + # On releases it produces :. + # --------------------------------------------------------------------------- + merge: + if: github.repository == 'NousResearch/hermes-agent' && (github.event_name == 'push' && github.ref == 'refs/heads/main' || github.event_name == 'release') + runs-on: ubuntu-latest + needs: [build-amd64, build-arm64] + timeout-minutes: 10 + outputs: + pushed_sha_tag: ${{ steps.mark_pushed.outputs.pushed }} + steps: + - name: Download digests + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + with: + path: /tmp/digests + pattern: digest-* + merge-multiple: true + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + + - name: Log in to Docker Hub + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + # Compute the tag for this run. Main pushes use sha- (so every + # commit gets its own immutable tag); releases use the release tag name. + - name: Compute tag + id: tag + run: | + if [ "${{ github.event_name }}" = "release" ]; then + echo "tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT" + else + echo "tag=sha-${{ github.sha }}" >> "$GITHUB_OUTPUT" + fi + + - name: Create manifest list and push + working-directory: /tmp/digests + run: | + set -euo pipefail + # Build the arg array from each digest file (filename = the digest + # hex, with no sha256: prefix; empty file content, only the name + # matters). Using an array avoids shellcheck SC2046 and keeps + # every digest a single argv token even under pathological names. + args=() + for digest_file in *; do + args+=("${IMAGE_NAME}@sha256:${digest_file}") + done + docker buildx imagetools create \ + -t "${IMAGE_NAME}:${TAG}" \ + "${args[@]}" + env: + IMAGE_NAME: ${{ env.IMAGE_NAME }} + TAG: ${{ steps.tag.outputs.tag }} + + - name: Inspect image + run: | + docker buildx imagetools inspect "${IMAGE_NAME}:${TAG}" + env: + IMAGE_NAME: ${{ env.IMAGE_NAME }} + TAG: ${{ steps.tag.outputs.tag }} + + # Signal to move-latest that the SHA tag is live. Only on main pushes; + # releases don't trigger move-latest (they use their own release tag). - name: Mark SHA tag pushed id: mark_pushed if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: echo "pushed=true" >> "$GITHUB_OUTPUT" - - name: Push multi-arch image (release) - if: github.event_name == 'release' - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 - with: - context: . - file: Dockerfile - push: true - platforms: linux/amd64,linux/arm64 - tags: nousresearch/hermes-agent:${{ github.event.release.tag_name }} - cache-from: type=gha - cache-to: type=gha,mode=max - - # Second job: moves `:latest` to point at the SHA tag the first job pushed. + # --------------------------------------------------------------------------- + # Move :latest to point at the SHA tag the merge job pushed. # - # Has its own concurrency group with `cancel-in-progress: true`, which - # gives us the serialization we need: if a newer push arrives while an - # older run is mid-way through this job, the older run is cancelled - # before it can clobber `:latest`. Combined with the ancestor check - # below, this means `:latest` only ever moves forward in git history. + # The real serialization guarantee comes from the top-level concurrency + # group (`docker-${{ github.ref }}` with `cancel-in-progress: false`), + # which ensures at most one workflow run for this ref executes at a time. + # That means two move-latest steps for the same ref cannot overlap. + # + # This job has its own concurrency group as defense-in-depth: if the + # top-level group is ever loosened, queued move-latests will run serially + # in arrival order, each one running the ancestor check below and either + # advancing :latest or skipping. `cancel-in-progress: false` matches the + # top-level setting — we don't want rapid pushes to cancel a queued + # move-latest, because the ancestor check is the real safety mechanism + # and queueing is cheap (move-latest is a ~30s registry op). + # + # Combined with the ancestor check, this means :latest only ever moves + # forward in git history. + # --------------------------------------------------------------------------- move-latest: if: | github.repository == 'NousResearch/hermes-agent' && github.event_name == 'push' && github.ref == 'refs/heads/main' - && needs.build-and-push.outputs.pushed_sha_tag == 'true' - needs: build-and-push + && needs.merge.outputs.pushed_sha_tag == 'true' + needs: merge runs-on: ubuntu-latest timeout-minutes: 10 concurrency: group: docker-move-latest-${{ github.ref }} - cancel-in-progress: true + cancel-in-progress: false steps: - name: Checkout code uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 @@ -167,11 +311,11 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - # Read the git revision label off the current `:latest` manifest, then + # Read the git revision label off the current :latest manifest, then # use `git merge-base --is-ancestor` to check whether our commit is a - # descendant of it. If `:latest` doesn't exist yet, or its label is + # descendant of it. If :latest doesn't exist yet, or its label is # missing, we treat that as "safe to publish". If another run already - # advanced `:latest` past us (or diverged), we skip and leave it alone. + # advanced :latest past us (or diverged), we skip and leave it alone. - name: Decide whether to move :latest id: latest_check run: |