Skip to content

chore: update registry app token workflows#13

Open
ericwang401 wants to merge 8 commits into
mainfrom
chore/registry-app-token-workflows
Open

chore: update registry app token workflows#13
ericwang401 wants to merge 8 commits into
mainfrom
chore/registry-app-token-workflows

Conversation

@ericwang401

Copy link
Copy Markdown
Contributor

This pull request introduces improvements to how VMID (Virtual Machine ID) information is managed and exported for builds, especially for parallel and cluster template scenarios. It also updates GitHub Actions workflows to use a GitHub App token for improved security and replaces an action with direct git commands for committing. Additionally, it removes outdated documentation and clarifies script comments to match the new VMID handling.

VMID Handling and Export Improvements:

  • The build process now exports both CF_BUILT_VMID (slot-derived build ID) and CF_RECIPE_BASE_VMID (base VMID), ensuring downstream scripts and consumers can reliably reference the correct base VMID without reverse-engineering. This affects environment variable exports in src/build/packer.ts, the build invocation in src/build.ts, and usage in builds/_shared/post/vzdump-and-cleanup.sh and scripts/cf-cluster-templates.sh. [1] [2] [3] [4] [5] [6] [7] [8]

GitHub Actions Workflow Updates:

  • Both build.yml and check-upstream.yml workflows now use actions/create-github-app-token@v2 to generate a GitHub App token for secure repository access, and pass this token to actions/checkout@v7. [1] [2]
  • The commit step in build.yml is rewritten to use direct git commands instead of the git-auto-commit-action, and commits are now attributed to cofoundry-registry-writer[bot] for clarity and consistency.
  • The author for checksum commits in check-upstream.yml is also updated to cofoundry-registry-writer[bot].

Documentation Cleanup:

  • The obsolete CLAUDE.md and docs/phase-3-verification.md files are removed, as their content is either outdated or superseded by other documentation. [1] [2]

Comment and Usage Clarifications:

  • Comments in scripts/cf-cluster-templates.sh are updated to explain the new VMID export logic, clarifying the roles of CF_BUILT_VMID and CF_RECIPE_BASE_VMID for both parallel and plain builds. [1] [2] [3]

These changes make the build and deployment process more robust, secure, and maintainable by improving variable management, workflow authentication, and documentation.

gabbelitoV2 and others added 8 commits June 24, 2026 10:27
cf now builds each VM under a slot-derived id (recipe base * 100 + slot
index) so parallel builds don't collide. The post-processor passes that
large id as CF_BUILT_VMID, but this script used it directly as the
per-node template base and its `>= OFFSET` guard then aborted with
exit 1 -- which, under `set -e` in vzdump-and-cleanup.sh, killed the
post-processor before the sidecar was written, so the whole build was
reported as "no artifacts created" despite a good .vma.zst.

Recover the recipe base (RAW / 100 when >= OFFSET) before computing
per-node VMIDs. A plain non-slot build still passes the base directly.
Header comment still described CF_BUILT_VMID as the per-node base and
example (build_vmid 4001 -> node1=14001). Post-merge, CF_BUILT_VMID is
the slot-derived id and BASE_VMID is recovered from it; update the
comment to match.
The build VMID is slot-derived (recipe base * 100 + slot index) so
parallel builds don't collide. cf-cluster-templates.sh then needed the
recipe base back, and recovered it by dividing by 100 — gated on a
>= OFFSET heuristic that coupled the slot multiplier (100) to an
unrelated, user-tunable knob (CF_TEMPLATE_VMID_OFFSET). Raising the
offset above a recipe's slot-derived id silently skipped the divide.

The base is known at the source, so stop throwing it away: cf now
exports CF_RECIPE_BASE_VMID (recipe.buildVmid) via buildRemoteEnv, which
the shell-local post-processor and CF_UPLOAD_CMD inherit. The script
reads it directly and falls back to CF_BUILT_VMID for plain non-slot
builds (where the two are equal). Removes the /100 + OFFSET decode.
suggested_vmid was set to CF_BUILT_VMID, which is the slot-derived build
id (base*100+slot) for parallel builds — so the published sidecar
suggested an absurd clone target (e.g. 400100) instead of the recipe
base. Use CF_RECIPE_BASE_VMID (falling back to CF_BUILT_VMID for plain
builds), matching the base values the manifest fixtures expect. VM ops
(vzdump/qm) keep using CF_BUILT_VMID — the actual built VM.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants