ci: add GitHub Actions CI workflow with lint, test, and image build #1
Merged
Conversation

Commits 2698555 to bda31e5
…action
Use docker/setup-buildx-action@v3 wrapped in a local composite action to create the multi-arch remote BuildKit builder. This ensures automatic cleanup of builder nodes when the job finishes, preventing leaked BuildKit instances on self-hosted runners.
Declare the ARG before mise install so authenticated GitHub API requests avoid rate limits when fetching tool versions.
This was referenced Mar 5, 2026
drew added a commit that referenced this pull request, Mar 16, 2026
TylerBarkley added a commit to TylerBarkley/OpenShell that referenced this pull request, Mar 24, 2026
Implement the final integration for GPU passthrough support:
- Add put_vfio_device() API function for PUT /vfio/{device_id}
- Wire prepare_gpu_attachment() into do_create_inner()
- Enable supports_gpu in Firecracker capabilities
- Update spec compatibility checks and tests
This completes blockers NVIDIA#1 (GPU attachment not wired) and NVIDIA#2
(VFIO device attachment API not implemented).
Signed-off-by: OpenCode Agent <opencode@nvidia.com>
factory-octavian pushed a commit to factory-octavian/OpenShell that referenced this pull request, Mar 31, 2026
…DIA#5)
- Add SPDX copyright header to .github/workflows/dco.yml
- Add DCO sign-off requirement section to CONTRIBUTING.md
- Create THIRD-PARTY-NOTICES with all third-party dependencies
- Include .github/ in license header CI check scope
ben-alkov pushed a commit to ben-alkov/OpenShell that referenced this pull request, Apr 13, 2026
feat(podman): add Podman support as alternative container runtime
ben-alkov pushed a commit to ben-alkov/OpenShell that referenced this pull request, Apr 13, 2026
docs(podman): Add macOS installation guide and Podman build compatibility
mrunalp added a commit to mrunalp/OpenShell that referenced this pull request, Apr 18, 2026
1. Separate client_id from audience (Critical/High, findings NVIDIA#1/NVIDIA#3):
   - Add oidc_audience field to GatewayMetadata separate from oidc_client_id
   - Bootstrap stores client_id and audience independently
   - Fixes the conflation that made the docs overstate provider portability
2. Skip list risk documentation (Critical, finding NVIDIA#2):
   - The skip list is by design for sandbox supervisor RPCs which use SSH handshake secrets. Noted for future hardening with per-sandbox credentials.
3. Reject partial-empty RBAC config (Medium, finding NVIDIA#4):
   - AuthzPolicy::validate() rejects configs where only one of admin_role/user_role is set
   - Server validates at startup before accepting requests
   - Prevents silently opening admin endpoints to any authenticated user
4. Preserve refresh token on refresh (Medium, finding NVIDIA#5):
   - oidc_refresh_token() keeps the old refresh_token when the server doesn't return a new one, per OAuth 2.0 spec
5. Additional concerns:
   - Percent-decode callback query parameters (code, state, error)
   - Drop scope=openid from client_credentials flow
   - Use /dev/urandom for PKCE verifier/state on Unix
   - Validate discovery issuer matches configured issuer (both server and CLI) to prevent SSRF/misdirection
   - Wire RBAC config (rolesClaim, adminRole, userRole) through Helm values and statefulset template
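Three of the checks in the commit message above (rejecting a half-configured RBAC policy, keeping the old refresh token when the token endpoint omits one, and comparing the discovery issuer against the configured issuer) are small enough to show end to end. The block below is an added illustration, not OpenShell's own code: the `AuthzPolicy`, `ConfigError` and `TokenSet` shapes, the function names and every sample value are assumptions made for the example.

```rust
// Added illustration, not OpenShell's own code. It reconstructs three of the
// checks the commit message above describes; every type, function and sample
// value here is an assumption made for the example.

/// Role-based access settings read from configuration (hypothetical shape).
#[derive(Debug, Clone, PartialEq)]
pub struct AuthzPolicy {
    pub roles_claim: String,
    pub admin_role: Option<String>,
    pub user_role: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    /// Exactly one of admin_role/user_role was set.
    PartialRbacConfig,
    /// The discovery document's `issuer` differs from the configured issuer.
    IssuerMismatch { configured: String, discovered: String },
}

impl AuthzPolicy {
    /// Reject a half-configured policy. If only admin_role were set, the
    /// missing user_role would otherwise default to "any authenticated user"
    /// and admin endpoints would open silently; run this before serving.
    pub fn validate(&self) -> Result<(), ConfigError> {
        match (&self.admin_role, &self.user_role) {
            (Some(_), None) | (None, Some(_)) => Err(ConfigError::PartialRbacConfig),
            _ => Ok(()),
        }
    }
}

/// OpenID Connect Discovery requires the `issuer` in the discovery document to
/// be identical to the issuer URL the document was fetched for; anything else
/// means the client was misdirected. Exact string comparison, no normalisation.
pub fn check_discovery_issuer(configured: &str, discovered: &str) -> Result<(), ConfigError> {
    if configured == discovered {
        Ok(())
    } else {
        Err(ConfigError::IssuerMismatch {
            configured: configured.to_string(),
            discovered: discovered.to_string(),
        })
    }
}

/// Subset of an OAuth 2.0 token endpoint response (RFC 6749 section 5.1).
#[derive(Debug, Clone, PartialEq)]
pub struct TokenSet {
    pub access_token: String,
    pub refresh_token: Option<String>,
}

/// Merge a refresh response into the stored token set. RFC 6749 section 6
/// lets the server omit refresh_token on refresh; dropping the old one would
/// force a full re-login as soon as the new access token expires.
pub fn apply_refresh(stored: &TokenSet, response: TokenSet) -> TokenSet {
    TokenSet {
        access_token: response.access_token,
        refresh_token: response.refresh_token.or_else(|| stored.refresh_token.clone()),
    }
}

fn main() {
    // Constructed sample values.
    let partial = AuthzPolicy {
        roles_claim: "roles".to_string(),
        admin_role: Some("openshell-admin".to_string()),
        user_role: None,
    };
    println!("partial policy: {:?}", partial.validate());

    println!(
        "issuer check: {:?}",
        check_discovery_issuer("https://idp.example/realm", "https://idp.example/other")
    );

    let stored = TokenSet { access_token: "at-old".to_string(), refresh_token: Some("rt-1".to_string()) };
    let refreshed = apply_refresh(&stored, TokenSet { access_token: "at-new".to_string(), refresh_token: None });
    println!("after refresh: {:?}", refreshed);
}
```

The validate step only makes sense if it runs before the listener opens; a policy that fails validation at startup is a deployment error, whereas the same policy discovered at request time has already been serving with the wrong default.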
mrunalp added a commit to mrunalp/OpenShell that referenced this pull request, Apr 18, 2026
1. Critical: sandbox RPCs now require x-sandbox-secret header (NVIDIA#1):
   - Split skip list into unauthenticated (health/reflection) and sandbox-secret (supervisor RPCs) categories
   - Sandbox RPCs require x-sandbox-secret header matching the server's SSH handshake secret
   - Sandbox gRPC client injects the secret via SandboxSecretInterceptor
   - Unauthenticated network callers can no longer reach sandbox RPCs
2. High: complete client_id vs audience separation (NVIDIA#2):
   - Add --oidc-audience flag to gateway add (separate from --oidc-client-id)
   - Store oidc_audience in gateway metadata independently
   - Thread audience through bootstrap metadata correctly
3. Medium: propagate RBAC settings through bootstrap (NVIDIA#3):
   - Add oidc_roles_claim, oidc_admin_role, oidc_user_role to DeployOptions
   - Pass OIDC_ROLES_CLAIM, OIDC_ADMIN_ROLE, OIDC_USER_ROLE env vars through Docker container → cluster-entrypoint.sh → HelmChart manifest
   - Full provider-neutral RBAC config now works via gateway start
4. Low: cross-platform CSPRNG (NVIDIA#4):
   - Replace /dev/urandom + RandomState fallback with getrandom crate
   - Works correctly on all platforms (Linux, macOS, Windows)
mrunalp added a commit to mrunalp/OpenShell that referenced this pull request, Apr 18, 2026
1. High: UpdateConfig dual-auth for sandbox policy sync (NVIDIA#1):
   - Add DUAL_AUTH_METHODS list for RPCs that accept either Bearer token (CLI users) or sandbox secret (supervisor)
   - UpdateConfig now works for both CLI policy mutations and sandbox startup policy sync in OIDC deployments
2. Medium: end-to-end client_id vs audience separation (NVIDIA#2):
   - Thread optional audience parameter through oidc_browser_auth_flow and oidc_client_credentials_flow
   - gateway login reads oidc_audience from metadata and passes it to the auth/token requests
   - Adds audience parameter to authorization URL for providers that require it (Entra ID)
3. Medium: gateway start exposes full OIDC RBAC config (NVIDIA#3):
   - Add --oidc-client-id, --oidc-roles-claim, --oidc-admin-role, --oidc-user-role flags to gateway start
   - Thread all values through gateway_admin_deploy into DeployOptions
   - Stop hardcoding "openshell-cli" as client_id in bootstrap metadata
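The previous two commit messages describe splitting the old skip list into four credential classes: unauthenticated (health/reflection), sandbox-secret (supervisor RPCs), dual-auth (UpdateConfig, Bearer token or sandbox secret) and Bearer-only for everything else. The block below is an added illustration of that classification as a server-side gate, not OpenShell's own interceptor: `AuthGate`, `AuthClass`, the method paths and all sample values are assumptions made for the example, and `bearer_valid` stands in for real OIDC token verification.

```rust
// Added illustration, not OpenShell's own code. It models the per-RPC
// credential classes described in the two commit messages above
// (unauthenticated, sandbox-secret, dual-auth, bearer); type names, method
// paths and sample values are assumptions made for the example.

use std::collections::HashMap;

/// Which credential(s) a gRPC method accepts.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum AuthClass {
    /// Health and reflection: no credential needed.
    Unauthenticated,
    /// Supervisor RPCs: x-sandbox-secret must match the server's handshake secret.
    SandboxSecret,
    /// Accepts either a Bearer token (CLI) or the sandbox secret (supervisor).
    DualAuth,
    /// Everything else: Bearer token only.
    Bearer,
}

#[derive(Debug, PartialEq)]
pub enum AuthDecision {
    Allow,
    Deny(&'static str),
}

pub struct AuthGate {
    sandbox_secret: String,
    unauthenticated: Vec<&'static str>,
    sandbox_secret_methods: Vec<&'static str>,
    dual_auth_methods: Vec<&'static str>,
}

/// Compare secrets without leaking where they first differ through timing.
fn secrets_match(a: &str, b: &str) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.bytes().zip(b.bytes()).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl AuthGate {
    /// Constructed method lists; a real server would load these from config.
    pub fn new(sandbox_secret: String) -> Self {
        AuthGate {
            sandbox_secret,
            unauthenticated: vec![
                "/grpc.health.v1.Health/Check",
                "/grpc.reflection.v1.ServerReflection/ServerReflectionInfo",
            ],
            sandbox_secret_methods: vec!["/sandbox.Supervisor/Report"],
            dual_auth_methods: vec!["/gateway.Gateway/UpdateConfig"],
        }
    }

    /// Anything not explicitly listed falls through to Bearer-only, so a new
    /// RPC is protected by default rather than exposed by omission.
    pub fn classify(&self, method: &str) -> AuthClass {
        if self.unauthenticated.iter().any(|m| *m == method) {
            AuthClass::Unauthenticated
        } else if self.sandbox_secret_methods.iter().any(|m| *m == method) {
            AuthClass::SandboxSecret
        } else if self.dual_auth_methods.iter().any(|m| *m == method) {
            AuthClass::DualAuth
        } else {
            AuthClass::Bearer
        }
    }

    /// `headers` are lowercase gRPC metadata keys; `bearer_valid` stands in
    /// for OIDC token verification (signature, issuer, audience, expiry).
    pub fn check(
        &self,
        method: &str,
        headers: &HashMap<String, String>,
        bearer_valid: &dyn Fn(&str) -> bool,
    ) -> AuthDecision {
        let has_secret = headers
            .get("x-sandbox-secret")
            .map_or(false, |s| secrets_match(s, &self.sandbox_secret));
        let has_bearer = headers
            .get("authorization")
            .and_then(|v| v.strip_prefix("Bearer "))
            .map_or(false, |t| bearer_valid(t));

        match self.classify(method) {
            AuthClass::Unauthenticated => AuthDecision::Allow,
            AuthClass::SandboxSecret if has_secret => AuthDecision::Allow,
            AuthClass::SandboxSecret => AuthDecision::Deny("missing or invalid x-sandbox-secret"),
            AuthClass::DualAuth if has_secret || has_bearer => AuthDecision::Allow,
            AuthClass::DualAuth => AuthDecision::Deny("requires bearer token or sandbox secret"),
            AuthClass::Bearer if has_bearer => AuthDecision::Allow,
            AuthClass::Bearer => AuthDecision::Deny("missing or invalid bearer token"),
        }
    }
}

fn main() {
    // Constructed sample secret, token and metadata.
    let gate = AuthGate::new("constructed-handshake-secret".to_string());
    let bearer_valid = |t: &str| t == "constructed-valid-token";
    let mut headers = HashMap::new();
    println!("{:?}", gate.check("/sandbox.Supervisor/Report", &headers, &bearer_valid));
    headers.insert("x-sandbox-secret".to_string(), "constructed-handshake-secret".to_string());
    println!("{:?}", gate.check("/sandbox.Supervisor/Report", &headers, &bearer_valid));
    println!("{:?}", gate.check("/gateway.Gateway/CreateSandbox", &headers, &bearer_valid));
}
```

The point of the fall-through arm is the one the first commit message makes: with a single skip list, every entry on it was reachable by unauthenticated network callers, whereas with explicit classes a method has to be named to gain anything weaker than Bearer-only.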
Summary
- .github/workflows/ci.yml with lint, rust-test, python-test, and CI image build jobs
- build/scripts/ci-image.sh for local + CI docker image builds
- docker:buildx:setup mise task for multi-arch remote BuildKit configuration
- docker:build:ci mise task to use the new script