Migrate CI from Cirrus CI to GitHub Actions

.github/workflows/ci.yml

@@ -0,0 +1,75 @@
+name: CI
+
+on:
+  merge_group:
+  pull_request:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.12.0
+          only-new-issues: true
+
+  test-linux:
+    name: Test (Linux)
+    runs-on: ghcr.io/cirruslabs/ubuntu-runner-amd64:24.04-md
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Check out Vetu
+        uses: actions/checkout@v6
+        with:
+          repository: openai/vetu
+          path: _vetu
+      - name: Build Vetu
+        working-directory: _vetu
+        run: |
+          go build -o "$RUNNER_TEMP/vetu" cmd/vetu/main.go
+          sudo setcap cap_net_raw,cap_net_admin+eip "$RUNNER_TEMP/vetu"
+          echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
+      - name: Pre-pull default Vetu image
+        run: vetu pull ghcr.io/cirruslabs/ubuntu-runner-amd64:latest
+      - name: Run tests
+        run: go test -v -count=1 ./...
+
+  test-macos:
+    name: Test (macOS)
+    runs-on: ghcr.io/cirruslabs/macos-runner:tahoe
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Pre-pull default Tart image
+        run: tart pull ghcr.io/cirruslabs/macos-tahoe-base:latest
+      - name: Run tests
+        run: go test -timeout=20m -ldflags="-B gobuildid" -v -count=1 ./...
+      - name: Clean up test VMs
+        if: always()
+        run: |
+          tart list
+          rm -rf ~/.tart/vms/orchard-*

.github/workflows/release.yml

@@ -0,0 +1,81 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "*"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: ${{ github.ref_type == 'tag' && 'Release Binaries' || 'Release Binaries (Dry Run)' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    env:
+      GITHUB_TOKEN: ${{ secrets.GH_PAT }}
+      GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+      MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
+      MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
+      MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
+      MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
+      MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+      - name: Release
+        if: github.ref_type == 'tag'
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser-pro
+          version: "~> v2"
+          args: release --clean
+      - name: Release dry run
+        if: github.ref_type != 'tag'
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser-pro
+          version: "~> v2"
+          args: release --skip=publish --snapshot --clean
+      - name: Upload dry-run artifacts
+        if: github.ref_type != 'tag'
+        uses: actions/upload-artifact@v6
+        with:
+          name: orchard-snapshot
+          path: dist/**
+
+  docker:
+    name: Release Docker Image
+    if: github.ref_type == 'tag'
+    needs: release
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v6
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+      - uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/openai/orchard:${{ github.ref_name }}
+            ghcr.io/openai/orchard:latest
+          build-args: |
+            VERSION=${{ github.ref_name }}
+            COMMIT=${{ github.sha }}

.golangci.yml

@@ -1,24 +1,30 @@
-version: 2
+version: "2"
 
 run:
   timeout: 5m
 
-linters-settings:
-  # Even in Rust you can get away with partial matching,
-  # so make sure that the linter respects the programmer's
-  # intent expressed in the form of "default" case.
-  exhaustive:
-    default-signifies-exhaustive: true
-
-  gosec:
-    excludes:
-      - G115
-
 formatters:
-  enable-all: true
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+    - golines
+    - swaggo
 
 linters:
-  enable-all: true
+  default: all
+
+  settings:
+    # Even in Rust you can get away with partial matching,
+    # so make sure that the linter respects the programmer's
+    # intent expressed in the form of "default" case.
+    exhaustive:
+      default-signifies-exhaustive: true
+
+    gosec:
+      excludes:
+        - G115
 
   disable:
     # We don't have high-performance requirements at this moment, so sacrificing

.goreleaser.yml

@@ -23,36 +23,15 @@ builds:
 
 archives:
   - id: binary
-    format: binary
+    formats:
+      - binary
     name_template: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
   - id: regular
     name_template: "{{ .ProjectName }}-{{ .Os }}-{{ .Arch }}"
 
 release:
   prerelease: auto
 
-nfpms:
-  - package_name: orchard-controller
-    vendor: Cirrus Labs, Inc.
-    homepage: https://github.com/cirruslabs/orchard
-    maintainer: support@cirruslabs.org
-    description: Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices
-    section: misc
-    formats:
-      - deb
-      - rpm
-    contents:
-      - src: packaging/orchard-controller.service
-        dst: /lib/systemd/system/orchard-controller.service
-        type: config
-    scripts:
-      postinstall: packaging/postinstall.sh
-      preremove: packaging/preremove.sh
-      postremove: packaging/postremove.sh
-
-furies:
-  - account: cirruslabs
-
 notarize:
   macos:
     - enabled: '{{ isEnvSet "MACOS_SIGN_P12" }}'
@@ -75,6 +54,6 @@ brews:
       bin.install "orchard"
       generate_completions_from_executable(bin/"orchard", "completion")
     caveats: See the Github repository for more information
-    homepage: https://github.com/cirruslabs/orchard
+    homepage: https://github.com/openai/orchard
     description: Orchestrator for running Tart Virtual Machines on a cluster of Apple Silicon devices
     skip_upload: auto

Dockerfile

@@ -1,22 +1,29 @@
-FROM golang:latest AS builder
+FROM golang:1.25 AS builder
 
-# Install GoReleaser Pro
-RUN echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | tee /etc/apt/sources.list.d/goreleaser.list
-RUN apt update && apt -y install goreleaser-pro
+WORKDIR /src
 
-WORKDIR /tmp/orchard
-ADD . /tmp/orchard/
+COPY go.mod go.sum ./
+RUN go mod download
 
-RUN goreleaser build --single-target --snapshot --timeout 60m
+COPY . .
+
+ARG VERSION=dev
+ARG COMMIT=unknown
+
+RUN CGO_ENABLED=0 go build \
+    -trimpath \
+    -ldflags="-X github.com/cirruslabs/orchard/internal/version.Version=${VERSION} -X github.com/cirruslabs/orchard/internal/version.Commit=${COMMIT} -B gobuildid" \
+    -o /out/orchard \
+    cmd/orchard/main.go
 
 FROM gcr.io/distroless/base
 
-LABEL org.opencontainers.image.source=https://github.com/cirruslabs/orchard
+LABEL org.opencontainers.image.source=https://github.com/openai/orchard
 ENV GIN_MODE=release
 ENV ORCHARD_HOME=/data
 EXPOSE 6120
 
-COPY --from=builder /tmp/orchard/dist/linux_*/orchard_linux_*/orchard /bin/orchard
+COPY --from=builder /out/orchard /bin/orchard
 
 ENTRYPOINT ["/bin/orchard"]