u

Signed-off-by: Joe Isaacs <[email protected]>

Author: joseph-isaacs

.github/actions/build-ami/action.yml

@@ -0,0 +1,203 @@
+name: "Build Vortex CI AMI"
+description: "Build a custom Amazon Machine Image for Vortex CI runners"
+
+inputs:
+  arch:
+    description: "Target architecture: x64 or arm64"
+    required: true
+  aws-region:
+    description: "AWS region to build AMI in"
+    required: false
+    default: "us-east-1"
+  ami-prefix:
+    description: "Prefix for AMI name"
+    required: false
+    default: "vortex-ci"
+  retention-days:
+    description: "Number of days before AMI is deprecated"
+    required: false
+    default: "30"
+  rust-toolchain:
+    description: "Rust toolchain version (reads from rust-toolchain.toml if empty)"
+    required: false
+    default: ""
+  protoc-version:
+    description: "Protocol Buffers compiler version"
+    required: false
+    default: "29.3"
+  flatc-version:
+    description: "FlatBuffers compiler version"
+    required: false
+    default: "25.9.23"
+
+outputs:
+  ami-id:
+    description: "The ID of the built AMI"
+    value: ${{ steps.create-ami.outputs.ami_id }}
+  ami-name:
+    description: "The name of the built AMI"
+    value: ${{ steps.create-ami.outputs.ami_name }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Resolve Rust Toolchain
+      id: toolchain
+      shell: bash
+      run: |
+        if [ -n "${{ inputs.rust-toolchain }}" ]; then
+          echo "version=${{ inputs.rust-toolchain }}" >> $GITHUB_OUTPUT
+        elif [ -f rust-toolchain.toml ]; then
+          VERSION=$(grep channel rust-toolchain.toml | awk -F'"' '{print $2}')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+        else
+          echo "version=stable" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Install dependencies
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+          build-essential \
+          curl \
+          git \
+          ca-certificates \
+          pkg-config \
+          libssl-dev \
+          cmake \
+          ninja-build \
+          clang \
+          lld \
+          llvm \
+          jq \
+          unzip \
+          zip \
+          zstd \
+          python3 \
+          python3-pip \
+          python3-venv \
+          libicu74 \
+          libkrb5-3 \
+          zlib1g \
+          libcurl4-openssl-dev
+
+    - name: Install mold linker
+      shell: bash
+      run: |
+        MOLD_VERSION=$(curl -s https://api.github.com/repos/rui314/mold/releases/latest | jq -r .tag_name | sed 's/v//')
+        ARCH=$(uname -m)
+        curl -fsSL "https://github.com/rui314/mold/releases/download/v${MOLD_VERSION}/mold-${MOLD_VERSION}-${ARCH}-linux.tar.gz" \
+          | sudo tar -xz -C /usr/local --strip-components=1
+        mold --version
+
+    - name: Install Rust
+      shell: bash
+      env:
+        RUST_TOOLCHAIN: ${{ steps.toolchain.outputs.version }}
+      run: |
+        curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "$RUST_TOOLCHAIN"
+        source "$HOME/.cargo/env"
+        rustup component add clippy rustfmt
+        rustup toolchain install nightly --component rustfmt clippy rust-src miri llvm-tools-preview
+        cargo --version
+        rustc --version
+
+    - name: Install protoc
+      shell: bash
+      env:
+        PROTOC_VERSION: ${{ inputs.protoc-version }}
+      run: |
+        ARCH=$(uname -m)
+        if [ "$ARCH" = "x86_64" ]; then PROTOC_ARCH=linux-x86_64; else PROTOC_ARCH=linux-aarch_64; fi
+        curl -fsSL -o /tmp/protoc.zip "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-${PROTOC_ARCH}.zip"
+        sudo unzip -o /tmp/protoc.zip -d /usr/local bin/protoc 'include/*'
+        sudo chmod +x /usr/local/bin/protoc
+        rm /tmp/protoc.zip
+        protoc --version
+
+    - name: Install flatc
+      shell: bash
+      env:
+        FLATC_VERSION: ${{ inputs.flatc-version }}
+      run: |
+        ARCH=$(uname -m)
+        if [ "$ARCH" = "x86_64" ]; then
+          curl -fsSL -o /tmp/flatc.zip "https://github.com/nicholasguan/flatbuffers/releases/download/v${FLATC_VERSION}/Linux.flatc.binary.clang++-18.zip"
+          sudo unzip -o /tmp/flatc.zip -d /usr/local/bin
+          sudo chmod +x /usr/local/bin/flatc
+          rm /tmp/flatc.zip
+        else
+          git clone --depth 1 --branch "v${FLATC_VERSION}" https://github.com/google/flatbuffers.git /tmp/flatbuffers
+          cd /tmp/flatbuffers && cmake -G Ninja -DCMAKE_BUILD_TYPE=Release && ninja
+          sudo cp flatc /usr/local/bin/
+          rm -rf /tmp/flatbuffers
+        fi
+        flatc --version
+
+    - name: Install sccache
+      shell: bash
+      run: |
+        SCCACHE_VERSION=$(curl -s https://api.github.com/repos/mozilla/sccache/releases/latest | jq -r .tag_name | sed 's/v//')
+        ARCH=$(uname -m)
+        if [ "$ARCH" = "x86_64" ]; then SCCACHE_ARCH=x86_64-unknown-linux-musl; else SCCACHE_ARCH=aarch64-unknown-linux-musl; fi
+        curl -fsSL "https://github.com/mozilla/sccache/releases/download/v${SCCACHE_VERSION}/sccache-v${SCCACHE_VERSION}-${SCCACHE_ARCH}.tar.gz" \
+          | sudo tar -xz -C /usr/local/bin --strip-components=1 "sccache-v${SCCACHE_VERSION}-${SCCACHE_ARCH}/sccache"
+        sudo chmod +x /usr/local/bin/sccache
+        sccache --version
+
+    - name: Install cargo tools
+      shell: bash
+      run: |
+        source "$HOME/.cargo/env"
+        cargo install cargo-nextest --locked
+        cargo install cargo-hack --locked
+        cargo install grcov --locked
+
+    - name: Setup environment
+      shell: bash
+      run: |
+        echo 'source $HOME/.cargo/env' >> "$HOME/.bashrc"
+        echo 'export PATH=$HOME/.cargo/bin:/usr/local/bin:$PATH' >> "$HOME/.bashrc"
+
+    - name: Get instance ID
+      id: instance
+      shell: bash
+      run: |
+        INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
+        echo "instance_id=$INSTANCE_ID" >> $GITHUB_OUTPUT
+
+    - name: Create AMI
+      id: create-ami
+      shell: bash
+      env:
+        AWS_REGION: ${{ inputs.aws-region }}
+        AMI_PREFIX: ${{ inputs.ami-prefix }}
+        ARCH: ${{ inputs.arch }}
+        RETENTION_DAYS: ${{ inputs.retention-days }}
+      run: |
+        TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+        AMI_NAME="${AMI_PREFIX}-${ARCH}-${TIMESTAMP}"
+        DEPRECATION_TIME=$(date -u -d "+${RETENTION_DAYS} days" +%Y-%m-%dT%H:%M:%SZ)
+
+        echo "Creating AMI: $AMI_NAME"
+        AMI_ID=$(aws ec2 create-image \
+          --instance-id "${{ steps.instance.outputs.instance_id }}" \
+          --name "$AMI_NAME" \
+          --description "Vortex CI runner image for ${ARCH}" \
+          --no-reboot \
+          --tag-specifications "ResourceType=image,Tags=[{Key=Name,Value=$AMI_NAME},{Key=Environment,Value=ci},{Key=Arch,Value=$ARCH},{Key=ManagedBy,Value=github-actions}]" \
+          --query 'ImageId' \
+          --output text)
+
+        echo "Waiting for AMI to be available..."
+        aws ec2 wait image-available --image-ids "$AMI_ID"
+
+        echo "Setting deprecation time to $DEPRECATION_TIME"
+        aws ec2 enable-image-deprecation \
+          --image-id "$AMI_ID" \
+          --deprecate-at "$DEPRECATION_TIME"
+
+        echo "ami_id=$AMI_ID" >> $GITHUB_OUTPUT
+        echo "ami_name=$AMI_NAME" >> $GITHUB_OUTPUT
+        echo "AMI created: $AMI_ID ($AMI_NAME)"

.github/runs-on.yml

@@ -1,11 +1,17 @@
+# Custom AMIs for Vortex CI runners
+# These AMIs are automatically rebuilt every 15 days by the ami-prebuild.yml workflow
+# to keep the GitHub Actions runner agent up to date (required to be <30 days old).
+#
+# AMI naming pattern: vortex-ci-{arch}-{timestamp}
+# Built with: .github/actions/build-ami and .github/packer/vortex-ci.pkr.hcl
 images:
   vortex-ci-amd64:
     platform: "linux"
     arch: "x64"
-    name: "vortex-ci-*"
+    name: "vortex-ci-x64-*"
     owner: "375504701696"
   vortex-ci-arm64:
     platform: "linux"
     arch: "arm64"
-    name: "vortex-ci-*"
+    name: "vortex-ci-arm64-*"
     owner: "375504701696"

.github/workflows/ami-prebuild.yml

@@ -0,0 +1,109 @@
+name: AMI Prebuild
+
+# Schedule to run every 15 days to keep runner agent up to date
+# GitHub stops routing jobs to runners with agents older than 30 days
+on:
+  schedule:
+    # Run at 00:00 UTC on the 1st and 16th of each month (~15 days apart)
+    - cron: "0 0 1,16 * *"
+  workflow_dispatch:
+    inputs:
+      arch:
+        description: "Architecture to build (leave empty for both)"
+        required: false
+        type: choice
+        options:
+          - ""
+          - x64
+          - arm64
+      retention-days:
+        description: "Days until AMI deprecation"
+        required: false
+        type: number
+        default: 30
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  AWS_REGION: us-east-1
+
+jobs:
+  build-x64:
+    name: "Build AMI (x64)"
+    if: ${{ github.event.inputs.arch == '' || github.event.inputs.arch == 'x64' }}
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - family=m7i+m7i-flex+m7a
+      - cpu=4
+      - image=ubuntu24-full-x64
+      - tag=ami-prebuild-x64
+    timeout-minutes: 60
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::375504701696:role/GitHubAMIBuilderRole
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Build AMI
+        id: build
+        uses: ./.github/actions/build-ami
+        with:
+          arch: x64
+          aws-region: ${{ env.AWS_REGION }}
+          retention-days: ${{ inputs.retention-days || '30' }}
+
+      - name: Summary
+        run: |
+          echo "## AMI Build Complete (x64)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **AMI ID:** ${{ steps.build.outputs.ami-id }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **AMI Name:** ${{ steps.build.outputs.ami-name }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Deprecation:** ${{ inputs.retention-days || '30' }} days" >> $GITHUB_STEP_SUMMARY
+
+  build-arm64:
+    name: "Build AMI (arm64)"
+    if: ${{ github.event.inputs.arch == '' || github.event.inputs.arch == 'arm64' }}
+    runs-on:
+      - runs-on=${{ github.run_id }}
+      - family=m7g
+      - cpu=4
+      - image=ubuntu24-full-arm64
+      - tag=ami-prebuild-arm64
+    timeout-minutes: 60
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::375504701696:role/GitHubAMIBuilderRole
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Build AMI
+        id: build
+        uses: ./.github/actions/build-ami
+        with:
+          arch: arm64
+          aws-region: ${{ env.AWS_REGION }}
+          retention-days: ${{ inputs.retention-days || '30' }}
+
+      - name: Summary
+        run: |
+          echo "## AMI Build Complete (arm64)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **AMI ID:** ${{ steps.build.outputs.ami-id }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **AMI Name:** ${{ steps.build.outputs.ami-name }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Deprecation:** ${{ inputs.retention-days || '30' }} days" >> $GITHUB_STEP_SUMMARY