Skip to content

Commit 7c017bc

Browse files
MagicalTuxclaude
andcommitted
Add a headless Linux -server build (no GUI, no auto-update) to releases
Server operators can't run the default release binary: it's built with the gui feature and dynamically links GTK, so it won't start on a box without a display stack. Add a console variant. - New CI job build-server: cargo build --release (no gui) → decryptd-linux-x86_64-server.tar.gz, attached to the release. Only the archive is uploaded (no triple-named raw binary), so rsupd publish --ci ignores it and it stays out of the signed update package. - Gate the auto-updater behind the gui feature. The console build has no updater: the master channel carries the GTK-linked GUI binary, so a headless build must never pull from it. Operators update by re-downloading. (RSUPD_FINGERPRINT/build_updater are now gui-only.) - The console build keeps the CWD-relative ./decryptd-data default (the per-user data dir default is GUI-only, from 0.1.12). Both feature sets build clean; server binary smoke-run (claim → run). Bump version to 0.1.13. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent dfc7246 commit 7c017bc

4 files changed

Lines changed: 51 additions & 7 deletions

File tree

.github/workflows/build.yml

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -90,3 +90,41 @@ jobs:
9090
name: ${{ matrix.target }}
9191
path: target/release/${{ matrix.bin }}
9292
if-no-files-found: error
93+
94+
# Headless console build for servers: no GUI/tray, and — by design — no
95+
# auto-updater (the `master` update channel carries the GTK-linked GUI binary,
96+
# which won't start on a headless box). Shipped as a download-only release asset;
97+
# operators upgrade by re-downloading. Only the .tar.gz is uploaded (no
98+
# triple-named raw binary), so `rsupd publish --ci` never stages it into the
99+
# signed update package.
100+
build-server:
101+
name: linux-x86_64-server
102+
runs-on: ubuntu-latest
103+
steps:
104+
- uses: actions/checkout@v4
105+
106+
- uses: dtolnay/rust-toolchain@stable
107+
108+
- uses: Swatinem/rust-cache@v2
109+
110+
# build.rs links libcuda regardless of the GUI feature, so the CUDA toolkit
111+
# is still needed to resolve the driver symbols at link time.
112+
- name: Install CUDA toolkit
113+
uses: Jimver/cuda-toolkit@v0.2.35
114+
id: cuda
115+
with:
116+
cuda: "12.6.0"
117+
118+
- name: Build (console, no GUI)
119+
run: cargo build --release --locked
120+
121+
- name: Package (→ tar.gz)
122+
run: |
123+
mkdir -p dist
124+
tar -czf "dist/decryptd-linux-x86_64-server.tar.gz" -C target/release decryptd
125+
126+
- uses: actions/upload-artifact@v4
127+
with:
128+
name: decryptd-linux-x86_64-server.tar.gz
129+
path: dist/decryptd-linux-x86_64-server.tar.gz
130+
if-no-files-found: error

Cargo.lock

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "decryptd"
3-
version = "0.1.12"
3+
version = "0.1.13"
44
edition = "2024"
55
license = "Proprietary"
66
authors = ["Karpeles Lab Inc"]

src/main.rs

Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -921,13 +921,15 @@ fn upload_loop(ctx: RestContext, inflight: InFlight, done: Arc<Mutex<Receiver<Fi
921921
/// Trust anchor for self-updates: the SHA-256 fingerprint of the decryptd
922922
/// release signing key (`rsupd id export`). It's a hash of a public key, so it's
923923
/// safe to embed; the updater refuses any manifest not signed by the matching
924-
/// private identity.
924+
/// private identity. GUI-build only — the console `-server` build has no updater.
925+
#[cfg(feature = "gui")]
925926
const RSUPD_FINGERPRINT: &str = "80b9edc7e6eaebf10b2a25bb10556b9b7fa6abc9fbe556706a2b680cefa4a0fc";
926927

927928
/// Build the signed auto-updater. The transport (dist-go over rsurl) and channel
928929
/// (`master`) default from the fingerprint, so the anchor is the only required
929930
/// input. The git stamps from `build.rs` let it also spot a newer build of the
930-
/// same version (and never reinstall the identical build).
931+
/// same version (and never reinstall the identical build). GUI-build only.
932+
#[cfg(feature = "gui")]
931933
fn build_updater() -> rsupd::Result<rsupd::Updater> {
932934
rsupd::Updater::builder(env!("CARGO_PKG_NAME"), env!("CARGO_PKG_VERSION"))
933935
.fingerprint_hex(RSUPD_FINGERPRINT)
@@ -943,9 +945,13 @@ fn main() -> Result<()> {
943945
let args = RunArgs::parse();
944946
let status = Status::default();
945947

946-
// Long-lived workers keep themselves current: check hourly in the background
947-
// and restart into each new signed build. `--once` is short-lived, so it
948-
// skips the updater.
948+
// Self-update is a GUI-build feature only. The headless `-server` build ships
949+
// without it (operators update by re-downloading) — the master update channel
950+
// carries the GTK-linked GUI binary, which wouldn't even start on a server, so
951+
// a console build must never pull from it. Long-lived GUI workers keep
952+
// themselves current: check hourly in the background and restart into each new
953+
// signed build. `--once` is short-lived, so it skips the updater.
954+
#[cfg(feature = "gui")]
949955
if !args.once {
950956
match build_updater() {
951957
Ok(updater) => {

0 commit comments

Comments
 (0)