Revert CI images in GitHub (#101)

greatgitsby · mpurnell1 · commit da110a91a42b · 2026-04-19T12:08:21.000-05:00
* Revert "use versioned branch names for release images (#93)" This reverts commit a4842a7. * Revert "ci: push release images to branch instead of GitHub release (#90)" This reverts commit c937d27.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -64,6 +64,48 @@ jobs:
             build/rootfs-profile.md
           if-no-files-found: error
 
+      - name: download master baseline
+        if: github.event_name == 'pull_request'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p baseline
+          RUN_ID=$(gh run list --workflow=build.yml --branch=master \
+            --status=success --limit=1 --json databaseId --jq '.[0].databaseId')
+          if [ -n "$RUN_ID" ]; then
+            gh run download "$RUN_ID" --name rootfs-profile --dir baseline/ || true
+          fi
+
+      - name: post PR comment
+        if: github.event_name == 'pull_request'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Generate diff (gracefully handles missing baseline)
+          DIFF_MD=$(./vamos profile diff baseline/rootfs-profile.json build/rootfs-profile.json 2>/dev/null || echo "No baseline available")
+          PROFILE_MD=$(cat build/rootfs-profile.md)
+
+          # Assemble comment with hidden marker for find-and-update
+          printf -v COMMENT_BODY '%s\n%s\n\n%s\n%s\n\n---\n\n%s' \
+            '<!-- rootfs-profile-bot -->' \
+            '## vamOS System Profile' \
+            '### Changes vs master' \
+            "$DIFF_MD" \
+            "$PROFILE_MD"
+
+          # Find existing comment by marker
+          COMMENT_ID=$(gh api \
+            "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+            --jq '.[] | select(.body | contains("<!-- rootfs-profile-bot -->")) | .id' \
+            | head -1)
+
+          if [ -n "$COMMENT_ID" ]; then
+            gh api "repos/${{ github.repository }}/issues/comments/$COMMENT_ID" \
+              -X PATCH -f body="$COMMENT_BODY"
+          else
+            gh pr comment "${{ github.event.pull_request.number }}" --body "$COMMENT_BODY"
+          fi
+
   release:
     if: github.event_name == 'push'
     needs: [build-kernel, build-system]
@@ -87,48 +129,16 @@ jobs:
           name: system.erofs.img
           path: build/
 
-      - name: check deploy key
-        id: check-key
-        run: |
-          if [ -n "${{ secrets.VAMOS_IMAGES_DEPLOY_KEY }}" ]; then
-            echo "has_key=true" >> $GITHUB_OUTPUT
-          else
-            echo "has_key=false" >> $GITHUB_OUTPUT
-            echo "::warning::VAMOS_IMAGES_DEPLOY_KEY secret is not set — skipping image publish and release."
-          fi
-
       - name: generate manifest
-        if: steps.check-key.outputs.has_key == 'true'
+        env:
+          RELEASE_URL: https://github.com/${{ github.repository }}/releases/download/v${{ env.VERSION }}
         run: |
           VERSION=$(cat userspace/root/VERSION)
           echo "VERSION=$VERSION" >> $GITHUB_ENV
-          IMAGES_URL="https://github.com/${{ github.repository_owner }}/vamos-images/raw/v${VERSION}"
-          IMAGES_URL=$IMAGES_URL python3 tools/build/package_ota.py
-
-      - name: push images to vamos-images
-        if: steps.check-key.outputs.has_key == 'true'
-        uses: actions/checkout@v4
-        with:
-          repository: ${{ github.repository_owner }}/vamos-images
-          ssh-key: ${{ secrets.VAMOS_IMAGES_DEPLOY_KEY }}
-          path: vamos-images
-
-      - name: commit and tag images
-        if: steps.check-key.outputs.has_key == 'true'
-        run: |
-          TAG="v${VERSION}"
-          cd vamos-images
-          git checkout --orphan release
-          cp ../build/ota/*.img* .
-          cp ../build/ota/manifest.json .
-          git add .
-          git -c user.name="github-actions" -c user.email="actions@github.com" \
-            commit -m "release images for $TAG"
-          git tag "$TAG"
-          git push origin "refs/tags/$TAG" --force
+          RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}"
+          RELEASE_URL=$RELEASE_URL python3 tools/build/package_ota.py
 
       - name: create release
-        if: steps.check-key.outputs.has_key == 'true'
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
@@ -139,22 +149,10 @@ jobs:
           git tag -d "$TAG" 2>/dev/null || true
           git push origin ":refs/tags/$TAG" 2>/dev/null || true
 
-          MANIFEST_URL="https://github.com/${{ github.repository_owner }}/vamos-images/raw/${TAG}/manifest.json"
-
-          # Create release linking to manifest
-          NOTES="Automated release from commit ${{ github.sha }}
-
-          Manifest: ${MANIFEST_URL}"
+          # Create release with all images and manifest
           gh release create "$TAG" \
             --title "vamOS $TAG" \
             --target "${{ github.sha }}" \
-            --notes "$NOTES"
-
-      - name: post setup instructions
-        if: steps.check-key.outputs.has_key == 'false'
-        run: |
-          echo "::warning::VAMOS_IMAGES_DEPLOY_KEY is not configured. To enable image publishing:"
-          echo "::warning::1. Create a ${{ github.repository_owner }}/vamos-images repo"
-          echo "::warning::2. Generate an SSH deploy key: ssh-keygen -t ed25519 -f vamos-images-deploy-key -N \"\""
-          echo "::warning::3. Add the public key to ${{ github.repository_owner }}/vamos-images as a deploy key with write access"
-          echo "::warning::4. Add the private key as VAMOS_IMAGES_DEPLOY_KEY secret in ${{ github.repository }}"
+            --notes "Automated release from commit ${{ github.sha }}" \
+            build/ota/*.img \
+            build/ota/manifest.json
diff --git a/tools/build/package_ota.py b/tools/build/package_ota.py
@@ -12,10 +12,8 @@
 OTA_OUTPUT_DIR = OUTPUT_DIR / "ota"
 
 SECTOR_SIZE = 4096
-CHUNK_SIZE = 52_428_800  # 50 MB - must be under raw.githubusercontent.com's 100 MB limit
 
-VERSION = open(ROOT / "userspace" / "root" / "VERSION").read().strip()
-IMAGES_URL = os.environ.get("IMAGES_URL", f"https://github.com/commaai/vamos-images/raw/v{VERSION}")
+RELEASE_URL = os.environ.get("RELEASE_URL", "https://github.com/commaai/vamos/releases/download/untagged")
 
 GPT = namedtuple('GPT', ['lun', 'name', 'path', 'start_sector', 'num_sectors', 'has_ab', 'full_check'])
 GPTS = [
@@ -75,30 +73,14 @@ def process_file(entry):
   sha256.update(b'\x00' * ((SECTOR_SIZE - (size % SECTOR_SIZE)) % SECTOR_SIZE))
   ondevice_hash = sha256.hexdigest()
 
-  base_name = f"{entry.name}-{hash_raw}.img"
-
-  # Write file(s) to output directory, splitting into chunks if needed
-  chunks = None
-  if size > CHUNK_SIZE:
-    chunks = []
-    chunk_idx = 0
-    with open(entry.path, 'rb') as f:
-      while True:
-        data = f.read(CHUNK_SIZE)
-        if not data:
-          break
-        chunk_name = f"{base_name}.{chunk_idx:02d}"
-        (OTA_OUTPUT_DIR / chunk_name).write_bytes(data)
-        chunks.append({"url": f"{IMAGES_URL}/{chunk_name}", "size": len(data)})
-        print(f"  chunk {chunk_idx}: {chunk_name} ({len(data)} bytes)")
-        chunk_idx += 1
-  else:
-    print(f"  copying to {base_name}")
-    shutil.copy(entry.path, OTA_OUTPUT_DIR / base_name)
+  # Copy to output directory
+  out_fn = OTA_OUTPUT_DIR / f"{entry.name}-{hash_raw}.img"
+  print(f"  copying to {out_fn.name}")
+  shutil.copy(entry.path, out_fn)
 
   ret = {
     "name": entry.name,
-    "url": f"{IMAGES_URL}/{base_name}",
+    "url": f"{RELEASE_URL}/{out_fn.name}",
     "hash": hash,
     "hash_raw": hash_raw,
     "size": size,
@@ -108,10 +90,6 @@ def process_file(entry):
     "ondevice_hash": ondevice_hash,
   }
 
-  if chunks:
-    ret["url"] = ""
-    ret["chunks"] = chunks
-
   if isinstance(entry, GPT):
     ret["gpt"] = {
       "lun": entry.lun,
