ci: publish busybox binaries to GCS public builds bucket

.github/workflows/build.yml

@@ -6,6 +6,7 @@ on:
       - "v*"
 
 permissions:
+  id-token: write
   contents: write
 
 jobs:
@@ -44,39 +45,70 @@ jobs:
           name: busybox_${{ steps.version.outputs.tag }}_${{ matrix.arch }}
           path: builds/${{ steps.version.outputs.busybox_version }}/${{ matrix.arch }}/busybox
 
-  release:
-    name: Release
+  publish:
+    name: Publish
     needs: build
     runs-on: ubuntu-24.04
     steps:
       - name: Extract version from tag
         id: version
-        run: echo "tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
+        run: |
+          TAG="${GITHUB_REF_NAME}"
+          BUSYBOX_VERSION="${TAG#v}"
+          BUSYBOX_VERSION="${BUSYBOX_VERSION%%-*}"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "busybox_version=${BUSYBOX_VERSION}" >> "$GITHUB_OUTPUT"
 
       - name: Download artifacts
         uses: actions/download-artifact@v5
         with:
           path: artifacts
 
-      - name: Prepare release
+      - name: Prepare GCS upload
+        run: |
+          # Restructure to {version}/{arch}/busybox with SHA256 sidecar for GCS bucket layout
+          VERSION="${{ steps.version.outputs.busybox_version }}"
+          mkdir -p "gcs-upload/${VERSION}/amd64" "gcs-upload/${VERSION}/arm64"
+          for dir in artifacts/busybox_*; do
+            arch="${dir##*_}"
+            cp "$dir/busybox" "gcs-upload/${VERSION}/${arch}/busybox"
+            chmod +x "gcs-upload/${VERSION}/${arch}/busybox"
+            # Generate SHA256 sidecar for downstream verification
+            (cd "gcs-upload/${VERSION}/${arch}" && sha256sum busybox > busybox.sha256)
+          done
+          ls -laR gcs-upload/
+
+      - name: Setup GCP auth
+        id: gcp-auth
+        uses: google-github-actions/auth@v3
+        continue-on-error: true
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
+
+      - name: Upload to GCS
+        if: steps.gcp-auth.outcome == 'success'
+        uses: google-github-actions/upload-cloud-storage@v3
+        continue-on-error: true
+        with:
+          path: gcs-upload
+          destination: ${{ vars.GCP_BUCKET_NAME }}/busybox
+          gzip: false
+          parent: false
+
+      - name: Prepare GitHub release
         run: |
           TAG="${{ steps.version.outputs.tag }}"
           mkdir release
           for dir in artifacts/busybox_*; do
-            # dir name: busybox_v1.36.1-20260401_amd64
             arch="${dir##*_}"
             cp "$dir/busybox" "release/busybox_${TAG}_${arch}"
             chmod +x "release/busybox_${TAG}_${arch}"
           done
-          ls -la release/
-          for f in release/*; do
-            echo "$(basename "$f"): $(file "$f" | cut -d: -f2)"
-          done
-          # Generate checksums file for downstream verification
           cd release && sha256sum busybox_* > SHA256SUMS
           cat SHA256SUMS
 
-      - name: Create release
+      - name: Create GitHub release
         uses: softprops/action-gh-release@v2
         with:
           name: BusyBox ${{ steps.version.outputs.tag }}

.gitignore

@@ -0,0 +1,3 @@
+.env
+.tfplan
+.terraform

terraform/.env.template

@@ -0,0 +1,2 @@
+GCP_PROJECT_ID=
+PREFIX=

terraform/Makefile

@@ -0,0 +1,30 @@
+-include .env
+
+TERRAFORM_STATE_BUCKET ?= $(GCP_PROJECT_ID)-terraform-state
+
+tf_vars := TF_VAR_gcp_project_id=$(GCP_PROJECT_ID) \
+	TF_VAR_prefix=$(PREFIX)
+
+
+.PHONY: init
+init:
+	@ printf "Initializing Terraform\n\n"
+	terraform init -reconfigure -input=false -backend-config="bucket=${TERRAFORM_STATE_BUCKET}"
+
+.PHONY: plan
+plan:
+	@ printf "Planning Terraform\n\n"
+	terraform fmt -recursive
+	$(tf_vars) terraform plan -out=.tfplan -compact-warnings -detailed-exitcode
+
+.PHONY: apply
+apply:
+	@ printf "Applying Terraform\n\n"
+	$(tf_vars) \
+	terraform apply \
+	-auto-approve \
+	-input=false \
+	-compact-warnings \
+	-parallelism=20 \
+	.tfplan
+	@ rm .tfplan

terraform/main.tf

@@ -0,0 +1,91 @@
+terraform {
+  required_version = ">= 1.5.0, < 1.6.0"
+  backend "gcs" {
+    prefix = "terraform/fc-busybox-github/state"
+  }
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "5.6.0"
+    }
+    github = {
+      source  = "integrations/github"
+      version = "5.42.0"
+    }
+  }
+}
+
+provider "google" {
+  project = var.gcp_project_id
+}
+
+data "google_project" "gcp_project" {}
+
+// Workload Identity Federation for GitHub Actions
+resource "google_iam_workload_identity_pool" "github_actions_deployment" {
+  workload_identity_pool_id = "${var.prefix}gha-fc-busybox"
+  display_name              = "GHA for ${var.github_repository} FC BusyBox"
+  description               = "OIDC identity pool for build FC BusyBox ${var.github_repository} via GitHub Actions"
+}
+
+resource "google_iam_workload_identity_pool_provider" "gha_identity_pool_provider" {
+  workload_identity_pool_id          = google_iam_workload_identity_pool.github_actions_deployment.workload_identity_pool_id
+  workload_identity_pool_provider_id = "${var.prefix}gh-provider"
+  display_name                       = "E2B GHA identity pool provider"
+  attribute_mapping = {
+    "google.subject"             = "assertion.sub"
+    "attribute.actor"            = "assertion.actor"
+    "attribute.repository"       = "assertion.repository"
+    "attribute.repository_owner" = "assertion.repository_owner"
+  }
+  attribute_condition = "assertion.repository == \"${var.github_organization}/${var.github_repository}\""
+
+  oidc {
+    issuer_uri = "https://token.actions.githubusercontent.com"
+  }
+}
+
+resource "google_service_account" "fc_busybox" {
+  account_id   = "${var.prefix}fc-busybox"
+  display_name = "Service account for ${var.github_repository} FC BusyBox"
+}
+
+resource "google_storage_bucket_iam_member" "fc_busybox_bucket_iam" {
+  bucket = var.gcs_bucket_name
+  role   = "roles/storage.objectUser"
+  member = "serviceAccount:${google_service_account.fc_busybox.email}"
+}
+
+resource "google_service_account_iam_member" "gha_service_account_wif_tokencreator_iam_member" {
+  service_account_id = google_service_account.fc_busybox.name
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "principalSet://iam.googleapis.com/projects/${data.google_project.gcp_project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_actions_deployment.workload_identity_pool_id}/attribute.repository/${var.github_organization}/${var.github_repository}"
+}
+
+// GitHub secrets and variables
+data "google_secret_manager_secret_version" "github_token" {
+  secret = "${var.prefix}github-repo-token"
+}
+
+provider "github" {
+  owner = var.github_organization
+  token = data.google_secret_manager_secret_version.github_token.secret_data
+}
+
+resource "github_actions_secret" "workload_identity_provider_secret" {
+  repository      = var.github_repository
+  secret_name     = "GCP_WORKLOAD_IDENTITY_PROVIDER"
+  plaintext_value = "projects/${data.google_project.gcp_project.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.github_actions_deployment.workload_identity_pool_id}/providers/${google_iam_workload_identity_pool_provider.gha_identity_pool_provider.workload_identity_pool_provider_id}"
+}
+
+resource "github_actions_secret" "service_account_email_secret" {
+  repository      = var.github_repository
+  secret_name     = "GCP_SERVICE_ACCOUNT_EMAIL"
+  plaintext_value = google_service_account.fc_busybox.email
+}
+
+resource "github_actions_variable" "gcs_bucket_name" {
+  repository    = var.github_repository
+  value         = var.gcs_bucket_name
+  variable_name = "GCP_BUCKET_NAME"
+}

terraform/variables.tf

@@ -0,0 +1,25 @@
+variable "github_organization" {
+  type    = string
+  default = "e2b-dev"
+}
+
+variable "github_repository" {
+  type    = string
+  default = "fc-busybox"
+}
+
+variable "gcp_project_id" {
+  description = "The project to deploy the cluster in"
+  type        = string
+}
+
+variable "prefix" {
+  description = "The prefix to use for all resources in this module"
+  type        = string
+}
+
+variable "gcs_bucket_name" {
+  description = "The name of the GCS bucket to store the busybox binaries"
+  type        = string
+  default     = "e2b-prod-public-builds"
+}