Add pre-built runtime artifacts infrastructure

Add builder container image, release workflow, and Taskfile tasks
for building and distributing propolis-runner, libkrun, and
libkrunfw as pre-built artifacts. Consumers can fetch via GitHub
Releases or OCI registry instead of building from source.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

.github/workflows/builder.yaml

@@ -0,0 +1,61 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Builder Image
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'images/builder/**'
+      - 'versions.env'
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Source versions.env
+        run: |
+          source versions.env
+          echo "LIBKRUN_VERSION=${LIBKRUN_VERSION}" >> $GITHUB_ENV
+          echo "LIBKRUNFW_VERSION=${LIBKRUNFW_VERSION}" >> $GITHUB_ENV
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: images/builder
+          file: images/builder/Containerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: |
+            LIBKRUN_VERSION=${{ env.LIBKRUN_VERSION }}
+            LIBKRUNFW_VERSION=${{ env.LIBKRUNFW_VERSION }}
+          tags: |
+            ghcr.io/stacklok/propolis-builder:${{ env.LIBKRUN_VERSION }}
+            ghcr.io/stacklok/propolis-builder:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/ci.yaml

@@ -11,6 +11,7 @@ on:
 
 permissions:
   contents: read
+  packages: read
 
 env:
   GO_VERSION: "1.25"
@@ -140,3 +141,42 @@ jobs:
       - name: Sign runner with entitlements
         run: |
           codesign --entitlements assets/entitlements.plist --force -s - bin/propolis-runner
+
+  build-cgo:
+    name: Build (Linux CGO)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Read builder image version
+        id: versions
+        run: |
+          source versions.env
+          echo "LIBKRUN_VERSION=${LIBKRUN_VERSION}" >> "$GITHUB_OUTPUT"
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull builder image
+        run: |
+          docker pull ghcr.io/stacklok/propolis-builder:${{ steps.versions.outputs.LIBKRUN_VERSION }}
+
+      - name: Build CGO packages
+        run: |
+          docker run --rm -v "${{ github.workspace }}:/src:z" -w /src \
+            -e CGO_ENABLED=1 \
+            ghcr.io/stacklok/propolis-builder:${{ steps.versions.outputs.LIBKRUN_VERSION }} \
+            go build ./krun/...
+
+      - name: Build runner binary
+        run: |
+          docker run --rm -v "${{ github.workspace }}:/src:z" -w /src \
+            -e CGO_ENABLED=1 \
+            ghcr.io/stacklok/propolis-builder:${{ steps.versions.outputs.LIBKRUN_VERSION }} \
+            go build -ldflags "-X github.com/stacklok/propolis/internal/version.Version=ci" \
+            -o bin/propolis-runner ./runner/cmd/propolis-runner

.github/workflows/release.yaml

@@ -0,0 +1,152 @@
+# SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  packages: write
+
+env:
+  GO_VERSION: "1.25"
+
+jobs:
+  build-artifacts:
+    name: Build (${{ matrix.arch }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-latest
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Source versions.env
+        run: |
+          set -euo pipefail
+          source versions.env
+          echo "LIBKRUN_VERSION=${LIBKRUN_VERSION}" >> "$GITHUB_ENV"
+
+      - name: Pull builder image
+        run: |
+          docker pull ghcr.io/stacklok/propolis-builder:${LIBKRUN_VERSION}
+
+      - name: Extract libraries from builder image
+        run: |
+          id=$(docker create ghcr.io/stacklok/propolis-builder:${LIBKRUN_VERSION})
+          docker cp $id:/opt/libkrun-built/libkrun.so.1 .
+          docker cp $id:/opt/libkrun-built/libkrunfw.so.5 .
+          docker rm $id
+
+      - name: Build propolis-runner
+        run: |
+          docker run --rm -v $(pwd):/src:z -w /src \
+            -e CGO_ENABLED=1 \
+            ghcr.io/stacklok/propolis-builder:${LIBKRUN_VERSION} \
+            go build -ldflags "-X github.com/stacklok/propolis/internal/version.Version=${{ github.ref_name }} -X github.com/stacklok/propolis/internal/version.Commit=${GITHUB_SHA::8} -X github.com/stacklok/propolis/internal/version.BuildDate=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+              -o bin/propolis-runner ./runner/cmd/propolis-runner
+
+      - name: Package runtime tarball
+        run: |
+          staging="propolis-runtime-linux-${{ matrix.arch }}"
+          mkdir -p "${staging}"
+          cp bin/propolis-runner libkrun.so.1 "${staging}/"
+          echo "${{ github.ref_name }}" > "${staging}/VERSION"
+          tar czf "${staging}.tar.gz" "${staging}"
+
+      - name: Package firmware tarball
+        run: |
+          staging="propolis-firmware-linux-${{ matrix.arch }}"
+          mkdir -p "${staging}"
+          cp libkrunfw.so.5 "${staging}/"
+          echo "${{ github.ref_name }}" > "${staging}/VERSION"
+          cat > "${staging}/LICENSE-GPL" <<'EOF'
+          libkrunfw is licensed under the GNU General Public License v2.0 (GPL-2.0).
+          See https://github.com/containers/libkrunfw for full license text.
+          EOF
+          tar czf "${staging}.tar.gz" "${staging}"
+
+      - name: Upload runtime artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: propolis-runtime-linux-${{ matrix.arch }}
+          path: propolis-runtime-linux-${{ matrix.arch }}.tar.gz
+
+      - name: Upload firmware artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: propolis-firmware-linux-${{ matrix.arch }}
+          path: propolis-firmware-linux-${{ matrix.arch }}.tar.gz
+
+  create-release:
+    name: Create Release
+    runs-on: ubuntu-latest
+    needs: build-artifacts
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
+
+      - name: Generate checksums
+        run: |
+          sha256sum propolis-*.tar.gz > sha256sums.txt
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          files: |
+            propolis-runtime-linux-amd64.tar.gz
+            propolis-runtime-linux-arm64.tar.gz
+            propolis-firmware-linux-amd64.tar.gz
+            propolis-firmware-linux-arm64.tar.gz
+            sha256sums.txt
+
+  push-oci:
+    name: Push OCI (${{ matrix.arch }})
+    runs-on: ubuntu-latest
+    needs: build-artifacts
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+          - arch: arm64
+    steps:
+      - name: Download runtime artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: propolis-runtime-linux-${{ matrix.arch }}
+
+      - name: Download firmware artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: propolis-firmware-linux-${{ matrix.arch }}
+
+      - name: Install oras
+        uses: oras-project/setup-oras@v1
+
+      - name: Login to ghcr.io
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | oras login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push runtime OCI artifact
+        run: |
+          oras push ghcr.io/stacklok/propolis/runtime:${{ github.ref_name }}-linux-${{ matrix.arch }} \
+            --artifact-type application/vnd.stacklok.propolis.runtime \
+            propolis-runtime-linux-${{ matrix.arch }}.tar.gz:application/gzip
+
+      - name: Push firmware OCI artifact
+        run: |
+          oras push ghcr.io/stacklok/propolis/firmware:${{ github.ref_name }}-linux-${{ matrix.arch }} \
+            --artifact-type application/vnd.stacklok.propolis.firmware \
+            propolis-firmware-linux-${{ matrix.arch }}.tar.gz:application/gzip

CLAUDE.md

@@ -6,15 +6,19 @@ Two-process model: pure-Go library spawns a CGO runner subprocess. Module: `gith
 ## Commands
 
 ```bash
-task build-dev          # Build runner (requires libkrun-devel, Linux)
-task build-dev-darwin   # Build runner (macOS, requires Homebrew libkrun, signs entitlements)
-task test               # go test -v -race ./...
-task lint               # golangci-lint run ./...
-task lint-fix           # Auto-fix lint issues
-task fmt                # go fmt + goimports
-task verify             # fmt + lint + test (CI pipeline)
-task tidy               # go mod tidy
-task clean              # Remove bin/ and coverage files
+task build-dev            # Build runner (requires libkrun-devel, Linux)
+task build-dev-darwin     # Build runner (macOS, requires Homebrew libkrun, signs entitlements)
+task build-runner         # Build runner + libs using builder container (no system libkrun needed)
+task fetch-runtime        # Download pre-built runtime from GitHub Release
+task fetch-firmware       # Download pre-built firmware from GitHub Release
+task builder-image-build  # Build the builder container image locally
+task test                 # go test -v -race ./...
+task lint                 # golangci-lint run ./...
+task lint-fix             # Auto-fix lint issues
+task fmt                  # go fmt + goimports
+task verify               # fmt + lint + test (CI pipeline)
+task tidy                 # go mod tidy
+task clean                # Remove bin/ and coverage files
 ```
 
 Run a single test: `go test -v -race -run TestName ./path/to/package`