web3infra-foundation · benjamin-747 · May 30, 2026 · May 30, 2026 · May 30, 2026 · May 30, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -7,6 +7,10 @@ target
 moon
 moon/**
 
+# Not in workspace image; local targets/deps can be very large and slow `docker build` context transfer.
+tools
+tools/**
+
 docs
 
 scripts
@@ -18,6 +22,13 @@ tests
 
 # node
 **/node_modules/
+**/.next/
+**/.turbo/
+**/dist/
+**/build/
+**/out/
+**/coverage/
+**/.cargo/
 
 # IDE configurations
 .idea
@@ -40,10 +51,14 @@ buck-out
 # local docker build cache (huge, never needed in image)
 .buildx-cache
 .buildx-cache/**
+.buildx-cache*/
 
 # Dockderfile
 docker
 
 # git / ci metadata (not needed for docker builds, reduces build context)
 .git/
 .github/
+
+# logs
+*.log
diff --git a/.github/workflows/orion-release.yml b/.github/workflows/orion-release.yml
@@ -0,0 +1,208 @@
+name: Orion Release
+
+on:
+  push:
+    tags:
+      - "orion-v*"
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Override version tag (e.g. v0.1.1). Required for manual runs."
+        required: true
+        type: string
+
+permissions:
+  contents: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  build:
+    name: Build orion (linux-amd64)
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    outputs:
+      version: ${{ steps.meta.outputs.version }}
+      bundle_name: ${{ steps.meta.outputs.bundle_name }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Resolve version
+        id: meta
+        run: |
+          set -euo pipefail
+          if [[ "${GITHUB_REF}" == refs/tags/orion-* ]]; then
+            VERSION="${GITHUB_REF#refs/tags/orion-}"
+          else
+            VERSION="${{ inputs.version }}"
+          fi
+          if [[ -z "$VERSION" ]]; then
+            echo "::error::Could not resolve version. Push an orion-vX.Y.Z tag or supply 'version'."
+            exit 1
+          fi
+          SHORT_SHA=$(git rev-parse --short=8 HEAD)
+          BUNDLE_NAME="orion-${VERSION}-linux-amd64"
+          echo "version=$VERSION"           >> "$GITHUB_OUTPUT"
+          echo "short_sha=$SHORT_SHA"       >> "$GITHUB_OUTPUT"
+          echo "bundle_name=$BUNDLE_NAME"   >> "$GITHUB_OUTPUT"
+
+      - name: Install system build deps
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y --no-install-recommends \
+            build-essential \
+            clang \
+            fuse3 \
+            libfuse3-dev \
+            libssl-dev \
+            pkg-config \
+            protobuf-compiler
+
+      - name: Install Rust stable
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: x86_64-unknown-linux-gnu
+
+      - name: Cargo cache
+        uses: Swatinem/rust-cache@v2
+        with:
+          shared-key: orion-release-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
+          cache-on-failure: true
+
+      - name: Build orion (release)
+        run: cargo build --release -p orion --bin orion --target x86_64-unknown-linux-gnu
+
+      - name: Stage bundle
+        env:
+          BUNDLE_NAME: ${{ steps.meta.outputs.bundle_name }}
+          VERSION: ${{ steps.meta.outputs.version }}
+          SHORT_SHA: ${{ steps.meta.outputs.short_sha }}
+        run: |
+          set -euo pipefail
+          BUILT_AT=$(date -u +%FT%TZ)
+          BUNDLE_ROOT="dist/${BUNDLE_NAME}"
+          mkdir -p "${BUNDLE_ROOT}/runner-config" "${BUNDLE_ROOT}/systemd"
+
+          install -m 0755 \
+            target/x86_64-unknown-linux-gnu/release/orion \
+            "${BUNDLE_ROOT}/orion"
+          install -m 0644 \
+            orion/runner-config/.env.prod \
+            "${BUNDLE_ROOT}/runner-config/.env.prod"
+          install -m 0644 \
+            orion/runner-config/scorpio.toml \
+            "${BUNDLE_ROOT}/runner-config/scorpio.toml"
+          install -m 0755 \
+            orion/runner-config/run.sh \
+            "${BUNDLE_ROOT}/runner-config/run.sh"
+          install -m 0755 \
+            orion/runner-config/preflight.sh \
+            "${BUNDLE_ROOT}/runner-config/preflight.sh"
+          install -m 0755 \
+            orion/runner-config/cleanup.sh \
+            "${BUNDLE_ROOT}/runner-config/cleanup.sh"
+          install -m 0644 \
+            orion/systemd/orion-runner.service \
+            "${BUNDLE_ROOT}/systemd/orion-runner.service"
+          install -m 0644 \
+            orion/systemd/orion-runner.env.example \
+            "${BUNDLE_ROOT}/systemd/orion-runner.env.example"
+
+          cat > "${BUNDLE_ROOT}/VERSION" <<EOF
+          version=${VERSION}
+          commit=${GITHUB_SHA}
+          commit_short=${SHORT_SHA}
+          built_at=${BUILT_AT}
+          target=x86_64-unknown-linux-gnu
+          EOF
+
+          tar -C dist -czf "dist/${BUNDLE_NAME}.tar.gz" "${BUNDLE_NAME}"
+          (cd dist && sha256sum "${BUNDLE_NAME}.tar.gz" \
+            > "${BUNDLE_NAME}.tar.gz.sha256")
+
+          ls -lh dist/
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.meta.outputs.bundle_name }}
+          include-hidden-files: true
+          path: |
+            dist/${{ steps.meta.outputs.bundle_name }}.tar.gz
+            dist/${{ steps.meta.outputs.bundle_name }}.tar.gz.sha256
+          if-no-files-found: error
+          retention-days: 7
+
+  release:
+    name: Publish GitHub Release
+    needs: build
+    if: startsWith(github.ref, 'refs/tags/orion-')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build.outputs.bundle_name }}
+          path: dist
+
+      - name: Render release notes
+        id: notes
+        env:
+          VERSION: ${{ needs.build.outputs.version }}
+          BUNDLE_NAME: ${{ needs.build.outputs.bundle_name }}
+        run: |
+          set -euo pipefail
+          SHA256=$(awk '{print $1}' "dist/${BUNDLE_NAME}.tar.gz.sha256")
+          {
+            echo "## orion ${VERSION}"
+            echo
+            echo "Linux amd64 runner bundle for the Orion Buck2 worker."
+            echo "The bundle contains the release binary, runner scripts,"
+            echo "Scorpio config, and the systemd unit used by orion-scheduler."
+            echo
+            echo "### Download"
+            echo
+            echo '```bash'
+            echo "curl -LO https://github.com/${{ github.repository }}/releases/download/orion-${VERSION}/${BUNDLE_NAME}.tar.gz"
+            echo "curl -LO https://github.com/${{ github.repository }}/releases/download/orion-${VERSION}/${BUNDLE_NAME}.tar.gz.sha256"
+            echo "sha256sum -c ${BUNDLE_NAME}.tar.gz.sha256"
+            echo "tar -xzf ${BUNDLE_NAME}.tar.gz"
+            echo '```'
+            echo
+            echo "Bundle layout:"
+            echo
+            echo '```text'
+            echo "${BUNDLE_NAME}/"
+            echo "├── orion"
+            echo "├── runner-config/"
+            echo "├── systemd/"
+            echo "└── VERSION"
+            echo '```'
+            echo
+            echo "### Checksum"
+            echo
+            echo '```'
+            echo "${SHA256}  ${BUNDLE_NAME}.tar.gz"
+            echo '```'
+          } > release-notes.md
+          echo "path=release-notes.md" >> "$GITHUB_OUTPUT"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: ${{ github.ref_name }}
+          name: orion ${{ needs.build.outputs.version }}
+          body_path: ${{ steps.notes.outputs.path }}
+          draft: false
+          prerelease: ${{ contains(needs.build.outputs.version, '-') }}
+          files: |
+            dist/${{ needs.build.outputs.bundle_name }}.tar.gz
+            dist/${{ needs.build.outputs.bundle_name }}.tar.gz.sha256