feat: port podvm build/deploy workflows from fortress#23
Merged
alhassankhedr-cohere merged 15 commits intocoherefrom Apr 22, 2026
Conversation
Migrates the PodVM build and GCP deploy workflows from the private fortress repo so the CI pipeline and artifacts are open-source. Key changes from the fortress originals: - No longer clones CAA externally (runs from within the repo) - Uses cvm-measure CLI for UKI extraction and RTMR2 prediction - Guest-components repo/ref/features are workflow_dispatch inputs - Reads tool versions (ORAS, etc.) from src/cloud-api-adaptor/versions.yaml - OCI image path is ghcr.io/cohere-ai/cloud-api-adaptor/podvm - Requires WIF setup from CC-193 for GCP auth Ref: CC-192
alhassankhedr-cohere
requested review from
a team,
shariqahmed-cohere and
yousef-cohere
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
- Add persist-credentials: false to checkout actions
- Replace ${{ github.repository }} and ${{ github.sha }} template
expansions in run: blocks with GITHUB_REPOSITORY/GITHUB_SHA env vars
to prevent code injection via template expansion
- Add explanatory comments to all permission declarations
- Replace secrets: inherit with explicit secret passthrough
(GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT)
- Declare required secrets in deploy-gcp-cohere workflow_call
Ref: CC-192
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Temporarily point at alhassankhedr/cc-167-tdx-measurement-toolkit instead of main. Revert once cvm-measure PR #12 lands. Ref: CC-192
Will revert before merge.
cvm-measure is private; persist-credentials: false means the runner has no git credentials for external clones. Pass the token explicitly until the repo is made public. Ref: CC-192
GITHUB_TOKEN is scoped to the current repo and cannot access cvm-measure. Use a fine-grained PAT stored as CVM_MEASURE_TOKEN. Ref: CC-192
- Branch pushes to cohere use a stable image name (cohere-latest) and overwrite the existing GCP image each time - Tag pushes (podvm-v*) create a new GCP image per tag version - workflow_dispatch respects the replace_existing_image input Ref: CC-192
- Use matrix strategy to build release and debug profiles concurrently - Add meta job to compute image names/tags for both profiles - Two explicit deploy jobs (release + debug) to GCP - Branch pushes overwrite cohere-latest images, tag pushes create new ones - Always inject DEBUG_SSH_PUBLIC_KEY into debug builds - Remove image_profile input (both profiles always built) Ref: CC-192
PEP 668 enforcement on Ubuntu 24.04 runners blocks bare pip install into system Python. Add the flag to work around the externally-managed environment check. Ref: CC-192
|
|
||
| - name: Install cvm-measure | ||
| env: | ||
| CVM_TOKEN: ${{ secrets.CVM_MEASURE_TOKEN }} |
yousef-cohere
previously approved these changes
Apr 22, 2026
…t-podvm-builddeploy-workflows-from
Replace the two separate deploy jobs with a single deploy-gcp job using a matrix strategy over [release, debug], as suggested in PR review. Ref: CC-192
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 098eb08. Configure here.
The OR expression always short-circuited on branch dispatches because meta.replace_image is unconditionally "true" for non-tag refs. Gate each source on the event type so push events use the computed flag while workflow_dispatch honours the user's input. Ref: CC-192
yousef-cohere
approved these changes
Apr 22, 2026
alhassankhedr-cohere
deleted the
alhassankhedr/cc-192-cloud-api-adaptor-port-podvm-builddeploy-workflows-from
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Migrates the PodVM build and GCP deploy workflows from the private fortress repo so the CI pipeline and artifacts are open-source.
Key changes from the fortress originals:
Ref: CC-192
Note
Medium Risk
Adds new CI workflows that build and publish PodVM images to GHCR and optionally create/replace GCP compute images via Workload Identity; misconfig or tagging/replacement logic could overwrite images or break releases.
Overview
Adds a new
build-podvm-cohere.yamlworkflow that builds release and debug PodVM images (ubuntu/fedora), optionally injects an SSH key into debug builds, computes UKI-derived RTMR2 measurements, and publishes the disk +measurements.jsonas an ORAS OCI artifact to GHCR with build provenance attestation.Adds a reusable
deploy-gcp-cohere.yamlworkflow that verifies the GHCR attestation, pulls the artifact/measurements, uploads the disk to GCS, and creates (optionally replacing) a labeled TDX-capable GCP compute image, with the build workflow wiring an automatic deploy step after successful builds.Reviewed by Cursor Bugbot for commit 5f6b5c5. Bugbot is set up for automated code reviews on this repo. Configure here.