ci: release diagnostic VM code volume via amend STORE#947
Conversation
Publishes a STORE message that amends the code volume currently referenced by the diagnostic VM PROGRAM, so supervisors with `use_latest=True` pick up the new code on their next refresh without republishing the program. Triggered by `diagnostic-vm/v*.*.*` tags (or manual dispatch). Reads the PROGRAM hash and owner from repository variables and the delegated signer key from the `vms` GitHub Environment. Uses the Rust `aleph` CLI (apt.aleph.im) for the upload, with `--on-behalf-of $OWNER` so the new STORE carries the owner's `content.address` while being signed by the CI key. Depends on supervisors picking the right address — see PR #946 (fix: resolve amends by owner, not signer).
foxpatch-aleph
left a comment
There was a problem hiding this comment.
Clean, well-structured workflow for publishing a STORE amend on the diagnostic VM's code volume. The design correctly resolves the current PROGRAM to get the code ref and channel, verifies owner match as a safety check, uses delegated authorization via --on-behalf-of with hold payment, and handles error cases gracefully. Security posture is good with minimal permissions and proper secret handling.
.github/workflows/release-diagnostic-vm-code-volume.yml (line 22): Consider using ubuntu-24.04 instead of ubuntu-22.04. The 22.04 images are being phased out by GitHub.
foxpatch-aleph
left a comment
There was a problem hiding this comment.
Click Re-request review to retry.
Summary
Mirrors PR #854 but instead of publishing a new PROGRAM, this workflow publishes a new STORE that amends the existing code volume of the diagnostic VM. Supervisors that resolve
use_latest=Trueon the code volume will then pick up the new code on their next refresh, so the live diagnostic VM hash (CHECK_FASTAPI_VM_ID) does not have to change.Depends on #946 — without that fix, supervisors look up amends by signer rather than by
content.address, so a CI-signed amend on behalf of the owner would not be discovered.How it works
diagnostic-vm/v*.*.*(or manualworkflow_dispatch).DIAGNOSTIC_VM_PROGRAM_HASH,DIAGNOSTIC_VM_OWNER) and the delegated signer's private key from the environment secretALEPH_DIAGNOSTIC_VM_SIGNER_KEYin environmentvms.aleph message getresolves the currentcontent.code.refandchannelfrom the live PROGRAM message. The workflow fails fast if the program's declared owner doesn't match the GH variable.examples/example_fastapi(same as Implement Automatic Diagnostic Release #854).aleph file upload --ref <code.ref> --on-behalf-of $OWNER --chain eth --payment-type hold. Locked-stake (holder tier) payment, on the owner address — the CI key never holds funds.Operator prerequisites (one-time setup)
DIAGNOSTIC_VM_PROGRAM_HASH(e.g.d2b74aa29898457bde0560e47f7cdd4e77287e9f1f7a1456161d2fd7d5c855d7),DIAGNOSTIC_VM_OWNER(the owner ETH address).vmsEnvironment in repo settings; add secretALEPH_DIAGNOSTIC_VM_SIGNER_KEY(hex private key of the CI delegate). Optionally restrict deployments to the tag pattern.aleph authorization grantfor the CI delegate (the address derived fromALEPH_DIAGNOSTIC_VM_SIGNER_KEY) authorizing STORE messages.Why this approach
diagnostic-vm/v*.*.*namespaces this away from the supervisor's own futurev*.*.*tags.Test plan
workflow_dispatchwithdry_run=trueonce env/vars/secret are configured — verifies the resolve step and signs without publishing.diagnostic-vm/v0.0.1(or run dispatch withdry_run=false) and confirm the new STORE item hash appears in the job summary.aleph message get <new_hash>should showcontent.address == owner,content.ref == <original code volume hash>,type == STORE.