19 KiB
BEP-0009 - Release Infrastructure and Store Upload Pipeline
Status: Draft
Proposal: BEP-0009
Authors: gpt-5.5
Coordinator: gpt-5.5
Reviewers: Pending
Constitution Sections: II, III, IV, V
Implementation PRs: Pending
Decision Date: Pending
Summary
Burrow needs a release pipeline that behaves like the project infrastructure it is replacing: release eligibility is detected from forge build tags, build artifacts are produced per platform, upload lanes are separate from build lanes, and store credentials are explicit automation inputs rather than hidden local state.
The first implementation creates the release spine now: release-if-needed dispatches a build when HEAD has not been tagged as released, build-release packages current artifacts on Namespace-backed runners, and publish-store-uploads performs guarded upload steps for App Store Connect, Sparkle, Microsoft Store, and storage-backed public channels after Authentik-backed Google WIF authentication.
The same change also makes the forge itself the release authority: release tags prefer the Burrow Forgejo remote, dispatch helpers talk to Forgejo directly with a live-host fallback, runner identity is discoverable from persistent host state, repository mirror sync is disabled for the canonical Burrow repository, nix.burrow.net provides a Burrow-owned Nix cache for workers, and Grafana observability is bootstrapped with Nix-owned Prometheus/OpenTelemetry/Jaeger service state plus OpenTofu-owned dashboards.
Motivation
- Burrow already controls its forge and runner infrastructure, but the release path only produced a Linux CLI tarball.
- Apple, Linux, Sparkle, and future Windows outputs need the same build-number and artifact layout so release evidence is inspectable.
- The Namespace account should be part of the live runner surface, including macOS and Windows lanes, instead of sitting idle behind unused configuration.
- Authentication and store credentials should be named and checked at lane boundaries so dedicated accounts can be added without rewriting workflows.
Detailed Design
- Use lightweight
builds/<number>tags as the authoritative release watermark. - Keep
Scripts/version.sh statusas the release-needed check:cleanmeans HEAD is exactly the latest authoritative build tag.dirtymeans the release workflow should create a new build number.
- Split workflows:
.forgejo/workflows/release-if-needed.ymlchecks release status and dispatchesbuild-release.yml..forgejo/workflows/build-release.ymlbuilds and stages artifacts..forgejo/workflows/publish-store-uploads.ymluploads staged artifacts to external stores and public channels.
- Stage artifacts under
dist/builds/<build-number>/<platform>/. - Publish generic release assets to a Forgejo release named
Build <number>. - Upload release artifacts through
Scripts/ci/upload-release-storage.sh. The wrapper requires Garage as the primary S3-compatible target by default, then mirrors to theburrow-net-releasesGCS backup bucket unlessBURROW_RELEASE_GCS_BACKUP=false. - Publish signed package repository trees through
Scripts/ci/upload-package-storage.sh. The wrapper requires Garage as the primary S3-compatible target by default, then mirrors to theburrow-net-packagesGCS backup bucket unlessBURROW_PACKAGE_GCS_BACKUP=false. - Publish selected Nix closures through
.forgejo/workflows/publish-nix-cache.ymlandScripts/ci/publish-nix-cache.sh. The workflow logs intonix.burrow.netwith the scopedBURROW_NIX_CACHE_PUSH_TOKENgenerated by host bootstrap and skips when the token is absent unless explicitly required. - Mirror Garage buckets through
.forgejo/workflows/backup-garage-storage.ymlandScripts/ci/backup-garage-to-gcs.sh. The scheduled workflow uses the host-generated Garage read-only backup key, Authentik-backed Google WIF, andgcloud storage rsyncto back upburrow-releases,burrow-packages, andatticto GCS. - Build Apple artifacts on
namespace-profile-macos-largethrough Bazel wrapper targets://bazel/apple:release_ios_stamp//bazel/apple:release_macos_stampThese targets wrap the existing Xcode project and give the workflow one stable entrypoint that shares the same Bazel/Nix cache setup while Burrow decides whether deeperrules_appletargets are worth the migration.
- Use Namespace cache setup before Bazel/Nix work. Prefer the Namespace Bazel remote cache when
nscis authenticated and fall back to a local disk/repository cache when remote setup is unavailable. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under
secrets/. - Persist the forge runner SSH key as
/var/lib/forgejo-runner-agent/age_keystoreand exportBURROW_RUNNER_AGE_IDENTITY_PATHso jobs can resolve agenix identities without embedding long-lived material in every workflow. - Add
Scripts/forgejo-dispatch.shandScripts/forgejo-dispatch-via-host.sh:- local dispatch uses an explicit token, local intake token, or the sealed forgejo-nsc dispatcher config when available;
- host fallback SSHes to the live forge and reads the agenix-materialized dispatcher config there;
- neither path relies on a GitHub remote or GitHub workflow API.
- Default build tag reads and pushes to the Burrow Forgejo remote when that remote exists.
BURROW_VERSION_REMOTEremains the override for unusual migrations. - Keep the canonical Forgejo repo as an ordinary source repository, not a mirror. The host config disables new mirror creation and removes mirror/push-mirror rows for the canonical Burrow repository at activation time.
- Add
.forgejo/workflows/infra-opentofu.ymlandScripts/grafana-tofu.shfor Grafana API-managed folders and dashboards. NixOS owns the Grafana service, SSO, reverse proxy, datasources, Prometheus, OpenTelemetry collector, Jaeger, secrets, and boot-time configuration; OpenTofu owns API-created dashboard objects. - Sync provisioning profiles from App Store Connect in CI using the decrypted API key:
- iOS App Store profiles for
net.burrow.appandnet.burrow.app.network. - macOS Developer ID profiles for the same bundle identifiers.
Provisioning profile
.agefiles are not part of the normal release path.
- iOS App Store profiles for
- Add a non-exportable Google KMS RSA-2048/SHA-256 key named
apple-developer-id-applicationin the Burrow identity key ring. The manualapple-developer-id-kms-csr.ymlworkflow uses Authentik-backed Google WIF to generate a standard Developer ID Application CSR without exporting private key material. - Treat Developer ID certificate issuance as a Developer website or Xcode step
until Apple documents App Store Connect API creation for Developer ID
certificates. The returned
.ceris public release material; the private key remains in Google KMS and must not be converted into.p12form. - The first KMS-backed G2 Developer ID Application certificate is
9JKN6HXBHC, stored atApple/Certificates/developer-id-application-9JKN6HXBHC.cer, and expires on2031-06-08. - Add a non-exportable Google KMS RSA-2048/SHA-256 key named
apple-ios-distributionin the Burrow identity key ring. The KMS-backed CSR can be submitted through the App Store Connect API withScripts/apple/create-asc-certificate.mjs. - The first KMS-backed iOS Distribution certificate is
3G42677598, stored atApple/Certificates/ios-distribution-3G42677598.cer, and expires on2027-06-07. - When
BURROW_IOS_DISTRIBUTION_CERTIFICATE_IDis set, provisioning-profile sync must verify App Store profiles reference that certificate. Stale profiles with the same name may be deleted and recreated so CI does not silently sign against an older distribution identity. - Apple release signing uses a staged KMS flow because Google publishes the
Cloud KMS PKCS#11 library for Linux release runners, not macOS runners:
- macOS Namespace builders compile unsigned iOS device and macOS app bundles with the existing Xcode project.
- Linux release runners download those staged artifacts, authenticate to
Google through Authentik WIF, verify the Apple
.cerpublic key matches the intended Google KMS key version, embed the synced provisioning profiles, and sign the app/extension bundles with the patchedrcodesignPKCS#11 path. - The signed iOS IPA is uploaded to App Store Connect, and the signed macOS ZIP is used as the Sparkle tester artifact.
- Add a non-exportable Google KMS key named
sparkle-ed25519for Sparkle appcast signatures. It usesEC_SIGN_ED25519with software protection level because Google KMS rejects Ed25519 for HSM protection. macOS builds embed public EdDSA keyMyv9ZNZT6YGKMtMezh52ra4WqaeEKc4VlvVU0evhJeI=. - Use Namespace labels for platform lanes:
namespace-profile-linux-mediumnamespace-profile-macos-largenamespace-profile-windows-large
- Use dedicated Apple distribution labels for the focused tester-distribution
workflow so stale generic Namespace jobs cannot consume Apple release runners:
namespace-profile-linux-medium-apple-v2namespace-profile-macos-large-apple-v2Label revisions are allowed when earlier accepted workflows have stale queued jobs; the autoscaler should serve only the current focused label set.
- Configure macOS Namespace targets with the Compute API CPU-by-memory shape
format.
12x28is the Burrow large macOS baseline; platform-prefixed values such asmacos/arm64:8x16are not accepted by the macOS launcher. - Keep the shared Linux runner work directory out of macOS bootstraps. The
dispatcher normalizes macOS runners to
/tmp/forgejo-runnerwhen the shared config points at Linux state paths such as/var/lib/forgejo-runner. - Do not destroy Namespace Linux runners until
nsc describeshows a real terminal container state or tombstone. Empty describe payloads mean the environment is still starting, not that the one-job runner has finished. - Keep the autoscaler-to-dispatcher HTTP timeout longer than the runner TTL. Dispatch requests intentionally block until the one-job runner exits, so short HTTP client timeouts cancel macOS provisioning mid-bootstrap.
- Run forge Namespace services with the repo-owned
nscpackage and keep it current with the token format expected by Namespace.nsc 0.0.520is the first required baseline for revokable token-file auth. The dispatcher and autoscaler systemd units must also use the repo-built packages so runner fixes ship with Burrow deploys instead of staying pinned to the module input. - Render the sealed Namespace runner token with
nsc token create --token_fileinstead ofnsc auth generate-dev-token. The dev-token output is for direct API/registry access, while the dispatcher needs the JSON token-file format consumed bynsc run. - Add a Rust
burrow-windows-stubbinary so the Windows lane can validate packaging and upload mechanics before native Windows networking support is implemented. - Treat Sparkle as a macOS public-channel upload lane:
- Generate staged appcast content from the signed macOS artifact when present.
- Publish
sparkle/<channel>/,sparkle/appcast.xml, andsparkle/default/pointers frompublish-store-uploads. - The macOS app embeds Sparkle and consumes the
https://releases.burrow.net/sparkle/appcast.xmlfeed.
- Add
infra/releasesas the OpenTofu boundary for the GCS release and package repository backup buckets. Garage is the required S3-compatible primary distribution target after host bootstrap.infra/identityremains the boundary for Google KMS signing keys, the Authentik WIF pool/provider, and the runner service account.
Security and Operational Considerations
- Store credentials are consumed only by signed build or upload jobs, not by ordinary build/test jobs.
- GCS backup and Google KMS access must use Authentik-backed Workload Identity Federation against project
project-88c23ce9-918a-470a-b33; workflows must not use Google service-account JSON keys. - Garage uploads use S3-compatible access keys scoped to release/package buckets. They are required by default; GCS is a backup mirror, not the success fallback.
- Garage backup uses a separate read-only key spanning the release, package, and Attic buckets. That key may be sealed into Forgejo/OpenBao for backup jobs, but it must not be reused for release/package writes.
- Attic cache publishing uses a scoped CI push token for the
burrowcache instead of the bootstrap admin token. - rclone is not part of the release path. Multi-cloud failover should be added through provider-specific or S3-compatible wrappers with explicit credentials and evidence.
- Required upload credentials are checked explicitly after
./.forgejo/actions/decrypt-release-secretsmaterializes them from age:secrets/apple/appstore-connect.env.age:ASC_API_KEY_ID,ASC_API_ISSUER_ID, and base64-encoded.p8key material.- KMS-backed Apple signing must not use
.p12private-key material. The legacysecrets/apple/distribution-signing.env.agepath remains accepted only for emergency keychain signing and should not be used for the normal tester release lane. - Sparkle appcasts are signed with Google KMS by default; the legacy
secrets/apple/sparkle.env.agepath remains accepted only for emergency local EdDSA signing. - future Microsoft Partner Center credentials
- The temporary CI keychain password is always the distribution certificate password; there is no separate keychain-password release secret.
- KMS-backed Apple certificates do not satisfy the existing Xcode/keychain import path. Shipping with these certificates requires a signer that can delegate Apple code-signing operations to Google KMS.
- If the first key ring or Developer ID key is bootstrapped before the
OpenTofu remote state backend is available locally, the live resources must be
imported into
infra/identitybefore enabling managed identity applies. - Dedicated store accounts should be sealed with agenix before enabling always-on uploads. The runner only needs an age identity such as
/var/lib/forgejo-runner-agent/age_keystore;AGE_FORGE_SSH_KEYis a fallback bootstrap secret, not a place for release material. - The canonical identity registry reserves
release@burrow.netfor release automation andnamespace@burrow.netfor Namespace runner capacity credentials; secrets stay outsidecontributors.nix. - Grafana starts with a sealed admin password and a pending OIDC client secret. Local admin login remains available until the real OIDC secret is rotated and the Authentik reconciliation service creates the Grafana provider.
- OpenTofu apply/import modes require an explicit confirmation and remote state. Validation may run without remote state.
- Build tags are pushed only after artifacts have been assembled for the build number.
- External TestFlight distribution and public app-store rollout must stay explicit; internal or private lanes can be defaulted only after credentials and metadata are verified.
Contributor Playbook
- Check whether a release is needed:
Scripts/version.sh status - Build local artifacts:
BUILD_NUMBER=local Scripts/ci/build-release-artifacts.sh all - Build Apple release validation artifacts on macOS:
BUILD_NUMBER=local bazel build //bazel/apple:release_ios_stamp //bazel/apple:release_macos_stamp - Verify the Windows stub still builds:
cargo test --locked -p burrow-windows-stub - Validate BEP metadata:
python3 Scripts/check-bep-metadata.py - Before turning on an upload lane, seal the dedicated service-account secret and run:
Scripts/seal-release-secrets.sh --source-dir intake/release Scripts/ci/check-release-config.sh app-store Scripts/ci/check-release-config.sh apple-signing Scripts/ci/check-release-config.sh gcs - Treat successful Forgejo release asset publication and successful store upload jobs as separate evidence points.
- Validate Grafana OpenTofu syntax locally:
Scripts/grafana-tofu.sh init -backend=false Scripts/grafana-tofu.sh validate - Validate release storage OpenTofu syntax locally:
Scripts/releases-tofu.sh init -backend=false Scripts/releases-tofu.sh validate - Validate release storage wrapper syntax:
bash -n Scripts/ci/upload-release-storage.sh Scripts/ci/upload-package-storage.sh Scripts/ci/backup-garage-to-gcs.sh Scripts/ci/publish-nix-cache.sh
- Dispatch a Forgejo workflow without GitHub:
Scripts/forgejo-dispatch.sh build-release.yml --ref main
- After deploying the forge host, seal:
BURROW_NIX_CACHE_PUSH_TOKEN from /var/lib/burrow/nix-cache/ci-push-token BURROW_GARAGE_BACKUP_ACCESS_KEY_ID from /var/lib/burrow/garage/env BURROW_GARAGE_BACKUP_SECRET_ACCESS_KEY from /var/lib/burrow/garage/env
Alternatives Considered
- Keep one monolithic release workflow. Rejected because build failures, upload failures, and credential gaps become hard to distinguish.
- Wait for native Windows support before adding a Windows lane. Rejected because packaging and Microsoft Store authentication can be validated with a Rust stub first.
- Add Sparkle to the Apple app in the same change. Rejected because Sparkle changes the client update trust boundary and should be reviewed separately from release plumbing.
Impact on Other Work
- Future Apple release work can fill in signed archive/export details without changing release numbering.
- Future Windows work can replace the stub package with the native client while preserving upload shape.
- Identity and credential follow-up should derive long-lived automation accounts from
contributors.nixwhere they represent Burrow-operated identities.
Decision
Pending.
References
CONSTITUTION.mdcontributors.nix.forgejo/workflows/release-if-needed.yml.forgejo/workflows/build-release.yml.forgejo/workflows/publish-store-uploads.ymlScripts/version.shScripts/ci/nscloud-cache.shScripts/ci/ensure-nix.shScripts/ci/package-apple-artifacts.shScripts/ci/upload-release-storage.shScripts/ci/upload-package-storage.shScripts/ci/publish-nix-cache.shScripts/ci/backup-garage-to-gcs.shbazel/apple/BUILD.bazelScripts/forgejo-dispatch.shScripts/forgejo-dispatch-via-host.shScripts/grafana-tofu.shScripts/releases-tofu.sh.forgejo/workflows/infra-opentofu.yml.forgejo/workflows/publish-nix-cache.yml.forgejo/workflows/backup-garage-storage.ymlinfra/grafana/infra/releases/nixos/modules/burrow-garage.nixnixos/modules/burrow-observability.nixservices/grafana/dashboards/burrow-overview.jsonservices/grafana/dashboards/headscale.jsonservices/grafana/dashboards/observability.json