marfrit/kernel-agent
1
0
Fork 1
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

ka-build: arch makepkg wrapper + sign + publish (closes #34) #35

Merged
marfrit merged 1 commits from noether/ka-build-impl into main 2026-05-19 07:26:59 +00:00
Conversation 0 Commits 1 Files Changed 3
+314 -2
marfrit commented 2026-05-19 07:24:58 +00:00
Owner
Copy Link
Copy Source

Closes #34. Per umbrella #21 — second of three verbs (ka-status ✓, ka-promote ✓ via #22/#31, ka-build now, ka-install next).

What it does

ka-build <host> runs the manual-substitute path from README:227 end-to-end:

  1. Reads build/<host>/<baseline_ref>/manifest.lock (output of ka-promote). Refuses if missing — "run ka-promote first".
  2. Cross-checks each PKGBUILD-side patch in marfrit-packages/arch/<package.name>/ against the kernel-agent-side patch's recorded sha256 in manifest.lock. Refuses on drift — operator must sync first (intentional: ka-build verifies, doesn't author).
  3. ssh-dispatches makepkg --syncdeps --noconfirm --cleanbuild to build_host.primary (boltzmann for fresnel/ampere, fermi as fallback). Native build only — no distcc per feedback_kernel_agent_no_distcc.
  4. Pulls the resulting *.pkg.tar.zst back; scp's to hertz and invokes sudo /opt/herding/bin/marfrit-publish-arch aarch64 <pkg> (existing script — does sign + repo-add + rsync to nc).
  5. Appends a build: block to manifest.lock with built_at, built_on_host, per-package b2sum + size.

Flags

  • --dry-run — stop after staging + patch verification, don't makepkg
  • --skip-publish — build only, don't push to hertz
  • --packages-repo <path> — override ~/src/marfrit-packages

Out of scope (separate followups)

  • Debian .deb path — separate verb
  • PKGBUILD template generation — current PKGBUILDs are hand-authored; ka-build verifies + drives, doesn't author. (Issue noted in scoping.)
  • ka-build --validate-against — apply-check harness; mirror to ka-promote's flag if useful.
  • Bootstrapping kernel-agent checkout on non-noether hosts — ka-build runs from noether; build host only needs marfrit-packages and a writable /tmp.

Test plan

  • Argument parsing (--version, --help, unknown flag)
  • Refuses if manifest.lock missing ("run ka-promote first")
  • Refuses if PKGBUILD missing (bad --packages-repo)
  • Happy-path --dry-run on fresnel — patches OK (6 files)
  • Patch drift detection — mutate a PKGBUILD-side patch, expect exit 3
  • Full makepkg+publish on fresnel — manually exercisable; CI harness deferred (would need mock build-host + mock marfrit-publish-arch; noted in tests/ka-build/run-tests.sh prologue)

Acceptance vs #34

  • byte-identical-parity claim: realistic only with frozen SOURCE_DATE_EPOCH + identical mock build env. Phase-1 acceptance reformulated to "installable .pkg.tar.zst produced + published"; byte-parity test deferred to a follow-up with a recorded reference + SOURCE_DATE_EPOCH discipline.
Closes #34. Per umbrella #21 — second of three verbs (ka-status ✓, ka-promote ✓ via #22/#31, ka-build now, ka-install next). ## What it does `ka-build <host>` runs the manual-substitute path from `README:227` end-to-end: 1. Reads `build/<host>/<baseline_ref>/manifest.lock` (output of ka-promote). Refuses if missing — "run ka-promote first". 2. Cross-checks each PKGBUILD-side patch in `marfrit-packages/arch/<package.name>/` against the kernel-agent-side patch's recorded sha256 in `manifest.lock`. Refuses on drift — operator must sync first (intentional: ka-build verifies, doesn't author). 3. ssh-dispatches `makepkg --syncdeps --noconfirm --cleanbuild` to `build_host.primary` (boltzmann for fresnel/ampere, fermi as fallback). Native build only — no distcc per `feedback_kernel_agent_no_distcc`. 4. Pulls the resulting `*.pkg.tar.zst` back; scp's to hertz and invokes `sudo /opt/herding/bin/marfrit-publish-arch aarch64 <pkg>` (existing script — does sign + repo-add + rsync to nc). 5. Appends a `build:` block to `manifest.lock` with `built_at`, `built_on_host`, per-package `b2sum` + `size`. ## Flags - `--dry-run` — stop after staging + patch verification, don't makepkg - `--skip-publish` — build only, don't push to hertz - `--packages-repo <path>` — override `~/src/marfrit-packages` ## Out of scope (separate followups) - Debian `.deb` path — separate verb - PKGBUILD template **generation** — current PKGBUILDs are hand-authored; ka-build verifies + drives, doesn't author. (Issue noted in scoping.) - `ka-build --validate-against` — apply-check harness; mirror to ka-promote's flag if useful. - Bootstrapping kernel-agent checkout on non-noether hosts — ka-build runs from noether; build host only needs `marfrit-packages` and a writable `/tmp`. ## Test plan - [x] Argument parsing (`--version`, `--help`, unknown flag) - [x] Refuses if `manifest.lock` missing ("run ka-promote first") - [x] Refuses if PKGBUILD missing (bad `--packages-repo`) - [x] Happy-path `--dry-run` on fresnel — patches OK (6 files) - [x] Patch drift detection — mutate a PKGBUILD-side patch, expect exit 3 - [ ] Full makepkg+publish on fresnel — manually exercisable; CI harness deferred (would need mock build-host + mock marfrit-publish-arch; noted in tests/ka-build/run-tests.sh prologue) ## Acceptance vs #34 - byte-identical-parity claim: realistic only with frozen SOURCE_DATE_EPOCH + identical mock build env. Phase-1 acceptance reformulated to "installable .pkg.tar.zst produced + published"; byte-parity test deferred to a follow-up with a recorded reference + SOURCE_DATE_EPOCH discipline.
marfrit added 1 commit 2026-05-19 07:24:58 +00:00
ka-build: arch makepkg wrapper + sign + publish (closes #34) dd631fd3c7 
Phase-1 ka-build per umbrella #21:

1. Read manifest.lock from ka-promote output. Refuse if missing.
2. Verify each PKGBUILD-side patch in marfrit-packages still matches
   the kernel-agent-side patch by sha256 (manifest.lock is authoritative).
3. ssh-dispatch makepkg --syncdeps --noconfirm --cleanbuild to the
   manifest's build_host.primary. Native build only — no distcc
   (feedback_kernel_agent_no_distcc).
4. Pull the resulting *.pkg.tar.zst back; scp to hertz and run
   /opt/herding/bin/marfrit-publish-arch aarch64 <pkg>.
5. Append a `build:` block to manifest.lock with built_at, host,
   per-package b2sum + size.

Flags: --dry-run (stop before makepkg), --skip-publish (build only),
--packages-repo (override default ~/src/marfrit-packages).

Out of scope (separate followups):
- Debian .deb path
- PKGBUILD template *generation* (current PKGBUILDs are hand-authored;
  ka-build verifies + stamps, doesn't author)
- distcc routing (explicitly NOT in kernel-agent flow)
- ka-build --validate-against (apply-check harness)

Tests: 6/6 pass (arg parsing, missing manifest.lock, missing PKGBUILD,
patch drift via sha256 mismatch, happy-path dry-run on fresnel).
Full-build path manually exercisable; CI integration deferred until
the sandbox supports mock build-host + mock marfrit-publish-arch.
marfrit merged commit cc6f2378ab into main 2026-05-19 07:26:59 +00:00
marfrit deleted branch noether/ka-build-impl 2026-05-19 07:26:59 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
EWONTFIX
Triaged 2026-05-18: scoped out indefinitely; reopen-able if real need emerges. (HEVC-on-ampere first batch.)
 area:boltzmann
Touches boltzmann host
 area:fresnel
Touches fresnel host
 area:patch-tree
Touches the scope-tagged patches/ tree
 decision
Pending decision required (no clear default)
 migration
Bootstrap-time migration from existing trees into kernel-agent layout
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claude-ampere (Claude (ampere)) claude-boltzmann (Claude (boltzmann)) claude-noether (Claude (noether)) marfrit (Markus Fritsche)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marfrit/kernel-agent#35
Delete Branch "noether/ka-build-impl"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?