vrr/spawn
2
0
Fork 0
mirror of https://github.com/OpenRouterTeam/spawn.git synced 2026-05-19 16:39:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

fix: add sprite-keep-running.sh, remove Hetzner from Packer, cleanup on cancel (#2869)
Some checks are pending
CLI Release / Build and release CLI (push) Waiting to run
Details
Lint / ShellCheck (push) Waiting to run
Details
Lint / Biome Lint (push) Waiting to run
Details
Lint / macOS Compatibility (push) Waiting to run
Details

Browse source 
* fix: destroy orphaned Packer builder instances on workflow cancel

When a Packer Snapshots workflow is cancelled mid-build, Packer's process
is killed before it can clean up its temporary builder droplet/server.
This leaves orphaned packer-* instances running and costing money.

Add `if: cancelled()` cleanup steps for both DigitalOcean and Hetzner
that destroy any packer-* prefixed instances after cancellation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: remove Hetzner cleanup step — only DO needed

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: remove Hetzner from Packer snapshots, add cancel cleanup

Remove Hetzner from the Packer workflow entirely — only DigitalOcean
snapshots are built. Deletes packer/hetzner.pkr.hcl and simplifies the
workflow by removing all Hetzner-specific steps and cloud conditionals.

Also adds a cancelled() cleanup step that destroys orphaned packer-*
builder droplets when a workflow run is cancelled mid-build.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add missing sprite-keep-running.sh script

The keep-alive install was 404ing because sh/shared/sprite-keep-running.sh
never existed in the repo. The TypeScript code downloaded it from the CDN
(which maps to sh/shared/) but the file was never created.

The script wraps a command and pings the sprite's own public URL every 30s
to prevent inactivity shutdown. It resolves the URL via sprite-env info
(available on all sprites) and falls back to exec without keep-alive if
the URL can't be determined.

Also removes Hetzner from the Packer snapshots workflow entirely — only
DigitalOcean snapshots are built.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address security review — scope cleanup filter, fix JSON injection

1. Add `spawn-packer` tag to DO builder droplets in Packer template and
   filter cleanup by tag instead of broad `packer-` name prefix. Prevents
   accidentally destroying builder instances from other concurrent builds.

2. Use `jq --arg` for SINGLE_AGENT_INPUT instead of string interpolation
   to prevent JSON injection via crafted agent names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Ahmed Abushagur 2026-03-22 11:13:38 -07:00 committed by GitHub
parent 87f49eba48
commit 66a1749b4b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 82 additions and 231 deletions
Download patch file Download diff file Expand all files Collapse all files

99
.github/workflows/packer-snapshots.yml vendored
View file

@ -10,14 +10,6 @@ on:
description: "Single agent to build (leave empty for all)"
required: false
type: string
cloud:
description: "Cloud to build for (leave empty for all)"
required: false
type: choice
options:
- ""
- digitalocean
- hetzner
permissions:
contents: read
@ -33,30 +25,22 @@ jobs:
- id: set
run: |
SINGLE_AGENT="${SINGLE_AGENT_INPUT}"
SINGLE_CLOUD="${SINGLE_CLOUD_INPUT}"
if [ -n "$SINGLE_AGENT" ]; then
AGENTS="[\"${SINGLE_AGENT}\"]"
AGENTS=$(jq -nc --arg agent "$SINGLE_AGENT" '[$agent]')
else
AGENTS=$(jq -c 'keys' packer/agents.json)
fi
if [ -n "$SINGLE_CLOUD" ]; then
CLOUDS="[\"${SINGLE_CLOUD}\"]"
else
CLOUDS='["digitalocean","hetzner"]'
fi
# Build a flat include array: [{agent, cloud}, ...]
INCLUDE=$(jq -nc --argjson agents "$AGENTS" --argjson clouds "$CLOUDS" \
'[$agents[] as $a | $clouds[] as $c | {agent: $a, cloud: $c}]')
INCLUDE=$(jq -nc --argjson agents "$AGENTS" \
'[$agents[] as $a | {agent: $a, cloud: "digitalocean"}]')
echo "include=${INCLUDE}" >> "$GITHUB_OUTPUT"
env:
SINGLE_AGENT_INPUT: ${{ inputs.agent }}
SINGLE_CLOUD_INPUT: ${{ inputs.cloud }}
build:
name: "${{ matrix.cloud }}/${{ matrix.agent }}"
name: "digitalocean/${{ matrix.agent }}"
needs: matrix
runs-on: ubuntu-latest
strategy:
@ -82,10 +66,9 @@ jobs:
version: latest
- name: Init Packer plugins
run: packer init packer/${{ matrix.cloud }}.pkr.hcl
run: packer init packer/digitalocean.pkr.hcl
- name: Generate variables file (DigitalOcean)
if: matrix.cloud == 'digitalocean'
- name: Generate variables file
run: |
jq -n \
--arg token "$DO_API_TOKEN" \
@ -104,31 +87,34 @@ jobs:
TIER: ${{ steps.config.outputs.tier }}
INSTALL_COMMANDS: ${{ steps.config.outputs.install }}
- name: Generate variables file (Hetzner)
if: matrix.cloud == 'hetzner'
run: |
jq -n \
--arg token "$HCLOUD_TOKEN" \
--arg agent "$AGENT_NAME" \
--arg tier "$TIER" \
--argjson install "$INSTALL_COMMANDS" \
'{
hcloud_token: $token,
agent_name: $agent,
cloud_init_tier: $tier,
install_commands: $install
}' > packer/auto.pkrvars.json
env:
HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
AGENT_NAME: ${{ matrix.agent }}
TIER: ${{ steps.config.outputs.tier }}
INSTALL_COMMANDS: ${{ steps.config.outputs.install }}
- name: Build snapshot
run: packer build -var-file=packer/auto.pkrvars.json packer/${{ matrix.cloud }}.pkr.hcl
run: packer build -var-file=packer/auto.pkrvars.json packer/digitalocean.pkr.hcl
- name: Cleanup old DO snapshots
if: success() && matrix.cloud == 'digitalocean'
# When a workflow is cancelled, Packer is killed before it can destroy
# the temporary builder droplet — leaving orphaned instances.
- name: Destroy orphaned builder droplets
if: cancelled()
run: |
# Filter by spawn-packer tag to avoid destroying builder droplets from other workflows
DROPLET_IDS=$(curl -s -H "Authorization: Bearer ${DO_API_TOKEN}" \
"https://api.digitalocean.com/v2/droplets?per_page=200&tag_name=spawn-packer" \
| jq -r '.droplets[].id')
if [ -z "$DROPLET_IDS" ]; then
echo "No orphaned packer builder droplets found"
exit 0
fi
for ID in $DROPLET_IDS; do
echo "Destroying orphaned builder droplet: ${ID}"
curl -s -X DELETE -H "Authorization: Bearer ${DO_API_TOKEN}" \
"https://api.digitalocean.com/v2/droplets/${ID}" || true
done
env:
DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
- name: Cleanup old snapshots
if: success()
run: |
PREFIX="spawn-${AGENT_NAME}-"
SNAPSHOTS=$(curl -s -H "Authorization: Bearer ${DO_API_TOKEN}" \
@ -145,27 +131,8 @@ jobs:
DO_API_TOKEN: ${{ secrets.DO_API_TOKEN }}
AGENT_NAME: ${{ matrix.agent }}
- name: Cleanup old Hetzner snapshots
if: success() && matrix.cloud == 'hetzner'
run: |
PREFIX="spawn-${AGENT_NAME}-"
# Hetzner Packer sets snapshot_name → description field in the API
SNAPSHOTS=$(curl -s -H "Authorization: Bearer ${HCLOUD_TOKEN}" \
"https://api.hetzner.cloud/v1/images?type=snapshot&per_page=100" \
| jq -r --arg prefix "$PREFIX" \
'[.images[] | select(.description | startswith($prefix))] | sort_by(.created) | reverse | .[1:] | .[].id')
for ID in $SNAPSHOTS; do
echo "Deleting old snapshot: ${ID}"
curl -s -X DELETE -H "Authorization: Bearer ${HCLOUD_TOKEN}" \
"https://api.hetzner.cloud/v1/images/${ID}" || true
done
env:
HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }}
AGENT_NAME: ${{ matrix.agent }}
- name: Submit to DO Marketplace
if: success() && matrix.cloud == 'digitalocean'
if: success()
run: |
# Skip if no marketplace app IDs configured
if [ -z "$MARKETPLACE_APP_IDS" ]; then