feat(ci): add shadow-rust-native-build workflow for OS-49 Phase 4 (PR 4a)

[jtoelke2]

Summary

OS-49 Phase 4 / PR 4a — non-blocking shadow workflow that builds openshell-gateway and openshell-sandbox natively per-arch on the nv-gha-runners shared CPU pool with a GHA-backed sccache, and uploads the resulting binaries as artifacts.

The artifacts are shaped exactly for the BINARY_SOURCE=prebuilt path that landed in #945 — one binary per (component, arch), uploaded as rust-binary-{gateway,sandbox}-linux-{amd64,arm64}, staged inside the artifact at prebuilt-binaries/<arch>/openshell-{gateway,sandbox}. PR 4c will wire these into docker-build.yml via actions/download-artifact, flip the Dockerfile default to BINARY_SOURCE=prebuilt, and delete the Rust RUN cargo build stages.

Related Issue

• OS-128 — Phase 4 parent
• Reuses the per-arch native build pattern from feat(release): publish standalone openshell-gateway binaries #853
• Follows the shadow convention from feat(ci): add shadow-shared-cpu-spike workflow for OS-49 Phase 2 #934 (Phase 2) and feat(ci): add shadow-docker-build workflow for OS-49 Phase 3 #964 (Phase 3)

Changes

• .github/workflows/shadow-rust-native-build.yml (new, 154 lines):
  • Matrix: component={gateway,sandbox} × arch={amd64,arm64} → 4 jobs, fail-fast: false.
  • Runners: linux-{amd64,arm64}-cpu8 (Phase 2-validated).
  • Container: ghcr.io/nvidia/openshell/ci:latest.
  • sccache via mozilla-actions/sccache-action with SCCACHE_GHA_VERSION partitioned per (component, arch) to avoid the 409-Conflict collisions that PR fix(ci): partition GHA sccache cache per arch in shadow spike #961 fixed for Phase 2.
  • Version injection: uv run python tasks/scripts/release.py get-version --cargo + sed on [workspace.package] in Cargo.toml (same as docker-build.yml and release-dev.yml).
  • Build: cargo build --release --target <triple> -p <crate> --bin <binary> --features openshell-core/dev-settings (matches docker-build.yml's default EXTRA_CARGO_FEATURES so artifacts are interchangeable with the in-Docker build's output for PR 4c).
  • Verify step: --version grep + ldd --version + ldd <bin> diagnostics (so glibc drift from the Ubuntu noble runtime base image is visible in the logs).
  • Artifact upload with if-no-files-found: error, 5-day retention.

Testing

• Static review: Cargo.toml [workspace.package] matches the sed pattern; openshell-server + openshell-sandbox both have [[bin]] entries matching openshell-gateway / openshell-sandbox; both depend on openshell-core directly so --features openshell-core/dev-settings propagates; tasks/scripts/release.py get-version --cargo exists.
• license:check passes.
• Dispatch plan after merge: 4-5 runs via workflow_dispatch to collect cold + warm wall times and sccache hit rates, recorded on OS-128.

Checklist

• Conventional commit format, signed-off.
• License header present.
• Trigger scoped to workflow_dispatch + push-to-main (non-blocking; required-check list untouched).
• No changes to any existing workflow, action, or Cargo file.
• Decision thresholds will be recorded on OS-128 after dispatch runs.
• PR 4c (flip default + delete Rust build stages) opens once dispatch numbers land.

Notes

Draft until the first dispatch completes and the wall-time / sccache-hit numbers look sane. Then ready for review.

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.