ci: add integration tests

[austinvazquez]

No description provided.

[Copilot]

Pull request overview

This PR adds a new integration test job to the CI workflow to improve test coverage by running integration tests in the build pipeline.

Key changes:

• Added a new integration job to the GitHub Actions workflow
• Configured the job to build the project and run integration tests using Go

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[austinvazquez]

Downgrade to 6.12.44 (from #74)

[Copilot]

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The variable name OS may conflict with environment variables or built-in variables in some shells. Consider renaming it to HOST_OS for clarity and consistency with the HOST_OS variable used in the docker-bake.hcl file.

Suggested change

	OS ?= $(shell uname -s | tr '[:upper:]' '[:lower:]')
	ARCH ?= $(shell uname -m)
	export PLATFORM ?= $(OS)/$(ARCH)
	HOST_OS ?= $(shell uname -s | tr '[:upper:]' '[:lower:]')
	ARCH ?= $(shell uname -m)
	export PLATFORM ?= $(HOST_OS)/$(ARCH)

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

The build target exports ARCH=$(ARCH) from uname -m (e.g., x86_64, aarch64) into docker-bake.hcl, but the bake file’s ARCH variable is used as a Docker/Go arch (amd64/arm64). This mismatch makes kernelArch() return unknown (and may set GOARCH to an invalid value), breaking builds. Normalize ARCH before passing it (e.g., map x86_64->amd64, aarch64/arm64->arm64), or pass a separate variable for kernel arch vs Go/Docker arch.

[Copilot]

_common.args forcibly sets TARGETARCH = ARCH. Buildx already provides TARGETARCH based on the build platform; overriding it with a custom variable (defaulting to amd64) will produce incorrect artifacts on non-amd64 runners unless every workflow explicitly sets ARCH. If you need a separate knob for kernel naming, consider not overriding TARGETARCH and instead pass only KERNEL_ARCH, or ensure ARCH is always set to amd64/arm64 in all callers (including CI).

Suggested change

TARGETARCH = ARCH

[Copilot]

This step runs docker buildx bake host-binaries guest-binaries without setting ARCH (or HOST_OS). Because docker-bake.hcl defaults ARCH to amd64 and also overrides TARGETARCH, the arm64 matrix job will build amd64 guest artifacts (notably nerdbox-initrd), causing VM startup/tests to fail. Export ARCH/HOST_OS for this step (or stop overriding TARGETARCH in the bake file so Buildx can set it correctly).

Suggested change

	echo "Building host and guest binaries:"
	echo "Building host and guest binaries:"
	if [ "${{ matrix.arch }}" = "x86_64" ]; then
	export ARCH=amd64
	else
	export ARCH=arm64
	fi
	export HOST_OS=linux
	echo "Using ARCH=${ARCH}, HOST_OS=${HOST_OS}"

[Copilot]

Starting containerd with sudo nohup containerd ... & is likely to conflict with any existing containerd already running on the runner (default socket /run/containerd/containerd.sock), and the health check (ctr version) will succeed even if it’s talking to the pre-existing daemon. To make the installed version deterministic, start containerd on an isolated socket/address (and point ctr to it) or stop/disable the preinstalled service before starting the downloaded binary.

[Copilot]

The downloaded containerd tarball is installed without any integrity verification (checksum/signature). For supply-chain safety, verify the archive against published checksums (or use a provenance-verified source) before extracting as root.

[Copilot]

OS is now normalized to lowercase ("linux"/"darwin"), but later logic still relies on title-cased OS keys (e.g., LDFLAGS_*_Linux/LDFLAGS_*_Darwin and ifeq ($(OS),Darwin)). With the new OS value, $(LDFLAGS_$(ARCH)_$(OS)) will not resolve and the Darwin codesign blocks will never run. Consider either keeping OS in the original casing, or updating the LDFLAGS variable names and all OS comparisons to match the lowercase convention.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

kernelArch() only handles ARCH values amd64 and arm64. If ARCH is set to common host values like x86_64 or aarch64, it returns "unknown", which will later make the kernel build fail (e.g., missing kernel/config-<version>-unknown). Consider either accepting x86_64/aarch64 here (mapping aarch64 -> arm64) or returning ARCH by default instead of "unknown" so local builds don’t break when ARCH comes from uname -m.

Suggested change

	result = ARCH == "amd64" ? "x86_64" : (ARCH == "arm64" ? "arm64" : "unknown")
	result = ARCH == "amd64" || ARCH == "x86_64" ? "x86_64" : (ARCH == "arm64" || ARCH == "aarch64" ? "arm64" : ARCH)

[Copilot]

CONTAINERD_PID=$! here captures the PID of the backgrounded sudo process, not the actual containerd daemon PID. This makes /var/run/containerd.pid misleading and can break any cleanup logic that relies on it. Consider starting containerd via sudo sh -c and writing the real child PID, or drop PID-file creation and rely on pgrep/pkill consistently.

Suggested change

	# Start containerd in background with logging
	sudo nohup containerd > /var/log/containerd/containerd.log 2>&1 &
	CONTAINERD_PID=$!
	echo "Containerd started with PID: $CONTAINERD_PID"
	# Save PID for cleanup
	echo "$CONTAINERD_PID" | sudo tee /var/run/containerd.pid
	# Start containerd in background with logging and save its PID
	sudo sh -c 'nohup containerd > /var/log/containerd/containerd.log 2>&1 & echo $! > /var/run/containerd.pid'
	CONTAINERD_PID=$(sudo cat /var/run/containerd.pid)
	echo "Containerd started with PID: $CONTAINERD_PID"
	# PID is saved for cleanup in /var/run/containerd.pid

[Copilot]

This composite action performs its own actions/checkout, but both callers in this PR (ci.yml and build-kernel.yml) already check out the repo before invoking it. That duplicates work and can also override any checkout options the caller intended (sparse checkout, submodules, custom path, etc.). Prefer removing checkout from the action and requiring callers to checkout, or make it explicitly optional via an input/flag.

Suggested change

	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

[Copilot]

The integration workflow starts a containerd daemon via ./.github/actions/setup-containerd, but the current go test ./integration/... suite doesn’t appear to talk to containerd (it exercises VM + ttrpc APIs directly). If containerd isn’t required, consider removing this setup to reduce CI time/complexity; if it is required, consider adding/adjusting integration tests so the dependency is validated (otherwise failures here may be confusing and unrelated to the tests).

Suggested change

	- name: Validate containerd is running
	run: |
	echo "Validating containerd is running and responsive..."
	# Check containerd version via ctr; this will fail clearly if containerd is not healthy
	sudo ctr version

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

This step will silently set empty outputs if the grep doesn’t match (because there’s no set -e/validation). That would cause downstream jobs to use empty version strings. Consider enabling set -euo pipefail and explicitly failing when kernel_version or containerd_version is empty.

Suggested change

	kernel_version=$(grep -E '^kernel [0-9.]+$' .github/.tool-versions | sed -E 's/^kernel ([0-9.]+)$/\1/')
	echo "kernel-version=${kernel_version}" >> $GITHUB_OUTPUT
	containerd_version=$(grep -E '^containerd [0-9.]+$' .github/.tool-versions | sed -E 's/^containerd ([0-9.]+)$/\1/')
	echo "containerd-version=${containerd_version}" >> $GITHUB_OUTPUT
	set -euo pipefail
	kernel_version="$(awk '/^kernel [0-9.]+$/ {print $2}' .github/.tool-versions)"
	if [ -z "${kernel_version}" ]; then
	echo "Failed to determine kernel version from .github/.tool-versions" >&2
	exit 1
	fi
	echo "kernel-version=${kernel_version}" >> "${GITHUB_OUTPUT}"
	containerd_version="$(awk '/^containerd [0-9.]+$/ {print $2}' .github/.tool-versions)"
	if [ -z "${containerd_version}" ]; then
	echo "Failed to determine containerd version from .github/.tool-versions" >&2
	exit 1
	fi
	echo "containerd-version=${containerd_version}" >> "${GITHUB_OUTPUT}"

[Copilot]

build-kernels checks out the repo, but the referenced ./.github/actions/build-kernel composite action also performs a checkout. This duplicates work and can be confusing if different checkout options are needed. Consider removing one of the checkouts (either rely on the workflow checkout or have the action assume the workspace is already checked out).

Suggested change

- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

[Copilot]

This workflow checks out the repo, but the ./.github/actions/build-kernel composite action also checks out the repo, resulting in a redundant checkout. Consider keeping checkout in one place (workflow or action) to reduce runtime and avoid inconsistent checkout behavior.

Suggested change

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

[Copilot]

The Go version in .github/.tool-versions (used by CI via go-version-file) differs from the Go version pinned in the Dockerfile (GO_VERSION). This can lead to CI/test results not matching Docker-based builds. Consider aligning these versions (or documenting why they intentionally differ).