superserve-ai · meAmitPatil · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/.github/workflows/deploy-proxy.yml b/.github/workflows/deploy-proxy.yml
@@ -0,0 +1,172 @@
+name: Deploy Proxy
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - 'cmd/proxy/**'
+      - 'internal/proxy/**'
+      - 'deploy/proxy.service'
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: staging
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Build proxy binary
+        run: |
+          mkdir -p bin
+          CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags '-s -w' -o bin/proxy ./cmd/proxy
+
+      - name: Authenticate to GCP
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Discover and deploy proxy to VMD instances
+        env:
+          GCP_PROJECT: ${{ vars.GCP_PROJECT }}
+          VMD_LABEL: ${{ vars.VMD_LABEL }}
+          VMD_INSTALL_DIR: ${{ vars.VMD_INSTALL_DIR }}
+          SHA: ${{ github.sha }}
+          SANDBOX_ACCESS_TOKEN_SEED: ${{ secrets.SANDBOX_ACCESS_TOKEN_SEED_STAGING }}
+          TERMINAL_ALLOWED_ORIGINS: ${{ vars.TERMINAL_ALLOWED_ORIGINS_STAGING }}
+          REQUIRE_DATA_PLANE: ${{ vars.REQUIRE_DATA_PLANE_STAGING }}
+        run: |
+          python3 - <<'PYEOF'
+          import os, sys, subprocess, textwrap
+          from concurrent.futures import ThreadPoolExecutor, as_completed
+          import re as _re
+
+          project     = os.environ['GCP_PROJECT']
+          label       = os.environ.get('VMD_LABEL', 'component=vmd')
+          install_dir = os.environ.get('VMD_INSTALL_DIR', '/usr/local/bin')
+          sha         = os.environ['SHA'][:8]
+
+          access_seed = os.environ.get('SANDBOX_ACCESS_TOKEN_SEED', '')
+          if access_seed and not _re.fullmatch(r'[0-9a-fA-F]{64,}', access_seed):
+              print('ERROR: SANDBOX_ACCESS_TOKEN_SEED must be hex-encoded, >= 32 bytes (64 hex chars)', file=sys.stderr)
+              sys.exit(1)
+          terminal_origins = os.environ.get('TERMINAL_ALLOWED_ORIGINS', '')
+          if terminal_origins and not _re.fullmatch(r'[A-Za-z0-9.,:/*\-]+', terminal_origins):
+              print('ERROR: TERMINAL_ALLOWED_ORIGINS contains disallowed characters', file=sys.stderr)
+              sys.exit(1)
+          require_data_plane = os.environ.get('REQUIRE_DATA_PLANE', '')
+          if require_data_plane not in ('', '0', '1'):
+              print('ERROR: REQUIRE_DATA_PLANE must be empty, "0", or "1"', file=sys.stderr)
+              sys.exit(1)
+
+          result = subprocess.run([
+              'gcloud', 'compute', 'instances', 'list',
+              f'--project={project}',
+              f'--filter=labels.{label} AND status=RUNNING',
+              '--format=csv[no-heading](name,zone)',
+          ], capture_output=True, text=True, check=True)
+
+          instances = [
+              {'name': r[0], 'zone': r[1]}
+              for line in result.stdout.strip().splitlines()
+              if line.strip()
+              for r in [line.strip().split(',')]
+          ]
+
+          if not instances:
+              print(f'No instances with label {label} found in {project}', file=sys.stderr)
+              sys.exit(1)
+
+          print(f'Deploying proxy to {len(instances)} instance(s)')
+
+          def deploy(inst):
+              name, zone = inst['name'], inst['zone']
+              tag = f'{name}/{zone}'
+
+              for src, dst in [
+                  ('bin/proxy', f'/tmp/proxy-{sha}'),
+                  ('deploy/proxy.service', '/tmp/proxy.service'),
+              ]:
+                  subprocess.run([
+                      'gcloud', 'compute', 'scp', src, f'{name}:{dst}',
+                      f'--zone={zone}', f'--project={project}',
+                      '--quiet', '--tunnel-through-iap',
+                  ], check=True, capture_output=True)
+              print(f'[{tag}] proxy uploaded')
+
+              # Deploy proxy only. VMD is NOT restarted.
+              deploy_script = textwrap.dedent(f'''
+                  set -euo pipefail
+
+                  sudo mv /tmp/proxy-{sha} {install_dir}/proxy
+                  sudo chmod +x {install_dir}/proxy
+
+                  sudo mv /tmp/proxy.service /etc/systemd/system/proxy.service
+                  sudo systemctl daemon-reload
+                  sudo systemctl enable proxy
+
+                  sudo mkdir -p /etc/sandbox
+                  if [ -n "{access_seed}" ]; then
+                      sudo tee /etc/sandbox/proxy.env > /dev/null <<PROXYENV
+                  SANDBOX_ACCESS_TOKEN_SEED={access_seed}
+                  TERMINAL_ALLOWED_ORIGINS={terminal_origins}
+                  REQUIRE_DATA_PLANE={require_data_plane}
+                  PROXYENV
+                      sudo chmod 0600 /etc/sandbox/proxy.env
+                  fi
+
+                  sudo systemctl restart proxy
+                  sleep 3
+                  sudo systemctl is-active --quiet proxy || (
+                      echo "ERROR: proxy failed to become active after restart" >&2
+                      sudo systemctl status --no-pager proxy >&2 || true
+                      sudo journalctl -u proxy --no-pager -n 40 >&2 || true
+                      exit 1
+                  )
+              ''')
+              r = subprocess.run([
+                  'gcloud', 'compute', 'ssh', name,
+                  f'--zone={zone}', f'--project={project}',
+                  '--quiet', '--tunnel-through-iap',
+                  '--command', deploy_script,
+              ], capture_output=True, text=True)
+              if r.returncode != 0:
+                  raise RuntimeError(
+                      f'proxy not healthy\n'
+                      f'--- stdout ---\n{r.stdout}\n'
+                      f'--- stderr ---\n{r.stderr}'
+                  )
+              print(f'[{tag}] proxy active')
+
+          failed = []
+          with ThreadPoolExecutor(max_workers=len(instances)) as ex:
+              futures = {ex.submit(deploy, inst): inst for inst in instances}
+              for f in as_completed(futures):
+                  inst = futures[f]
+                  try:
+                      f.result()
+                  except Exception as e:
+                      tag = f"{inst['name']}/{inst['zone']}"
+                      print(f'[{tag}] FAILED: {e}', file=sys.stderr)
+                      failed.append(tag)
+
+          if failed:
+              print(f'Deploy failed on: {", ".join(failed)}', file=sys.stderr)
+              sys.exit(1)
+
+          print(f'Deployed proxy to {len(instances)} instance(s). sha={sha}')
+          PYEOF