diff --git a/.gitea/workflows/windows-drivers-provision.yml b/.gitea/workflows/windows-drivers-provision.yml deleted file mode 100644 index d590bd1..0000000 --- a/.gitea/workflows/windows-drivers-provision.yml +++ /dev/null @@ -1,27 +0,0 @@ -# One-shot provisioning of the WDK + cargo-wdk onto the persistent self-hosted windows-amd64 runner, so -# the all-Rust UMDF drivers can build there (design/windows-host-rewrite.md, M0). The runner has the base -# Windows SDK + MSVC + LLVM + Rust but NOT the WDK (no km/wdf/iddcx headers) or cargo-wdk. -# -# Dispatch manually (workflow_dispatch). Idempotent: re-running is a near no-op once provisioned. The -# install persists on the runner (real box, not an ephemeral container), so this runs once, not per build. -name: windows-drivers-provision - -on: - workflow_dispatch: - push: - branches: [main] - paths: - - 'scripts/ci/provision-windows-wdk.ps1' - - '.gitea/workflows/windows-drivers-provision.yml' - -jobs: - provision: - runs-on: windows-amd64 - timeout-minutes: 60 - defaults: - run: - shell: pwsh - steps: - - uses: actions/checkout@v4 - - name: Install WDK + cargo-wdk on the runner - run: ./scripts/ci/provision-windows-wdk.ps1 diff --git a/.gitea/workflows/windows-drivers.yml b/.gitea/workflows/windows-drivers.yml index a77c025..00d0cd5 100644 --- a/.gitea/workflows/windows-drivers.yml +++ b/.gitea/workflows/windows-drivers.yml @@ -1,5 +1,5 @@ -# Windows driver workspace CI — runs on the self-hosted Windows runner (home-windows-1, host mode; -# label windows-amd64). Part of the Windows-host rewrite (design/windows-host-rewrite.md, M0). +# Windows driver workspace CI — runs on a self-hosted Windows runner (home-windows-runner-1, host +# mode; label windows-amd64). Part of the Windows-host rewrite (design/windows-host-rewrite.md, M0). # # Stage 1 (this file): PROBE the runner's driver toolchain (WDK / EWDK / cargo-make / LLVM / the # inf2cat/stampinf/devgen/signtool tools) so we know what's provisioned BEFORE writing driver code, @@ -26,7 +26,8 @@ on: - 'crates/pf-driver-proto/**' - 'packaging/windows/drivers/**' -# Driver builds need the WDK on the runner (provision once via windows-drivers-provision.yml). +# Driver builds need the WDK on the runner - the driver-build job below self-provisions it via +# scripts/ci/ensure-windows-toolchain.ps1, a fast no-op once already present. jobs: probe-and-proto: @@ -124,11 +125,12 @@ jobs: # retired that — see design/windows-build-and-packaging.md. steps: - uses: actions/checkout@v4 - - name: Ensure WDK + cargo-wdk (idempotent self-provision) - # Run the provisioning script here too so driver-build is self-sufficient and never races a - # separate provision run on the single runner. Path is relative to the job working-directory - # (packaging/windows/drivers). Near-noop once the toolchain is present. - run: ../../../scripts/ci/provision-windows-wdk.ps1 + - name: Ensure Windows toolchain (WDK, FFmpeg, Inno Setup, ARM64 target) + # Shared self-provision step (also used by windows.yml/windows-msix.yml/windows-host.yml) so + # driver-build is self-sufficient on any windows-amd64 runner and never races a manually + # dispatched provisioning workflow landing on a different one. Path is relative to the job + # working-directory (packaging/windows/drivers). Near-noop once the toolchain is present. + run: ../../../scripts/ci/ensure-windows-toolchain.ps1 - name: cargo build the driver workspace (wdk-probe + wdk-iddcx + pf-vdisplay) # Whole workspace: wdk-probe (toolchain/surface-assert probe) + wdk-iddcx (DDI wrappers) + # pf-vdisplay (the real IddCx driver). pf-vdisplay linking proves the IddCx call sites resolve diff --git a/.gitea/workflows/windows-host.yml b/.gitea/workflows/windows-host.yml index cd35936..353972b 100644 --- a/.gitea/workflows/windows-host.yml +++ b/.gitea/workflows/windows-host.yml @@ -1,8 +1,9 @@ # Build the punktfunk Windows HOST as a signed Inno Setup installer and publish it to Gitea's generic # package registry, so a Windows GPU box can install the streaming host (SYSTEM service + bundled # pf-vdisplay virtual-display driver + the web management console, run by a scheduled task on a bundled -# bun) from one signed setup.exe. Runs on the self-hosted Windows runner -# (host mode; scripts/ci/setup-windows-runner.ps1) — same MSVC/Windows-SDK/LLVM env as windows.yml. +# bun) from one signed setup.exe. Runs on a self-hosted windows-amd64 runner +# (host mode; same MSVC/Windows-SDK/LLVM env as windows.yml — generic from unom/infra's +# windows-runner/, FFmpeg/Inno Setup self-provision via the "Ensure Windows toolchain" step below). # # Why an installer and not MSIX (like the client): the host installs a LocalSystem SCM service that # CreateProcessAsUserW's into the interactive session for secure-desktop capture, and bundles a @@ -57,6 +58,10 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Ensure Windows toolchain (WDK, FFmpeg, Inno Setup, ARM64 target) + shell: pwsh + run: ./scripts/ci/ensure-windows-toolchain.ps1 + - name: Locale-safety gate (installer-run scripts must be ASCII) shell: pwsh # The installer runs these via powershell.exe (Windows PowerShell 5.1) and cmd.exe on the END @@ -82,7 +87,7 @@ jobs: "CARGO_TARGET_DIR=C:\t" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8 "CARGO_WORKSPACE_DIR=$env:GITHUB_WORKSPACE" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8 # FFMPEG_DIR: the same BtbN lgpl-shared x64 tree the Windows CLIENT links against (provisioned - # by scripts/ci/setup-windows-runner.ps1). The host's AMD/Intel AMF/QSV encode backend + # by scripts/ci/provision-windows-punktfunk-extras.ps1). The host's AMD/Intel AMF/QSV encode backend # (--features amf-qsv) link-imports avcodec/avutil/swscale from it; pack-host-installer.ps1 # then bundles its bin\*.dll into the installer. LIBCLANG_PATH is in the runner daemon env. if (-not $env:FFMPEG_DIR) { @@ -125,14 +130,6 @@ jobs: cargo clippy --release -- -D warnings; if ($LASTEXITCODE) { throw "pf-vkhdr-layer clippy" } Pop-Location - - name: Ensure Inno Setup - shell: pwsh - run: | - if (-not (Test-Path 'C:\Program Files (x86)\Inno Setup 6\ISCC.exe') -and -not (Get-Command iscc -ErrorAction SilentlyContinue)) { - Write-Output "installing Inno Setup via choco" - choco install innosetup -y --no-progress - } - - name: Fetch portable bun runtime (build tool + bundled to run the console) shell: pwsh run: | diff --git a/.gitea/workflows/windows-msix.yml b/.gitea/workflows/windows-msix.yml index fc516cc..520f8db 100644 --- a/.gitea/workflows/windows-msix.yml +++ b/.gitea/workflows/windows-msix.yml @@ -1,8 +1,9 @@ # Build the punktfunk Windows client as signed MSIX packages (x64 + ARM64) and publish them to # Gitea's generic package registry, so Windows boxes can download + install a real package (Start -# tile, clean install/uninstall) instead of a loose exe. Runs on the self-hosted Windows runner -# (host mode; scripts/ci/setup-windows-runner.ps1) — the MSVC/WinUI/FFmpeg toolchain + the Windows -# SDK's makeappx/signtool are baked into the runner's daemon env, same as windows.yml. +# tile, clean install/uninstall) instead of a loose exe. Runs on a self-hosted windows-amd64 +# runner (host mode; the MSVC/WinUI toolchain comes from unom/infra's windows-runner/, FFmpeg +# self-provisions via the "Ensure Windows toolchain" step below, same as windows.yml) — the +# Windows SDK's makeappx/signtool are baked into the runner's daemon env. # # Both arches come off the ONE x64 runner: x86_64 natively, aarch64 cross-compiled (the x64 MSVC # toolset has the ARM64 cross compiler; the matrix points FFMPEG_DIR at the ARM64 FFmpeg tree). See @@ -62,6 +63,10 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Ensure Windows toolchain (WDK, FFmpeg, Inno Setup, ARM64 target) + shell: pwsh + run: ./scripts/ci/ensure-windows-toolchain.ps1 + - name: Configure + version shell: pwsh run: | diff --git a/.gitea/workflows/windows.yml b/.gitea/workflows/windows.yml index b7f3048..5e25039 100644 --- a/.gitea/workflows/windows.yml +++ b/.gitea/workflows/windows.yml @@ -1,5 +1,8 @@ -# Windows client CI — runs on the self-hosted Windows runner (home-windows-1, host mode; see -# scripts/ci/setup-windows-runner.ps1). Build + clippy + fmt + test the WinUI 3 client +# Windows client CI — runs on a self-hosted windows-amd64 runner (host mode; the generic runner + +# toolchain come from unom/infra's windows-runner/; punktfunk's own extras - FFmpeg, WDK, Inno +# Setup, the ARM64 rustup target - self-provision via the "Ensure Windows toolchain" step below, a +# fast no-op once already present, so any runner with that label works with no manual dispatch +# step first). Build + clippy + fmt + test the WinUI 3 client # (windows-reactor + D3D11/SwapChainPanel + WASAPI + SDL3). # # Two architectures from ONE x64 runner: x86_64-pc-windows-msvc natively and @@ -61,6 +64,10 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Ensure Windows toolchain (WDK, FFmpeg, Inno Setup, ARM64 target) + shell: pwsh + run: ./scripts/ci/ensure-windows-toolchain.ps1 + - name: Configure + toolchain versions shell: pwsh run: | @@ -68,7 +75,7 @@ jobs: # Per-arch short target root (dodges MAX_PATH; keeps the two legs from sharing target\). $td = if ('${{ matrix.target }}' -eq 'aarch64-pc-windows-msvc') { 'C:\t-a64' } else { 'C:\t' } "CARGO_TARGET_DIR=$td" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8 - # Per-arch FFmpeg import libs (the runner provisions both — setup-windows-runner.ps1). + # Per-arch FFmpeg import libs (provision-windows-punktfunk-extras.ps1 fetches both). $ff = if ('${{ matrix.target }}' -eq 'aarch64-pc-windows-msvc') { 'C:\Users\Public\ffmpeg-arm64' } else { 'C:\Users\Public\ffmpeg' } "FFMPEG_DIR=$ff" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8 rustup target add ${{ matrix.target }} diff --git a/CLAUDE.md b/CLAUDE.md index 18d05f6..4bfc3c3 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -285,7 +285,25 @@ clients are deliberately NOT containerized); `apple.yml` builds the xcframework provisioned by `scripts/ci/setup-macos-runner.sh`). Per-client/host release workflows: `deb.yml`/`rpm.yml`/`flatpak.yml` (Linux client), `android.yml` (Google Play), `windows-msix.yml` (Windows client), `windows-host.yml` (Windows host installer), `release.yml` (Apple notarized DMG + -TestFlight), `decky.yml` (Steam Deck plugin); Windows builds run on a self-hosted Windows runner. +TestFlight), `decky.yml` (Steam Deck plugin); Windows builds run on a self-hosted Windows runner +(`home-windows-runner-1`, vmid 210, `windows-amd64:host` label). The runner is reproducible and +**owned by `unom/infra`**, not this repo, since it's shared across unom Windows projects going +forward: `unom/infra`'s `windows-runner/` Packer template bakes a generic Windows 11 template (OS +install + OpenSSH Server + VS Build Tools/NASM/CMake/LLVM + the act_runner/Node/rustup base, no +registration) on Proxmox once; `proxmox/windows-runner/` (Terraform, `bpg/proxmox`) full-clones it +(agent-based IP discovery, no pre-provisioned DHCP reservation needed) and registers the instance +over SSH remote-exec — the same bake-once/clone-fast split `proxmox/unom-1` uses for the Linux CI +host, just without a native Windows cloud-init (registration goes over `remote-exec`/SSH instead of +`initialization{}`; WinRM was tried first but is deprecated in OpenTofu, so this moved to SSH via +Windows' in-box OpenSSH Server). punktfunk layers its own extras on top of that generic runner: +`scripts/ci/provision-windows-wdk.ps1` (WDK + cargo-wdk for the UMDF drivers) and +`scripts/ci/provision-windows-punktfunk-extras.ps1` (FFmpeg x64/ARM64 trees, Inno Setup, the +`aarch64-pc-windows-msvc` rustup target) — both idempotent, and both run automatically at the start +of every Windows CI job via the shared `scripts/ci/ensure-windows-toolchain.ps1` step (a fast no-op +once already provisioned), rather than a separate manually-dispatched provisioning workflow — that +avoided a real footgun once there could be more than one `windows-amd64` runner: a manually +dispatched provisioning workflow has no way to target a *specific* runner instance, so it could +land on an already-provisioned box instead of the one that actually needed it. ## Layout diff --git a/design/windows-build-and-packaging.md b/design/windows-build-and-packaging.md index 21bb035..d07b43f 100644 --- a/design/windows-build-and-packaging.md +++ b/design/windows-build-and-packaging.md @@ -178,16 +178,21 @@ forest. (`build-web.ps1` is the dev-box rebuild-and-restart helper.) ## 8. CI workflows (`.gitea/workflows/`) -All run on the single self-hosted `windows-amd64` runner (`home-windows-1`), which **serializes** the -whole Windows fleet - a `Cargo.lock`/`packaging/windows/**` touch queues several builds back-to-back. +All run on a self-hosted `windows-amd64` runner (provisioned by unom/infra's `windows-runner/` +Packer template + Terraform clone, `home-windows-runner-1`), which **serializes** the whole +Windows fleet - a `Cargo.lock`/`packaging/windows/**` touch queues several builds back-to-back. | Workflow | Trigger | Does | |----------|---------|------| | `windows-host.yml` | `crates/punktfunk-host`, `packaging/windows`, `scripts/windows`, `web`, tags `v*` | build host + clippy + HDR layer + web smoke-boot -> pack + sign installer -> publish (canary/latest) | | `windows-drivers.yml` | `packaging/windows/drivers`, `crates/pf-driver-proto` | probe the driver toolchain + build/test/clippy `pf-driver-proto` + `cargo build` the driver workspace + inspect FORCE_INTEGRITY (the fast driver-only gate; coverage the pack lacks) | -| `windows-drivers-provision.yml` | `provision-windows-wdk.ps1` | one-shot WDK + cargo-wdk provisioning onto the persistent runner | | `windows.yml` / `windows-msix.yml` | client | build the Windows *client* + its signed MSIX (x64 + ARM64) | +Every workflow above self-provisions its own toolchain at job start via `scripts/ci/ +ensure-windows-toolchain.ps1` (WDK/cargo-wdk, FFmpeg, Inno Setup, the ARM64 rustup target) - a +fast no-op once already present, so no separate one-shot provisioning workflow/dispatch step is +needed, and it works the same on any runner sharing the `windows-amd64` label. + `windows-host.yml` also builds the drivers from source (in pack), so it overlaps `windows-drivers.yml` on a `drivers/**` edit (two driver builds on the serialized runner). They're kept separate on purpose - `windows-drivers.yml` is the fast pre-pack gate. **CI builds, never launches the exe** (no GPU on the diff --git a/design/windows-host-rewrite.md b/design/windows-host-rewrite.md index ceb07bb..02574fa 100644 --- a/design/windows-host-rewrite.md +++ b/design/windows-host-rewrite.md @@ -250,9 +250,10 @@ then restore + `git worktree remove`. Drive over ssh via `powershell -EncodedCom The persistent build validator is the **windows-amd64 CI runner** (no GPU — fine for builds / `iddcx` link / `/INTEGRITYCHECK` self-sign / the surface-asserts; live NVENC encode + on-glass defers to the RTX box). Workflows: `windows-host.yml` (the host installer), `windows-drivers.yml` (the driver workspace -build + FORCE_INTEGRITY clear), `windows-drivers-provision.yml` (WDK/LLVM toolchain), `windows-msix.yml` -(the client). A single Windows runner serializes the whole fleet; a `Cargo.toml` touch costs ~25 min of -queue, so driver pushes that avoid `Cargo.toml` skip the fleet serialization. +build + FORCE_INTEGRITY clear; self-provisions the WDK/LLVM toolchain via `scripts/ci/ +ensure-windows-toolchain.ps1`), `windows-msix.yml` (the client). A single Windows runner serializes +the whole fleet; a `Cargo.toml` touch costs ~25 min of queue, so driver pushes that avoid +`Cargo.toml` skip the fleet serialization. Local pre-push checks (this Linux box can't compile the Windows paths): ```sh diff --git a/scripts/ci/ensure-windows-toolchain.ps1 b/scripts/ci/ensure-windows-toolchain.ps1 new file mode 100644 index 0000000..8146182 --- /dev/null +++ b/scripts/ci/ensure-windows-toolchain.ps1 @@ -0,0 +1,21 @@ +# Idempotent pre-flight for punktfunk's Windows CI dependencies: WDK + cargo-wdk (driver builds), +# FFmpeg x64/ARM64 trees, Inno Setup, and the aarch64-pc-windows-msvc rustup target. Run at the +# start of every Windows CI job so ANY runner - freshly built from unom/infra's windows-runner/ +# template, rebuilt, or a new one added later - self-provisions on first real use, instead of +# needing a human to remember to dispatch a separate provisioning workflow first (and instead of +# racing which runner a manually-dispatched provisioning workflow happens to land on, when more +# than one Windows runner shares the windows-amd64 label). +# +# Each underlying script already does its own existence checks (Test-Path/Get-Command) before +# installing anything, so this is a fast no-op on a runner that's already fully provisioned - the +# only cost is on a genuinely fresh box, where it's the first job's problem to pay once. +$ErrorActionPreference = "Stop" +trap { + Write-Host "FATAL: $_" + Write-Host $_.ScriptStackTrace + exit 1 +} + +$ciDir = $PSScriptRoot +& "$ciDir\provision-windows-wdk.ps1" +& "$ciDir\provision-windows-punktfunk-extras.ps1" diff --git a/scripts/ci/provision-windows-punktfunk-extras.ps1 b/scripts/ci/provision-windows-punktfunk-extras.ps1 new file mode 100644 index 0000000..7b8e7b0 --- /dev/null +++ b/scripts/ci/provision-windows-punktfunk-extras.ps1 @@ -0,0 +1,73 @@ +# Layers punktfunk-specific tooling onto the shared unom Windows CI runner: per-arch FFmpeg +# (host + client native builds), Inno Setup (the host installer), and the aarch64-pc-windows-msvc +# rustup target (windows-msix.yml's ARM64 leg). The runner itself - act_runner, Node, rustup, +# VS Build Tools/NASM/CMake/LLVM - is provisioned generically by unom/infra +# (windows-runner/windows-runner.pkr.hcl + proxmox/windows-runner's Terraform clone); this script +# is what punktfunk adds on top, since FFmpeg/Inno Setup/the ARM64 target aren't every project's +# concern. See also provision-windows-wdk.ps1 for the driver-build toolchain (also punktfunk-only). +# +# Idempotent - safe to re-run. Run ELEVATED (admin) on the runner. +[CmdletBinding()] +param() +$ErrorActionPreference = "Stop" +function info($m) { Write-Host "[provision-punktfunk-extras] $m" } + +$env:RUSTUP_HOME = "C:\Users\Public\.rustup" +$env:CARGO_HOME = "C:\Users\Public\.cargo" + +# --- ARM64 cross-compile target (windows.yml / windows-msix.yml build aarch64-pc-windows-msvc off +# this x64 box; the ARM64 MSVC cross compiler itself comes from unom/infra's generic VS Build +# Tools provisioning, which already includes the ARM64 component). --- +$rustup = "C:\Users\Public\.cargo\bin\rustup.exe" +if (Test-Path $rustup) { + info "rustup target add aarch64-pc-windows-msvc" + & $rustup target add aarch64-pc-windows-msvc +} else { + Write-Warning "rustup not found at $rustup - has unom/infra's setup-gitea-runner-base.ps1 run on this box yet?" +} + +# --- FFmpeg shared trees for the host (amf-qsv encode) + clients (decode). BtbN **lgpl-shared** +# builds: the AMD/Intel AMF + Intel QSV encoders, swscale, and the HEVC decoder are all present in +# the LGPL build, and punktfunk never calls the GPL-only encoders (x264/x265 - software encode is +# the separate BSD-2 openh264 crate; NVENC is the direct NVIDIA SDK). lgpl-shared keeps the +# bundled DLLs LGPL-2.1+ (dynamic linking satisfies the relink duty) rather than GPL, so the +# shipped installer/MSIX stay consistent with punktfunk's MIT OR Apache-2.0 posture. +# MIGRATION: a runner previously provisioned with the old *gpl-shared* trees must be +# re-provisioned - delete C:\Users\Public\ffmpeg and C:\Users\Public\ffmpeg-arm64, then re-run. +function Get-BtbnFfmpeg { + param([string]$Dir, [string]$ZipTag) # ZipTag: 'win64' (x64) or 'winarm64' (ARM64 cross tree) + if (Test-Path (Join-Path $Dir 'lib\avcodec.lib')) { info "FFmpeg ($ZipTag) already present at $Dir"; return } + info "fetching FFmpeg ($ZipTag, BtbN lgpl-shared)" + $url = "https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-n7.1-latest-$ZipTag-lgpl-shared-7.1.zip" + $zip = "$Dir.zip"; $tmp = "$Dir-extract" + Invoke-WebRequest -Uri $url -OutFile $zip -UseBasicParsing + if (Test-Path $tmp) { Remove-Item -Recurse -Force $tmp } + Expand-Archive -Path $zip -DestinationPath $tmp -Force # BtbN zips have one top-level folder + $inner = Get-ChildItem $tmp -Directory | Select-Object -First 1 + if (Test-Path $Dir) { Remove-Item -Recurse -Force $Dir } + Move-Item -Path $inner.FullName -Destination $Dir + Remove-Item -Force $zip; Remove-Item -Recurse -Force $tmp -ErrorAction SilentlyContinue +} +Get-BtbnFfmpeg -Dir "C:\Users\Public\ffmpeg" -ZipTag 'win64' +Get-BtbnFfmpeg -Dir "C:\Users\Public\ffmpeg-arm64" -ZipTag 'winarm64' + +# --- Inno Setup (ISCC.exe) for the host installer build (windows-host.yml). pack-host-installer.ps1 +# locates it at its fixed Program Files path, so it need not be on PATH - just present. --- +if (-not (Test-Path "C:\Program Files (x86)\Inno Setup 6\ISCC.exe")) { + if (Get-Command choco -ErrorAction SilentlyContinue) { + info "installing Inno Setup (ISCC)" + choco install innosetup -y --no-progress + } else { Write-Warning "Inno Setup not found and choco unavailable - install it for windows-host.yml." } +} + +# --- Drop punktfunk's env vars into the generic runner's daemon wrapper extension point (see +# unom/infra's scripts/setup-gitea-runner-base.ps1) so the act_runner daemon - and therefore every +# job it runs - sees FFMPEG_DIR without unom/infra needing to know punktfunk exists. --- +$projectEnv = "C:\Users\Public\act-runner\project-env.ps1" +@' +$env:FFMPEG_DIR = "C:\Users\Public\ffmpeg" +$env:PATH = "C:\Users\Public\ffmpeg\bin;" + $env:PATH +'@ | Set-Content -Encoding UTF8 $projectEnv +info "wrote $projectEnv (FFMPEG_DIR) - restart the gitea-act-runner scheduled task to pick it up" + +info "punktfunk extras provisioned OK." diff --git a/scripts/ci/provision-windows-wdk.ps1 b/scripts/ci/provision-windows-wdk.ps1 index 713dd53..a06d917 100644 --- a/scripts/ci/provision-windows-wdk.ps1 +++ b/scripts/ci/provision-windows-wdk.ps1 @@ -7,8 +7,11 @@ # Idempotent: skips the WDK install if the km/wdf headers are already present, and cargo-wdk if already # installed. Safe to run repeatedly. Runs non-interactively (/q /norestart) — never auto-reboots. # -# Invoked by .gitea/workflows/windows-drivers-provision.yml (workflow_dispatch) and referenced by -# scripts/ci/setup-windows-runner.ps1. Run as the runner's account (SYSTEM) with admin rights. +# Invoked by scripts/ci/ensure-windows-toolchain.ps1, the shared self-provision step every Windows +# CI workflow runs at job start (windows-drivers.yml, windows.yml, windows-msix.yml, +# windows-host.yml), on top of the generic runner unom/infra provisions (windows-runner/) and +# provision-windows-punktfunk-extras.ps1's FFmpeg/Inno Setup/ARM64-target layer. Run as the +# runner's account (SYSTEM) with admin rights. [CmdletBinding()] param( # WDK 26100 standalone bootstrapper. Source: https://learn.microsoft.com/windows-hardware/drivers/download-the-wdk diff --git a/scripts/ci/setup-windows-runner.ps1 b/scripts/ci/setup-windows-runner.ps1 deleted file mode 100644 index d93263d..0000000 --- a/scripts/ci/setup-windows-runner.ps1 +++ /dev/null @@ -1,180 +0,0 @@ -# Provision this Windows box as the Gitea Actions runner for the Windows client + host CI/packaging. -# The Windows analogue of scripts/ci/setup-macos-runner.sh. Idempotent — safe to re-run. Run -# ELEVATED (admin) on the box, e.g. over SSH: -# -# ssh "" 'powershell -NoProfile -ExecutionPolicy Bypass -File C:\path\setup-windows-runner.ps1 -Token ' -# -# Installs: the act_runner (gitea-runner) binary in **host mode** (jobs run directly on Windows, -# no containers — MSVC/WinUI builds need the host toolchain), Node 20 via the box's nvm4w (JS -# actions like actions/checkout run via node on PATH), and a SYSTEM scheduled task that keeps the -# daemon alive across reboots with nobody logged in. Registration happens once (.runner file); the -# token is NOT persisted. -# -# Get a **GLOBAL** registration token: Gitea **Site Administration -> Actions -> Runners** (the -# registration token shown there). The runner MUST be global/instance-scoped to pick up org-repo -# jobs like unom/punktfunk — an org- or repo-scoped token leaves it registered but unmatchable -# ("no fitting runner for windows-amd64", even though the runner shows idle). Mirrors the Linux -# runner's scope. -# -# Env/param knobs: -Instance (default https://git.unom.io), -Token (GITEA_RUNNER_TOKEN; required -# for first registration), -RunnerName (default COMPUTERNAME), -Labels (default windows-amd64:host -# — match the Windows job's runs-on), -Version (act_runner, default 1.0.8). -# -# The daemon's env wrapper hard-codes this box's MSVC build paths (cargo/rustup, NASM, CMake, LLVM, -# FFmpeg, the ASCII CARGO_HOME that SDL3's PCH needs) so the Windows workflow inherits a working -# toolchain without re-deriving dev-box specifics. Per-checkout vars (CARGO_WORKSPACE_DIR for the -# windows-reactor build.rs) are set by the workflow, not here. -param( - [string]$Instance = $(if ($env:GITEA_INSTANCE) { $env:GITEA_INSTANCE } else { "https://git.unom.io" }), - [string]$Version = $(if ($env:ACT_RUNNER_VERSION) { $env:ACT_RUNNER_VERSION } else { "1.0.8" }), - [string]$RunnerName = $(if ($env:RUNNER_NAME) { $env:RUNNER_NAME } else { $env:COMPUTERNAME }), - [string]$Labels = $(if ($env:RUNNER_LABELS) { $env:RUNNER_LABELS } else { "windows-amd64:host" }), - [string]$Token = $env:GITEA_RUNNER_TOKEN -) -$ErrorActionPreference = "Stop" -$RunnerHome = "C:\Users\Public\act-runner" -$Exe = "$RunnerHome\act_runner.exe" -New-Item -ItemType Directory -Force -Path $RunnerHome | Out-Null - -# --- act_runner binary (gitea-runner; CLI surface unchanged from act_runner) --- -$need = $true -if (Test-Path $Exe) { try { $need = -not ((& $Exe --version 2>$null) -match [regex]::Escape($Version)) } catch { } } -if ($need) { - $url = "https://dl.gitea.com/gitea-runner/$Version/gitea-runner-$Version-windows-amd64.exe" - Write-Host "==> downloading act_runner $Version" - Invoke-WebRequest -Uri $url -OutFile "$Exe.tmp" -UseBasicParsing - Move-Item -Force "$Exe.tmp" $Exe -} -& $Exe --version - -# --- Node 20 (actions/checkout@v4 demands node20) via the box's nvm4w --- -if (Get-Command nvm -ErrorAction SilentlyContinue) { - if (-not ((node --version 2>$null) -match "^v20")) { - nvm install 20.18.0 | Out-Null - nvm use 20.18.0 | Out-Null - } -} -Write-Host "node $(node --version)" - -# --- config + host-mode labels (empty the docker defaults so .runner's labels rule) --- -Push-Location $RunnerHome -if (-not (Test-Path config.yaml)) { & $Exe generate-config | Set-Content -Encoding ASCII config.yaml } -(Get-Content config.yaml) | - Where-Object { $_ -notmatch "docker.gitea.com/runner-images" } | - ForEach-Object { $_ -replace '^(\s*)labels:\s*$', '${1}labels: []' } | - Set-Content -Encoding ASCII config.yaml -Pop-Location - -# --- one-time registration (from $RunnerHome: register writes .runner to the CWD) --- -if (-not (Test-Path "$RunnerHome\.runner")) { - if (-not $Token) { - Write-Warning "Not registered yet. Re-run with -Token ." - Write-Host " (Gitea: Site Administration -> Actions -> Runners -> registration token; must be GLOBAL scope)" - exit 1 - } - Push-Location $RunnerHome - & $Exe register --no-interactive --instance $Instance --token $Token --name $RunnerName --labels $Labels - Pop-Location -} - -# rustup toolchains under an ASCII path so nothing in the daemon env carries the non-ASCII -# username (the same hazard that breaks SDL3's PCH; here it also keeps this script ASCII-clean). -if (-not (Test-Path "C:\Users\Public\.rustup\settings.toml")) { - Write-Host "==> copying rustup toolchains to an ASCII path" - robocopy "$env:USERPROFILE\.rustup" "C:\Users\Public\.rustup" /E /NFL /NDL /NJH /NJS /MT:16 | Out-Null -} - -# --- ARM64 cross-compile support (windows.yml / windows-msix.yml build aarch64-pc-windows-msvc off -# this x64 box; no ARM64 runner needed). Two pieces beyond the x64 toolchain: -# 1. the rustup std for the target; -# 2. an ARM64 FFmpeg import-lib/DLL tree at C:\Users\Public\ffmpeg-arm64 (the workflow matrix -# points FFMPEG_DIR here for the aarch64 leg; the x64 tree stays at C:\Users\Public\ffmpeg). -# The x64 MSVC toolset already ships the ARM64 cross compiler — if -# VC\Tools\MSVC\\bin\Hostx64\arm64\cl.exe is missing, add the VS "MSVC v143+ ARM64/ARM64EC -# build tools" + "C++ ARM64 build tools" workload components (the cc/cmake crates need it to -# cross-build SDL3 + libopus). -$env:RUSTUP_HOME = "C:\Users\Public\.rustup" -$env:CARGO_HOME = "C:\Users\Public\.cargo" -$rustup = (Get-Command rustup -ErrorAction SilentlyContinue).Source -if (-not $rustup) { $rustup = "C:\Users\Public\.cargo\bin\rustup.exe" } -if (Test-Path $rustup) { - Write-Host "==> rustup target add aarch64-pc-windows-msvc" - & $rustup target add aarch64-pc-windows-msvc -} else { Write-Warning "rustup not found - install rustup then re-run (needed for the aarch64 target)." } - -# FFmpeg shared trees for the host (amf-qsv encode) + clients (decode). We use BtbN **lgpl-shared** -# builds: the AMD/Intel AMF + Intel QSV encoders, swscale, and the HEVC decoder are all present in the -# LGPL build, and punktfunk never calls the GPL-only encoders (x264/x265 — software encode is the -# separate BSD-2 openh264 crate; NVENC is the direct NVIDIA SDK). lgpl-shared keeps the bundled DLLs -# LGPL-2.1+ (dynamic linking satisfies the relink duty) rather than GPL, so the shipped installer/MSIX -# stay consistent with punktfunk's MIT OR Apache-2.0 posture. -# MIGRATION: a runner previously provisioned with the old *gpl-shared* trees must be re-provisioned — -# delete C:\Users\Public\ffmpeg and C:\Users\Public\ffmpeg-arm64, then re-run this script. -function Get-BtbnFfmpeg { - param([string]$Dir, [string]$ZipTag) # ZipTag: 'win64' (x64) or 'winarm64' (ARM64 cross tree) - if (Test-Path (Join-Path $Dir 'lib\avcodec.lib')) { return } - # FFmpeg 7.x (avcodec-61); MSVC-linkable .lib import libs + headers + bin\*.dll — exactly what - # ffmpeg-sys-next + pack-host-installer.ps1 + pack-msix.ps1 consume. The extracted top-level folder - # also carries FFmpeg's own LICENSE/COPYING text, preserved in $Dir for the packagers to bundle. - Write-Host "==> fetching FFmpeg ($ZipTag, BtbN lgpl-shared)" - $url = "https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-n7.1-latest-$ZipTag-lgpl-shared-7.1.zip" - $zip = "$Dir.zip"; $tmp = "$Dir-extract" - Invoke-WebRequest -Uri $url -OutFile $zip -UseBasicParsing - if (Test-Path $tmp) { Remove-Item -Recurse -Force $tmp } - Expand-Archive -Path $zip -DestinationPath $tmp -Force # BtbN zips have one top-level folder - $inner = Get-ChildItem $tmp -Directory | Select-Object -First 1 - if (Test-Path $Dir) { Remove-Item -Recurse -Force $Dir } - Move-Item -Path $inner.FullName -Destination $Dir - Remove-Item -Force $zip; Remove-Item -Recurse -Force $tmp -ErrorAction SilentlyContinue -} -# x64 host+client tree (the workflow's default FFMPEG_DIR = C:\Users\Public\ffmpeg) and the ARM64 cross -# tree (the aarch64 leg points FFMPEG_DIR at C:\Users\Public\ffmpeg-arm64). -Get-BtbnFfmpeg -Dir "C:\Users\Public\ffmpeg" -ZipTag 'win64' -Get-BtbnFfmpeg -Dir "C:\Users\Public\ffmpeg-arm64" -ZipTag 'winarm64' - -# Inno Setup (ISCC.exe) for the host installer build (windows-host.yml). pack-host-installer.ps1 -# locates it at its fixed Program Files path, so it need not be on PATH — just present. -if (-not (Test-Path "C:\Program Files (x86)\Inno Setup 6\ISCC.exe")) { - if (Get-Command choco -ErrorAction SilentlyContinue) { - Write-Host "==> installing Inno Setup (ISCC)" - choco install innosetup -y --no-progress - } - else { Write-Warning "Inno Setup not found and choco unavailable - install it for windows-host.yml." } -} - -# --- daemon env wrapper (the box's MSVC/WinUI/FFmpeg toolchain) --- -$wrapper = "$RunnerHome\run-runner.ps1" -@' -$env:NO_COLOR = "1" -$env:CARGO_HOME = "C:\Users\Public\.cargo" -$env:RUSTUP_HOME = "C:\Users\Public\.rustup" -$env:CMAKE_POLICY_VERSION_MINIMUM = "3.5" -$env:LIBCLANG_PATH = "C:\Program Files\LLVM\bin" -$env:FFMPEG_DIR = "C:\Users\Public\ffmpeg" -$env:PATH = "C:\Program Files\PowerShell\7;C:\Users\Public\.cargo\bin;C:\nvm4w\nodejs;C:\Program Files\NASM;C:\Program Files\CMake\bin;C:\Program Files\LLVM\bin;C:\Users\Public\ffmpeg\bin;" + $env:PATH -Set-Location "C:\Users\Public\act-runner" -# cmd-level redirect (>>, 2>&1) keeps the daemon's native stderr out of PowerShell's error stream. -& cmd /c "act_runner.exe daemon --config config.yaml >> runner.log 2>&1" -'@ | Set-Content -Encoding UTF8 $wrapper - -# --- SYSTEM scheduled task: keep the daemon alive across reboots, no login needed --- -$taskName = "gitea-act-runner" -if (schtasks /Query /TN $taskName 2>$null) { - schtasks /End /TN $taskName 2>$null | Out-Null - schtasks /Delete /TN $taskName /F | Out-Null -} -$action = New-ScheduledTaskAction -Execute "powershell.exe" ` - -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$wrapper`"" -$trigger = New-ScheduledTaskTrigger -AtStartup -$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest -$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries ` - -RestartCount 999 -RestartInterval (New-TimeSpan -Minutes 1) -ExecutionTimeLimit ([TimeSpan]::Zero) -Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger ` - -Principal $principal -Settings $settings -Force | Out-Null -Start-ScheduledTask -TaskName $taskName -Start-Sleep -Seconds 4 - -Write-Host "==> runner '$RunnerName' labels=$Labels instance=$Instance" -$p = Get-Process act_runner -ErrorAction SilentlyContinue -if ($p) { Write-Host "daemon running (pid $($p.Id), session $($p.SessionId))" } -else { Write-Warning "daemon not running yet - check the gitea-act-runner task" }