feat: hash-suffixed GCS deploy + upload-release-to-gcs script #21

Merged
ValentaTomas merged 3 commits into main from feat/upload-release-to-gcs
May 11, 2026

@ValentaTomas
Member

Adds scripts/upload-release-to-gcs.sh that locates a fc-kernels release by commit hash and uploads its vmlinux-*.bin assets to a GCS bucket under hash-suffixed names:

  • gs://<bucket>/vmlinux-<version>-<short_hash>/<arch>/vmlinux.bin
  • gs://<bucket>/vmlinux-<version>-<short_hash>/vmlinux.bin (legacy = amd64)

Skips any object that already exists and supports --dry-run.

The release workflow's single-bucket upload step is replaced by a deploy matrix over staging, juliett, foxtrot, public, each calling the script with its environment-scoped GCP vars (GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT, GCP_BUCKET_NAME) — mirroring the fc-versions release pipeline. The four environments must exist with those variables configured before merging.

Adds scripts/upload-release-to-gcs.sh that locates a fc-kernels release by
commit hash and uploads its vmlinux-*.bin assets to GCS under
vmlinux-<version>-<short_hash>/<arch>/vmlinux.bin (legacy non-arch path
preserved for amd64). Existing objects are never overwritten and --dry-run
previews the plan.

Replaces the single-bucket upload step in the release workflow with a
deploy matrix (staging, juliett, foxtrot, public) that calls the script
with each environment's GCP vars, mirroring the fc-versions pipeline.
@cla-bot cla-bot Bot added the cla-signed label May 11, 2026

cursor Bot commented May 11, 2026

PR Summary

Medium Risk
Changes the release pipeline to deploy to multiple GCS environments via OIDC and a new upload script, so misconfigured environment vars or permissions could break releases or upload to the wrong buckets. The new hash-suffixed object layout also changes downstream lookup expectations.

Overview
The release workflow now adds a deploy job (matrix over staging, juliett, foxtrot) that authenticates to GCP via environment-scoped vars and uploads artifacts to each environment’s GCS bucket after publishing a GitHub release.

Direct workflow artifact upload to GCS is replaced with a new scripts/upload-release-to-gcs.sh that finds the matching GitHub release by commit hash and uploads only arch-suffixed vmlinux-*-{amd64,arm64}.bin assets to hash-suffixed paths, skipping any objects that already exist (with optional --dry-run).

Documentation updates the GCS destination format and notes the manual upload command and non-overwrite behavior.

Reviewed by Cursor Bugbot for commit 5e08233. Bugbot is set up for automated code reviews on this repo. Configure here.

@ValentaTomas ValentaTomas marked this pull request as ready for review May 11, 2026 19:48
@ValentaTomas ValentaTomas requested a review from djeebus May 11, 2026 19:48

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix prepared a fix for 1 of the 2 issues found in the latest run.

  • ✅ Fixed: SIGPIPE breaks script under set -eo pipefail
    • Replaced 'head -1' with 'sed -n "1p"' to prevent SIGPIPE (exit 141) when gh api --paginate produces more output than consumed.

Preview (d2b7a6555a)
diff --git a/scripts/upload-release-to-gcs.sh b/scripts/upload-release-to-gcs.sh
--- a/scripts/upload-release-to-gcs.sh
+++ b/scripts/upload-release-to-gcs.sh
@@ -62,7 +62,7 @@
 # we locate the matching release by scanning bodies.
 RELEASE_TAG=$(gh api "repos/$REPO/releases?per_page=100" --paginate \
   --jq ".[] | select((.body // \"\") | contains(\"$FULL_HASH\")) | .tag_name" \
-  | head -1)
+  | sed -n '1p')
 
 if [[ -z "$RELEASE_TAG" ]]; then
   echo "ERROR: no release in $REPO references commit $FULL_HASH" >&2
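
Review bot: On the "| sed -n '1p'" line, when more than one release body contains $FULL_HASH the first tag returned is taken silently, and since "contains" is a substring match on the release body, a release that only mentions the commit qualifies too. Consider collecting every matching tag and failing, or at least warning on stderr, when the count is not exactly one, so an ambiguous lookup cannot quietly select the wrong release. Separately, $FULL_HASH is spliced into the jq program text on the "--jq" line; it is worth confirming the value is validated as a full hex commit hash before this point.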

Reviewed by Cursor Bugbot for commit 5e08233. Configure here.

strategy:
  fail-fast: false
  matrix:
    environment: [staging, juliett, foxtrot]

Deploy matrix missing the public environment

High Severity

The PR description explicitly states the deploy matrix covers four environments (staging, juliett, foxtrot, public) and mentions "The four environments must exist," but the matrix only lists three: [staging, juliett, foxtrot]. The public environment is missing, meaning production/public buckets won't receive kernel deployments.

Reviewed by Cursor Bugbot for commit 5e08233. Configure here.

Bugbot Autofix determined this is a false positive.

The removal of 'public' from the deploy matrix was intentional as evidenced by commit 5e08233 'drop public from deploy matrix'.

# we locate the matching release by scanning bodies.
RELEASE_TAG=$(gh api "repos/$REPO/releases?per_page=100" --paginate \
  --jq ".[] | select((.body // \"\") | contains(\"$FULL_HASH\")) | .tag_name" \
  | head -1)

SIGPIPE breaks script under set -eo pipefail

Low Severity

The gh api --paginate ... | head -1 pattern combined with set -eo pipefail will cause the script to abort with exit code 141 (SIGPIPE) when gh produces more than one line of output. This happens when multiple releases reference the same commit, or when pagination is active (>100 releases) and the match is found early. Using head -1 as a pipe consumer under pipefail is a well-documented bash pitfall.

Reviewed by Cursor Bugbot for commit 5e08233. Configure here.
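
The failure described in the comment above, reproduced as an added example (not code from the PR or from Bugbot). The seq-based producer, the fake v1.0.N tag names and the helper names lookup_first_tag and describe_status are constructed stand-ins for the real gh api call.

```bash
#!/usr/bin/env bash
# Added illustration (not from the PR): why `producer | head -1` aborts a
# script running under `set -eo pipefail`, and why `sed -n '1p'` does not.

# Runs a fresh bash with the script's options. A constructed producer stands
# in for `gh api --paginate`: it writes ~2 MB of fake tag names, far more than
# a pipe buffer holds, so it is still writing when the consumer is done.
# Arguments: the consumer command that should keep only the first line.
lookup_first_tag() {
  bash -c '
    set -eo pipefail
    RELEASE_TAG=$(seq -f "v1.0.%g" 1 200000 | "$@")
    # Only reached if the assignment above returned 0.
    echo "resolved $RELEASE_TAG"
  ' _ "$@"
}

# Turns an exit status into a readable label (128+N means "killed by signal N").
describe_status() {
  if [ "$1" -gt 128 ]; then
    echo "status $1 (SIG$(kill -l "$(( $1 - 128 ))"))"
  else
    echo "status $1"
  fi
}

# head exits after one line; the producer's next write hits a closed pipe,
# pipefail reports the producer's failure, and errexit stops the script.
rc=0; out=$(lookup_first_tag head -1 2>/dev/null) || rc=$?
echo "head -1     -> '${out}' $(describe_status "$rc")"

# sed -n '1p' prints line 1 but keeps reading to EOF, so the producer
# finishes normally and the pipeline status is 0.
rc=0; out=$(lookup_first_tag sed -n '1p') || rc=$?
echo "sed -n '1p' -> '${out}' $(describe_status "$rc")"
```

With the default SIGPIPE disposition the first status is 141; if the calling environment ignores SIGPIPE, the producer fails with a write error instead and the status is still non-zero.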

@ValentaTomas ValentaTomas merged commit 33f41c0 into main May 11, 2026
14 checks passed
@ValentaTomas ValentaTomas deleted the feat/upload-release-to-gcs branch May 11, 2026 21:39