NVIDIA · drew · May 4, 2026 · Apr 24, 2026 · Apr 27, 2026 · Apr 27, 2026
@@ -75,80 +75,22 @@ jobs:
           path: runtime-artifacts/vm-runtime-*.tar.zst
           retention-days: 1
 
-  build-rootfs:
-    name: Build Rootfs (${{ matrix.arch }})
-    strategy:
-      matrix:
-        include:
-          - arch: arm64
-            runner: build-arm64
-            guest_arch: aarch64
-          - arch: amd64
-            runner: build-amd64
-            guest_arch: x86_64
-    runs-on: ${{ matrix.runner }}
-    timeout-minutes: 30
-    container:
-      image: ghcr.io/nvidia/openshell/ci:latest
-      credentials:
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-      options: --privileged
-      volumes:
-        - /var/run/docker.sock:/var/run/docker.sock
-    env:
-      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      OPENSHELL_IMAGE_TAG: ${{ inputs['image-tag'] }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ inputs['checkout-ref'] }}
-
-      - name: Mark workspace safe for git
-        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
-
-      - name: Log in to GHCR
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
-
-      - name: Install tools
-        run: mise install --locked
-
-      - name: Install zstd
-        run: apt-get update && apt-get install -y --no-install-recommends zstd && rm -rf /var/lib/apt/lists/*
-
-      - name: Build base rootfs tarball
-        run: |
-          set -euo pipefail
-          crates/openshell-vm/scripts/build-rootfs.sh \
-            --base \
-            --arch ${{ matrix.guest_arch }} \
-            target/rootfs-build
-
-          mkdir -p target/vm-runtime-compressed
-          tar -C target/rootfs-build -cf - . \
-            | zstd -19 -T0 -o target/vm-runtime-compressed/rootfs.tar.zst
-
-      - name: Upload rootfs artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: driver-vm-rootfs-${{ matrix.arch }}
-          path: target/vm-runtime-compressed/rootfs.tar.zst
-          retention-days: 1
-
   build-driver-vm-linux:
     name: Build Driver VM (Linux ${{ matrix.arch }})
-    needs: [download-kernel-runtime, build-rootfs]
+    needs: [download-kernel-runtime]
     strategy:
       matrix:
         include:
           - arch: arm64
             runner: build-arm64
             target: aarch64-unknown-linux-gnu
             platform: linux-aarch64
+            guest_arch: aarch64
           - arch: amd64
             runner: build-amd64
             target: x86_64-unknown-linux-gnu
             platform: linux-x86_64
+            guest_arch: x86_64
     runs-on: ${{ matrix.runner }}
     timeout-minutes: 30
     container:
@@ -192,12 +134,6 @@ jobs:
           name: driver-vm-kernel-runtime-tarballs
           path: runtime-download/
 
-      - name: Download rootfs tarball
-        uses: actions/download-artifact@v4
-        with:
-          name: driver-vm-rootfs-${{ matrix.arch }}
-          path: rootfs-download/
-
       - name: Stage compressed runtime for embedding
         run: |
           set -euo pipefail
@@ -208,16 +144,32 @@ jobs:
           zstd -d "runtime-download/vm-runtime-${{ matrix.platform }}.tar.zst" --stdout \
             | tar -xf - -C "$EXTRACT_DIR"
 
+          echo "Extracted runtime files:"
+          ls -lah "$EXTRACT_DIR"
+
           for file in "$EXTRACT_DIR"/*; do
             [ -f "$file" ] || continue
             name=$(basename "$file")
             [ "$name" = "provenance.json" ] && continue
             zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
           done
 
-          cp rootfs-download/rootfs.tar.zst "${COMPRESSED_DIR}/rootfs.tar.zst"
+          echo "Staged compressed runtime artifacts:"
           ls -lah "$COMPRESSED_DIR"
 
+      - name: Build bundled supervisor
+        run: |
+          set -euo pipefail
+          OPENSHELL_VM_RUNTIME_COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed" \
+            tasks/scripts/vm/build-supervisor-bundle.sh --arch "${{ matrix.guest_arch }}"
+
+      - name: Verify embedded driver inputs
+        run: |
+          set -euo pipefail
+          for file in libkrun.so.zst libkrunfw.so.5.zst gvproxy.zst openshell-sandbox.zst; do
+            test -s "target/vm-runtime-compressed/${file}"
+          done
+
       - name: Scope workspace to driver-vm crates
         run: |
           set -euo pipefail

@@ -421,7 +421,7 @@ jobs:
   # ---------------------------------------------------------------------------
   build-driver-vm-linux:
     name: Build Driver VM (Linux ${{ matrix.arch }})
-    needs: [compute-versions, download-kernel-runtime, build-rootfs]
+    needs: [compute-versions, download-kernel-runtime]
     strategy:
       matrix:
         include:
@@ -477,12 +477,6 @@ jobs:
           name: kernel-runtime-tarballs
           path: runtime-download/
 
-      - name: Download rootfs tarball
-        uses: actions/download-artifact@v4
-        with:
-          name: rootfs-${{ matrix.arch }}
-          path: rootfs-download/
-
       - name: Stage compressed runtime for embedding
         run: |
           set -euo pipefail
@@ -504,12 +498,15 @@ jobs:
             zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
           done
 
-          # Copy rootfs tarball (already zstd-compressed)
-          cp rootfs-download/rootfs.tar.zst "${COMPRESSED_DIR}/rootfs.tar.zst"
-
           echo "Staged compressed artifacts:"
           ls -lah "$COMPRESSED_DIR"
 
+      - name: Build bundled supervisor
+        run: |
+          set -euo pipefail
+          OPENSHELL_VM_RUNTIME_COMPRESSED_DIR="${PWD}/target/vm-runtime-compressed" \
+            tasks/scripts/vm/build-supervisor-bundle.sh --arch "${{ matrix.guest_arch }}"
+
       - name: Scope workspace to driver-vm crates
         run: |
           set -euo pipefail
@@ -551,7 +548,7 @@ jobs:
   # ---------------------------------------------------------------------------
   build-driver-vm-macos:
     name: Build Driver VM (macOS)
-    needs: [compute-versions, download-kernel-runtime, build-rootfs]
+    needs: [compute-versions, download-kernel-runtime]
     runs-on: build-amd64
     timeout-minutes: 60
     container:
@@ -591,12 +588,6 @@ jobs:
           name: kernel-runtime-tarballs
           path: runtime-download/
 
-      - name: Download rootfs tarball (arm64)
-        uses: actions/download-artifact@v4
-        with:
-          name: rootfs-arm64
-          path: rootfs-download/
-
       - name: Prepare compressed runtime directory
         run: |
           set -euo pipefail
@@ -619,12 +610,24 @@ jobs:
             zstd -19 -f -q -T0 -o "${COMPRESSED_DIR}/${name}.zst" "$file"
           done
 
-          # The macOS VM guest is always Linux ARM64, so use the arm64 rootfs
-          cp rootfs-download/rootfs.tar.zst "${COMPRESSED_DIR}/rootfs.tar.zst"
-
           echo "Staged macOS compressed artifacts:"
           ls -lah "$COMPRESSED_DIR"
 
+      - name: Build bundled supervisor
+        run: |
+          set -euo pipefail
+          docker buildx build \
+            --file deploy/docker/Dockerfile.images \
+            --platform linux/arm64 \
+            --build-arg OPENSHELL_CARGO_VERSION="${{ needs.compute-versions.outputs.cargo_version }}" \
+            --build-arg OPENSHELL_IMAGE_TAG=dev \
+            --target supervisor-output \
+            --output type=local,dest=supervisor-out/ \
+            .
+
+          zstd -19 -T0 -f supervisor-out/openshell-sandbox \
+            -o "${PWD}/target/vm-runtime-compressed-macos/openshell-sandbox.zst"
+
       - name: Build macOS binary via Docker (osxcross)
         run: |
           set -euo pipefail
@@ -776,7 +779,7 @@ jobs:
 
             ### VM Compute Driver Binaries
 
-            `openshell-driver-vm` binaries with embedded kernel runtime and sandbox rootfs.
+            `openshell-driver-vm` binaries with embedded kernel runtime and bundled sandbox supervisor.
             Launched by the gateway when `--drivers=vm` is configured. Rebuilt on every
             push to main alongside the openshell-vm binaries.