prepare for multi-CI

split things out so more can be shared between CIs

.gitlab-ci.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+#
+# Gitlab CI specific build script.
+#
+set -euo pipefail
+
+./build
+
+if [[ "$CI_COMMIT_REF_NAME" = master ]]; then
+  ./docker-login "$CI_REGISTRY" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD"
+  ./push-all "$CI_REGISTRY_IMAGE" "$IMAGE_TAG"
+else
+  echo "=== not pushing on non-master ==="
+fi

.gitlab-ci.yml

@@ -2,31 +2,17 @@ image: nixos/nix:latest
 
 stages:
   - build
-  - publish
-
-before_script:
-  - nix-shell --run .gitlab/docker-login
 
 nixos-unstable:
-  extends: .build
+  stage: build
+  script: nix-shell --run ./.gitlab-ci.sh
   variables:
-    NIXPKGS_CHANNEL: nixos-unstable
+    NIX_PATH: nixpkgs=channel:nixos-unstable
     IMAGE_TAG: latest
 
 nixos-18.09:
-  extends: .build
-  variables:
-    NIXPKGS_CHANNEL: nixos-18.09
-    IMAGE_TAG: nixos-18.09
-
-# ---- templates ---
-
-.build:
   stage: build
-  script:
+  script: nix-shell --run ./.gitlab-ci.sh
-    - nix-shell --run ./build
-    - nix-shell --run .gitlab/push-master
   variables:
-    NIX_PATH: "nixpkgs=channel:${NIXPKGS_CHANNEL}"
+    NIX_PATH: nixpkgs=channel:nixos-18.09
-    REGISTRY_URL: "${CI_REGISTRY_IMAGE}"
+    IMAGE_TAG: nixos-18.09
-

.gitlab/docker-login

@@ -1,13 +0,0 @@
-#!/bin/sh -eu
-
-mkdir ~/.docker
-
-cat <<DOCKER_CONF > ~/.docker/config.json
-{
-  "auths": {
-    "$CI_REGISTRY": {
-      "auth": "$(printf "%s:%s" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64)"
-    }
-  }
-}
-DOCKER_CONF

.gitlab/push-master

@@ -1,6 +0,0 @@
-#!/bin/sh -eu
-if [ "$CI_COMMIT_REF_NAME" = master ]; then
-  exec ./push-all
-else
-  echo "=== not pushing on non-master ==="
-fi

build

@@ -1,6 +1,8 @@
-#!/bin/sh -eu
+#!/usr/bin/env bash
+set -euo pipefail
 
 # build *all* the docker images
-nix-build release.nix \
+exec nix-build release.nix \
   --no-out-link \
+  --option sandbox true \
   "$@"

docker-login

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+#
+# A simplified docker login approach that doesn't depends on the docker binary
+#
+# Usage: ./docker-login <registry> <username> <password>
+set -euo pipefail
+
+registry=$1
+username=$2
+password=$3
+
+mkdir ~/.docker
+
+cat <<DOCKER_CONF > ~/.docker/config.json
+{
+  "auths": {
+    "$CI_REGISTRY": {
+      "auth": "$(printf "%s:%s" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64)"
+    }
+  }
+}
+DOCKER_CONF

push-all

@@ -1,12 +1,15 @@
-#!/bin/sh -eu
+#!/usr/bin/env bash
+#
+# Usage: ./push-all <registry-prefix> <image-tag>
+set -euo pipefail
 
-: "${REGISTRY_URL:=nixpkgs}"
+registry_prefix=${1:-nixpkgs}
-: "${IMAGE_TAG:=latest}"
+image_tag=${2:-latest}
 
 releases_json=$(nix-instantiate ./release.nix --strict --eval --json)
 
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
   file=$(echo "$releases_json" | jq -r ".\"$attr\"")
   echo "--- $attr -> $file"
-  skopeo copy "docker-archive://$file" "docker://$REGISTRY_URL/$attr:$IMAGE_TAG"
+  skopeo copy "docker-archive://$file" "docker://$registry_prefix/$attr:$image_tag"
 done