ci: add GitHub Actions cron (#16)

* ci: add dependabot

* ci: revamp logic

Merge username and password as a single auth token. It doesn't make
sense to split out the user and password since they are so tied
together. Might as well treat the whole think as a secret blob.

Remove Travis-CI. Travis is dead for OSS.

Add GitHub Actions cron. Remove cachix as it's pushing too much stuff.

Merge all of the CI logic into a single ci.sh script.

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/nix.yml

@@ -5,19 +5,22 @@ on:
       - master
   pull_request:
   workflow_dispatch:
+  schedule:
+    # Run once per day
+    - cron: '0 0 * * *'
 jobs:
   build:
     strategy:
       matrix:
-        os: [ ubuntu-20.04 ]
-    runs-on: ${{ matrix.os }}
+        channel:
+          - nixos-unstable
+          - nixos-20.09
+          - nixos-20.03
+    runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v2
       - uses: cachix/install-nix-action@v12
-      - uses: cachix/cachix-action@v8
-        with:
-          name: nix-community
-          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-      - run: ./build
+      - run: nix-shell --run ./ci.sh
         env:
-          - NIX_PATH=channel:nixos-unstable
+          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
+          NIXPKGS_CHANNEL: '${{ matrix.channel }}'

.gitlab-ci.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-#
-# Gitlab CI specific build script.
-#
-set -euo pipefail
-
-./build
-
-# default to the Gitlab registry
-: "${REGISTRY:=$CI_REGISTRY}"
-: "${REGISTRY_USER:=$CI_REGISTRY_USER}"
-: "${REGISTRY_PASSWORD:=$CI_REGISTRY_PASSWORD}"
-: "${IMAGE_PREFIX:=$CI_PROJECT_PATH}"
-
-# IMAGE_TAG is provided by .gitlab-ci.yml
-
-
-if [[ "$CI_COMMIT_REF_NAME" = master ]]; then
-  ./docker-login "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY"
-  ./push-all "$REGISTRY" "$IMAGE_PREFIX" "$IMAGE_TAG"
-  if [[ $REGISTRY = *docker.io ]]; then
-    ./dockerhub-metadata "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$IMAGE_PREFIX"
-  fi
-else
-  echo "=== not pushing on non-master ==="
-fi

.gitlab-ci.yml

@@ -5,19 +5,19 @@ stages:
 
 nixos-unstable:
   stage: build
-  script: NIX_PATH=channel:$NIXPKGS_CHANNEL nix-shell --run ./.gitlab-ci.sh
+  script: nix-shell --run ./ci.sh
   variables:
     NIXPKGS_CHANNEL: nixos-unstable
     IMAGE_TAG: latest
 
 nixos-20.03:
   stage: build
-  script: NIX_PATH=channel:$NIXPKGS_CHANNEL nix-shell --run ./.gitlab-ci.sh
+  script: nix-shell --run ./ci.sh
   variables:
     NIXPKGS_CHANNEL: nixos-20.03
 
 nixos-20.09:
   stage: build
-  script: NIX_PATH=channel:$NIXPKGS_CHANNEL nix-shell --run ./.gitlab-ci.sh
+  script: nix-shell --run ./ci.sh
   variables:
     NIXPKGS_CHANNEL: nixos-20.09

.travis.sh

@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-#
-# Travis CI specific build script
-#
-set -euo pipefail
-
-# default to Docker Hub
-# the user has to set REGISTRY_USER and REGISTRY_PASSWORD
-: "${REGISTRY:=docker.io}"
-: "${IMAGE_PREFIX:=nixpkgs}"
-
-# either set NIX_PATH and IMAGE_TAG, or set NIXPKGS_CHANNEL
-if [[ -n "${NIXPKGS_CHANNEL:-}" ]]; then
-  : "${IMAGE_TAG:=$NIXPKGS_CHANNEL}"
-  export NIX_PATH=nixpkgs=channel:$NIXPKGS_CHANNEL
-fi
-
-./build
-
-if [[ "$TRAVIS_BRANCH" = master && -z "${TRAVIS_PULL_REQUEST_BRANCH:-}" ]]; then
-  ./docker-login "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY"
-  ./push-all "$REGISTRY" "$IMAGE_PREFIX" "$IMAGE_TAG"
-  if [[ $REGISTRY = *docker.io ]]; then
-    ./dockerhub-metadata "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$IMAGE_PREFIX"
-  fi
-else
-  echo "=== not pushing on non-master ==="
-fi

.travis.yml

@@ -1,15 +0,0 @@
-language: nix
-
-nix: 2.3.6
-
-matrix:
-  include:
-  - name: nixos-unstable
-    env: NIXPKGS_CHANNEL=nixos-unstable IMAGE_TAG=latest
-  - name: nixos-20.03
-    env: NIXPKGS_CHANNEL=nixos-20.03
-  - name: nixos-20.09
-    env: NIXPKGS_CHANNEL=nixos-20.09
-
-script:
-  - NIX_PATH=channel:$NIXPKGS_CHANNEL nix-shell --run ./.travis.sh

build

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# build *all* the docker images
-exec nix-build \
-  --no-out-link \
-  --option sandbox true \
-  "$@"

ci.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# CI specific build script.
+#
+set -euo pipefail
+
+channel=${NIXPKGS_CHANNEL:-nixos-unstable}
+registry=${CI_REGISTRY:-docker.io}
+registry_auth=${CI_REGISTRY_AUTH:-}
+image_prefix=${CI_PROJECT_PATH:-nixpkgs}
+
+if [[ $channel == nixos-unstable ]]; then
+  image_tag=latest
+else
+  image_tag=$channel
+fi
+
+export NIX_PATH=channel:$channel
+
+banner() {
+  echo "========================================================"
+  echo "  $*"
+  echo "========================================================"
+}
+
+cd "$(dirname "$0")"
+
+banner "Building images"
+# Build all the docker images
+nix-build \
+  --no-out-link \
+  --option sandbox true \
+
+if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
+  banner "Skipping push on non-master branch"
+  exit
+fi
+
+if [[ -n "${registry_auth}" ]]; then
+  banner "docker login"
+  ./docker-login "$registry_auth" "$registry"
+fi
+
+banner "docker push"
+./push-all "$registry" "$image_prefix" "$image_tag"
+
+if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
+  banner "docker metadata update"
+  ./dockerhub-metadata "$registry_auth" "$image_prefix"
+fi

docker-login

@@ -5,9 +5,8 @@
 # Usage: ./docker-login <username> <password> [registry]
 set -euo pipefail
 
-username=$1
-password=$2
-registry=${3:-docker.io}
+auth=$1
+registry=${2:-docker.io}
 
 # Encode some funky docker heuristic
 if [[ $registry = *docker.io ]]; then
@@ -21,7 +20,7 @@ cat <<DOCKER_CONF > ~/.docker/config.json
 {
   "auths": {
     "$registry": {
-      "auth": "$(printf "%s:%s" "$username" "$password" | base64)"
+      "auth": "$(echo "$auth" | base64)"
     }
   }
 }

dockerhub-metadata

@@ -6,10 +6,8 @@
 # Usage: ./dockerhub-metadata <user> <password> [org]
 set -euo pipefail
 
-username=$1
-password=$2
-org=${3:-nixpkgs}
-user=$username:$password
+user=$1
+org=${2:-nixpkgs}
 
 nix_eval() {
   nix-instantiate --strict --eval --json "$@"