fix: docker

.forgejo/workflows/docker.yml

@@ -1,36 +1,22 @@
 name: docker
 
 on:
-  # workflow_run:
-  # workflows: [crane]
   push:
     branches: [main]
-    # types:
-    # - completed
-  # schedule:
-  # - cron: 0 0 * * 1
-  #   # Publish semver tags as releases.
-  #   tags: [ 'v*.*.*' ]
-  # pull_request:
-  #   branches: [ "main" ]
 
 env:
-  # Use docker.io for Docker Hub if empty
   REGISTRY: git.nexveridian.com
-  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
   NIX_CONFIG: "experimental-features = nix-command flakes"
+  # UNCOMMENT BELOW AND ADD PERSONAL ACCESS TOKEN TO SECRETS FOR CONTAINER REGISTRY
+  # CONTAINER_TOKEN: ${{ secrets.CONTAINER_REGISTRY_TOKEN }}
 
 jobs:
   build:
     runs-on: docker
-    # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
-    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
       id-token: write
 
     steps:
@@ -48,46 +34,115 @@ jobs:
 
       - uses: actions/checkout@v4
 
-      - name: Install Docker
+      - name: Install skopeo
         run: |
           mkdir -p ~/.local/bin
-          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#docker -o ~/.local/docker
+          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
-          ln -sf ~/.local/docker/bin/docker ~/.local/bin/docker
+          ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ env.GITHUB_ACTOR }}
-          password: ${{ env.GITHUB_TOKEN }}
-
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
       - name: Build Nix package
         run: nix build .#my-docker
 
-      # https://github.com/orgs/community/discussions/25768#discussioncomment-3249183
+      - name: Prepare repository variables
-      - name: Downcase REPO
         run: |
           echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
+          echo "OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV}
+          # Extract just the repository name (everything after the last slash)
+          REPO_NAME=${GITHUB_REPOSITORY##*/}
+          echo "IMAGE_NAME=${REPO_NAME,,}" >> ${GITHUB_ENV}
 
-      - name: Strip REPO Username
+          # Debug output
-        run: |
+          echo "Full repository: ${GITHUB_REPOSITORY}"
-          STRIP_REPO_USERNAME=${REPO#nexveridian/}
+          echo "Repository owner: ${GITHUB_REPOSITORY_OWNER}"
-          echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
+          echo "Extracted repo name: ${REPO_NAME}"
+          echo "Final image name: ${REPO_NAME,,}"
+          echo "Final owner: ${GITHUB_REPOSITORY_OWNER,,}"
 
-      # https://github.com/docker/build-push-action/issues/538
+      - name: Setup skopeo policy and push image
-      - name: Push and tag Docker image
         run: |
-          docker load < result
+          # configure container policy to accept insecure registry
-          docker tag ${{ env.STRIP_REPO_USERNAME }}:latest ${{ env.REGISTRY }}/${{ env.REPO }}:latest
+          mkdir -p ~/.config/containers
-          docker push ${{ env.REGISTRY }}/${{ env.REPO }}:latest
+          cat > ~/.config/containers/policy.json <<EOF
+          {
+            "default": [{"type":"insecureAcceptAnything"}]
+          }
+          EOF
+
+          # ensure all required directories exist with proper permissions
+          mkdir -p /tmp/skopeo /var/tmp ~/.local/share/containers
+          chmod 755 /tmp/skopeo /var/tmp || true
+
+          # set multiple environment variables for skopeo temporary directories
+          export TMPDIR=/tmp/skopeo
+          export TMP=/tmp/skopeo
+          export TEMP=/tmp/skopeo
+          export XDG_RUNTIME_DIR=/tmp/skopeo
+
+          # The Nix build creates a compressed tar.gz file, we need to extract it first
+          echo "Extracting Nix-built Docker image..."
+          cd /tmp/skopeo
+          cp ${GITHUB_WORKSPACE}/result ./docker-image.tar.gz
+          gunzip docker-image.tar.gz
+
+          # Debug information
+          echo "Registry: ${{ env.REGISTRY }}"
+          echo "Repository: ${{ env.REPO }}"
+          echo "Image Name: ${{ env.IMAGE_NAME }}"
+          echo "Owner: ${{ env.OWNER }}"
+          echo "Actor: ${{ github.actor }}"
+          echo "Target: docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest"
+
+          # Create authentication file for skopeo
+          echo "Creating authentication file..."
+          mkdir -p ~/.docker
+          cat > ~/.docker/config.json <<EOF
+          {
+            "auths": {
+              "${{ env.REGISTRY }}": {
+                "auth": "$(echo -n "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" | base64 -w 0)"
+              }
+            }
+          }
+          EOF
+
+          # Also create auth for containers directory
+          mkdir -p ~/.config/containers
+          cp ~/.docker/config.json ~/.config/containers/auth.json
+
+          echo "=== AUTHENTICATION ISSUE DETECTED ==="
+          echo "The automatic GITHUB_TOKEN does not have container registry permissions."
+          echo "This is a common issue with self-hosted Forgejo instances."
+          echo ""
+          echo "SOLUTION: Create a Personal Access Token with package permissions"
+          echo "1. Go to: https://${{ env.REGISTRY }}/user/settings/applications"
+          echo "2. Create a new token with 'package' scope"
+          echo "3. Add it as a repository secret named 'CONTAINER_REGISTRY_TOKEN'"
+          echo "4. Replace GITHUB_TOKEN with secrets.CONTAINER_REGISTRY_TOKEN in this workflow"
+          echo ""
+          echo "For now, attempting one final debug approach..."
+
+          # Test registry connectivity with debug info
+          echo "Testing registry authentication with debug..."
+          skopeo login --username "${{ github.actor }}" --password "${{ secrets.GITHUB_TOKEN }}" "${{ env.REGISTRY }}" || echo "Login failed"
+
+          # Check if we have package permissions
+          echo "Checking token permissions..."
+          echo "Token starts with: $(echo "${{ secrets.GITHUB_TOKEN }}" | cut -c1-10)..."
+          echo "Token length: $(echo "${{ secrets.GITHUB_TOKEN }}" | wc -c)"
+
+          skopeo copy \
+            --dest-creds "${{ github.actor }}:${{ secrets.CONTAINER_REGISTRY_TOKEN }}" \
+            docker-archive:/tmp/skopeo/docker-image.tar \
+            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest || {
+
+            echo ""
+            echo "=== PUSH FAILED ==="
+            echo "As expected, the GITHUB_TOKEN lacks container registry permissions."
+            echo "Please create a Personal Access Token as described above."
+            echo ""
+            exit 1
+          }
 
       - name: Push to attic
         if: always()