fix: docker

2025-08-22 00:57:07 -07:00 · 2025-08-22 00:57:07 -07:00 · e27edf4fd4
commit e27edf4fd4
parent a40a9a44ea
1 changed files with 99 additions and 44 deletions
--- a/.forgejo/workflows/docker.yml
+++ b/.forgejo/workflows/docker.yml
@ -1,36 +1,22 @@
 name: docker

 on:
-  # workflow_run:
-  # workflows: [crane]
  push:
    branches: [main]
-    # types:
-    # - completed
-  # schedule:
-  # - cron: 0 0 * * 1
-  #   # Publish semver tags as releases.
-  #   tags: [ 'v*.*.*' ]
-  # pull_request:
-  #   branches: [ "main" ]

 env:
-  # Use docker.io for Docker Hub if empty
  REGISTRY: git.nexveridian.com
-  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
  NIX_CONFIG: "experimental-features = nix-command flakes"
+  # UNCOMMENT BELOW AND ADD PERSONAL ACCESS TOKEN TO SECRETS FOR CONTAINER REGISTRY
+  # CONTAINER_TOKEN: ${{ secrets.CONTAINER_REGISTRY_TOKEN }}

 jobs:
  build:
    runs-on: docker
-    # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
-    # if: ${{ github.event.workflow_run.conclusion == 'success' }}
    permissions:
      contents: read
      packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
      id-token: write

    steps:
@ -48,46 +34,115 @@ jobs:

      - uses: actions/checkout@v4

-      - name: Install Docker
+      - name: Install skopeo
        run: |
          mkdir -p ~/.local/bin
-          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#docker -o ~/.local/docker
-          ln -sf ~/.local/docker/bin/docker ~/.local/bin/docker
+          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
+          ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
          echo "$HOME/.local/bin" >> $GITHUB_PATH

-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ env.GITHUB_ACTOR }}
-          password: ${{ env.GITHUB_TOKEN }}
-
-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
      - name: Build Nix package
        run: nix build .#my-docker

-      # https://github.com/orgs/community/discussions/25768#discussioncomment-3249183
-      - name: Downcase REPO
+      - name: Prepare repository variables
        run: |
          echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
+          echo "OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV}
+          # Extract just the repository name (everything after the last slash)
+          REPO_NAME=${GITHUB_REPOSITORY##*/}
+          echo "IMAGE_NAME=${REPO_NAME,,}" >> ${GITHUB_ENV}

-      - name: Strip REPO Username
-        run: |
-          STRIP_REPO_USERNAME=${REPO#nexveridian/}
-          echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
+          # Debug output
+          echo "Full repository: ${GITHUB_REPOSITORY}"
+          echo "Repository owner: ${GITHUB_REPOSITORY_OWNER}"
+          echo "Extracted repo name: ${REPO_NAME}"
+          echo "Final image name: ${REPO_NAME,,}"
+          echo "Final owner: ${GITHUB_REPOSITORY_OWNER,,}"

-      # https://github.com/docker/build-push-action/issues/538
-      - name: Push and tag Docker image
+      - name: Setup skopeo policy and push image
        run: |
-          docker load < result
-          docker tag ${{ env.STRIP_REPO_USERNAME }}:latest ${{ env.REGISTRY }}/${{ env.REPO }}:latest
-          docker push ${{ env.REGISTRY }}/${{ env.REPO }}:latest
+          # configure container policy to accept insecure registry
+          mkdir -p ~/.config/containers
+          cat > ~/.config/containers/policy.json <<EOF
+          {
+            "default": [{"type":"insecureAcceptAnything"}]
+          }
+          EOF
+
+          # ensure all required directories exist with proper permissions
+          mkdir -p /tmp/skopeo /var/tmp ~/.local/share/containers
+          chmod 755 /tmp/skopeo /var/tmp || true
+
+          # set multiple environment variables for skopeo temporary directories
+          export TMPDIR=/tmp/skopeo
+          export TMP=/tmp/skopeo
+          export TEMP=/tmp/skopeo
+          export XDG_RUNTIME_DIR=/tmp/skopeo
+
+          # The Nix build creates a compressed tar.gz file, we need to extract it first
+          echo "Extracting Nix-built Docker image..."
+          cd /tmp/skopeo
+          cp ${GITHUB_WORKSPACE}/result ./docker-image.tar.gz
+          gunzip docker-image.tar.gz
+
+          # Debug information
+          echo "Registry: ${{ env.REGISTRY }}"
+          echo "Repository: ${{ env.REPO }}"
+          echo "Image Name: ${{ env.IMAGE_NAME }}"
+          echo "Owner: ${{ env.OWNER }}"
+          echo "Actor: ${{ github.actor }}"
+          echo "Target: docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest"
+
+          # Create authentication file for skopeo
+          echo "Creating authentication file..."
+          mkdir -p ~/.docker
+          cat > ~/.docker/config.json <<EOF
+          {
+            "auths": {
+              "${{ env.REGISTRY }}": {
+                "auth": "$(echo -n "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" | base64 -w 0)"
+              }
+            }
+          }
+          EOF
+
+          # Also create auth for containers directory
+          mkdir -p ~/.config/containers
+          cp ~/.docker/config.json ~/.config/containers/auth.json
+
+          echo "=== AUTHENTICATION ISSUE DETECTED ==="
+          echo "The automatic GITHUB_TOKEN does not have container registry permissions."
+          echo "This is a common issue with self-hosted Forgejo instances."
+          echo ""
+          echo "SOLUTION: Create a Personal Access Token with package permissions"
+          echo "1. Go to: https://${{ env.REGISTRY }}/user/settings/applications"
+          echo "2. Create a new token with 'package' scope"
+          echo "3. Add it as a repository secret named 'CONTAINER_REGISTRY_TOKEN'"
+          echo "4. Replace GITHUB_TOKEN with secrets.CONTAINER_REGISTRY_TOKEN in this workflow"
+          echo ""
+          echo "For now, attempting one final debug approach..."
+
+          # Test registry connectivity with debug info
+          echo "Testing registry authentication with debug..."
+          skopeo login --username "${{ github.actor }}" --password "${{ secrets.GITHUB_TOKEN }}" "${{ env.REGISTRY }}" || echo "Login failed"
+
+          # Check if we have package permissions
+          echo "Checking token permissions..."
+          echo "Token starts with: $(echo "${{ secrets.GITHUB_TOKEN }}" | cut -c1-10)..."
+          echo "Token length: $(echo "${{ secrets.GITHUB_TOKEN }}" | wc -c)"
+
+          skopeo copy \
+            --dest-creds "${{ github.actor }}:${{ secrets.CONTAINER_REGISTRY_TOKEN }}" \
+            docker-archive:/tmp/skopeo/docker-image.tar \
+            docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest || {
+
+            echo ""
+            echo "=== PUSH FAILED ==="
+            echo "As expected, the GITHUB_TOKEN lacks container registry permissions."
+            echo "Please create a Personal Access Token as described above."
+            echo ""
+            exit 1
+          }

      - name: Push to attic
        if: always()