This commit is contained in:
parent
a40a9a44ea
commit
ed1ff0f7ed
SSH key fingerprint:
SHA256:bsA1SKZxuEcEVHAy3gY1HUeM5ykRJl0U0kQHQn0hMg8
1 changed files with 72 additions and 46 deletions
|
|
@ -1,36 +1,20 @@
|
||||||
name: docker
|
name: docker
|
||||||
|
|
||||||
on:
|
on:
|
||||||
# workflow_run:
|
|
||||||
# workflows: [crane]
|
|
||||||
push:
|
push:
|
||||||
branches: [main]
|
branches: [main]
|
||||||
# types:
|
|
||||||
# - completed
|
|
||||||
# schedule:
|
|
||||||
# - cron: 0 0 * * 1
|
|
||||||
# # Publish semver tags as releases.
|
|
||||||
# tags: [ 'v*.*.*' ]
|
|
||||||
# pull_request:
|
|
||||||
# branches: [ "main" ]
|
|
||||||
|
|
||||||
env:
|
env:
|
||||||
# Use docker.io for Docker Hub if empty
|
|
||||||
REGISTRY: git.nexveridian.com
|
REGISTRY: git.nexveridian.com
|
||||||
# github.repository as <account>/<repo>
|
|
||||||
IMAGE_NAME: ${{ github.repository }}
|
IMAGE_NAME: ${{ github.repository }}
|
||||||
NIX_CONFIG: "experimental-features = nix-command flakes"
|
NIX_CONFIG: "experimental-features = nix-command flakes"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: docker
|
runs-on: docker
|
||||||
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
|
|
||||||
# if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
packages: write
|
packages: write
|
||||||
# This is used to complete the identity challenge
|
|
||||||
# with sigstore/fulcio when running outside of PRs.
|
|
||||||
id-token: write
|
id-token: write
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
|
|
@ -48,46 +32,88 @@ jobs:
|
||||||
|
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Install Docker
|
- name: Install skopeo
|
||||||
run: |
|
run: |
|
||||||
mkdir -p ~/.local/bin
|
mkdir -p ~/.local/bin
|
||||||
nix build -I nixpkgs=channel:nixos-unstable nixpkgs#docker -o ~/.local/docker
|
nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
|
||||||
ln -sf ~/.local/docker/bin/docker ~/.local/bin/docker
|
ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
|
||||||
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
||||||
|
|
||||||
- name: Log into registry ${{ env.REGISTRY }}
|
|
||||||
if: github.event_name != 'pull_request'
|
|
||||||
uses: docker/login-action@v3
|
|
||||||
with:
|
|
||||||
registry: ${{ env.REGISTRY }}
|
|
||||||
username: ${{ env.GITHUB_ACTOR }}
|
|
||||||
password: ${{ env.GITHUB_TOKEN }}
|
|
||||||
|
|
||||||
- name: Extract Docker metadata
|
|
||||||
id: meta
|
|
||||||
uses: docker/metadata-action@v5
|
|
||||||
with:
|
|
||||||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
||||||
|
|
||||||
- name: Build Nix package
|
- name: Build Nix package
|
||||||
run: nix build .#my-docker
|
run: nix build .#my-docker
|
||||||
|
|
||||||
# https://github.com/orgs/community/discussions/25768#discussioncomment-3249183
|
- name: Prepare repository variables
|
||||||
- name: Downcase REPO
|
|
||||||
run: |
|
run: |
|
||||||
echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
|
echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
|
||||||
|
STRIP_REPO_USERNAME=${GITHUB_REPOSITORY,,#nexveridian/}
|
||||||
- name: Strip REPO Username
|
|
||||||
run: |
|
|
||||||
STRIP_REPO_USERNAME=${REPO#nexveridian/}
|
|
||||||
echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
|
echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
|
||||||
|
# For Forgejo container registry, use just the repo name without org (lowercase)
|
||||||
|
echo "IMAGE_NAME=${STRIP_REPO_USERNAME,,}" >> ${GITHUB_ENV}
|
||||||
|
echo "OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV}
|
||||||
|
|
||||||
# https://github.com/docker/build-push-action/issues/538
|
- name: Setup skopeo policy and push image
|
||||||
- name: Push and tag Docker image
|
|
||||||
run: |
|
run: |
|
||||||
docker load < result
|
# configure container policy to accept insecure registry
|
||||||
docker tag ${{ env.STRIP_REPO_USERNAME }}:latest ${{ env.REGISTRY }}/${{ env.REPO }}:latest
|
mkdir -p ~/.config/containers
|
||||||
docker push ${{ env.REGISTRY }}/${{ env.REPO }}:latest
|
cat > ~/.config/containers/policy.json <<EOF
|
||||||
|
{
|
||||||
|
"default": [{"type":"insecureAcceptAnything"}]
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# ensure all required directories exist with proper permissions
|
||||||
|
mkdir -p /tmp/skopeo /var/tmp ~/.local/share/containers
|
||||||
|
chmod 755 /tmp/skopeo /var/tmp || true
|
||||||
|
|
||||||
|
# set multiple environment variables for skopeo temporary directories
|
||||||
|
export TMPDIR=/tmp/skopeo
|
||||||
|
export TMP=/tmp/skopeo
|
||||||
|
export TEMP=/tmp/skopeo
|
||||||
|
export XDG_RUNTIME_DIR=/tmp/skopeo
|
||||||
|
|
||||||
|
# The Nix build creates a compressed tar.gz file, we need to extract it first
|
||||||
|
echo "Extracting Nix-built Docker image..."
|
||||||
|
cd /tmp/skopeo
|
||||||
|
cp ${GITHUB_WORKSPACE}/result ./docker-image.tar.gz
|
||||||
|
gunzip docker-image.tar.gz
|
||||||
|
|
||||||
|
# Debug information
|
||||||
|
echo "Registry: ${{ env.REGISTRY }}"
|
||||||
|
echo "Repository: ${{ env.REPO }}"
|
||||||
|
echo "Image Name: ${{ env.IMAGE_NAME }}"
|
||||||
|
echo "Owner: ${{ env.OWNER }}"
|
||||||
|
echo "Actor: ${{ github.actor }}"
|
||||||
|
echo "Target: docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest"
|
||||||
|
|
||||||
|
# Create authentication file for skopeo
|
||||||
|
echo "Creating authentication file..."
|
||||||
|
mkdir -p ~/.docker
|
||||||
|
cat > ~/.docker/config.json <<EOF
|
||||||
|
{
|
||||||
|
"auths": {
|
||||||
|
"${{ env.REGISTRY }}": {
|
||||||
|
"auth": "$(echo -n "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" | base64 -w 0)"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# Also create auth for containers directory
|
||||||
|
mkdir -p ~/.config/containers
|
||||||
|
cp ~/.docker/config.json ~/.config/containers/auth.json
|
||||||
|
|
||||||
|
# Test registry connectivity first
|
||||||
|
echo "Testing registry authentication..."
|
||||||
|
skopeo login --username "${{ github.actor }}" --password "${{ secrets.GITHUB_TOKEN }}" "${{ env.REGISTRY }}" || echo "Login failed, continuing anyway..."
|
||||||
|
|
||||||
|
# Push image with correct lowercase format
|
||||||
|
echo "Attempting push with lowercase owner/image format..."
|
||||||
|
skopeo copy \
|
||||||
|
--dest-tls-verify=false \
|
||||||
|
--tmpdir /tmp/skopeo \
|
||||||
|
--retry-times 3 \
|
||||||
|
docker-archive:/tmp/skopeo/docker-image.tar \
|
||||||
|
docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest
|
||||||
|
|
||||||
- name: Push to attic
|
- name: Push to attic
|
||||||
if: always()
|
if: always()
|
||||||
|
|
@ -100,7 +126,7 @@ jobs:
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$valid_paths" ]; then
|
if [ -n "$valid_paths" ]; then
|
||||||
for i in {1..10}; do
|
for i in {1..3}; do
|
||||||
nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nexveridian-web $valid_paths && break || [ $i -eq 5 ] || sleep 5
|
nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nexveridian-web $valid_paths && break || [ $i -eq 3 ] || sleep 5
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue