name: docker on: # workflow_run: # workflows: [crane] push: branches: [main] # types: # - completed # schedule: # - cron: 0 0 * * 1 # # Publish semver tags as releases. # tags: [ 'v*.*.*' ] # pull_request: # branches: [ "main" ] env: # Use docker.io for Docker Hub if empty REGISTRY: git.nexveridian.com # github.repository as / IMAGE_NAME: ${{ github.repository }} NIX_CONFIG: "experimental-features = nix-command flakes" jobs: build: runs-on: docker # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow # if: ${{ github.event.workflow_run.conclusion == 'success' }} permissions: contents: read packages: write # This is used to complete the identity challenge # with sigstore/fulcio when running outside of PRs. id-token: write steps: - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create nexveridian-web || true - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use nexveridian-web || true - name: Install Node.js run: | mkdir -p ~/.local/bin nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm echo "$HOME/.local/bin" >> $GITHUB_PATH - uses: actions/checkout@v4 # Install skopeo from Nix (for daemonless image operations) - name: Install skopeo run: | mkdir -p ~/.local/bin nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo echo "$HOME/.local/bin" >> $GITHUB_PATH # Create a simple policy file for skopeo mkdir -p ~/.config/containers cat > ~/.config/containers/policy.json << 'EOF' { "default": [ { "type": "insecureAcceptAnything" } ] } EOF skopeo --version # Extract metadata (tags, labels) for Docker # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build Nix package run: nix build .#my-docker # https://github.com/orgs/community/discussions/25768#discussioncomment-3249183 - name: Downcase REPO run: | echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV} - name: Strip REPO Username run: | STRIP_REPO_USERNAME=${REPO#nexveridian/} echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV} # https://github.com/docker/build-push-action/issues/538 - name: Push Docker image with skopeo if: github.event_name != 'pull_request' run: | # The Nix result is a compressed tarball, we need to extract it first TARGET_FILE=$(readlink -f result) echo "Target file: $TARGET_FILE" # Extract the compressed tarball to get the docker archive gunzip -c "$TARGET_FILE" > docker-image.tar # Debug authentication echo "Registry: ${{ env.REGISTRY }}" echo "Repository: ${{ env.REPO }}" echo "Username: ${{ github.actor }}" # Copy the image directly from the extracted archive to the registry skopeo copy \ --dest-creds="${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" \ --dest-tls-verify=false \ docker-archive:docker-image.tar \ docker://${{ env.REGISTRY }}/${{ env.REPO }}:latest - name: Push to attic if: always() run: | valid_paths="" for path in /nix/store/*/; do if nix path-info "$path" >/dev/null 2>&1; then valid_paths="$valid_paths $path" fi done if [ -n "$valid_paths" ]; then for i in {1..10}; do nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nexveridian-web $valid_paths && break || [ $i -eq 5 ] || sleep 5 done fi