118 lines
4 KiB
YAML
118 lines
4 KiB
YAML
name: docker
|
|
|
|
on:
|
|
# workflow_run:
|
|
# workflows: [crane]
|
|
push:
|
|
branches: [main]
|
|
# types:
|
|
# - completed
|
|
# schedule:
|
|
# - cron: 0 0 * * 1
|
|
# # Publish semver tags as releases.
|
|
# tags: [ 'v*.*.*' ]
|
|
# pull_request:
|
|
# branches: [ "main" ]
|
|
|
|
env:
|
|
# Use docker.io for Docker Hub if empty
|
|
REGISTRY: git.nexveridian.com
|
|
# github.repository as <account>/<repo>
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
NIX_CONFIG: "experimental-features = nix-command flakes"
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: docker
|
|
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow
|
|
# if: ${{ github.event.workflow_run.conclusion == 'success' }}
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
# This is used to complete the identity challenge
|
|
# with sigstore/fulcio when running outside of PRs.
|
|
id-token: write
|
|
|
|
steps:
|
|
- run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true
|
|
- run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create nexveridian-web || true
|
|
- run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use nexveridian-web || true
|
|
|
|
- name: Install Node.js
|
|
run: |
|
|
mkdir -p ~/.local/bin
|
|
nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs
|
|
ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node
|
|
ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install skopeo
|
|
run: |
|
|
mkdir -p ~/.local/bin
|
|
nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
|
|
ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
# Note: skopeo handles authentication via --dest-creds flag, so no separate login step needed
|
|
|
|
- name: Extract Docker metadata
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
|
|
- name: Build Nix package
|
|
run: nix build .#my-docker
|
|
|
|
- name: Verify built image
|
|
run: |
|
|
export TMPDIR=/tmp
|
|
mkdir -p $TMPDIR
|
|
IMAGE_PATH=$(readlink -f result)
|
|
echo "Image path: $IMAGE_PATH"
|
|
echo "Image file info:"
|
|
ls -la "$IMAGE_PATH"
|
|
echo "Verifying image structure..."
|
|
skopeo inspect tarball:"$IMAGE_PATH"
|
|
|
|
# https://github.com/orgs/community/discussions/25768#discussioncomment-3249183
|
|
- name: Downcase REPO
|
|
run: |
|
|
echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
|
|
|
|
- name: Strip REPO Username
|
|
run: |
|
|
STRIP_REPO_USERNAME=${REPO#nexveridian/}
|
|
echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
|
|
|
|
# https://github.com/docker/build-push-action/issues/538
|
|
- name: Push Docker image with skopeo
|
|
run: |
|
|
export TMPDIR=/tmp
|
|
mkdir -p $TMPDIR
|
|
IMAGE_PATH=$(readlink -f result)
|
|
echo "Pushing image from: $IMAGE_PATH"
|
|
echo "Target registry: ${{ env.REGISTRY }}/${{ env.REPO }}:latest"
|
|
skopeo copy \
|
|
--insecure-policy \
|
|
--dest-creds "${{ env.GITHUB_ACTOR }}:${{ env.GITHUB_TOKEN }}" \
|
|
"tarball:$IMAGE_PATH" \
|
|
"docker://${{ env.REGISTRY }}/${{ env.REPO }}:latest"
|
|
|
|
- name: Push to attic
|
|
if: always()
|
|
run: |
|
|
valid_paths=""
|
|
for path in /nix/store/*/; do
|
|
if nix path-info "$path" >/dev/null 2>&1; then
|
|
valid_paths="$valid_paths $path"
|
|
fi
|
|
done
|
|
|
|
if [ -n "$valid_paths" ]; then
|
|
for i in {1..10}; do
|
|
nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nexveridian-web $valid_paths && break || [ $i -eq 5 ] || sleep 5
|
|
done
|
|
fi
|