nexveridian-web/.forgejo/workflows/docker.yml

name: docker

on:
  push:
    branches: [main]

env:
  REGISTRY: git.nexveridian.com
  IMAGE_NAME: ${{ github.repository }}
  NIX_CONFIG: "experimental-features = nix-command flakes"

jobs:
  build:
    runs-on: docker
    permissions:
      contents: read
      packages: write
      id-token: write

    steps:
      - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true
      - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create nexveridian-web || true
      - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use nexveridian-web || true

      - name: Install Node.js
        run: |
          mkdir -p ~/.local/bin
          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs
          ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node
          ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - uses: actions/checkout@v4

      - name: Install skopeo
        run: |
          mkdir -p ~/.local/bin
          nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
          ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
          echo "$HOME/.local/bin" >> $GITHUB_PATH

      - name: Build Nix package
        run: nix build .#my-docker

      - name: Prepare repository variables
        run: |
          echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
          STRIP_REPO_USERNAME=${GITHUB_REPOSITORY,,#nexveridian/}
          echo "STRIP_REPO_USERNAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}
          # For Forgejo container registry, use just the repo name without org
          echo "IMAGE_NAME=${STRIP_REPO_USERNAME}" >> ${GITHUB_ENV}

      - name: Setup skopeo policy and push image
        run: |
          # configure container policy to accept insecure registry
          mkdir -p ~/.config/containers
          cat > ~/.config/containers/policy.json <<EOF
          {
            "default": [{"type":"insecureAcceptAnything"}]
          }
          EOF

          # ensure all required directories exist with proper permissions
          mkdir -p /tmp/skopeo /var/tmp ~/.local/share/containers
          chmod 755 /tmp/skopeo /var/tmp || true

          # set multiple environment variables for skopeo temporary directories
          export TMPDIR=/tmp/skopeo
          export TMP=/tmp/skopeo
          export TEMP=/tmp/skopeo
          export XDG_RUNTIME_DIR=/tmp/skopeo

          # The Nix build creates a compressed tar.gz file, we need to extract it first
          echo "Extracting Nix-built Docker image..."
          cd /tmp/skopeo
          cp ${GITHUB_WORKSPACE}/result ./docker-image.tar.gz
          gunzip docker-image.tar.gz

          # Debug information
          echo "Registry: ${{ env.REGISTRY }}"
          echo "Repository: ${{ env.REPO }}"
          echo "Image Name: ${{ env.IMAGE_NAME }}"
          echo "Actor: ${{ github.actor }}"
          echo "Target 1 (full repo): docker://${{ env.REGISTRY }}/${{ env.REPO }}:latest"
          echo "Target 2 (image name): docker://${{ env.REGISTRY }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:latest"

          # Create authentication file for skopeo
          echo "Creating authentication file..."
          mkdir -p ~/.docker
          cat > ~/.docker/config.json <<EOF
          {
            "auths": {
              "${{ env.REGISTRY }}": {
                "auth": "$(echo -n "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" | base64 -w 0)"
              }
            }
          }
          EOF

          # Also create auth for containers directory
          mkdir -p ~/.config/containers
          cp ~/.docker/config.json ~/.config/containers/auth.json

          # Test registry connectivity first
          echo "Testing registry authentication..."
          skopeo login --username "${{ github.actor }}" --password "${{ secrets.GITHUB_TOKEN }}" "${{ env.REGISTRY }}" || echo "Login failed, continuing anyway..."

          # Try different registry path formats for Forgejo
          echo "Attempting push with owner/repo format..."
          skopeo copy \
            --dest-tls-verify=false \
            --tmpdir /tmp/skopeo \
            docker-archive:/tmp/skopeo/docker-image.tar \
            docker://${{ env.REGISTRY }}/${{ github.actor }}/${{ env.IMAGE_NAME }}:latest || {

            echo "First attempt failed, trying with full repository path..."
            skopeo copy \
              --dest-tls-verify=false \
              --tmpdir /tmp/skopeo \
              docker-archive:/tmp/skopeo/docker-image.tar \
              docker://${{ env.REGISTRY }}/${{ env.REPO }}:latest || {

              echo "Both attempts failed, trying with lowercase actor..."
              skopeo copy \
                --dest-tls-verify=false \
                --tmpdir /tmp/skopeo \
                docker-archive:/tmp/skopeo/docker-image.tar \
                docker://${{ env.REGISTRY }}/${GITHUB_ACTOR,,}/${{ env.IMAGE_NAME }}:latest
            }
          }

      - name: Push to attic
        if: always()
        run: |
          valid_paths=""
          for path in /nix/store/*/; do
            if nix path-info "$path" >/dev/null 2>&1; then
              valid_paths="$valid_paths $path"
            fi
          done

          if [ -n "$valid_paths" ]; then
            for i in {1..3}; do
              nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nexveridian-web $valid_paths && break || [ $i -eq 3 ] || sleep 5
            done
          fi