153 lines
5.7 KiB
YAML
153 lines
5.7 KiB
YAML
name: docker
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
|
|
env:
|
|
REGISTRY: git.nexveridian.com
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
NIX_CONFIG: "experimental-features = nix-command flakes"
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: docker
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
|
|
steps:
|
|
- run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true
|
|
- run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create nexveridian-web || true
|
|
- run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use nexveridian-web || true
|
|
|
|
- name: Install Node.js
|
|
run: |
|
|
mkdir -p ~/.local/bin
|
|
nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs
|
|
ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node
|
|
ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install skopeo
|
|
run: |
|
|
mkdir -p ~/.local/bin
|
|
nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo
|
|
ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo
|
|
echo "$HOME/.local/bin" >> $GITHUB_PATH
|
|
|
|
- name: Build Nix package
|
|
run: nix build .#my-docker
|
|
|
|
- name: Prepare repository variables
|
|
run: |
|
|
echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV}
|
|
echo "OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV}
|
|
# Extract just the repository name (everything after the last slash)
|
|
REPO_NAME=${GITHUB_REPOSITORY##*/}
|
|
echo "IMAGE_NAME=${REPO_NAME,,}" >> ${GITHUB_ENV}
|
|
|
|
# Debug output
|
|
echo "Full repository: ${GITHUB_REPOSITORY}"
|
|
echo "Repository owner: ${GITHUB_REPOSITORY_OWNER}"
|
|
echo "Extracted repo name: ${REPO_NAME}"
|
|
echo "Final image name: ${REPO_NAME,,}"
|
|
echo "Final owner: ${GITHUB_REPOSITORY_OWNER,,}"
|
|
|
|
- name: Setup skopeo policy and push image
|
|
run: |
|
|
# configure container policy to accept insecure registry
|
|
mkdir -p ~/.config/containers
|
|
cat > ~/.config/containers/policy.json <<EOF
|
|
{
|
|
"default": [{"type":"insecureAcceptAnything"}]
|
|
}
|
|
EOF
|
|
|
|
# ensure all required directories exist with proper permissions
|
|
mkdir -p /tmp/skopeo /var/tmp ~/.local/share/containers
|
|
chmod 755 /tmp/skopeo /var/tmp || true
|
|
|
|
# set multiple environment variables for skopeo temporary directories
|
|
export TMPDIR=/tmp/skopeo
|
|
export TMP=/tmp/skopeo
|
|
export TEMP=/tmp/skopeo
|
|
export XDG_RUNTIME_DIR=/tmp/skopeo
|
|
|
|
# The Nix build creates a compressed tar.gz file, we need to extract it first
|
|
echo "Extracting Nix-built Docker image..."
|
|
cd /tmp/skopeo
|
|
cp ${GITHUB_WORKSPACE}/result ./docker-image.tar.gz
|
|
gunzip docker-image.tar.gz
|
|
|
|
# Debug information
|
|
echo "Registry: ${{ env.REGISTRY }}"
|
|
echo "Repository: ${{ env.REPO }}"
|
|
echo "Image Name: ${{ env.IMAGE_NAME }}"
|
|
echo "Owner: ${{ env.OWNER }}"
|
|
echo "Actor: ${{ github.actor }}"
|
|
echo "Target: docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest"
|
|
|
|
# Create authentication file for skopeo
|
|
echo "Creating authentication file..."
|
|
mkdir -p ~/.docker
|
|
cat > ~/.docker/config.json <<EOF
|
|
{
|
|
"auths": {
|
|
"${{ env.REGISTRY }}": {
|
|
"auth": "$(echo -n "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" | base64 -w 0)"
|
|
}
|
|
}
|
|
}
|
|
EOF
|
|
|
|
# Also create auth for containers directory
|
|
mkdir -p ~/.config/containers
|
|
cp ~/.docker/config.json ~/.config/containers/auth.json
|
|
|
|
# Test registry connectivity first
|
|
echo "Testing registry authentication..."
|
|
skopeo login --username "${{ github.actor }}" --password "${{ secrets.GITHUB_TOKEN }}" "${{ env.REGISTRY }}" || echo "Login failed, continuing anyway..."
|
|
|
|
# Try alternative authentication method
|
|
echo "Attempting push with explicit credentials..."
|
|
|
|
# Method 1: Use auth file approach
|
|
skopeo copy \
|
|
--dest-tls-verify=false \
|
|
--tmpdir /tmp/skopeo \
|
|
--authfile ~/.config/containers/auth.json \
|
|
docker-archive:/tmp/skopeo/docker-image.tar \
|
|
docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest || {
|
|
|
|
echo "Auth file method failed, trying direct credentials..."
|
|
|
|
# Method 2: Use credentials directly with insecure registry
|
|
skopeo copy \
|
|
--dest-tls-verify=false \
|
|
--dest-cert-dir= \
|
|
--tmpdir /tmp/skopeo \
|
|
--dest-creds "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" \
|
|
--insecure-policy \
|
|
docker-archive:/tmp/skopeo/docker-image.tar \
|
|
docker://${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.IMAGE_NAME }}:latest
|
|
}
|
|
|
|
- name: Push to attic
|
|
if: always()
|
|
run: |
|
|
valid_paths=""
|
|
for path in /nix/store/*/; do
|
|
if nix path-info "$path" >/dev/null 2>&1; then
|
|
valid_paths="$valid_paths $path"
|
|
fi
|
|
done
|
|
|
|
if [ -n "$valid_paths" ]; then
|
|
for i in {1..3}; do
|
|
nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nexveridian-web $valid_paths && break || [ $i -eq 3 ] || sleep 5
|
|
done
|
|
fi
|