feat: use skopeo instead of docker for image push

Replace docker load + docker push with skopeo copy to push OCI images directly to the registry. Benefits: - No Docker daemon required in runner - More secure (no socket mounting needed) - Simpler - direct OCI tarball to registry copy - Works in any environment with skopeo Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-03-04 14:53:10 +01:00 · 2026-03-04 14:53:10 +01:00 · 7f3b4032f9
commit 7f3b4032f9
parent cd4c6208cc
1 changed files with 8 additions and 18 deletions
--- a/docker-build-nix/action.yaml
+++ b/docker-build-nix/action.yaml
@ -80,24 +80,14 @@ runs:
          echo "Warning: Failed to push to Attic cache, continuing anyway"
        fi

-    - name: Load image into Docker
+    - name: Push image to registry with skopeo
      shell: bash
      run: |
-        echo "Loading OCI image into Docker..."
-        docker load < ./result
+        TARGET_IMAGE="docker://${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}"
+        echo "Pushing OCI image to: $TARGET_IMAGE"

-    - name: Tag and push to registry
-      shell: bash
-      run: |
-        # Extract image name from the loaded output
-        IMAGE_ID=$(docker images --format "{{.Repository}}:{{.Tag}}" | head -n1)
-        echo "Loaded image: $IMAGE_ID"
-
-        # Tag with target name
-        TARGET_IMAGE="${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}"
-        echo "Tagging as: $TARGET_IMAGE"
-        docker tag "$IMAGE_ID" "$TARGET_IMAGE"
-
-        # Login and push
-        echo "${{ inputs.registry-password }}" | docker login ${{ inputs.registry }} -u ${{ inputs.registry-username }} --password-stdin
-        docker push "$TARGET_IMAGE"
+        # Use skopeo to push directly from OCI tarball to registry
+        skopeo copy \
+          --dest-creds "${{ inputs.registry-username }}:${{ inputs.registry-password }}" \
+          "docker-archive:./result" \
+          "$TARGET_IMAGE"