/tmp should always be writable in containers, whereas PWD/tmp
might not be accessible from nested containers.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Support unauthenticated registries (e.g., Tailscale-protected internal
registries) by making username/password optional. Only passes credentials
to skopeo if both are provided.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace docker load + docker push with skopeo copy to push OCI
images directly to the registry. Benefits:
- No Docker daemon required in runner
- More secure (no socket mounting needed)
- Simpler - direct OCI tarball to registry copy
- Works in any environment with skopeo
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Set build-users-group to empty to disable multi-user builds,
which require nixbld group and build users. This allows the
action to work in single-user Nix environments like containers.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add Nix config step to enable nix-command and flakes features
before building. Also configures Attic substituters for faster builds.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add reusable action for building Docker images with Nix flakes:
- Full reproducibility with Nix derivations
- Attic cache integration for build artifacts
- Optimized layering with dockerTools.buildLayeredImage
- Automatic Nix binary cache usage
Use this instead of docker-build when you want:
- Bit-for-bit identical builds
- Better caching via Attic/Nix
- Smaller, optimized images
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add reusable action for building and pushing Docker images with:
- S3 build cache support (SeaweedFS)
- Optional Nix/Attic cache configuration
- Auto-tagging based on branches, PRs, and semver tags
- Multi-registry support
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove hardcoded nomad-addr input — NOMAD_ADDR is now injected by the
Forgejo runner via container.options using host.docker.internal.
Switch Nomad Variable path from static-sites/s3 to nomad/jobs so all
jobs in the namespace can read it without explicit ACL policies.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Extracts sign+push logic into a reusable push-nix-cache action.
Both the site deploy and the image build now use it.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
NixOS test boots a VM, loads the static-server image, starts it with
index.html + foo.html, and verifies that /foo routes to foo.html
(extensionless URL routing). Also adds flake.lock pinning nixpkgs.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Use nix eval --raw --impure + builtins.getEnv instead of Python for
Nomad job JSON generation. Add flake-output input (default: default)
so projects can build non-default outputs like docs.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
S3_BUCKET and S3_ENDPOINT are config, not secrets. Move them to
inputs with defaults (s3.toph.so / nix-cache). Calling workflows
only need to supply AWS credentials, NIX_SIGNING_KEY, NOMAD_TOKEN.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- deploy-static-site/images/flake.nix: moved from images/flake.nix
- .forgejo/workflows/build-static-server.yaml: moved from images/.forgejo/
(Forgejo only picks up workflows from repo root .forgejo/workflows/)
- updated path reference in build workflow
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Composite action for deploying Nix flake OCI images to Nomad.
Owns the static-site parameterized Nomad job template, all infra
defaults (registry, S3, Nomad addr), and an optional smoke test.
Site repos only need to provide a flake with an ociImage output
and pass domain + 3 secrets (S3_ACCESS_KEY, S3_SECRET_KEY, NIX_SIGNING_KEY).
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Job-level env vars from secrets aren't injected as real shell env
vars in Docker-based composite actions. Bridge via $GITHUB_ENV,
same pattern as NOMAD_ADDR.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jobs now target the static-sites namespace (required by the CI ACL
policy) and docs include NOMAD_TOKEN in all workflow examples.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
YAML ends a block scalar when it sees content less indented than
the first content line. The JSON heredoc at column 0 caused the
parser to bail out mid-block. Indenting to 8 spaces keeps it inside
the run: | scalar; YAML strips that indentation before handing the
script to the shell, so the NOMAD_EOF terminator lands at column 0
as required.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add -json flag to nomad job run (API JSON uses PascalCase, not HCL2)
- Quote heredoc to prevent shell from mangling Nomad interpolations
- Use Forgejo template expressions for S3 creds in fetch task env
- Fix Volumes to map format (Nomad API JSON, not array)
- Remove unused shell variable assignments
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Prestart task fetches from S3 binary cache into shared volume
- Server task serves from shared volume (read-only)
- Build uses S3 cache as substituter (ultra-fast builds for shared deps)
- Push entire closure to cache (derivation + dependencies)
- No host involvement, pure container isolation
Architecture:
- Site A builds nodejs_20 + vite → pushed to cache
- Site B builds → pulls nodejs_20 + vite from cache (instant)
- Only builds site-specific code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
