Composite action for deploying Nix flake OCI images to Nomad.
Owns the static-site parameterized Nomad job template, all infra
defaults (registry, S3, Nomad addr), and an optional smoke test.
Site repos only need to provide a flake with an ociImage output
and pass domain + 3 secrets (S3_ACCESS_KEY, S3_SECRET_KEY, NIX_SIGNING_KEY).
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Job-level env vars from secrets aren't injected as real shell env
vars in Docker-based composite actions. Bridge via $GITHUB_ENV,
same pattern as NOMAD_ADDR.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

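The bridging pattern the commit above describes, as an added example that is not the action's own code: a job-level value (here standing in for a secret) is appended to the file named by `$GITHUB_ENV` so that every later step sees it as an exported variable. The variable names and values are constructed; the multi-line delimiter form is the one the Actions runner understands for values such as a signing key.

```shell
# Added example, not the action's own code: bridge a job-level secret into
# later steps by appending to the file named by $GITHUB_ENV, the same pattern
# the commit uses for NOMAD_ADDR. Variable names and values are constructed.

# Fall back to a temporary file when run outside a CI runner.
: "${GITHUB_ENV:=$(mktemp)}"

nl="$(printf '\nx')"; nl="${nl%x}"   # a literal newline, for the check below

# Append KEY=VALUE. The runner reads the file line by line, so a VALUE
# containing a newline would be split into bogus entries; refuse it here.
bridge_env() {
  key="$1"; value="$2"
  case "$value" in
    *"$nl"*) echo "bridge_env: use bridge_env_multiline for $key" >&2; return 1 ;;
  esac
  printf '%s=%s\n' "$key" "$value" >> "$GITHUB_ENV"
}

# Multi-line values (e.g. NIX_SIGNING_KEY) use the delimiter form the runner
# understands: KEY<<DELIM, the value, then DELIM on its own line.
bridge_env_multiline() {
  key="$1"; value="$2"
  printf '%s<<__ENV_EOF__\n%s\n__ENV_EOF__\n' "$key" "$value" >> "$GITHUB_ENV"
}

# What a later step would see for a single-line KEY (last write wins).
lookup_env() {
  grep "^$1=" "$GITHUB_ENV" | tail -n 1 | cut -d= -f2-
}

# Stand-alone demonstration with constructed values.
bridge_env NOMAD_ADDR "http://nomad.example.invalid:4646"
bridge_env S3_ACCESS_KEY "constructed-access-key"
echo "NOMAD_ADDR for later steps: $(lookup_env NOMAD_ADDR)"
```

Once a secret has been bridged this way it sits in plaintext in the `$GITHUB_ENV` file and in the environment of every subsequent step of the job, so the file deserves the same handling as the secret itself.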
Jobs now target the static-sites namespace (required by the CI ACL
policy) and docs include NOMAD_TOKEN in all workflow examples.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

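An illustration of the kind of CI ACL policy that forces jobs into the `static-sites` namespace, added here and not taken from the repository: the token used by the action is scoped to one namespace and to the job capabilities a deploy needs, so a job submitted anywhere else is rejected. The policy name and the exact capability list are assumptions.

```hcl
# Added illustration, not the repository's own ACL policy: a least-privilege
# Nomad ACL policy for the CI token. Policy name and capabilities are assumed.
namespace "static-sites" {
  capabilities = ["submit-job", "read-job", "list-jobs"]
}
```

With Nomad's standard CLI this is registered with `nomad acl policy apply <name> <file>` and bound to a client token with `nomad acl token create -type=client -policy=<name>`; the resulting token is what the workflow passes as `NOMAD_TOKEN`.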
YAML ends a block scalar when it sees content less indented than
the first content line. The JSON heredoc at column 0 caused the
parser to bail out mid-block. Indenting to 8 spaces keeps it inside
the run: | scalar; YAML strips that indentation before handing the
script to the shell, so the NOMAD_EOF terminator lands at column 0
as required.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Add -json flag to nomad job run (API JSON uses PascalCase, not HCL2)
- Quote heredoc to prevent shell from mangling Nomad interpolations
- Use Forgejo template expressions for S3 creds in fetch task env
- Fix Volumes to map format (Nomad API JSON, not array)
- Remove unused shell variable assignments
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

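The heredoc and JSON-shape points from the two commits above, as an added example that is not the action's own job template: a quoted heredoc terminator keeps Nomad runtime interpolations such as `${NOMAD_ALLOC_DIR}` out of the shell's hands, the site name is validated and substituted explicitly instead of through shell expansion, and the `TaskGroups[].Volumes` entry uses the name-keyed map of Nomad's API JSON (what `nomad job run -json` consumes) rather than an HCL-style array. Job, volume, datacenter and image names are constructed; the unquoted variant shows the mangling the commit fixed.

```shell
# Added example, not the action's own job template: render a minimal Nomad
# API-JSON job through a quoted heredoc, with Volumes as a name-keyed map and
# VolumeMounts as an array. Names, paths and the image are constructed.

# "After": quoted terminator, so the shell expands nothing inside the body.
# The one value we do want substituted, the site name, is validated and then
# replaced explicitly instead of being left to shell expansion.
render_job() {
  site="$1"
  case "$site" in
    ''|*[!a-z0-9-]*) echo "render_job: bad site name" >&2; return 1 ;;
  esac
  cat <<'NOMAD_EOF' | sed "s/__SITE__/$site/g"
{
  "Job": {
    "ID": "static-__SITE__",
    "Name": "static-__SITE__",
    "Namespace": "static-sites",
    "Type": "service",
    "Datacenters": ["dc1"],
    "TaskGroups": [
      {
        "Name": "web",
        "Volumes": {
          "site": { "Name": "site", "Type": "host", "Source": "static-__SITE__", "ReadOnly": true }
        },
        "Tasks": [
          {
            "Name": "server",
            "Driver": "docker",
            "Config": { "image": "registry.example.invalid/static-__SITE__:latest" },
            "Env": { "SITE_ROOT": "${NOMAD_ALLOC_DIR}/site" },
            "VolumeMounts": [
              { "Volume": "site", "Destination": "/var/www", "ReadOnly": true }
            ]
          }
        ]
      }
    ]
  }
}
NOMAD_EOF
}

# "Before": an unquoted terminator lets the shell expand ${NOMAD_ALLOC_DIR}
# on the CI runner, where it is unset, so Nomad would receive "/site".
render_env_unquoted() {
  unset NOMAD_ALLOC_DIR
  cat <<EOF
{ "SITE_ROOT": "${NOMAD_ALLOC_DIR}/site" }
EOF
}

# Stand-alone demonstration; the submit step would be:
#   render_job demo > job.json && nomad job run -json job.json
render_job demo
render_env_unquoted
```

When this body lives inside a `run: |` block scalar, every line including the `NOMAD_EOF` terminator must be indented at least as far as the first content line; YAML strips that common indentation before the script reaches the shell, which is what puts the terminator back at column 0.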
- Prestart task fetches from S3 binary cache into shared volume
- Server task serves from shared volume (read-only)
- Build uses S3 cache as substituter (ultra-fast builds for shared deps)
- Push entire closure to cache (derivation + dependencies)
- No host involvement, pure container isolation
Architecture:
- Site A builds nodejs_20 + vite → pushed to cache
- Site B builds → pulls nodejs_20 + vite from cache (instant)
- Only builds site-specific code
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Build in isolated Nix container
- Push to S3 binary cache (no host /nix/store access)
- Pull specific store paths to alvin
- Mount only specific /nix/store/hash to /var/www (read-only)
- Generate signing keys for cache authentication
- Update documentation with binary cache setup
Security improvements:
- Build container has no access to host /nix/store
- Web server only mounts its specific store path
- Proper isolation at every layer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

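The build-side settings that the substituter and signing-key commits above rely on, as an added illustration rather than the action's own configuration: `nix.conf` lists the S3 cache as a substituter, trusts only the named signing keys, and points at the private key used to sign paths on push. Bucket, endpoint, key name and file path are placeholders.

```ini
# Added illustration, not the action's own configuration. Bucket, endpoint,
# key name and paths are placeholders.

# Pull from the public cache first, then the project's S3 cache.
substituters = https://cache.nixos.org s3://nix-cache-placeholder?endpoint=s3.example.invalid&region=us-east-1

# Accept only store paths signed by a listed key. The second entry is the
# output of `nix key convert-secret-to-public` for the project's key.
trusted-public-keys = cache.nixos.org-1:<CACHE_NIXOS_ORG_PUBLIC_KEY> cache.example.invalid-1:<PROJECT_CACHE_PUBLIC_KEY>

# Private key used to sign what `nix copy --to` pushes; created with
# `nix key generate-secret --key-name cache.example.invalid-1`.
secret-key-files = /run/secrets/nix-signing-key
```

Keeping `trusted-public-keys` to exactly these entries is what makes the cache a trust boundary: a path uploaded by anyone without the private key is not substituted, even if it lands in the bucket.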
- New deploy-nix-site action using Nix flakes
- Runs in nixos/nix:latest container for proper isolation
- Builds using flake.nix, uploads to S3, deploys to Nomad
- Update deploy-site action to install Nomad CLI
- Document both actions in README
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>