Skopeo may use /var/tmp for temporary files during docker-archive
operations, even when TMPDIR is set. Create the directory to prevent
'no such file or directory' errors.

/tmp should always be writable in containers, whereas PWD/tmp
might not be accessible from nested containers.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Support unauthenticated registries (e.g., Tailscale-protected internal
registries) by making username/password optional. Only passes credentials
to skopeo if both are provided.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Replace docker load + docker push with skopeo copy to push OCI
images directly to the registry. Benefits:

- No Docker daemon required in runner
- More secure (no socket mounting needed)
- Simpler - direct OCI tarball to registry copy
- Works in any environment with skopeo

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Set build-users-group to empty to disable multi-user builds,
which require nixbld group and build users. This allows the
action to work in single-user Nix environments like containers.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Add Nix config step to enable nix-command and flakes features
before building. Also configures Attic substituters for faster builds.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Add reusable action for building Docker images with Nix flakes:

- Full reproducibility with Nix derivations
- Attic cache integration for build artifacts
- Optimized layering with dockerTools.buildLayeredImage
- Automatic Nix binary cache usage

Use this instead of docker-build when you want:

- Bit-for-bit identical builds
- Better caching via Attic/Nix
- Smaller, optimized images

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>