Christopher Mühl
c54dd89279
Skopeo may use /var/tmp for temporary files during docker-archive operations, even when TMPDIR is set. Create the directory to prevent 'no such file or directory' errors.
104 lines
3.4 KiB
YAML
104 lines
3.4 KiB
YAML
name: Build and Push Docker Image from Nix
|
|
description: Build OCI image with Nix flake, push to registry with Attic caching
|
|
|
|
inputs:
|
|
flake-output:
|
|
description: 'Nix flake output for the OCI image (e.g., .#dojo-image)'
|
|
required: true
|
|
|
|
image-name:
|
|
description: 'Target image name in registry (e.g., git.toph.so/user/repo)'
|
|
required: true
|
|
|
|
image-tag:
|
|
description: 'Image tag'
|
|
required: false
|
|
default: 'main'
|
|
|
|
registry:
|
|
description: 'Docker registry'
|
|
required: false
|
|
default: 'registry.toph.so'
|
|
|
|
registry-username:
|
|
description: 'Registry username (optional for unauthenticated registries)'
|
|
required: false
|
|
default: ''
|
|
|
|
registry-password:
|
|
description: 'Registry password/token (optional for unauthenticated registries)'
|
|
required: false
|
|
default: ''
|
|
|
|
cache-name:
|
|
description: 'Attic cache name to push build artifacts'
|
|
required: false
|
|
default: 'ci'
|
|
|
|
attic-endpoint:
|
|
description: 'Attic cache endpoint'
|
|
required: false
|
|
default: 'https://cache.toph.so'
|
|
|
|
runs:
|
|
using: composite
|
|
steps:
|
|
- name: Configure Nix
|
|
shell: bash
|
|
run: |
|
|
mkdir -p ~/.config/nix
|
|
cat > ~/.config/nix/nix.conf <<EOF
|
|
experimental-features = nix-command flakes
|
|
extra-substituters = https://cache.nixos.org/ ${{ inputs.attic-endpoint }}/ci ${{ inputs.attic-endpoint }}/toph
|
|
extra-trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= ci:db8ZBxd5cjqoGzOYThRQcxj4XnaqHJZBZw1phCQOiz8= toph:E/oP7KyljH/yprI5LArxNPpSlQCdo29sMOkh3jm53Yg=
|
|
build-users-group =
|
|
max-jobs = auto
|
|
cores = 0
|
|
EOF
|
|
|
|
- name: Build OCI image with Nix
|
|
shell: bash
|
|
run: |
|
|
echo "Building ${{ inputs.flake-output }}..."
|
|
nix build "${{ inputs.flake-output }}" --print-build-logs --refresh
|
|
|
|
- name: Push build artifacts to Attic cache
|
|
shell: bash
|
|
if: env.ATTIC_TOKEN != ''
|
|
env:
|
|
ATTIC_TOKEN: ${{ env.ATTIC_TOKEN }}
|
|
run: |
|
|
# Configure attic client
|
|
mkdir -p ~/.config/attic
|
|
cat > ~/.config/attic/config.toml <<EOF
|
|
[servers.cache]
|
|
endpoint = "${{ inputs.attic-endpoint }}"
|
|
token = "${ATTIC_TOKEN}"
|
|
EOF
|
|
|
|
# Push entire closure to cache (don't fail if this fails)
|
|
if ! attic push "${{ inputs.cache-name }}" ./result; then
|
|
echo "Warning: Failed to push to Attic cache, continuing anyway"
|
|
fi
|
|
|
|
- name: Push image to registry with skopeo
|
|
shell: bash
|
|
run: |
|
|
TARGET_IMAGE="docker://${{ inputs.registry }}/${{ inputs.image-name }}:${{ inputs.image-tag }}"
|
|
echo "Pushing OCI image to: $TARGET_IMAGE"
|
|
|
|
# Set TMPDIR to a writable location (/tmp should always be writable in containers)
|
|
export TMPDIR="${TMPDIR:-/tmp}"
|
|
mkdir -p "$TMPDIR"
|
|
|
|
# Ensure /var/tmp exists as fallback (skopeo may use this)
|
|
sudo mkdir -p /var/tmp 2>/dev/null || mkdir -p /var/tmp || true
|
|
|
|
# Build skopeo command with optional credentials
|
|
SKOPEO_CMD="skopeo copy"
|
|
if [ -n "${{ inputs.registry-username }}" ] && [ -n "${{ inputs.registry-password }}" ]; then
|
|
SKOPEO_CMD="$SKOPEO_CMD --dest-creds ${{ inputs.registry-username }}:${{ inputs.registry-password }}"
|
|
fi
|
|
|
|
# Use skopeo to push directly from OCI tarball to registry
|
|
$SKOPEO_CMD "docker-archive:./result" "$TARGET_IMAGE"
|