| author | seth <[email protected]> | 2024-01-07 20:42:07 -0500 |
|---|---|---|
| committer | seth <[email protected]> | 2024-01-07 21:08:57 -0500 |
| commit | 90ad9d652f009a53b57115c924446baf6f1d3b7b (patch) | |
| tree | 6df1841fc082fefd37846391a0d9964cb482b401 /.github | |
| parent | 4578d68f3106f95607e9d3e713936ba2a565322b (diff) | |
feat: use nix to build images
this should result in smaller images, as well as safer updates
Diffstat (limited to '.github')
| -rw-r--r-- | .github/dependabot.yml | 8 | ||||
| -rw-r--r-- | .github/workflows/check-commit.yml | 31 | ||||
| -rw-r--r-- | .github/workflows/docker-publish.yml | 63 | ||||
| -rw-r--r-- | .github/workflows/docker.yaml | 87 |
4 files changed, 95 insertions, 94 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8db6eb5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ commit-message:
+ prefix: "deps(actions)"
diff --git a/.github/workflows/check-commit.yml b/.github/workflows/check-commit.yml
deleted file mode 100644
index 87d00a0..0000000
--- a/.github/workflows/check-commit.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: Get latest commit -on: - workflow_dispatch: - schedule: - - cron: '0 0 * * *' - -jobs: - get-commit: - runs-on: ubuntu-latest - steps: - - uses: actions/[email protected] - - name: Fetch packwiz commit - run: | - curl -sL https://api.github.com/repos/packwiz/packwiz/commits | jq .[0].sha > current_commit.txt - - name: Check for new commit - id: git-check - run: | - echo ::set-output name=modified::$([ -z "`git status --porcelain`" ] && echo "false" || echo "true") - - name: Update cached commit - if: steps.git-check.outputs.modified == 'true' - run: | - git config --global user.name 'github-actions' - git config --global user.email '[email protected]' - git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }} - - git add current_commit.txt - - git commit -m "chore: update packwiz commit" - git tag -a "$(date '+%Y%m%d')" -m "scheduled release" - - git push --follow-tags
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
deleted file mode 100644
index 1e19120..0000000
--- a/.github/workflows/docker-publish.yml
+++ /dev/null
@@ -1,63 +0,0 @@
-name: Publish Docker Image - -on: - push: - tags: - - '*' - pull_request: - branches: - - 'main' - -env: - IMAGE_NAME: ${{ github.repository }} - - -jobs: - build: - - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@main - - - name: Setup Docker buildx - uses: docker/setup-buildx-action@v2 - - - name: Log into docker hub - if: github.event_name != 'pull_request' - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_TOKEN }} - - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v4 - with: - images: ${{ env.IMAGE_NAME }} - - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@v3 - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
new file mode 100644
index 0000000..b90999a
--- /dev/null
+++ b/.github/workflows/docker.yaml
@@ -0,0 +1,87 @@
+name: Publish Docker Image
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+
+jobs:
+ build:
+ name: Build image
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ arch: [x86_64, aarch64]
+
+ permissions:
+ contents: read
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@v9
+
+ - name: Setup Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@v2
+
+ - name: Build Docker image
+ id: build
+ run: |
+ nix build -L .#container-${{ matrix.arch }}
+ [ ! -L result ] && exit 1
+ echo "path=$(realpath result)" >> "$GITHUB_OUTPUT"
+
+ - name: Upload image
+ uses: actions/upload-artifact@v4
+ with:
+ name: container-${{ matrix.arch }}
+ path: ${{ steps.build.outputs.path }}
+ if-no-files-found: error
+ retention-days: 12
+
+ push:
+ name: Push image
+ runs-on: ubuntu-latest
+ needs: build
+
+ permissions:
+ contents: read
+ packages: write
+
+ if: github.event_name == 'push'
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Download images
+ uses: actions/download-artifact@v4
+ with:
+ path: images
+
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_TOKEN }}
+
+ - name: Push to registry
+ env:
+ TAG: docker.io/getchoo/packwiz-serve:latest
+ run: |
+ set -euo pipefail
+
+ architectures=("x86_64" "aarch64")
+ for arch in "${architectures[@]}"; do
+ docker load < images/container-"$arch"/*.tar.gz
+ docker tag packwiz-serve:latest-"$arch" ${{ env.TAG }}-"$arch"
+ docker push ${{ env.TAG }}-"$arch"
+ done
+
+ docker manifest create ${{ env.TAG }} \
+ --amend ${{ env.TAG }}-x86_64 \
+ --amend ${{ env.TAG }}-aarch64
+
+ docker manifest push ${{ env.TAG }} |
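Review bot: The new push job publishes an unsigned `:latest` manifest — the deleted docker-publish.yml signed every pushed image by digest with cosign (`id-token: write`, `sigstore/cosign-installer`, `cosign sign {}@digest`), and nothing in this hunk carries that over, so consumers lose image provenance even though the commit description promises safer updates. Because the image is only ever tagged `latest` there is also no immutable tag to pin to, which makes the missing signature worse. I would grant the push job `id-token: write`, install cosign, capture the digest from `docker manifest push` (it prints the pushed manifest digest on stdout — confirm this against the docker version on the runner) and sign that digest, as sketched below; referencing the exported `$TAG` shell variable instead of `${{ env.TAG }}` inside `run:` also keeps workflow-expression expansion out of the script body. Separately, every action here is pinned to a floating major tag (`@v4`, `@v9`, `@v2`, `@v3`); the dependabot config in this commit will keep them current, but pinning to commit SHAs is what protects the build against a retagged or compromised action. The `packages: write` grant on the push job appears unused since the push goes to docker.io with a Docker Hub token rather than to GHCR, so it can be dropped.

```yaml
    permissions:
      contents: read
      id-token: write  # keyless cosign signing; packages: write was unused (push targets docker.io)

    # … unchanged: if:, checkout, download and login steps …

      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Push to registry
        env:
          TAG: docker.io/getchoo/packwiz-serve:latest
        run: |
          set -euo pipefail
          # … unchanged: per-arch load/tag/push loop and docker manifest create …
          digest="$(docker manifest push "$TAG")"
          # sign the multi-arch manifest by digest, not by tag, so the signature cannot drift
          cosign sign --yes "${TAG%:*}@${digest}"
```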
