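# Builds the container image for each architecture with Nix, gates the
# release on every matrix leg having succeeded, and publishes a multi-arch
# manifest to GHCR on pushes to main.
name: Docker

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it.
on:
  push:
    branches: [main]
    paths:
      - "**.nix"
      - "**.rs"
      - "Cargo.lock"
      - "Cargo.toml"
      - "flake.lock"

      - ".github/workflows/docker.yaml"
  pull_request:
    paths:
      - "**.nix"
      - "**.rs"
      - "Cargo.lock"
      - "Cargo.toml"
      - "flake.lock"

      - ".github/workflows/docker.yaml"
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN: every job gets a read-only token
# unless it declares its own `permissions` block (which replaces this one).
permissions:
  contents: read

jobs:
  build:
    name: Build image

    strategy:
      # Keep building the other architecture when one leg fails; the gate job
      # below is what turns a failed leg into a failed run.
      fail-fast: false
      matrix:
        arch: [amd64, arm64]

    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # The token is not needed after checkout; do not leave it in
          # .git/config where later steps and third-party actions can read it.
          persist-credentials: false

      # Third-party actions are pinned to major-version tags, which move;
      # pinning to full commit SHAs gives a reproducible supply chain.
      - name: Install Nix
        uses: DeterminateSystems/nix-installer-action@v14

      - name: Setup Nix cache
        uses: DeterminateSystems/magic-nix-cache-action@v8

      - name: Build Docker image
        id: build
        env:
          ARCH: ${{ matrix.arch }}
        run: |
          nix build \
            --fallback \
            --print-build-logs \
            .#container-"$ARCH"

          # nix build leaves a `result` symlink on success; fail loudly if it is missing
          if [ ! -L result ]; then
            echo "nix build produced no result symlink" >&2
            exit 1
          fi
          # Resolve the symlink so the artifact step sees the store path itself.
          echo "path=$(readlink -f ./result)" >> "$GITHUB_OUTPUT"

      - name: Upload image
        uses: actions/upload-artifact@v4
        with:
          name: container-${{ matrix.arch }}
          path: ${{ steps.build.outputs.path }}
          # A missing image must fail the build, not silently upload nothing.
          if-no-files-found: error
          retention-days: 1

  release-gate:
    name: Docker Release Gate
    needs: build

    # Run even when `build` failed or was cancelled: without this the gate is
    # skipped, and a skipped job counts as passing for required status checks,
    # so the failure/cancelled check in the step below could never fire.
    if: always()

    runs-on: ubuntu-latest

    steps:
      - name: Exit with error
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: exit 1

  push:
    name: Push image
    needs: release-gate

    # Only publish from pushes to main; pull_request runs never reach this job.
    # The implicit success() check still applies, so a failed gate blocks it.
    if: github.event_name == 'push'

    runs-on: ubuntu-latest

    # Job-level permissions replace the workflow default, so `contents: read`
    # has to be restated here for the checkout step.
    permissions:
      contents: read
      packages: write

    env:
      REGISTRY: ghcr.io
      USERNAME: ${{ github.actor }}

    steps:
      - name: Set image name
        # GHCR requires a lowercase repository path; `,,` lowercases in bash.
        run: |
          echo "IMAGE_NAME=${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Download images
        uses: actions/download-artifact@v4
        with:
          # Artifacts land in images/container-<arch>/ per matrix leg.
          path: images

      - name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ env.USERNAME }}
          # The ephemeral job token, scoped by the `permissions` block above.
          password: ${{ github.token }}

      - name: Push to registry
        env:
          TAG: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
        run: |
          # Must match the matrix above; each per-arch image is pushed under
          # its own tag and then stitched into one manifest list.
          architectures=("amd64" "arm64")
          for arch in "${architectures[@]}"; do
            docker load < images/container-"$arch"/*.tar.gz
            docker tag nixpkgs-tracker-bot:latest-"$arch" "$TAG"-"$arch"
            docker push "$TAG"-"$arch"
          done

          docker manifest create "$TAG" \
            --amend "$TAG"-amd64 \
            --amend "$TAG"-arm64

          docker manifest push "$TAG"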