-
Notifications
You must be signed in to change notification settings - Fork 1
83 lines (72 loc) · 3.1 KB
/
push-to-ghcr.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
name: Push Docker image to ghcr.io
on:
workflow_dispatch:
push:
# NOTE: if you want to add a branch here other than `main`, please
# consider whether it will cause an unnecessary Primer Nix build
# on a GitHub runner! See the note below.
branches:
- main
jobs:
push-image-to-ghcr:
permissions:
contents: read
packages: write
id-token: write
runs-on: ubuntu-latest
steps:
- name: Checkout repo
uses: actions/checkout@v4.1.0
with:
# Required by flakes
fetch-depth: 0
- name: Import secrets from Vault
uses: hashicorp/vault-action@v2.7.3
id: secrets
with:
url: https://vault.hackworth-corp.com
path: "github-actions"
role: primer-workflow-push-docker-image
method: jwt
secrets: |
secret/data/cachix/hackworthltd-private/github-workflows token | CACHIX_AUTH_TOKEN ;
- name: Install & configure Nix
uses: cachix/install-nix-action@v23
with:
extra_nix_config: |
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hackworthltd.cachix.org-1:0JTCI0qDo2J+tonOalrSQP3yRNleN6bQucJ05yDltRI= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= loony-tools:pr9m4BkM/5/eSTZlkQyRt57Jz7OMBxNSUiMC4FkcNfk=
substituters = https://cache.nixos.org?priority=10 https://hackworthltd.cachix.org?priority=30 https://cache.iog.io?priority=40 https://cache.zw3rk.com?priority=50
- name: Configure Cachix for private Hackworth Ltd cache
uses: cachix/cachix-action@v12
with:
name: hackworthltd-private
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
skipPush: true
# Note: if this Nix derivation hasn't been built yet, it will
# kick off a Primer Nix build on a GitHub runner, which isn't
# ideal. However, because we use GitHub merge queues with this
# repo, and because this workflow is (currently) only
# configured to run on pushes to `main`, we can be confident
# that it will already have been built and can be pulled from
# our Cachix cache without kicking off any builds.
- name: Fetch Primer service Docker image
run: |
nix build -L .#packages.x86_64-linux.primer-service-docker-image
- name: Authenticate to ghcr.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image to ghcr.io
shell: bash
run: |
docker load < result
IMAGE=$(docker image list -f reference=primer-service --format "{{.Repository}}:{{.Tag}}")
TAG=$(docker image list -f reference=primer-service --format "{{.Tag}}")
echo "Loaded image: ${IMAGE}"
NAME="ghcr.io/hackworthltd/primer-service:$TAG"
docker tag "$IMAGE" "$NAME"
echo "Pushing image to ghcr.io: ${NAME}"
docker push "$NAME"
echo "Image pushed."