ci: add publish-arm64 flake app for local parity (emmett#44)
ci/woodpecker/push/woodpecker Pipeline was successful
Introduce a shared publish-arm64 flake app (archetype oci-image-skopeo) that builds the arm64 docker-archive via Nix and skopeo-copies it to the Gitea OCI registry as :<ver>-arm64, mirroring to :latest-arm64. Both .woodpecker.yaml and `nix run .#publish-arm64` invoke the same app so CI and local cannot drift.

- dry-run by default; PUBLISH=1 to actually push (safe to run locally)
- token via $REGISTRY_TOKEN, fallback pass infra/gitea/personal_access_token_packages_rw
- token never printed; no set -x on token-bearing paths
- rename CI secret env CI_REGISTRY_TOKEN -> REGISTRY_TOKEN
- thin .woodpecker.yaml: one PUBLISH=1 nix run line
- --help/--dry-run honored; meta.description set
+6
-26
@@ -24,7 +24,8 @@ steps:
|
||||
environment:
|
||||
GITEA_CLONE_TOKEN:
|
||||
from_secret: gitea_clone_token
|
||||
CI_REGISTRY_TOKEN:
|
||||
# Single token env var shared by CI + local parity (emmett#44).
|
||||
REGISTRY_TOKEN:
|
||||
from_secret: registry_token
|
||||
backend_options:
|
||||
kubernetes:
|
||||
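Review bot: The renamed `REGISTRY_TOKEN` entry under `environment:` is exported to the whole step, so every command in it inherits a registry push credential alongside `GITEA_CLONE_TOKEN`, including the `.netrc` setup and whatever the flake app runs. Only the env name changed (`from_secret: registry_token` is untouched), so check that nothing else in the repository still reads `CI_REGISTRY_TOKEN`, and if the `registry_token` secret is not already limited to push events on the release branch, restrict it there so a build of untrusted changes never sees it. The new comment explains the rename well; it would help to add that the local fallback described in the commit message is not expected to apply in CI.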
@@ -43,28 +44,7 @@ steps:
|
||||
EOF
|
||||
- if [ -n "$GITEA_CLONE_TOKEN" ]; then echo "machine git.oleks.space login oleks password $GITEA_CLONE_TOKEN" >~/.netrc && chmod 600 ~/.netrc; fi
|
||||
|
||||
# Resolve the upstream Angie version and build the image stream script.
|
||||
- VERSION="$(nix eval --raw .#angieVersion)"
|
||||
- echo "Building angie $VERSION"
|
||||
- STREAM="$(nix build .#default --print-out-paths --no-link)"
|
||||
|
||||
# skopeo's containers/image library writes intermediate files under
|
||||
# /var/tmp (not TMPDIR), and the nix-ci image doesn't seed that path.
|
||||
- mkdir -p /var/tmp && chmod 1777 /var/tmp
|
||||
|
||||
# Auth + push to Gitea OCI registry under both <ver>-arm64 and latest-arm64.
|
||||
- mkdir -p ~/.config/containers
|
||||
- |
|
||||
printf '{"auths":{"git.oleks.space":{"auth":"%s"}}}\n' \
|
||||
"$(printf 'oleks:%s' "$CI_REGISTRY_TOKEN" | base64 -w0)" \
|
||||
> ~/.config/containers/auth.json
|
||||
- |
|
||||
nix run nixpkgs#skopeo -- copy --insecure-policy \
|
||||
--authfile ~/.config/containers/auth.json \
|
||||
docker-archive:<("$STREAM") \
|
||||
docker://git.oleks.space/oleks/angie:$VERSION-arm64
|
||||
- |
|
||||
nix run nixpkgs#skopeo -- copy --insecure-policy \
|
||||
--authfile ~/.config/containers/auth.json \
|
||||
docker://git.oleks.space/oleks/angie:$VERSION-arm64 \
|
||||
docker://git.oleks.space/oleks/angie:latest-arm64
|
||||
# Thin front door: CI and `nix run .#publish-arm64` on emmett run the
|
||||
# exact same shared app (emmett#44, archetype oci-image-skopeo). The app
|
||||
# is dry-run by default; PUBLISH=1 makes it actually push.
|
||||
- PUBLISH=1 nix run .#publish-arm64
|
||||
|
||||
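Review bot: The replacement line `PUBLISH=1 nix run .#publish-arm64` moves every credential-handling detail of the removed steps into an app this hunk does not show, so three things need confirming in that app before merge. First, the removed `mkdir -p /var/tmp && chmod 1777 /var/tmp` was there because the nix-ci image does not seed that path for skopeo; the app has to carry it over or the CI push will break. Second, the removed step wrote `~/.config/containers/auth.json` with no `chmod`, unlike the `.netrc` line kept above it, which does `chmod 600`; the app should write its authfile with mode 0600 to a private temporary path and delete it on exit. Third, the commit message describes a fallback to `pass` when `$REGISTRY_TOKEN` is unset; with `PUBLISH=1` in CI an empty `REGISTRY_TOKEN` should be a hard failure with a clear message rather than an attempted fallback. It is also worth stating in the comment block whether `--insecure-policy` is still passed to skopeo, since that flag is no longer visible in the pipeline file.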