-
Notifications
You must be signed in to change notification settings - Fork 0
208 lines (194 loc) Β· 8.63 KB
/
container.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
name: β¬’π¦
on:
push:
tags:
- 'v*'
branches:
- main
paths:
- '.github/workflows/container.yml'
- 'containers/**'
- '.containerignore'
- 'flake.*'
- 'home-manager/**'
- 'config/**'
- '!**.md'
pull_request:
types:
- labeled
workflow_dispatch:
jobs:
# podman can handle lowercase. So normalize the outputs
get-meta:
runs-on: ubuntu-24.04
timeout-minutes: 5
outputs:
started_at: ${{ steps.timestamp.outputs.started_at }}
ref_tag: ${{ steps.tags.outputs.ref }}
special_tag: ${{ steps.tags.outputs.special }}
timestamp_tag: ${{ steps.tags.outputs.timestamp }}
require_comments: ${{ steps.comments.outputs.require }}
steps:
- name: Get started timestamp
id: timestamp
run: |
# Do not use ":" delimiter as iso-8601/rfc-3339, it cannot be used in container tag
echo started_at="$(date --utc '+%Y%m%d-%H%M%S-%Z')" | ruby -pe '$_.downcase!' | tee -a "$GITHUB_OUTPUT"
- name: Judge to post comments or not
id: comments
if: >-
(github.actor == github.repository_owner) && (github.event_name == 'pull_request')
run: echo -n 'require=true' | tee -a "$GITHUB_OUTPUT"
- name: Generate tags for the image
id: tags
# https://github.com/orgs/community/discussions/26557#discussioncomment-3252327
run: |
echo "timestamp=${{ steps.timestamp.outputs.started_at }}" | tee -a "$GITHUB_OUTPUT"
special=''
ref=''
if [ '${{ github.event_name }}' = 'pull_request' ]; then
special='pr-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}'
ref='${{ github.event.pull_request.head.sha }}'
elif [ '${{ github.ref_name }}' = '${{ github.event.repository.default_branch }}' ]; then
special='latest'
ref='${{ github.sha }}'
else
exit 1
fi
echo "special=${special}" | tee -a "$GITHUB_OUTPUT"
echo "ref=${ref}" | tee -a "$GITHUB_OUTPUT"
minimize-old-comments:
needs: [get-meta]
if: ${{ needs.get-meta.outputs.require_comments == 'true' }}
uses: ./.github/workflows/minimize-staging-deploy-comments.yml
with:
pr-number: ${{ github.event.number }}
build_and_push:
# Do not set `cancel-in-progress: true` in main branch, it displays failure badges
# https://github.com/orgs/community/discussions/8336
concurrency:
group: 'deploy-container-${{ github.ref }}'
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
needs: [get-meta, minimize-old-comments]
if: >-
(! failure()) &&
((github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy-staging')) ||
(github.event_name != 'pull_request'))
runs-on: ubuntu-24.04
timeout-minutes: 60
steps:
- name: Logging dependency versions
run: |
podman version
crun --version
buildah version
- name: Install gh-action-escape
run: curl -fsSL https://raw.githubusercontent.com/kachick/gh-action-escape/main/scripts/install-in-github-action.sh | sh -s v0.2.0
- uses: actions/checkout@v4
- name: Build base Image
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
with:
image: systemd-prepared
containerfiles: |
containers/Containerfile
oci: true
- name: Inspect the created image
run: 'podman inspect systemd-prepared'
- name: Start systemd
id: start-systemd
run: |
set -euxo pipefail
container_id="$(podman run --detach --rm systemd-prepared)"
echo container_id="$container_id" | tee -a "$GITHUB_OUTPUT"
- name: Wait for the systemd to be ready
run: 'sleep 2'
- name: Run Nix commands and cleanup provisioners
run: |
set -euxo pipefail
podman exec --user=user -it '${{ steps.start-systemd.outputs.container_id }}' /provisioner/needs_systemd.bash
podman exec --user=root -it '${{ steps.start-systemd.outputs.container_id }}' rm -rf /provisioner
- name: Check no personal name in that config
run: |
# https://unix.stackexchange.com/a/340729
assign_stdin_to_global_command_variable() {
command="$(cat)"
}
assign_stdin_to_global_command_variable <<'EOF'
set -uxo
# https://unix.stackexchange.com/questions/311090/how-to-disable-set-x
set +e
/home/user/.nix-profile/bin/rg --hidden --follow --glob='!.local/state' --glob='!.nix-*' 'kachick1'
# Need to check the exit code if we want to make sure "not found" in grep family
# https://github.com/BurntSushi/ripgrep/issues/1290#issuecomment-761170095
ripgrep_exit_code="$?" # Do not directly use the $? to prevent inserting another command as a human error
[[ "$ripgrep_exit_code" -eq 1 ]]
EOF
podman exec --user=user --workdir=/home/user -it '${{ steps.start-systemd.outputs.container_id }}' bash -c "$command"
- name: Persist the container to image
run: |
podman commit \
--author 'https://github.com/${{github.repository}}/actions/runs/${{ github.run_id }}' \
'${{ steps.start-systemd.outputs.container_id }}' home
podman kill '${{ steps.start-systemd.outputs.container_id }}'
podman tag home home:${{ needs.get-meta.outputs.special_tag }}
podman tag home home:${{ needs.get-meta.outputs.ref_tag}}
podman tag home home:${{ needs.get-meta.outputs.timestamp_tag }}
- name: Inspect the created image
run: 'podman inspect home'
- name: Test the created image
run: |
set -euxo pipefail
container_id="$(podman run --detach --rm home:${{ needs.get-meta.outputs.started_at }})"
# shellcheck disable=SC2064
trap "podman kill '$container_id'" EXIT ERR
sleep 2 # Wait for the systemd to be ready
podman exec --user=user "$container_id" cat /etc/nix/nix.conf
podman exec --user=user --workdir='/home/user' -it "$container_id" '/home/user/.nix-profile/bin/zsh' -c 'la; lat ~/.config'
- name: Push To ghcr.io
id: push-to-ghcr
if: ${{ github.actor == github.repository_owner }}
# Using this method makes ghcr.io warning
# `No description provided`
# `To provide a description, add the following line to your Dockerfile:`
# But you have not to care this noise for now, it is happened even in redhat official
# https://github.com/kachick/dotfiles/issues/471#issuecomment-2002565514
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
with:
image: home
tags: ${{ needs.get-meta.outputs.special_tag }} ${{ needs.get-meta.outputs.ref_tag }} ${{ needs.get-meta.outputs.timestamp_tag }}
registry: ghcr.io/${{ github.repository_owner }}
username: ${{ github.repository_owner }}
password: ${{ github.token }}
- name: Inspect the package
id: inspect-package
if: ${{ github.actor == github.repository_owner }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euxo pipefail
echo "${{ toJSON(steps.push-to-ghcr.outputs) }}"
gh api --paginate \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/users/${{ github.repository_owner }}/packages/container/home/versions \
--jq '.[] | select(.name == "${{ steps.push-to-ghcr.outputs.digest }}")' | \
jq | gh-action-escape -name=json | tee -a "$GITHUB_OUTPUT"
- name: Post comments
if: ${{ needs.get-meta.outputs.require_comments == 'true' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
(
cat <<'EOF'
β¬’π¦ Staging container-image has been deployed π\
You can test the interactive shell π as follows.
```bash
bash <(curl -fsSL 'https://raw.githubusercontent.com/kachick/dotfiles/${{ github.event.pull_request.head.sha }}/containers/sandbox-with-ghcr.bash') '${{ github.event.pull_request.head.sha }}'
```
The package detail
```json
${{ steps.inspect-package.outputs.json }}
```
This image will be automatically π€ removed from ghcr.io ποΈ if you merged/closed this PR π
EOF
) | gh pr comment ${{ github.event.number }} --body-file -