ci: switch images from Docker Hub to GitHub Packages

Docker changed their mind and are asking us to pay to keep the org on Docker Hub.
REMOVEME: testing
2026-01-12 04:40:42 -05:00 · 2023-03-16 12:18:40 +01:00 · 2023-03-16 12:18:40 +01:00
24 changed files with 54 additions and 282 deletions
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -2,13 +2,16 @@ name: Nix
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
  workflow_dispatch:
  schedule:
    # Run once per day
    - cron: '0 0 * * *'
 env:
  CI_REGISTRY: ghcr.io
 jobs:
  build:
    strategy:
@@ -17,11 +20,9 @@ jobs:
      matrix:
        channel:
          - nixos-unstable
-          - nixos-25.05
+          - nixos-22.05
-          - nixos-25.11
+          - nixos-22.11
-        system:
+
          - aarch64-linux
          - x86_64-linux
    runs-on: ubuntu-latest
    permissions:
@@ -29,54 +30,15 @@ jobs:
      packages: write
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v3
-      - name: Set up QEMU
+      - name: Log in to the Container registry
-        uses: docker/setup-qemu-action@v3
+        uses: docker/login-action@v2.1.0
        with:
-          platforms: arm64
+          registry: ${{ env.CI_REGISTRY }}
-      - uses: DeterminateSystems/nix-installer-action@main
+          username: ${{ github.actor }}
-        with:
+          password: ${{ secrets.GITHUB_TOKEN }}
          extra-conf: |
            extra-platforms = aarch64-linux
      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - name: Push to Docker Hub
+      - uses: cachix/install-nix-action@v20
-        run: nix-shell --run ./ci.sh
+      - run: nix-shell --run ./ci.sh
        env:
          CI_PROJECT_PATH: 'nixpkgs'
          CI_REGISTRY: 'docker.io'
          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          NIX_SYSTEM_NAME: '${{ matrix.system }}'
      - name: Push to GitHub Pages
        run: nix-shell --run ./ci.sh
        env:
          CI_PROJECT_PATH: 'nix-community/docker-nixpkgs'
          CI_REGISTRY: 'ghcr.io'
          CI_REGISTRY_AUTH: '${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          NIX_SYSTEM_NAME: '${{ matrix.system }}'
  push-manifest:
    needs: [build]
    strategy:
      fail-fast: false
      matrix:
        channel:
          - nixos-unstable
          - nixos-25.05
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          extra-conf: |
            extra-platforms = aarch64-linux
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix-shell --run ./ci-manifests.sh
        env:
          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          NIX_SYSTEM_NAME: '${{ matrix.system }}'
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,12 +3,12 @@ stages:
 build:
  stage: build
-  image: nixpkgs/nix:nixos-25.05
+  image: nixpkgs/nix:nixos-22.05
  script: nix-shell --run ./ci.sh
  parallel:
    matrix:
      - NIXPKGS_CHANNEL: nixos-unstable
        IMAGE_TAG: latest
      - NIXPKGS_CHANNEL:
-          - nixos-25.05
+          - nixos-22.05
-          - nixos-25.11
+          - nixos-22.11
--- a/README.md
+++ b/README.md
@@ -1,5 +1,9 @@
 # docker-nixpkgs: docker images from nixpkgs
 > Docker recently requested that we start paying $420.-/year in order to keep
 > the organization. So we moved the images to GitHub. Sorry for the
 > inconvenience.
 This project is a collection of docker images automatically produced with Nix
 and the latest nixpkgs package set. All the images are refreshed daily with
 the latest versions of nixpkgs.
@@ -39,8 +43,8 @@ nixpkgs channel describes.
 | Channel        | Image Tag   | Description                                       |
 | ---            | ---         | ---                                               |
-| nixos-25.05    | nixos-25.05 | only minor versions that include security updates |
+| nixos-22.05    | nixos-22.05 | only minor versions that include security updates |
-| nixos-25.11    | nixos-25.11 | only minor versions that include security updates |
+| nixos-22.11    | nixos-22.11 | only minor versions that include security updates |
 | nixos-unstable | latest      | latest and greatest, major versions might change  |
 ## List of images
@@ -52,11 +56,9 @@ All images are automatically built and published to Docker Hub, and served
 on our custom domain, courtesy of [Scarf](https://scarf.sh).
 `> ./readme-image-matrix`
 <!-- BEGIN mdsh -->
 | Image / Tag | Pull |
 | ---         | ---  |
 | [nixpkgs/attic](https://hub.docker.com/r/nixpkgs/attic)| `docker pull docker.nix-community.org/nixpkgs/attic` |
 | [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash)| `docker pull docker.nix-community.org/nixpkgs/bash` |
 | [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox)| `docker pull docker.nix-community.org/nixpkgs/busybox` |
 | [nixpkgs/cachix](https://hub.docker.com/r/nixpkgs/cachix)| `docker pull docker.nix-community.org/nixpkgs/cachix` |
@@ -64,19 +66,15 @@ on our custom domain, courtesy of [Scarf](https://scarf.sh).
 | [nixpkgs/caddy](https://hub.docker.com/r/nixpkgs/caddy)| `docker pull docker.nix-community.org/nixpkgs/caddy` |
 | [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl)| `docker pull docker.nix-community.org/nixpkgs/curl` |
 | [nixpkgs/devcontainer](https://hub.docker.com/r/nixpkgs/devcontainer)| `docker pull docker.nix-community.org/nixpkgs/devcontainer` |
 | [nixpkgs/devenv](https://hub.docker.com/r/nixpkgs/devenv)| `docker pull docker.nix-community.org/nixpkgs/devenv` |
 | [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose)| `docker pull docker.nix-community.org/nixpkgs/docker-compose` |
 | [nixpkgs/hugo](https://hub.docker.com/r/nixpkgs/hugo)| `docker pull docker.nix-community.org/nixpkgs/hugo` |
 | [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl)| `docker pull docker.nix-community.org/nixpkgs/kubectl` |
 | [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm)| `docker pull docker.nix-community.org/nixpkgs/kubernetes-helm` |
 | [nixpkgs/maddy](https://hub.docker.com/r/nixpkgs/maddy)| `docker pull docker.nix-community.org/nixpkgs/maddy` |
 | [nixpkgs/nginx](https://hub.docker.com/r/nixpkgs/nginx)| `docker pull docker.nix-community.org/nixpkgs/nginx` |
 | [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix)| `docker pull docker.nix-community.org/nixpkgs/nix` |
 | [nixpkgs/nix-flakes](https://hub.docker.com/r/nixpkgs/nix-flakes)| `docker pull docker.nix-community.org/nixpkgs/nix-flakes` |
 | [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable` |
 | [nixpkgs/nix-unstable-static](https://hub.docker.com/r/nixpkgs/nix-unstable-static)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable-static` |
 | [nixpkgs/pocket-id](https://hub.docker.com/r/nixpkgs/pocket-id)| `docker pull docker.nix-community.org/nixpkgs/pocket-id` |
 | [nixpkgs/yarr](https://hub.docker.com/r/nixpkgs/yarr)| `docker pull docker.nix-community.org/nixpkgs/yarr` |
 <!-- END mdsh -->
 ## Adding new images
--- a/ci-manifests.sh
+++ b/ci-manifests.sh
@@ -1,39 +0,0 @@
 #!/usr/bin/env bash
 #
 # CI specific build script.
 #
 set -euo pipefail
 channel=${NIXPKGS_CHANNEL:-nixos-unstable}
 registry=${CI_REGISTRY:-docker.io}
 registry_auth=${CI_REGISTRY_AUTH:-}
 image_prefix=${CI_PROJECT_PATH:-nixpkgs}
 if [[ $channel == nixos-unstable ]]; then
  image_tag=latest
 else
  image_tag=$channel
 fi
 export NIX_PATH=channel:$channel
 banner() {
  echo "========================================================"
  echo "  $*"
  echo "========================================================"
 }
 cd "$(dirname "$0")"
 if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
  banner "Skipping push on non-main branch"
  exit
 fi
 if [[ -n "${registry_auth}" ]]; then
  banner "docker login"
  ./docker-login "$registry_auth" "$registry"
 fi
 banner "generate manifests"
 ./generate-manifests "$registry" "$image_prefix" "$image_tag"
--- a/ci.sh
+++ b/ci.sh
@@ -5,10 +5,9 @@
 set -euo pipefail
 channel=${NIXPKGS_CHANNEL:-nixos-unstable}
-registry=${CI_REGISTRY:-docker.io}
+registry=${CI_REGISTRY:-ghcr.io}
 registry_auth=${CI_REGISTRY_AUTH:-}
-image_prefix=${CI_PROJECT_PATH:-nixpkgs}
+image_prefix=${CI_PROJECT_PATH:-nix-community/docker-nixpkgs}
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 if [[ $channel == nixos-unstable ]]; then
  image_tag=latest
@@ -31,12 +30,11 @@ banner "Building images"
 nix-build \
  --no-out-link \
  --option sandbox true \
  --argstr system "$system_name"
-if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
+# if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
-  banner "Skipping push on non-main branch"
+#   banner "Skipping push on non-master branch"
-  exit
+#   exit
-fi
+# fi
 if [[ -n "${registry_auth}" ]]; then
  banner "docker login"
@@ -45,8 +43,3 @@ fi
 banner "docker push"
 ./push-all "$registry" "$image_prefix" "$image_tag"
 if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
  banner "docker metadata update"
  ./dockerhub-metadata "$registry_auth" "$image_prefix"
 fi
--- a/default.nix
+++ b/default.nix
@@ -1,14 +1,4 @@
-{
+let
-  system ? builtins.currentSystem
+  pkgs = import ./pkgs.nix;
 }: let
  _parts = builtins.split "-" system;
  arch = builtins.elemAt _parts 0;
  os = builtins.elemAt _parts 2;
  system' =
    if os == "darwin"
    then "${arch}-linux"
    else system;
  pkgs =
    import ./pkgs.nix system';
 in
 pkgs.docker-nixpkgs
--- a/46
+++ b/46
@@ -1,46 +0,0 @@
 #!/usr/bin/env bash
 #
 # Update docker hub image descriptions. The API is not documented and might
 # break in the future.
 #
 # Usage: ./dockerhub-metadata <user> <password> [org]
 set -euo pipefail
 user=$1
 org=${2:-nixpkgs}
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 nix_eval() {
  nix-instantiate --strict --eval --argstr system "$system_name" --json "$@"
 }
 releases_json=$(nix_eval)
 to_json() {
  local desc=$1 full_desc=$2
  jq -n \
    --arg desc "$desc" \
    --arg full_desc "$full_desc" \
    '.description=$desc | .full_description=$full_desc'
 }
 echo "=== Updating Docker Hub project descriptions"
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  echo "--- $attr"
  desc=$(nix_eval -A "$attr.meta.description" | jq -r .)
  if [[ -f "$attr/README.md" ]]; then
    full_desc=$(< "$attr/README.md")
  else
    full_desc=$(< "README.md")
  fi
  data=$(to_json "$desc" "$full_desc")
  echo "data: $data"
  url=https://cloud.docker.com/v2/repositories/$org/$attr/
  curl -XPATCH -H "Content-Type: application/json" --user "$user" --data "$data" "$url"
 done
 echo OK
--- a/25
+++ b/25
@@ -1,25 +0,0 @@
 #!/usr/bin/env bash
 #
 # Usage: ./push-all <registry> <image-prefix> <image-tag>
 set -euo pipefail
 registry=${1:-docker.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
 echo "=== Generating manifests for $registry"
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  repository=$registry/$image_prefix/$attr
  target_image=${repository}:${image_tag}
  echo "--- attr=$attr target=$target_image"
  podman manifest create "$target_image"
  podman manifest add "$target_image" "docker://$repository:${image_tag}-x86_64-linux"
  podman manifest add "$target_image" "docker://$repository:${image_tag}-aarch64-linux"
  podman manifest push --all "$target_image" "docker://$target_image"
 done
 echo OK
--- a/images/attic/default.nix
+++ b/images/attic/default.nix
@@ -1,10 +0,0 @@
 { docker-nixpkgs
 , attic-client
 }:
 (docker-nixpkgs.nix.override {
  extraContents = [ attic-client ];
 }).overrideAttrs (prev: {
  meta = (prev.meta or { }) // {
    description = "Nix and Attic client image";
  };
 })
--- a/images/devcontainer/default.nix
+++ b/images/devcontainer/default.nix
@@ -14,7 +14,7 @@
 , gnutar
 , gzip
 , iana-etc
-, iproute2
+, iproute
 , less
 , lib
 , nix
@@ -42,11 +42,7 @@ let
      nix
      # runtime dependencies of nix
-      # HACK: don't include the "hashed" output. It has overlapping files with
+      cacert
      #       the "unbundled" output, and that breaks the build.
      (cacert // {
        outputs = builtins.filter (x: x != "hashed") cacert.outputs;
      })
      gitReallyMinimal
      gnutar
      gzip
@@ -59,13 +55,8 @@ let
      shadow
      # for the vscode extension
-
+      gcc-unwrapped
-      # HACK: don't include the "libgcc" output. It has overlapping files with
+      iproute
      #       the "lib" output, and that breaks the build.
      (gcc-unwrapped // {
        outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
      })
      iproute2
    ];
  };
@@ -130,7 +121,7 @@ let
      ];
      Labels = {
        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
-        "org.label-schema.vcs-ref" = "main";
+        "org.label-schema.vcs-ref" = "master";
        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
      };
    };
--- a/images/devenv/default.nix
+++ b/images/devenv/default.nix
@@ -1,11 +0,0 @@
 { docker-nixpkgs
 , devenv ? null
 }:
 (docker-nixpkgs.nix.override {
  # only available since 24.05
  extraContents = [ devenv ];
 }).overrideAttrs (prev: {
  meta = (prev.meta or { }) // {
    description = "Nix and devenv image";
  };
 })
--- a/images/maddy/default.nix
+++ b/images/maddy/default.nix
@@ -1,6 +0,0 @@
 { buildCLIImage
 , maddy
 }:
 buildCLIImage {
  drv = maddy;
 }
--- a/images/nix-flakes/default.nix
+++ b/images/nix-flakes/default.nix
@@ -1,10 +1,10 @@
 { docker-nixpkgs
-, nixVersions
+, nixFlakes
 , writeTextFile
 , extraContents ? [ ]
 }:
 docker-nixpkgs.nix.override {
-  nix = nixVersions.stable;
+  nix = nixFlakes;
  extraContents = [
    (writeTextFile {
      name = "nix.conf";
@@ -12,12 +12,7 @@ docker-nixpkgs.nix.override {
      text = ''
        accept-flake-config = true
        experimental-features = nix-command flakes
        max-jobs = auto
      '';
    })
  ] ++ extraContents;
  extraEnv = [
    "PATH=/root/.nix-profile/bin:/usr/bin:/bin" # Not sure how to just prepend
  ];
 }
--- a/images/nix-unstable-static/default.nix
+++ b/images/nix-unstable-static/default.nix
@@ -19,8 +19,8 @@ let
  # Get nix from Hydra because the nixpkgs one is not fully static
  nixStaticBin = fetchurl {
-    url = "https://hydra.nixos.org/build/305222051/download/1/nix";
+    url = "https://hydra.nixos.org/build/181573550/download/1/nix";
-    hash = "sha256-OahnvQ/OKnRhbXaIJ7iEQYu86ECGtUqwW8XrryVkXaM=";
+    hash = "sha256-zO2xJhQIrLtL/ReTlcorjwsaTO1W5Rnr+sXwcLcujok=";
  };
  nixSymlinks = [
@@ -84,12 +84,11 @@ let
    mkdir -p libexec/nix
    ln -s /bin/nix libexec/nix/build-remote
-    # Enable flakes and parallel building
+    # Enable flakes
    mkdir -p etc/nix
    cat <<NIX_CONFIG > etc/nix/nix.conf
    accept-flake-config = true
    experimental-features = nix-command flakes
    max-jobs = auto
    NIX_CONFIG
    # Add run-as-user script
--- a/images/nix-unstable/default.nix
+++ b/images/nix-unstable/default.nix
@@ -1,6 +1,6 @@
 { docker-nixpkgs
-, pkgs
+, nixUnstable
 }:
 docker-nixpkgs.nix.override {
-  nix = pkgs.nixVersions.latest;
+  nix = nixUnstable;
 }
--- a/images/nix/default.nix
+++ b/images/nix/default.nix
@@ -11,7 +11,6 @@
 , openssh
 , xz
 , extraContents ? [ ]
 , extraEnv ? [ ]
 }:
 let
  image = dockerTools.buildImageWithNixDb {
@@ -59,7 +58,7 @@ let
        "PATH=/usr/bin:/bin"
        "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
        "USER=root"
-      ] ++ extraEnv;
+      ];
    };
  };
 in
--- a/images/nix/fake_nixpkgs/default.nix
+++ b/images/nix/fake_nixpkgs/default.nix
@@ -3,7 +3,7 @@ throw ''
  This container doesn't include nixpkgs.
  The best way to work around that is to pin your dependencies. See
-    https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs.html
+    https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs.html
  Or if you must, override the NIX_PATH environment variable with eg:
    "NIX_PATH=nixpkgs=channel:nixos-unstable"
--- a/images/pocket-id/default.nix
+++ b/images/pocket-id/default.nix
@@ -1,6 +0,0 @@
 { buildCLIImage
 , pocket-id
 }:
 buildCLIImage {
  drv = pocket-id;
 }
--- a/images/yarr/default.nix
+++ b/images/yarr/default.nix
@@ -1,6 +0,0 @@
 { buildCLIImage
 , yarr
 }:
 buildCLIImage {
  drv = yarr;
 }
--- a/lib/buildCLIImage.nix
+++ b/lib/buildCLIImage.nix
@@ -28,7 +28,7 @@ let
      ];
      Labels = {
        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
-        "org.label-schema.vcs-ref" = "main";
+        "org.label-schema.vcs-ref" = "master";
        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
      };
    };
--- a/pkgs.nix
+++ b/pkgs.nix
@@ -1,9 +1,7 @@
 system:
 # docker images run on Linux
 assert builtins.elem system ["x86_64-linux" "aarch64-linux"];
 import <nixpkgs> {
  # docker images run on Linux
  system = "x86_64-linux";
  config = { };
  inherit system;
  overlays = [
    (import ./overlay.nix)
  ];
--- a/7
+++ b/7
@@ -3,19 +3,18 @@
 # Usage: ./push-all <registry> <image-prefix> <image-tag>
 set -euo pipefail
-registry=${1:-docker.io}
+registry=${1:-ghcr.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
-releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
+releases_json=$(nix-instantiate --strict --eval --json)
 echo "=== Pushing images to $registry"
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  file=$(echo "$releases_json" | jq -r ".\"$attr\"")
  src=docker-archive://$file
-  dst=docker://$registry/$image_prefix/$attr:${image_tag}-${system_name}
+  dst=docker://$registry/$image_prefix/$attr:$image_tag
  echo "--- attr=$attr src=$src dst=$dst"
  skopeo copy --insecure-policy "$src" "$dst"
 done
--- a/4
+++ b/4
@@ -3,11 +3,9 @@
 # Usage: ./dockerhub-image-matrix
 set -euo pipefail
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 ## Main ##
-releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
+releases_json=$(nix-instantiate --strict --eval --json)
 echo "| Image / Tag | Pull |"
 echo "| ---         | ---  |"
--- a/shell.nix
+++ b/shell.nix
@@ -1,5 +1,5 @@
 let
-  nixpkgs = builtins.fetchTarball "channel:nixos-23.11";
+  nixpkgs = builtins.fetchTarball "channel:nixos-22.05";
  pkgs = import nixpkgs { config = { }; overlays = [ ]; };
 in
 with pkgs;
@@ -8,7 +8,6 @@ mkShell {
    dive
    jq
    skopeo
    podman
  ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh;
  shellHook = ''
Author	SHA1	Message	Date
zimbatm	8aababdd97	ci: switch images from Docker Hub to GitHub Packages Docker changed their mind and are asking us to pay to keep the org on Docker Hub.	2023-03-16 12:18:40 +01:00
zimbatm	c5d1be8214	REMOVEME: testing	2023-03-16 12:18:40 +01:00