2 Commits

Author SHA1 Message Date
zimbatm
8aababdd97 ci: switch images from Docker Hub to GitHub Packages
Docker changed their mind and are asking us to pay to keep the org on
Docker Hub.
2023-03-16 12:18:40 +01:00
zimbatm
c5d1be8214 REMOVEME: testing 2023-03-16 12:18:40 +01:00
7 changed files with 35 additions and 71 deletions


@@ -8,6 +8,10 @@ on:
schedule: schedule:
# Run once per day # Run once per day
- cron: '0 0 * * *' - cron: '0 0 * * *'
env:
CI_REGISTRY: ghcr.io
jobs: jobs:
build: build:
strategy: strategy:
@@ -16,14 +20,25 @@ jobs:
matrix: matrix:
channel: channel:
- nixos-unstable - nixos-unstable
- nixos-22.05
- nixos-22.11 - nixos-22.11
- nixos-23.05
runs-on: native runs-on: ubuntu-latest
container: pjjw/nix-flake-runner:1
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Log in to the Container registry
uses: docker/login-action@v2.1.0
with:
registry: ${{ env.CI_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: cachix/install-nix-action@v20
- run: nix-shell --run ./ci.sh - run: nix-shell --run ./ci.sh
env: env:
CI_PROJECT_PATH: pjjw
CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
NIXPKGS_CHANNEL: '${{ matrix.channel }}' NIXPKGS_CHANNEL: '${{ matrix.channel }}'
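Review bot: The `uses:` references in the build job (`actions/checkout@v3`, `docker/login-action@v2.1.0`, `cachix/install-nix-action@v20`) are tags, which the action's owner can move, and the job now carries `packages: write` and passes `secrets.GITHUB_TOKEN` to the login step. Pinning each one to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: docker/login-action@<full-commit-sha> # v2.1.0`, keeps a retagged action from running with push rights to the registry. The rendered page has lost its +/- markers, so I am reading the `permissions:` block and the login step as new-side lines. The workflow's `on:` block starts above the hunk, so which events other than `schedule` reach the login step cannot be checked from here.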


@@ -3,12 +3,12 @@ stages:
build: build:
stage: build stage: build
image: nixpkgs/nix:nixos-22.11 image: nixpkgs/nix:nixos-22.05
script: nix-shell --run ./ci.sh script: nix-shell --run ./ci.sh
parallel: parallel:
matrix: matrix:
- NIXPKGS_CHANNEL: nixos-unstable - NIXPKGS_CHANNEL: nixos-unstable
IMAGE_TAG: latest IMAGE_TAG: latest
- NIXPKGS_CHANNEL: - NIXPKGS_CHANNEL:
- nixos-22.05
- nixos-22.11 - nixos-22.11
- nixos-23.05


@@ -1,5 +1,9 @@
# docker-nixpkgs: docker images from nixpkgs # docker-nixpkgs: docker images from nixpkgs
> Docker recently requested that we start paying $420.-/year in order to keep
> the organization. So we moved the images to GitHub. Sorry for the
> inconvenience.
This project is a collection of docker images automatically produced with Nix This project is a collection of docker images automatically produced with Nix
and the latest nixpkgs package set. All the images are refreshed daily with and the latest nixpkgs package set. All the images are refreshed daily with
the latest versions of nixpkgs. the latest versions of nixpkgs.
@@ -39,8 +43,8 @@ nixpkgs channel describes.
| Channel | Image Tag | Description | | Channel | Image Tag | Description |
| --- | --- | --- | | --- | --- | --- |
| nixos-22.05 | nixos-22.05 | only minor versions that include security updates |
| nixos-22.11 | nixos-22.11 | only minor versions that include security updates | | nixos-22.11 | nixos-22.11 | only minor versions that include security updates |
| nixos-23.05 | nixos-23.05 | only minor versions that include security updates |
| nixos-unstable | latest | latest and greatest, major versions might change | | nixos-unstable | latest | latest and greatest, major versions might change |
## List of images ## List of images

17
ci.sh

@@ -5,9 +5,9 @@
set -euo pipefail set -euo pipefail
channel=${NIXPKGS_CHANNEL:-nixos-unstable} channel=${NIXPKGS_CHANNEL:-nixos-unstable}
registry=${CI_REGISTRY:-docker.io} registry=${CI_REGISTRY:-ghcr.io}
registry_auth=${CI_REGISTRY_AUTH:-} registry_auth=${CI_REGISTRY_AUTH:-}
image_prefix=${CI_PROJECT_PATH:-nixpkgs} image_prefix=${CI_PROJECT_PATH:-nix-community/docker-nixpkgs}
if [[ $channel == nixos-unstable ]]; then if [[ $channel == nixos-unstable ]]; then
image_tag=latest image_tag=latest
@@ -31,10 +31,10 @@ nix-build \
--no-out-link \ --no-out-link \
--option sandbox true \ --option sandbox true \
if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then # if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
banner "Skipping push on non-master branch" # banner "Skipping push on non-master branch"
exit # exit
fi # fi
if [[ -n "${registry_auth}" ]]; then if [[ -n "${registry_auth}" ]]; then
banner "docker login" banner "docker login"
@@ -43,8 +43,3 @@ fi
banner "docker push" banner "docker push"
./push-all "$registry" "$image_prefix" "$image_tag" ./push-all "$registry" "$image_prefix" "$image_tag"
if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
banner "docker metadata update"
./dockerhub-metadata "$registry_auth" "$image_prefix"
fi
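Review bot: The master-branch guard ahead of the push is commented out in the second hunk (`# if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then` through `# fi`), so a build of any branch now falls through to `./push-all "$registry" "$image_prefix" "$image_tag"` and publishes under the same tags a master build uses. The commit title "REMOVEME: testing" suggests this was meant to be temporary; the four lines should be uncommented before this lands, all the more so because the workflow in this change set grants the job `packages: write`. I am reading the right-hand column as the new side, which matches the `docker.io` to `ghcr.io` default change in the first hunk. The `docker login` block that follows the guard runs past the end of that hunk, so its body is not reviewed here.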


@@ -1,45 +0,0 @@
#!/usr/bin/env bash
#
# Update docker hub image descriptions. The API is not documented and might
# break in the future.
#
# Usage: ./dockerhub-metadata <user> <password> [org]
set -euo pipefail
user=$1
org=${2:-nixpkgs}
nix_eval() {
nix-instantiate --strict --eval --json "$@"
}
releases_json=$(nix_eval)
to_json() {
local desc=$1 full_desc=$2
jq -n \
--arg desc "$desc" \
--arg full_desc "$full_desc" \
'.description=$desc | .full_description=$full_desc'
}
echo "=== Updating Docker Hub project descriptions"
for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
echo "--- $attr"
desc=$(nix_eval -A "$attr.meta.description" | jq -r .)
if [[ -f "$attr/README.md" ]]; then
full_desc=$(< "$attr/README.md")
else
full_desc=$(< "README.md")
fi
data=$(to_json "$desc" "$full_desc")
echo "data: $data"
url=https://cloud.docker.com/v2/repositories/$org/$attr/
curl -XPATCH -H "Content-Type: application/json" --user "$user" --data "$data" "$url"
done
echo OK


@@ -55,12 +55,7 @@ let
shadow shadow
# for the vscode extension # for the vscode extension
gcc-unwrapped
# HACK: don't include the "libgcc" output. It has overlapping files with
# the "lib" output, and that breaks the build.
(gcc-unwrapped // {
outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
})
iproute iproute
]; ];
}; };


@@ -3,7 +3,7 @@
# Usage: ./push-all <registry> <image-prefix> <image-tag> # Usage: ./push-all <registry> <image-prefix> <image-tag>
set -euo pipefail set -euo pipefail
registry=${1:-docker.io} registry=${1:-ghcr.io}
image_prefix=${2:-nixpkgs} image_prefix=${2:-nixpkgs}
image_tag=${3:-latest} image_tag=${3:-latest}
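Review bot: The `image_prefix` default stays `${2:-nixpkgs}` while the registry default moves to `ghcr.io`, so running `./push-all` with fewer than two arguments would presumably address a `nixpkgs` namespace on ghcr.io, which nothing on this page shows the project controls. ci.sh's new default in the same change set is `nix-community/docker-nixpkgs`; using `image_prefix=${2:-nix-community/docker-nixpkgs}` here keeps the two scripts pointing at the same place. How the three values are joined into an image reference is below the hunk, so the exact push target is inferred rather than read.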