ci: switch images from Docker Hub to GitHub Packages

Docker changed their mind and are asking us to pay to keep the org on
Docker Hub.

.github/workflows/nix.yml

@@ -8,6 +8,10 @@ on:
   schedule:
     # Run once per day
     - cron: '0 0 * * *'
+
+env:
+  CI_REGISTRY: ghcr.io
+
 jobs:
   build:
     strategy:
@@ -18,11 +22,23 @@ jobs:
           - nixos-unstable
           - nixos-22.05
           - nixos-22.11
+
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - uses: actions/checkout@v3
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2.1.0
+        with:
+          registry: ${{ env.CI_REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - uses: cachix/install-nix-action@v20
       - run: nix-shell --run ./ci.sh
         env:
-          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
           NIXPKGS_CHANNEL: '${{ matrix.channel }}'

README.md

@@ -1,5 +1,9 @@
 # docker-nixpkgs: docker images from nixpkgs
 
+> Docker recently requested that we start paying $420.-/year in order to keep
+> the organization. So we moved the images to GitHub. Sorry for the
+> inconvenience.
+
 This project is a collection of docker images automatically produced with Nix
 and the latest nixpkgs package set. All the images are refreshed daily with
 the latest versions of nixpkgs.

ci.sh

@@ -5,9 +5,9 @@
 set -euo pipefail
 
 channel=${NIXPKGS_CHANNEL:-nixos-unstable}
-registry=${CI_REGISTRY:-docker.io}
+registry=${CI_REGISTRY:-ghcr.io}
 registry_auth=${CI_REGISTRY_AUTH:-}
-image_prefix=${CI_PROJECT_PATH:-nixpkgs}
+image_prefix=${CI_PROJECT_PATH:-nix-community/docker-nixpkgs}
 
 if [[ $channel == nixos-unstable ]]; then
   image_tag=latest
@@ -31,10 +31,10 @@ nix-build \
   --no-out-link \
   --option sandbox true \
 
-if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
-  banner "Skipping push on non-master branch"
-  exit
-fi
+# if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
+#   banner "Skipping push on non-master branch"
+#   exit
+# fi
 
 if [[ -n "${registry_auth}" ]]; then
   banner "docker login"
@@ -43,8 +43,3 @@ fi
 
 banner "docker push"
 ./push-all "$registry" "$image_prefix" "$image_tag"
-
-if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
-  banner "docker metadata update"
-  ./dockerhub-metadata "$registry_auth" "$image_prefix"
-fi

dockerhub-metadata

@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-#
-# Update docker hub image descriptions. The API is not documented and might
-# break in the future.
-#
-# Usage: ./dockerhub-metadata <user> <password> [org]
-set -euo pipefail
-
-user=$1
-org=${2:-nixpkgs}
-
-nix_eval() {
-  nix-instantiate --strict --eval --json "$@"
-}
-
-releases_json=$(nix_eval)
-
-to_json() {
-  local desc=$1 full_desc=$2
-  jq -n \
-    --arg desc "$desc" \
-    --arg full_desc "$full_desc" \
-    '.description=$desc | .full_description=$full_desc'
-}
-
-echo "=== Updating Docker Hub project descriptions"
-
-for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
-  echo "--- $attr"
-  desc=$(nix_eval -A "$attr.meta.description" | jq -r .)
-
-  if [[ -f "$attr/README.md" ]]; then
-    full_desc=$(< "$attr/README.md")
-  else
-    full_desc=$(< "README.md")
-  fi
-
-  data=$(to_json "$desc" "$full_desc")
-  echo "data: $data"
-  url=https://cloud.docker.com/v2/repositories/$org/$attr/
-
-  curl -XPATCH -H "Content-Type: application/json" --user "$user" --data "$data" "$url"
-done
-
-echo OK

push-all

@@ -3,7 +3,7 @@
 # Usage: ./push-all <registry> <image-prefix> <image-tag>
 set -euo pipefail
 
-registry=${1:-docker.io}
+registry=${1:-ghcr.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}