cachix action failing for unknown reasons, patch to use local runner

fixes #57

.github/workflows/nix.yml

@@ -8,10 +8,6 @@ on:
   schedule:
     # Run once per day
     - cron: '0 0 * * *'
-
-env:
-  CI_REGISTRY: ghcr.io
-
 jobs:
   build:
     strategy:
@@ -20,25 +16,13 @@ jobs:
       matrix:
         channel:
           - nixos-unstable
-          - nixos-22.05
           - nixos-22.11
-
+          - nixos-23.05
-    runs-on: ubuntu-latest
+    runs-on: native
-
+    container: pjjw/nix-flake-runner:1
-    permissions:
-      contents: read
-      packages: write
-
     steps:
       - uses: actions/checkout@v3
-      - name: Log in to the Container registry
-        uses: docker/login-action@v2.1.0
-        with:
-          registry: ${{ env.CI_REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: cachix/install-nix-action@v20
       - run: nix-shell --run ./ci.sh
         env:
+          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
           NIXPKGS_CHANNEL: '${{ matrix.channel }}'

.gitlab-ci.yml

@@ -3,12 +3,12 @@ stages:
 
 build:
   stage: build
-  image: nixpkgs/nix:nixos-22.05
+  image: nixpkgs/nix:nixos-22.11
   script: nix-shell --run ./ci.sh
   parallel:
     matrix:
       - NIXPKGS_CHANNEL: nixos-unstable
         IMAGE_TAG: latest
       - NIXPKGS_CHANNEL:
-          - nixos-22.05
           - nixos-22.11
+          - nixos-23.05

README.md

@@ -1,9 +1,5 @@
 # docker-nixpkgs: docker images from nixpkgs
 
-> Docker recently requested that we start paying $420.-/year in order to keep
-> the organization. So we moved the images to GitHub. Sorry for the
-> inconvenience.
-
 This project is a collection of docker images automatically produced with Nix
 and the latest nixpkgs package set. All the images are refreshed daily with
 the latest versions of nixpkgs.
@@ -43,8 +39,8 @@ nixpkgs channel describes.
 
 | Channel        | Image Tag   | Description                                       |
 | ---            | ---         | ---                                               |
-| nixos-22.05    | nixos-22.05 | only minor versions that include security updates |
 | nixos-22.11    | nixos-22.11 | only minor versions that include security updates |
+| nixos-23.05    | nixos-23.05 | only minor versions that include security updates |
 | nixos-unstable | latest      | latest and greatest, major versions might change  |
 
 ## List of images

ci.sh

@@ -5,9 +5,9 @@
 set -euo pipefail
 
 channel=${NIXPKGS_CHANNEL:-nixos-unstable}
-registry=${CI_REGISTRY:-ghcr.io}
+registry=${CI_REGISTRY:-docker.io}
 registry_auth=${CI_REGISTRY_AUTH:-}
-image_prefix=${CI_PROJECT_PATH:-nix-community/docker-nixpkgs}
+image_prefix=${CI_PROJECT_PATH:-nixpkgs}
 
 if [[ $channel == nixos-unstable ]]; then
   image_tag=latest
@@ -31,10 +31,10 @@ nix-build \
   --no-out-link \
   --option sandbox true \
 
-# if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
+if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
-#   banner "Skipping push on non-master branch"
+  banner "Skipping push on non-master branch"
-#   exit
+  exit
-# fi
+fi
 
 if [[ -n "${registry_auth}" ]]; then
   banner "docker login"
@@ -43,3 +43,8 @@ fi
 
 banner "docker push"
 ./push-all "$registry" "$image_prefix" "$image_tag"
+
+if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
+  banner "docker metadata update"
+  ./dockerhub-metadata "$registry_auth" "$image_prefix"
+fi

dockerhub-metadata

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Update docker hub image descriptions. The API is not documented and might
+# break in the future.
+#
+# Usage: ./dockerhub-metadata <user> <password> [org]
+set -euo pipefail
+
+user=$1
+org=${2:-nixpkgs}
+
+nix_eval() {
+  nix-instantiate --strict --eval --json "$@"
+}
+
+releases_json=$(nix_eval)
+
+to_json() {
+  local desc=$1 full_desc=$2
+  jq -n \
+    --arg desc "$desc" \
+    --arg full_desc "$full_desc" \
+    '.description=$desc | .full_description=$full_desc'
+}
+
+echo "=== Updating Docker Hub project descriptions"
+
+for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
+  echo "--- $attr"
+  desc=$(nix_eval -A "$attr.meta.description" | jq -r .)
+
+  if [[ -f "$attr/README.md" ]]; then
+    full_desc=$(< "$attr/README.md")
+  else
+    full_desc=$(< "README.md")
+  fi
+
+  data=$(to_json "$desc" "$full_desc")
+  echo "data: $data"
+  url=https://cloud.docker.com/v2/repositories/$org/$attr/
+
+  curl -XPATCH -H "Content-Type: application/json" --user "$user" --data "$data" "$url"
+done
+
+echo OK

images/devcontainer/default.nix

@@ -55,7 +55,12 @@ let
       shadow
 
       # for the vscode extension
-      gcc-unwrapped
+
+      # HACK: don't include the "libgcc" output. It has overlapping files with
+      #       the "lib" output, and that breaks the build.
+      (gcc-unwrapped // {
+        outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
+      })
       iproute
     ];
   };

push-all

@@ -3,7 +3,7 @@
 # Usage: ./push-all <registry> <image-prefix> <image-tag>
 set -euo pipefail
 
-registry=${1:-ghcr.io}
+registry=${1:-docker.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}