Merge pull request #962 from kachick/riff #777
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: β¬’π¦ | |
on: | |
push: | |
tags: | |
- 'v*' | |
branches: | |
- main | |
paths: | |
- '.github/workflows/container.yml' | |
- 'containers/**' | |
- '.containerignore' | |
- 'flake.*' | |
- 'home-manager/**' | |
- 'config/**' | |
- '!**.md' | |
pull_request: | |
types: | |
- labeled | |
workflow_dispatch: | |
jobs: | |
# podman can handle lowercase. So normalize the outputs | |
get-meta: | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 5 | |
outputs: | |
started_at: ${{ steps.timestamp.outputs.started_at }} | |
ref_tag: ${{ steps.tags.outputs.ref }} | |
special_tag: ${{ steps.tags.outputs.special }} | |
timestamp_tag: ${{ steps.tags.outputs.timestamp }} | |
require_comments: ${{ steps.comments.outputs.require }} | |
steps: | |
- name: Get started timestamp | |
id: timestamp | |
run: | | |
# Do not use ":" delimiter as iso-8601/rfc-3339, it cannot be used in container tag | |
echo started_at="$(date --utc '+%Y%m%d-%H%M%S-%Z')" | ruby -pe '$_.downcase!' | tee -a "$GITHUB_OUTPUT" | |
- name: Judge to post comments or not | |
id: comments | |
if: >- | |
(github.actor == github.repository_owner) && (github.event_name == 'pull_request') | |
run: echo -n 'require=true' | tee -a "$GITHUB_OUTPUT" | |
- name: Generate tags for the image | |
id: tags | |
# https://github.com/orgs/community/discussions/26557#discussioncomment-3252327 | |
run: | | |
echo "timestamp=${{ steps.timestamp.outputs.started_at }}" | tee -a "$GITHUB_OUTPUT" | |
special='' | |
ref='' | |
if [ '${{ github.event_name }}' = 'pull_request' ]; then | |
special='pr-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}' | |
ref='${{ github.event.pull_request.head.sha }}' | |
elif [ '${{ github.ref_name }}' = '${{ github.event.repository.default_branch }}' ]; then | |
special='latest' | |
ref='${{ github.sha }}' | |
else | |
exit 1 | |
fi | |
echo "special=${special}" | tee -a "$GITHUB_OUTPUT" | |
echo "ref=${ref}" | tee -a "$GITHUB_OUTPUT" | |
minimize-old-comments: | |
needs: [get-meta] | |
if: ${{ needs.get-meta.outputs.require_comments == 'true' }} | |
uses: ./.github/workflows/minimize-staging-deploy-comments.yml | |
with: | |
pr-number: ${{ github.event.number }} | |
build_and_push: | |
# Do not set `cancel-in-progress: true` in main branch, it displays failure badges | |
# https://github.com/orgs/community/discussions/8336 | |
concurrency: | |
group: 'deploy-container-${{ github.ref }}' | |
cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
needs: [get-meta, minimize-old-comments] | |
if: >- | |
(! failure()) && | |
((github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy-staging')) || | |
(github.event_name != 'pull_request')) | |
runs-on: ubuntu-24.04 | |
timeout-minutes: 60 | |
steps: | |
- name: Logging dependency versions | |
run: | | |
podman version | |
crun --version | |
buildah version | |
- name: Install gh-action-escape | |
run: curl -fsSL https://raw.githubusercontent.com/kachick/gh-action-escape/main/scripts/install-in-github-action.sh | sh -s v0.2.0 | |
- uses: actions/checkout@v4 | |
- name: Build base Image | |
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13 | |
with: | |
image: systemd-prepared | |
containerfiles: | | |
containers/Containerfile | |
oci: true | |
- name: Inspect the created image | |
run: 'podman inspect systemd-prepared' | |
- name: Start systemd | |
id: start-systemd | |
run: | | |
set -euxo pipefail | |
container_id="$(podman run --detach --rm systemd-prepared)" | |
echo container_id="$container_id" | tee -a "$GITHUB_OUTPUT" | |
- name: Wait for the systemd to be ready | |
run: 'sleep 2' | |
- name: Run Nix commands and cleanup provisioners | |
run: | | |
set -euxo pipefail | |
podman exec --user=user -it '${{ steps.start-systemd.outputs.container_id }}' /provisioner/needs_systemd.bash | |
podman exec --user=root -it '${{ steps.start-systemd.outputs.container_id }}' rm -rf /provisioner | |
- name: Check no personal name in that config | |
run: | | |
# https://unix.stackexchange.com/a/340729 | |
assign_stdin_to_global_command_variable() { | |
command="$(cat)" | |
} | |
assign_stdin_to_global_command_variable <<'EOF' | |
set -uxo | |
# https://unix.stackexchange.com/questions/311090/how-to-disable-set-x | |
set +e | |
/home/user/.nix-profile/bin/rg --hidden --follow --glob='!.local/state' --glob='!.nix-*' 'kachick1' | |
# Need to check the exit code if we want to make sure "not found" in grep family | |
# https://github.com/BurntSushi/ripgrep/issues/1290#issuecomment-761170095 | |
ripgrep_exit_code="$?" # Do not directly use the $? to prevent inserting another command as a human error | |
[[ "$ripgrep_exit_code" -eq 1 ]] | |
EOF | |
podman exec --user=user --workdir=/home/user -it '${{ steps.start-systemd.outputs.container_id }}' bash -c "$command" | |
- name: Persist the container to image | |
run: | | |
podman commit \ | |
--author 'https://github.com/${{github.repository}}/actions/runs/${{ github.run_id }}' \ | |
'${{ steps.start-systemd.outputs.container_id }}' home | |
podman kill '${{ steps.start-systemd.outputs.container_id }}' | |
podman tag home home:${{ needs.get-meta.outputs.special_tag }} | |
podman tag home home:${{ needs.get-meta.outputs.ref_tag}} | |
podman tag home home:${{ needs.get-meta.outputs.timestamp_tag }} | |
- name: Inspect the created image | |
run: 'podman inspect home' | |
- name: Test the created image | |
run: | | |
set -euxo pipefail | |
container_id="$(podman run --detach --rm home:${{ needs.get-meta.outputs.started_at }})" | |
# shellcheck disable=SC2064 | |
trap "podman kill '$container_id'" EXIT ERR | |
sleep 2 # Wait for the systemd to be ready | |
podman exec --user=user "$container_id" cat /etc/nix/nix.conf | |
podman exec --user=user --workdir='/home/user' -it "$container_id" '/home/user/.nix-profile/bin/zsh' -c 'la; lat ~/.config' | |
- name: Push To ghcr.io | |
id: push-to-ghcr | |
if: ${{ github.actor == github.repository_owner }} | |
# Using this method makes ghcr.io warning | |
# `No description provided` | |
# `To provide a description, add the following line to your Dockerfile:` | |
# But you have not to care this noise for now, it is happened even in redhat official | |
# https://github.com/kachick/dotfiles/issues/471#issuecomment-2002565514 | |
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8 | |
with: | |
image: home | |
tags: ${{ needs.get-meta.outputs.special_tag }} ${{ needs.get-meta.outputs.ref_tag }} ${{ needs.get-meta.outputs.timestamp_tag }} | |
registry: ghcr.io/${{ github.repository_owner }} | |
username: ${{ github.repository_owner }} | |
password: ${{ github.token }} | |
- name: Inspect the package | |
id: inspect-package | |
if: ${{ github.actor == github.repository_owner }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
set -euxo pipefail | |
echo "${{ toJSON(steps.push-to-ghcr.outputs) }}" | |
gh api --paginate \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
/users/${{ github.repository_owner }}/packages/container/home/versions \ | |
--jq '.[] | select(.name == "${{ steps.push-to-ghcr.outputs.digest }}")' | \ | |
jq | gh-action-escape -name=json | tee -a "$GITHUB_OUTPUT" | |
- name: Post comments | |
if: ${{ needs.get-meta.outputs.require_comments == 'true' }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
( | |
cat <<'EOF' | |
β¬’π¦ Staging container-image has been deployed π\ | |
You can test the interactive shell π as follows. | |
```bash | |
bash <(curl -fsSL 'https://raw.githubusercontent.com/kachick/dotfiles/${{ github.event.pull_request.head.sha }}/containers/sandbox-with-ghcr.bash') '${{ github.event.pull_request.head.sha }}' | |
``` | |
The package detail | |
```json | |
${{ steps.inspect-package.outputs.json }} | |
``` | |
This image will be automatically π€ removed from ghcr.io ποΈ if you merged/closed this PR π | |
EOF | |
) | gh pr comment ${{ github.event.number }} --body-file - |