ci: switch self-deploy build to Nix buildah+skopeo, fix runs-on label
Some checks failed
sf self-deploy / build, test, and publish server image (push) Failing after 2m3s
sf self-deploy / deploy test and probe (push) Has been skipped
sf self-deploy / promote prod (push) Has been skipped

The Forgejo runner is a k8s pod (forgejo-runner ns, on vega) registered
with labels [ubuntu-latest, ubuntu-22.04, self-hosted]. The workflow's
`runs-on: docker` matched no runner, so jobs never got claimed — that's
why HEAD never built and the cluster stayed pinned to 4be963fd.

The runner has Nix on PATH but no docker daemon — that's intentional
per the operator's runner manifest header: "Builds use Nix
(nix build .#dockerImage + nix run nixpkgs#skopeo for the push) rather
than DinD." So the build step uses rootless buildah from nixpkgs
against the existing docker/Dockerfile.sf-server (vfs storage + chroot
isolation works in-pod), and the push step hands the image to skopeo via
containers-storage. SF_REGISTRY_USER / SF_REGISTRY_PASSWORD become
--dest-creds for skopeo.

Cache-from/cache-to dropped from the buildah invocation for now — first
priority is a working build; registry-backed buildkit cache can be
re-added later.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mikael Hugo 2026-05-18 01:11:46 +02:00
parent e50f2c0af1
commit 46ef231b54
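The build-then-push sequence the commit message describes, as an added example rather than the repository's workflow or the operator's runner manifest. It differs from the diff in two ways a reviewer would ask for: the registry password is written to a 0600 auth file and passed with `--dest-authfile` instead of appearing on skopeo's argv, and buildah and skopeo are given the same explicit `--root`/`--runroot` so the push finds the image whether the pod runs as root or rootless. Assumed: Nix on PATH, the workflow's `SF_REGISTRY`, `SF_REGISTRY_USER` and `SF_REGISTRY_PASSWORD` variables, and a placeholder `NIXPKGS` pin; the helper names `storage_dirs`, `storage_ref`, `write_authfile` and `build_and_push` are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not the repository's workflow: the buildah build + skopeo
# push described in the commit message, changed in two ways. (1) The registry
# password goes into a 0600 auth file read via --dest-authfile, never onto a
# process argument list. (2) buildah and skopeo get the same explicit
# --root/--runroot, so the push works for root and rootless runners alike.
# Assumptions: Nix on PATH; SF_REGISTRY, SF_REGISTRY_USER, SF_REGISTRY_PASSWORD
# set as in the workflow; NIXPKGS is a placeholder pin, not a project value.
set -euo pipefail

NIXPKGS="${NIXPKGS:-github:NixOS/nixpkgs/nixos-unstable}"   # pin a commit in CI

# Print "<root> <runroot>" for containers-storage. uid 0 gets the system paths
# the workflow hardcodes; any other uid gets the rootless defaults.
storage_dirs() {  # args: uid home runtime_dir
  if [ "$1" -eq 0 ]; then
    printf '%s %s\n' /var/lib/containers/storage /run/containers/storage
  else
    printf '%s %s\n' "$2/.local/share/containers/storage" "$3/containers"
  fi
}

# Build the containers-storage transport ref that skopeo copies from.
storage_ref() {  # args: image uid home runtime_dir
  local dirs
  dirs=$(storage_dirs "$2" "$3" "$4")
  printf 'containers-storage:[vfs@%s+%s]%s' "${dirs% *}" "${dirs#* }" "$1"
}

# Write a containers auth.json (same layout docker login produces) for one
# registry with mode 0600 and print its path. The password arrives through
# the environment, never as a process argument.
write_authfile() {  # args: registry user password dir
  local auth file="$4/auth.json"
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  ( umask 077; printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$auth" > "$file" )
  printf '%s' "$file"
}

build_and_push() {  # args: image ref, e.g. registry.example/ns/sf-server:<sha>
  local image="$1" uid home runtime_dir dirs root runroot authfile
  uid=$(id -u); home=$HOME; runtime_dir="${XDG_RUNTIME_DIR:-/tmp/run-$uid}"
  dirs=$(storage_dirs "$uid" "$home" "$runtime_dir"); root=${dirs% *}; runroot=${dirs#* }
  mkdir -p "$root" "$runroot"
  # Storage flags are buildah globals and go before the subcommand.
  nix run "$NIXPKGS#buildah" -- --storage-driver=vfs --root="$root" --runroot="$runroot" \
    bud --isolation=chroot -f docker/Dockerfile.sf-server -t "$image" .
  authfile=$(write_authfile "${SF_REGISTRY:-registry.centralcloud.com}" \
    "$SF_REGISTRY_USER" "$SF_REGISTRY_PASSWORD" "$(mktemp -d)")
  trap "rm -f '$authfile'" EXIT
  # --insecure-policy because the runner pod ships no /etc/containers/policy.json.
  nix run "$NIXPKGS#skopeo" -- --insecure-policy copy --dest-authfile "$authfile" \
    "$(storage_ref "$image" "$uid" "$home" "$runtime_dir")" "docker://$image"
}

# Only act when invoked as: ./push.sh run <image-ref>
if [ "${1:-}" = "run" ]; then build_and_push "$2"; fi
```

Running as uid 1000 yields a source ref under `$HOME/.local/share/containers/storage`, which is where rootless buildah would have written the image; the hardcoded `/var/lib/containers/storage` form only matches a root-mode build.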


@ -25,7 +25,7 @@ env:
jobs:
build:
name: build, test, and publish server image
runs-on: docker
runs-on: ubuntu-latest
outputs:
image: ${{ steps.image.outputs.image }}
steps:
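Review bot: `runs-on: ubuntu-latest` fixes the unclaimed-job problem, but it also makes this job claimable by any runner carrying that common label, while the steps below assume a pod with Nix on PATH and no docker daemon. The commit message lists `self-hosted` among the runner's labels; using that, or a dedicated label for the Nix runner, keeps a generic ubuntu-latest runner added later from picking up a job whose build steps would fail on it.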
@ -69,20 +69,16 @@ jobs:
- name: Generate release manifest
run: npm run release:manifest -- --out dist/sf-release-manifest.json
- name: Login to registry
if: env.SF_REGISTRY_USER != '' && env.SF_REGISTRY_PASSWORD != ''
# Runner is a k8s pod (forgejo-runner ns) with Nix on PATH and no
# docker daemon — build and push via rootless buildah + skopeo from
# nixpkgs, matching the operator's documented runner contract.
- name: Build server image (rootless buildah)
run: |
printf '%s' "$SF_REGISTRY_PASSWORD" | docker login "${SF_REGISTRY:-registry.centralcloud.com}" --username "$SF_REGISTRY_USER" --password-stdin
- name: Build server image
run: |
export DOCKER_BUILDKIT=1
export BUILDKIT_PROGRESS=plain
cache_ref="${SF_IMAGE_REPOSITORY:-${SF_REGISTRY:-registry.infra.centralcloud.com}/singularity/sf-server}:buildcache"
docker build \
set -euo pipefail
nix run nixpkgs#buildah -- bud \
--storage-driver=vfs \
--isolation=chroot \
-f docker/Dockerfile.sf-server \
--cache-from "type=registry,ref=${cache_ref}" \
--cache-to "type=registry,ref=${cache_ref},mode=max" \
--build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \
--build-arg "SF_GIT_REF=${GITHUB_REF_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \
--build-arg "SF_RELEASE_IMAGE=${{ steps.image.outputs.image }}" \
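Review bot: `nix run nixpkgs#buildah` resolves `nixpkgs` through the runner's flake registry, which floats unless the operator pinned it, so the builder version changes silently between runs and cannot be audited from the workflow; pin a revision (`github:NixOS/nixpkgs/<rev>#buildah`) or use the repository flake's own nixpkgs input. Separately, `--storage-driver=vfs` is passed without `--root`/`--runroot`, so where the image lands depends on the uid buildah runs as (rootless defaults live under `$HOME/.local/share/containers/storage`); since the push step addresses the store by absolute path, set both paths explicitly here to the same values.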
@ -90,15 +86,27 @@ jobs:
-t "${{ steps.image.outputs.image }}" \
.
- name: Push server image
- name: Push server image (skopeo)
if: env.SF_PUSH_IMAGE != '0'
run: docker push "${{ steps.image.outputs.image }}"
run: |
set -euo pipefail
# Hand the buildah-built image to skopeo via containers-storage,
# authenticated against the SF registry.
creds_arg=""
if [ -n "${SF_REGISTRY_USER:-}" ] && [ -n "${SF_REGISTRY_PASSWORD:-}" ]; then
creds_arg="--dest-creds=${SF_REGISTRY_USER}:${SF_REGISTRY_PASSWORD}"
fi
nix run nixpkgs#skopeo -- copy \
--insecure-policy \
$creds_arg \
"containers-storage:[vfs@/var/lib/containers/storage+/var/run/containers/storage]${{ steps.image.outputs.image }}" \
"docker://${{ steps.image.outputs.image }}"
deploy-test:
name: deploy test and probe
needs: build
runs-on: docker
runs-on: ubuntu-latest
steps:
- name: Configure kubeconfig
run: |
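Review bot: `--dest-creds=${SF_REGISTRY_USER}:${SF_REGISTRY_PASSWORD}` puts the registry password on skopeo's argv, where any process in the pod can read it from `/proc/<pid>/cmdline` and where it surfaces in `set -x` traces or error output; the `docker login --password-stdin` this replaces avoided exactly that. Use `skopeo login --password-stdin` before the copy, or write an auth file and pass `--dest-authfile`, which also removes the unquoted `$creds_arg` word-splitting hazard when the password contains whitespace. Also check the source ref: `containers-storage:[vfs@/var/lib/containers/storage+/var/run/containers/storage]` is the root-mode location, while the commit message says the build is rootless buildah; if the pod is not uid 0 skopeo will not find the image there, and if it is, the "rootless" description is misleading.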
@ -129,7 +137,7 @@ jobs:
needs:
- build
- deploy-test
runs-on: docker
runs-on: ubuntu-latest
if: needs.deploy-test.result == 'success'
steps:
- name: Configure kubeconfig
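Review bot: promote prod now shares the generic `ubuntu-latest` label with the build job; since this job is the one that configures a production kubeconfig, it is the one most worth restricting to a dedicated label so only the intended runner can claim it.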