From 46ef231b54bf6792155c76b5ebc7d9db5dff34e4 Mon Sep 17 00:00:00 2001 From: Mikael Hugo Date: Mon, 18 May 2026 01:11:46 +0200 Subject: [PATCH] ci: switch self-deploy build to Nix buildah+skopeo, fix runs-on label MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Forgejo runner is a k8s pod (forgejo-runner ns, on vega) registered with labels [ubuntu-latest, ubuntu-22.04, self-hosted]. The workflow's `runs-on: docker` matched no runner, so jobs never got claimed — that's why HEAD never built and the cluster stayed pinned to 4be963fd. The runner has Nix on PATH but no docker daemon — that's intentional per the operator's runner manifest header: "Builds use Nix (nix build .#dockerImage + nix run nixpkgs#skopeo for the push) rather than DinD." So the build step uses rootless buildah from nixpkgs against the existing docker/Dockerfile.sf-server (vfs storage + chroot isolation works in-pod), and the push step hands the image to skopeo via containers-storage. SF_REGISTRY_USER / SF_REGISTRY_PASSWORD become --dest-creds for skopeo. Cache-from/cache-to dropped from the buildah invocation for now — first priority is a working build; registry-backed buildkit cache can be re-added later. Co-Authored-By: Claude Opus 4.7 (1M context) --- .forgejo/workflows/self-deploy.yml | 42 ++++++++++++++++++------------ 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/.forgejo/workflows/self-deploy.yml b/.forgejo/workflows/self-deploy.yml index d8ea6551b..ba4f5ca77 100644 --- a/.forgejo/workflows/self-deploy.yml +++ b/.forgejo/workflows/self-deploy.yml @@ -25,7 +25,7 @@ env: jobs: build: name: build, test, and publish server image - runs-on: docker + runs-on: ubuntu-latest outputs: image: ${{ steps.image.outputs.image }} steps: 
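Review bot: `runs-on: ubuntu-latest` (repeated in the deploy-test and deploy hunks below) selects the Nix runner only through a label that conventionally names a generic hosted image, so nothing in the workflow records that the job actually needs the forgejo-runner pod with Nix on PATH and no docker daemon; a reader, or anyone later registering a second runner under that label, gets no warning that the build and push steps would fail there. The commit message says the runner is also registered as `self-hosted`; if that label maps to the same scheme in the runner config it states the requirement more honestly, otherwise a comment above the first occurrence would do: `# must run on the forgejo-runner pod (Nix on PATH, no docker daemon; see its runner manifest)`. The `build` job's step list continues outside this hunk.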
@@ -69,20 +69,16 @@ jobs: - name: Generate release manifest run: npm run release:manifest -- --out dist/sf-release-manifest.json - - name: Login to registry - if: env.SF_REGISTRY_USER != '' && env.SF_REGISTRY_PASSWORD != '' + # Runner is a k8s pod (forgejo-runner ns) with Nix on PATH and no + # docker daemon — build and push via rootless buildah + skopeo from + # nixpkgs, matching the operator's documented runner contract. + - name: Build server image (rootless buildah) run: | - printf '%s' "$SF_REGISTRY_PASSWORD" | docker login "${SF_REGISTRY:-registry.centralcloud.com}" --username "$SF_REGISTRY_USER" --password-stdin - - - name: Build server image - run: | - export DOCKER_BUILDKIT=1 - export BUILDKIT_PROGRESS=plain - cache_ref="${SF_IMAGE_REPOSITORY:-${SF_REGISTRY:-registry.infra.centralcloud.com}/singularity/sf-server}:buildcache" - docker build \ + set -euo pipefail + nix run nixpkgs#buildah -- bud \ + --storage-driver=vfs \ + --isolation=chroot \ -f docker/Dockerfile.sf-server \ - --cache-from "type=registry,ref=${cache_ref}" \ - --cache-to "type=registry,ref=${cache_ref},mode=max" \ --build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \ --build-arg "SF_GIT_REF=${GITHUB_REF_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \ --build-arg "SF_RELEASE_IMAGE=${{ steps.image.outputs.image }}" \ 
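Review bot: `nix run nixpkgs#buildah -- bud` resolves `nixpkgs` through the flake registry, which by default floats on nixpkgs-unstable unless the runner pins it, so the build tool's version changes under the job between runs and is recorded nowhere in the repo; the same holds for `nixpkgs#skopeo` in the push hunk. Pinning to the repository's own flake input or an explicit revision, e.g. `nix run github:NixOS/nixpkgs/<PINNED-REV>#buildah -- bud` (placeholder revision), makes the image build reproducible and auditable. The deleted `Login to registry` step also authenticated any base-image pulls during `docker build`; if `docker/Dockerfile.sf-server` pulls from the SF registry, `buildah bud` now runs unauthenticated and would fail at the `FROM` stage, so a `buildah login --password-stdin` (or an `--authfile`) before the build would be needed. `--storage-driver=vfs` fixes the driver but not the store location, which defaults per user, while the push hunk hard-codes `/var/lib/containers/storage`; passing `--root`/`--runroot` here keeps the two steps on the same store. The `run:` block scalar continues with the remaining `--build-arg` and `-t` lines outside this hunk.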
@@ -90,15 +86,27 @@ jobs: -t "${{ steps.image.outputs.image }}" \ . - - name: Push server image + - name: Push server image (skopeo) if: env.SF_PUSH_IMAGE != '0' - run: docker push "${{ steps.image.outputs.image }}" + run: | + set -euo pipefail + # Hand the buildah-built image to skopeo via containers-storage, + # authenticated against the SF registry. + creds_arg="" + if [ -n "${SF_REGISTRY_USER:-}" ] && [ -n "${SF_REGISTRY_PASSWORD:-}" ]; then + creds_arg="--dest-creds=${SF_REGISTRY_USER}:${SF_REGISTRY_PASSWORD}" + fi + nix run nixpkgs#skopeo -- copy \ + --insecure-policy \ + $creds_arg \ + "containers-storage:[vfs@/var/lib/containers/storage+/var/run/containers/storage]${{ steps.image.outputs.image }}" \ + "docker://${{ steps.image.outputs.image }}" deploy-test: name: deploy test and probe needs: build - runs-on: docker + runs-on: ubuntu-latest steps: - name: Configure kubeconfig run: | @@ -129,7 +137,7 @@ jobs: needs: - build - deploy-test - runs-on: docker + runs-on: ubuntu-latest if: needs.deploy-test.result == 'success' steps: - name: Configure kubeconfig
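Review bot: The push passes the registry password on the skopeo command line via `--dest-creds=${SF_REGISTRY_USER}:${SF_REGISTRY_PASSWORD}`, so it is readable in the runner pod's process table for the duration of the copy and lands in any shell-trace or verbose output, and because `$creds_arg` is expanded unquoted a password containing whitespace or glob characters is split into several arguments. Logging in once to a temporary auth file with `skopeo login --password-stdin --authfile` and passing `--dest-authfile` keeps the secret out of argv; the rewrite below keeps the `creds_arg` shape so the copy invocation is unchanged. Separately, the source reference hard-codes `/var/lib/containers/storage`, which is containers-storage's root-user default; if the buildah step runs unprivileged, as its name says, the image is written under `~/.local/share/containers/storage` and this copy fails with an image-not-found error, so both steps should share an explicit `--root`/`--runroot`. `--insecure-policy` is needed only because a Nix-installed skopeo has no `/etc/containers/policy.json`; a minimal policy file that permits the local `containers-storage` source would be the tidier fix, though not blocking.
```yaml
      - name: Push server image (skopeo)
        if: env.SF_PUSH_IMAGE != '0'
        run: |
          set -euo pipefail
          image="${{ steps.image.outputs.image }}"
          # Keep the registry password out of argv: log in once to a temp auth
          # file (password via stdin) and hand that file to skopeo. The registry
          # host is the first path component of the image reference.
          creds_arg=""
          if [ -n "${SF_REGISTRY_USER:-}" ] && [ -n "${SF_REGISTRY_PASSWORD:-}" ]; then
            authfile="$(mktemp)"
            trap 'rm -f "$authfile"' EXIT
            printf '%s' "$SF_REGISTRY_PASSWORD" | nix run nixpkgs#skopeo -- login \
              --authfile "$authfile" --username "$SF_REGISTRY_USER" --password-stdin "${image%%/*}"
            creds_arg="--dest-authfile=$authfile"
          fi
          # … unchanged: skopeo copy invocation (containers-storage source, docker:// destination) …
```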