ci: revert to plain docker build/push (runner now has docker.sock)
Some checks failed
sf self-deploy / deploy test and probe (push) Blocked by required conditions
sf self-deploy / promote prod (push) Blocked by required conditions
sf self-deploy / build, test, and publish server image (push) Has been cancelled

The runner deployment now mounts vega's host docker.sock and ships
docker-client via Nix. Drop the buildah/skopeo dance — plain docker build
+ docker push are simpler and avoid the rootless privilege traps we hit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mikael Hugo 2026-05-18 03:24:51 +02:00
parent d65726ca29
commit 51e3e0a007


@ -86,23 +86,21 @@ jobs:
- name: Generate release manifest
run: npm run release:manifest -- --out dist/sf-release-manifest.json
# Runner is a k8s pod (forgejo-runner ns) with Nix on PATH and no
# docker daemon — build and push via rootless buildah + skopeo from
# nixpkgs, matching the operator's documented runner contract.
- name: Build server image (rootless buildah)
# The forgejo-runner pod has /var/run/docker.sock mounted from the
# vega host (via the runner deployment in /srv/infra). docker CLI
# is on PATH via nixpkgs#docker-client. So: plain `docker build` and
# `docker push` against the host's docker daemon.
- name: Login to registry
if: env.SF_REGISTRY_USER != '' && env.SF_REGISTRY_PASSWORD != ''
run: |
printf '%s' "$SF_REGISTRY_PASSWORD" | docker login \
"${SF_REGISTRY:-registry.infra.centralcloud.com}" \
--username "$SF_REGISTRY_USER" --password-stdin
- name: Build server image
run: |
set -euo pipefail
# buildah needs a containers policy file; the runner image doesn't
# ship one. Write a permissive "trust-all" policy inline.
mkdir -p "$HOME/.config/containers"
printf '%s\n' '{"default":[{"type":"insecureAcceptAnything"}]}' \
> "$HOME/.config/containers/policy.json"
nix run nixpkgs#buildah -- bud \
--signature-policy="$HOME/.config/containers/policy.json" \
--storage-driver=vfs \
--root="$HOME/.local/share/containers/storage" \
--runroot="$HOME/.local/share/containers/runroot" \
--isolation=chroot \
docker build \
-f docker/Dockerfile.sf-server \
--build-arg "SF_GIT_SHA=${GITHUB_SHA:-$(git rev-parse HEAD)}" \
--build-arg "SF_GIT_REF=${GITHUB_REF_NAME:-$(git rev-parse --abbrev-ref HEAD)}" \
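Review bot: the new comment block (the four lines beginning "The forgejo-runner pod has /var/run/docker.sock mounted") should spell out the trust boundary this introduces: every step of every workflow scheduled onto this runner can drive vega's docker daemon, which is equivalent to root on that host, so the runner must only execute workflows from repositories trusted at that level. Separately, the "Login to registry" step is silently skipped when SF_REGISTRY_USER or SF_REGISTRY_PASSWORD is empty while the build still proceeds; if the credentials are mandatory in CI, fail fast here (for example a step that checks `test -n "$SF_REGISTRY_USER"`) instead of surfacing the problem as a push failure. Dropping the inline `{"default":[{"type":"insecureAcceptAnything"}]}` policy and `--signature-policy` is a welcome removal of a trust-all setting.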
@ -111,21 +109,9 @@ jobs:
-t "${{ steps.image.outputs.image }}" \
.
- name: Push server image (skopeo)
- name: Push server image
if: env.SF_PUSH_IMAGE != '0'
run: |
set -euo pipefail
# Hand the buildah-built image to skopeo via containers-storage,
# authenticated against the SF registry.
creds_arg=""
if [ -n "${SF_REGISTRY_USER:-}" ] && [ -n "${SF_REGISTRY_PASSWORD:-}" ]; then
creds_arg="--dest-creds=${SF_REGISTRY_USER}:${SF_REGISTRY_PASSWORD}"
fi
nix run nixpkgs#skopeo -- copy \
--insecure-policy \
$creds_arg \
"containers-storage:[vfs@$HOME/.local/share/containers/storage+$HOME/.local/share/containers/runroot]${{ steps.image.outputs.image }}" \
"docker://${{ steps.image.outputs.image }}"
run: docker push "${{ steps.image.outputs.image }}"
deploy-test:
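Review bot: `run: docker push "${{ steps.image.outputs.image }}"` pushes a mutable tag only, so the deploy-test job that follows should consume the content digest rather than the tag; after the push, capture it (for example `docker image inspect --format '{{index .RepoDigests 0}}' "${{ steps.image.outputs.image }}"`) into a step output. The built image and its layers now persist in vega's shared daemon store after the job, and `docker login` leaves credentials in the pod's `~/.docker/config.json`; add an `if: always()` cleanup step that runs `docker logout` against the registry and removes the built tag if disk growth on the host is a concern. Removing `creds_arg` is an improvement in itself: the registry password was previously passed on the skopeo command line and therefore visible in the process list, whereas it now only travels via `--password-stdin`.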