From 9cea77db2545002226961b41ecad656d30e44f5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabriel=20N=C3=BCtzi?=
Date: Sat, 6 Jul 2024 22:10:39 +0200
Subject: [PATCH] fix: CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Gabriel Nützi
---
.github/workflows/normal.yaml | 10 +++++++++-
tools/ci/upload-image.sh | 10 ++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/normal.yaml b/.github/workflows/normal.yaml
index c82ba45..9636f3b 100644
--- a/.github/workflows/normal.yaml
+++ b/.github/workflows/normal.yaml
@@ -18,6 +18,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: read-all + defaults: run: shell: bash
@@ -138,7 +140,7 @@ jobs: - name: Build package (nix) run: | - just nix-develop-ci nix-package + just nix-develop-ci just nix-package - name: Build container image (nix) run: |
@@ -153,6 +155,9 @@ jobs: if: ${{ inputs.is_release }} + permissions: + packages: write + env: CI_IS_RELEASE: true
@@ -176,6 +181,9 @@ jobs: just nix-develop-ci just nix-image - name: Push image (if release) + env: + REGISTRY_USERNAME: ${{ github.repository_owner }} + REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} run: | just nix-develop-ci tools/ci/upload-image.sh
diff --git a/tools/ci/upload-image.sh b/tools/ci/upload-image.sh
index 13b873c..e31f1a2 100755
--- a/tools/ci/upload-image.sh
+++ b/tools/ci/upload-image.sh
@@ -11,6 +11,14 @@ ROOT_DIR=$(git rev-parse --show-toplevel) cd "$ROOT_DIR" function main() { + + local username=${REGISTRY_USERNAME:-$USERNAME} + local password=${REGISTRY_PASSWORD:-$PASSWORD} + + if [ -z "$username" ] || [ -z "$password" ]; then + die "'USERNAME' or 'PASSWORD' env. variables not set." + fi + if ! ci_is_running; then die "This script should only be executed in CI" fi
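Review bot: `permissions: read-all` at the workflow level grants the GITHUB_TOKEN read access on every scope (actions, deployments, packages, pull-requests, and so on), which is broader than a build workflow normally needs; the usual least-privilege baseline is `permissions:` with just `contents: read`, letting the job that pushes images widen only its own block. It is still a clear tightening over an unrestricted token, so this is a narrowing suggestion rather than a blocker.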
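Review bot: A job-level `permissions:` block replaces the workflow-level set instead of extending it — every scope not listed becomes `none` — so with only `packages: write` this release job's token loses the `contents: read` that the top-level `permissions: read-all` provides. If the job checks out the repository (likely, since it builds the image from it, but the steps are outside the hunk), a checkout of a private repository will fail with this token; add `contents: read` alongside `packages: write`. The enclosing job definition starts and ends outside the hunk.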
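Review bot: The new die message `'USERNAME' or 'PASSWORD' env. variables not set.` names the fallback variables rather than the ones the workflow actually exports, so a failing run points the reader at the wrong setting; `die "'REGISTRY_USERNAME' or 'REGISTRY_PASSWORD' env. variables not set."` is the accurate text. The fallbacks `$USERNAME` and `$PASSWORD` are also generic names that some login environments pre-populate (USERNAME in particular), so the empty-check can pass with an unrelated value and the push then fails later with a confusing auth error; consider dropping the fallback or documenting it. If the script runs under `set -u` (not visible in the hunk), `${REGISTRY_USERNAME:-${USERNAME:-}}` avoids an unbound-variable abort in exactly the "not set" case the check is meant to report. main() continues outside the hunk.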
@@ -33,6 +41,8 @@ function main() { skopeo \ --insecure-policy \ copy \ + --dest-username <(echo "$username") \ + --dest-password <(echo "$password") \ --dest-authfile "$HOME/.docker/config.json" \ "docker-archive://$image_path" \ "docker://$image_name"
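Review bot: `--dest-username <(echo "$username")` and `--dest-password <(echo "$password")` hand skopeo a `/dev/fd/N` path, not the credential: skopeo's `--dest-username`/`--dest-password` take the value as a plain string (reading a secret from a file descriptor is what `skopeo login --password-stdin` does, and `skopeo copy` has no such option), so the push authenticates with the wrong username and password. Passing `"$username"` and `"$password"` directly would work but puts the token on the command line where the runner's process list can see it; the safer form is a separate `skopeo login --username "$username" --password-stdin --authfile "$HOME/.docker/config.json" <REGISTRY-HOST> <<<"$password"` before the copy, keeping only the existing `--dest-authfile` on the copy itself. `<REGISTRY-HOST>` is a placeholder — the host is not visible in the hunk and should be the one in `$image_name`. main() starts outside the hunk.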