Skip to content

⬒🦭

⬒🦭 #874

Workflow file for this run

name: ⬒🦭
on:
push:
tags:
- 'v*'
# Don't add branch trigger, this workflow is heavy and required to consider concurrency
# branches:
# - main
pull_request:
types:
- labeled
schedule:
# Every 11:42 and 23:42 JST
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
- cron: '42 2,14 * * *'
workflow_dispatch:
jobs:
# podman can handle lowercase. So normalize the outputs
get-meta:
runs-on: ubuntu-24.04
timeout-minutes: 5
outputs:
started_at: ${{ steps.timestamp.outputs.started_at }}
ref_tag: ${{ steps.tags.outputs.ref }}
special_tag: ${{ steps.tags.outputs.special }}
timestamp_tag: ${{ steps.tags.outputs.timestamp }}
require_comments: ${{ steps.comments.outputs.require }}
steps:
- name: Get started timestamp
id: timestamp
run: |
# Do not use ":" delimiter as iso-8601/rfc-3339, it cannot be used in container tag
echo started_at="$(date --utc '+%Y%m%d-%H%M%S-%Z')" | ruby -pe '$_.downcase!' | tee -a "$GITHUB_OUTPUT"
- name: Judge to post comments or not
id: comments
if: >-
(github.actor == github.repository_owner) && (github.event_name == 'pull_request')
run: echo -n 'require=true' | tee -a "$GITHUB_OUTPUT"
- name: Generate tags for the image
id: tags
# https://github.com/orgs/community/discussions/26557#discussioncomment-3252327
run: |
echo "timestamp=${{ steps.timestamp.outputs.started_at }}" | tee -a "$GITHUB_OUTPUT"
special=''
ref=''
if [ '${{ github.event_name }}' = 'pull_request' ]; then
special='pr-${{ github.event.number }}-${{ github.event.pull_request.head.sha }}'
ref='${{ github.event.pull_request.head.sha }}'
elif [ '${{ github.ref_name }}' = '${{ github.event.repository.default_branch }}' ]; then
special='latest'
ref='${{ github.sha }}'
else
exit 1
fi
echo "special=${special}" | tee -a "$GITHUB_OUTPUT"
echo "ref=${ref}" | tee -a "$GITHUB_OUTPUT"
minimize-old-comments:
needs: [get-meta]
if: ${{ needs.get-meta.outputs.require_comments == 'true' }}
uses: ./.github/workflows/minimize-staging-deploy-comments.yml
with:
pr-number: ${{ github.event.number }}
build_and_push:
# Do not set `cancel-in-progress: true` in main branch, it displays failure badges
# https://github.com/orgs/community/discussions/8336
concurrency:
group: 'deploy-container-${{ github.ref }}'
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
needs: [get-meta, minimize-old-comments]
if: >-
(! failure()) &&
((github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy-staging')) ||
(github.event_name != 'pull_request'))
runs-on: ubuntu-24.04
timeout-minutes: 60
steps:
- name: Logging dependency versions
run: |
podman version
crun --version
buildah version
- name: Install gh-action-escape
run: curl -fsSL https://raw.githubusercontent.com/kachick/gh-action-escape/main/scripts/install-in-github-action.sh | sh -s v0.2.0
- uses: actions/checkout@v4
- name: Build base Image
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
with:
image: systemd-prepared
containerfiles: |
containers/Containerfile
oci: true
- name: Inspect the created image
run: 'podman inspect systemd-prepared'
- name: Start systemd
id: start-systemd
run: |
set -euxo pipefail
container_id="$(podman run --detach --rm systemd-prepared)"
echo container_id="$container_id" | tee -a "$GITHUB_OUTPUT"
- name: Wait for the systemd to be ready
run: 'sleep 2'
- name: Run Nix commands and cleanup provisioners
run: |
set -euxo pipefail
podman exec --user=user -it '${{ steps.start-systemd.outputs.container_id }}' /provisioner/needs_systemd.bash
podman exec --user=root -it '${{ steps.start-systemd.outputs.container_id }}' rm -rf /provisioner
- name: Check no personal name in that config
run: |
# https://unix.stackexchange.com/a/340729
assign_stdin_to_global_command_variable() {
command="$(cat)"
}
assign_stdin_to_global_command_variable <<'EOF'
set -uxo
# https://unix.stackexchange.com/questions/311090/how-to-disable-set-x
set +e
/home/user/.nix-profile/bin/rg --hidden --follow --glob='!.local/state' --glob='!.nix-*' 'kachick1'
# Need to check the exit code if we want to make sure "not found" in grep family
# https://github.com/BurntSushi/ripgrep/issues/1290#issuecomment-761170095
ripgrep_exit_code="$?" # Do not directly use the $? to prevent inserting another command as a human error
[[ "$ripgrep_exit_code" -eq 1 ]]
EOF
podman exec --user=user --workdir=/home/user -it '${{ steps.start-systemd.outputs.container_id }}' bash -c "$command"
- name: Persist the container to image
run: |
podman commit \
--author 'https://github.com/${{github.repository}}/actions/runs/${{ github.run_id }}' \
'${{ steps.start-systemd.outputs.container_id }}' home
podman kill '${{ steps.start-systemd.outputs.container_id }}'
podman tag home home:${{ needs.get-meta.outputs.special_tag }}
podman tag home home:${{ needs.get-meta.outputs.ref_tag}}
podman tag home home:${{ needs.get-meta.outputs.timestamp_tag }}
- name: Inspect the created image
run: 'podman inspect home'
- name: Test the created image
run: |
set -euxo pipefail
container_id="$(podman run --detach --rm home:${{ needs.get-meta.outputs.started_at }})"
# shellcheck disable=SC2064
trap "podman kill '$container_id'" EXIT ERR
sleep 2 # Wait for the systemd to be ready
podman exec --user=user "$container_id" cat /etc/nix/nix.conf
podman exec --user=user --workdir='/home/user' -it "$container_id" '/home/user/.nix-profile/bin/zsh' -c 'la; lat ~/.config'
- name: Push To ghcr.io
id: push-to-ghcr
if: ${{ github.actor == github.repository_owner }}
# Using this method makes ghcr.io warning
# `No description provided`
# `To provide a description, add the following line to your Dockerfile:`
# But you have not to care this noise for now, it is happened even in redhat official
# https://github.com/kachick/dotfiles/issues/471#issuecomment-2002565514
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
with:
image: home
tags: ${{ needs.get-meta.outputs.special_tag }} ${{ needs.get-meta.outputs.ref_tag }} ${{ needs.get-meta.outputs.timestamp_tag }}
registry: ghcr.io/${{ github.repository_owner }}
username: ${{ github.repository_owner }}
password: ${{ github.token }}
- name: Inspect the package
id: inspect-package
if: ${{ github.actor == github.repository_owner }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euxo pipefail
echo "${{ toJSON(steps.push-to-ghcr.outputs) }}"
gh api --paginate \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/users/${{ github.repository_owner }}/packages/container/home/versions \
--jq '.[] | select(.name == "${{ steps.push-to-ghcr.outputs.digest }}")' | \
jq | gh-action-escape -name=json | tee -a "$GITHUB_OUTPUT"
- name: Post comments
if: ${{ needs.get-meta.outputs.require_comments == 'true' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
(
cat <<'EOF'
⬒🦭 Staging container-image has been deployed πŸš€\
You can test the interactive shell 🐚 as follows.
```bash
bash <(curl -fsSL 'https://raw.githubusercontent.com/kachick/dotfiles/${{ github.event.pull_request.head.sha }}/containers/sandbox-with-ghcr.bash') '${{ github.event.pull_request.head.sha }}'
```
The package detail
```json
${{ steps.inspect-package.outputs.json }}
```
This image will be automatically πŸ€– removed from ghcr.io πŸ—‘οΈ if you merged/closed this PR 😌
EOF
) | gh pr comment ${{ github.event.number }} --body-file -