Prefer systemd container rather than sudoer #53
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Container | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| branches: | |
| - main | |
| paths-ignore: | |
| - '**.md' | |
| - '.vscode/**' | |
| - '.git**' | |
| - '!.github/workflows/container.yml' | |
| pull_request: | |
| paths-ignore: | |
| - '**.md' | |
| - '.vscode/**' | |
| - '.git**' | |
| - '!.github/workflows/container.yml' | |
| workflow_dispatch: | |
| jobs: | |
| get-meta: | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 5 | |
| outputs: | |
| started_at: ${{ steps.timestamp.outputs.started_at }} | |
| steps: | |
| - name: Get started timestamp | |
| id: timestamp | |
| run: | | |
| # Do not use ":" delimiter as iso-8601/rfc-3339, it cannot be used in container tag | |
| echo "started_at=$(date --utc '+%Y%m%d-%H%M%S-%Z')" >> "$GITHUB_OUTPUT" | |
| build_and_push: | |
| needs: [get-meta] | |
| runs-on: ubuntu-22.04 | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Logging initial dependency versions | |
| run: | | |
| podman version | |
| crun --version | |
| - name: Base setup | |
| run: | | |
| # Update crun: https://noobient.com/2023/11/15/fixing-ubuntu-containers-failing-to-start-with-systemd/ | |
| # TODO: Integrate selfup here | |
| CRUN_VER='1.14.4' | |
| mkdir -p "${HOME}/.local/bin" | |
| curl -L "https://github.com/containers/crun/releases/download/${CRUN_VER}/crun-${CRUN_VER}-linux-amd64" -o "${HOME}/.local/bin/crun" | |
| chmod +x "${HOME}/.local/bin/crun" | |
| # We can remove this since ubuntu-24.04, but keeping maybe better | |
| - name: Update crun in podman | |
| run: | | |
| mkdir -p "${HOME}/.config/containers" | |
| cat << EOF > "${HOME}/.config/containers/containers.conf" | |
| [engine.runtimes] | |
| crun = [ | |
| "${HOME}/.local/bin/crun", | |
| "/usr/bin/crun" | |
| ] | |
| EOF | |
| - name: Logging dependency versions | |
| run: | | |
| podman version | |
| crun --version | |
| - uses: actions/checkout@v4 | |
| - name: Build Image | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 #v2.13 | |
| with: | |
| image: systemd-prepared | |
| tags: latest ${{ github.sha }} ${{ needs.get-meta.outputs.started_at }} | |
| containerfiles: | | |
| containers/Containerfile | |
| oci: true | |
| - name: Run and commit Nix operations by the user while running the systemd | |
| run: | | |
| set -euxo pipefail | |
| podman run --rm systemd-prepared & | |
| sleep 1 | |
| container_name="$(podman ps --sort=created --format '{{.Names}}' | tail -1)" | |
| [ -n "$container_name" ] # May be fail with bg timing | |
| podman exec --user=user -it "$container_name" /provisioner/needs_systemd.bash | |
| podman exec --user=root -it "$container_name" rm -rf /provisioner/cleanup.bash | |
| podman commit "$container_name" ran-nix-commands-by-user | |
| podman kill "$container_name" | |
| - name: Finalize the image | |
| id: build-image | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 #v2.13 | |
| with: | |
| image: home | |
| base-image: ran-nix-commands-by-user | |
| tags: latest ${{ github.sha }} ${{ needs.get-meta.outputs.started_at }} | |
| oci: true | |
| - name: Push To ghcr.io | |
| id: push-to-ghcr | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c #v2.8 | |
| with: | |
| image: ${{ steps.build-image.outputs.image }} | |
| tags: ${{ steps.build-image.outputs.tags }} | |
| registry: ghcr.io/${{ github.repository_owner }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ github.token }} | |
| - name: Log pushed outputs | |
| if: ${{ github.event_name != 'pull_request' }} | |
| run: echo "${{ toJSON(steps.push-to-ghcr.outputs) }}" |