From cb06e9a3090c8c34109a7837eaad8c132c84e77d Mon Sep 17 00:00:00 2001 From: guangtao Date: Fri, 23 Feb 2024 23:19:50 -0800 Subject: [PATCH] fix(CI): copyToPodman --- .github/actions/common-setup/action.yml | 1 - .github/workflows/ci.yaml | 18 +- nix/std/cells/repo/containers.nix | 6 +- nix/std/flake.lock | 336 +++++++++++++++++++++++- nix/std/flake.nix | 8 + 5 files changed, 356 insertions(+), 13 deletions(-) diff --git a/.github/actions/common-setup/action.yml b/.github/actions/common-setup/action.yml index 5ad274c..9d97b8c 100644 --- a/.github/actions/common-setup/action.yml +++ b/.github/actions/common-setup/action.yml @@ -26,7 +26,6 @@ runs: with: extra-conf: | accept-flake-config = true - github_token: ${{ inputs.SECRET_GITHUB_TOKEN }} - uses: DeterminateSystems/magic-nix-cache-action@main diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ccea3ae..934df4a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -4,6 +4,11 @@ on: push: branches: - main +env: + REGISTRY_USER: ${{ github.actor }} + REGISTRY_PASSWORD: ${{ github.token }} + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + jobs: Jupyenv: runs-on: ubuntu-latest 
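Review bot: The new workflow-level `env:` block in ci.yaml puts `REGISTRY_PASSWORD: ${{ github.token }}` into the environment of every step in every job, although only the registry login step needs it. Moving these variables to an `env:` on the login step, or passing `password: ${{ github.token }}` there directly, would keep the token out of the `run:` steps that call `nix build` and `nix run`. No `permissions:` key is visible in this hunk; if the file has none, the token carries the repository's default scopes, whereas a push to ghcr.io should only need `contents: read` and `packages: write`. The job body continues outside the hunk.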
@@ -58,16 +63,17 @@ jobs: with: SECRET_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/login-action@master + - name: Log in to ghcr.io + uses: redhat-actions/podman-login@v1 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + registry: ${{ env.IMAGE_REGISTRY }} - name: build oci-image run: | nix build ./nix/std#x86_64-linux.repo.containers.dev.out - name: copy oci-image to the register run: | - # nix run ./nix/std#x86_64-linux.repo.containers.dev.out.copyToRegistry - nix run ./nix/std\#x86_64-linux.repo.containers.dev.out.copyTo -- docker://ghcr.io/hardenedlinux/aisecurity-research-template:latest + nix run ./nix/std#x86_64-linux.repo.containers.dev.out.copyToRegistry + # nix run ./nix/std\#x86_64-linux.repo.containers.dev.out.copyTo -- docker://ghcr.io/hardenedlinux/aisecurity-research-template:latest diff --git a/nix/std/cells/repo/containers.nix b/nix/std/cells/repo/containers.nix index b5a35e7..defbaf5 100644 --- a/nix/std/cells/repo/containers.nix +++ b/nix/std/cells/repo/containers.nix @@ -1,6 +1,6 @@ { inputs, cell }: let - inherit (inputs) std; + inherit (inputs) std stdN2c; l = inputs.nixpkgs.lib // builtins; inputsPaths = inputs.omnibus.lib.omnibus.inputsToPaths [ # because it is not in the input closure of the derivation @@ -9,9 +9,11 @@ let ]; in { - dev = std.lib.ops.mkDevOCI { + dev = stdN2c.lib.ops.mkDevOCI { name = "ghcr.io/hardenedlinux/aisecurity-research-template"; tag = "latest"; + # avoid missing hash in github action + reproducible = false; devshell = inputs.cells.repo.shells.default; pkgs = [ ]; preLoadStorePaths = [ ] ++ inputsPaths; diff --git a/nix/std/flake.lock b/nix/std/flake.lock index 2489421..31f878b 100644 --- a/nix/std/flake.lock +++ b/nix/std/flake.lock 
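Review bot: The login step that receives the registry password references `redhat-actions/podman-login@v1`, a tag that can be moved; this improves on the `@master` it replaces, but a retagged release would still run with the token. Pin it to a full commit SHA, e.g. `uses: redhat-actions/podman-login@<full-commit-sha> # v1` (placeholder; take the SHA from the release you reviewed). Separately, the login is scoped to `ghcr.io/${{ github.repository_owner }}` while the image name pushed by `copyToRegistry` is hard-coded in containers.nix as `ghcr.io/hardenedlinux/...`. On a fork or after an owner rename the two would differ, and the push would presumably find no matching credentials. The earlier steps of the job are outside the hunk.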
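Review bot: `reproducible = false;` in containers.nix is set on an image published under the mutable tag `latest`, and the comment `# avoid missing hash in github action` does not say which hash is missing or when the setting can be reverted. With reproducibility off, the pushed image presumably cannot be checked by rebuilding it from this revision, so consumers have only the registry digest to pin against. I would expand the comment to something like `# TODO(<issue-ref>): build in CI fails with a missing hash when reproducible; re-enable once fixed`, where `<issue-ref>` is a placeholder for a tracking issue. The `dev` attribute set continues past the end of the hunk.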
@@ -30,6 +30,21 @@ "type": "github" } }, + "blank": { + "locked": { + "lastModified": 1625557891, + "narHash": "sha256-O8/MWsPBGhhyPoPLHZAuoZiiHo9q6FLlEeIDEXuj6T4=", + "owner": "divnix", + "repo": "blank", + "rev": "5a5d2684073d9f563072ed07c871d577a6c614a8", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "blank", + "type": "github" + } + }, "call-flake": { "locked": { "lastModified": 1697332845, @@ -45,6 +60,21 @@ "type": "github" } }, + "call-flake_2": { + "locked": { + "lastModified": 1687380775, + "narHash": "sha256-bmhE1TmrJG4ba93l9WQTLuYM53kwGQAjYHRvHOeuxWU=", + "owner": "divnix", + "repo": "call-flake", + "rev": "74061f6c241227cd05e79b702db9a300a2e4131a", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "call-flake", + "type": "github" + } + }, "dmerge": { "inputs": { "haumea": [ @@ -77,6 +107,54 @@ "type": "github" } }, + "dmerge_2": { + "inputs": { + "haumea": [ + "stdN2c", + "haumea" + ], + "nixlib": [ + "stdN2c", + "lib" + ], + "yants": [ + "stdN2c", + "yants" + ] + }, + "locked": { + "lastModified": 1686862774, + "narHash": "sha256-ojGtRQ9pIOUrxsQEuEPerUkqIJEuod9hIflfNkY+9CE=", + "owner": "divnix", + "repo": "dmerge", + "rev": "9f7f7a8349d33d7bd02e0f2b484b1f076e503a96", + "type": "github" + }, + "original": { + "owner": "divnix", + "ref": "0.2.1", + "repo": "dmerge", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flops": { "inputs": { "POP": "POP", 
@@ -122,6 +200,85 @@ "type": "github" } }, + "haumea_2": { + "inputs": { + "nixpkgs": [ + "stdN2c", + "lib" + ] + }, + "locked": { + "lastModified": 1685133229, + "narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=", + "owner": "nix-community", + "repo": "haumea", + "rev": "34dd58385092a23018748b50f9b23de6266dffc2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.2.2", + "repo": "haumea", + "type": "github" + } + }, + "incl": { + "inputs": { + "nixlib": [ + "stdN2c", + "lib" + ] + }, + "locked": { + "lastModified": 1669263024, + "narHash": "sha256-E/+23NKtxAqYG/0ydYgxlgarKnxmDbg6rCMWnOBqn9Q=", + "owner": "divnix", + "repo": "incl", + "rev": "ce7bebaee048e4cd7ebdb4cee7885e00c4e2abca", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "incl", + "type": "github" + } + }, + "lib": { + "locked": { + "lastModified": 1694306727, + "narHash": "sha256-26fkTOJOI65NOTNKFvtcJF9mzzf/kK9swHzfYt1Dl6Q=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "c30b6a84c0b84ec7aecbe74466033facc9ed103f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "n2c": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1708373500, + "narHash": "sha256-Z99xGwhrOCHbuEsygO+8079XtRg1+xNKKWjQav/TeA4=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "3680aaa3cec382e8e114c5ab6212b11df4b194c8", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, "nixlib": { "locked": { "lastModified": 1705193289, 
@@ -137,16 +294,47 @@ "type": "github" } }, + "nixpkgs": { + "locked": { + "lastModified": 1708692673, + "narHash": "sha256-qIQMXkkp3/Lo2Zu41BK/oN3Dt3b5rUJELvt+CbAXPXw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "48b75eb6e521f2303cb3cd53a94ec80021b422aa", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nosys": { + "locked": { + "lastModified": 1668010795, + "narHash": "sha256-JBDVBnos8g0toU7EhIIqQ1If5m/nyBqtHhL3sicdPwI=", + "owner": "divnix", + "repo": "nosys", + "rev": "feade0141487801c71ff55623b421ed535dbdefa", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "nosys", + "type": "github" + } + }, "omnibus": { "inputs": { "flops": "flops" }, "locked": { - "lastModified": 1708676847, - "narHash": "sha256-mLxQ+R+w710IZLkis8/Kc6z+81cS5Czd/ubAs0v9GTQ=", + "lastModified": 1708757039, + "narHash": "sha256-r1/SbtgdlmaZz8vuCZCp5KX+Z/AFyx76XTRrZBtUFGM=", "owner": "gtrunsec", "repo": "omnibus", - "rev": "99ee35d2ff66fd9aa94f26dfd618a984f0f6a9e3", + "rev": "e88b800ca69efc17b6d3719a0b4e84fca4b58117", "type": "github" }, "original": { 
@@ -155,9 +343,128 @@ "type": "github" } }, + "paisano": { + "inputs": { + "call-flake": "call-flake_2", + "nixpkgs": [ + "stdN2c", + "nixpkgs" + ], + "nosys": "nosys", + "yants": [ + "stdN2c", + "yants" + ] + }, + "locked": { + "lastModified": 1708640854, + "narHash": "sha256-EpcAmvIS4ErqhXtVEfd2GPpU/E/s8CCRSfYzk6FZ/fY=", + "owner": "paisano-nix", + "repo": "core", + "rev": "adcf742bc9463c08764ca9e6955bd5e7dcf3a3fe", + "type": "github" + }, + "original": { + "owner": "paisano-nix", + "ref": "0.2.0", + "repo": "core", + "type": "github" + } + }, + "paisano-tui": { + "flake": false, + "locked": { + "lastModified": 1708637035, + "narHash": "sha256-R19YURSK+MY/Rw6FZnojQS9zuDh+OoTAyngQAjjoubc=", + "owner": "paisano-nix", + "repo": "tui", + "rev": "231761b260587a64817e4ffae3afc15defaa15db", + "type": "github" + }, + "original": { + "owner": "paisano-nix", + "ref": "v0.5.0", + "repo": "tui", + "type": "github" + } + }, "root": { "inputs": { - "omnibus": "omnibus" + "n2c": "n2c", + "nixpkgs": "nixpkgs", + "omnibus": "omnibus", + "stdN2c": "stdN2c" + } + }, + "stdN2c": { + "inputs": { + "arion": [ + "stdN2c", + "blank" + ], + "blank": "blank", + "devshell": [ + "stdN2c", + "blank" + ], + "dmerge": "dmerge_2", + "haumea": "haumea_2", + "incl": "incl", + "lib": "lib", + "makes": [ + "stdN2c", + "blank" + ], + "microvm": [ + "stdN2c", + "blank" + ], + "n2c": [ + "n2c" + ], + "nixago": [ + "stdN2c", + "blank" + ], + "nixpkgs": [ + "nixpkgs" + ], + "paisano": "paisano", + "paisano-tui": "paisano-tui", + "terranix": [ + "stdN2c", + "blank" + ], + "yants": "yants_2" + }, + "locked": { + "lastModified": 1708758182, + "narHash": "sha256-YekGgzTiw0fLMFynUacHI5CmPv4RyCg2zN5pDRhUv3I=", + "owner": "gtrunsec", + "repo": "std", + "rev": "e75179fbd7adbdfee69466ee746d759a2c3aad29", + "type": "github" + }, + "original": { + "owner": "gtrunsec", + "ref": "mkDevOCI", + "repo": "std", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": 
"sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" } }, "yants": { @@ -182,6 +489,27 @@ "repo": "yants", "type": "github" } + }, + "yants_2": { + "inputs": { + "nixpkgs": [ + "stdN2c", + "lib" + ] + }, + "locked": { + "lastModified": 1686863218, + "narHash": "sha256-kooxYm3/3ornWtVBNHM3Zh020gACUyFX2G0VQXnB+mk=", + "owner": "divnix", + "repo": "yants", + "rev": "8f0da0dba57149676aa4817ec0c880fbde7a648d", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "yants", + "type": "github" + } } }, "root": "root", diff --git a/nix/std/flake.nix b/nix/std/flake.nix index c948f00..618594a 100644 --- a/nix/std/flake.nix +++ b/nix/std/flake.nix @@ -16,6 +16,14 @@ inputs = { omnibus.url = "github:gtrunsec/omnibus"; + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + + stdN2c.url = "github:gtrunsec/std/mkDevOCI"; + stdN2c.inputs.n2c.follows = "n2c"; + stdN2c.inputs.nixpkgs.follows = "nixpkgs"; + + n2c.url = "github:nlewo/nix2container"; + n2c.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = { omnibus, ... }@inputs:
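Review bot: `stdN2c.url = "github:gtrunsec/std/mkDevOCI";` in flake.nix takes the image builder from a feature branch of a personal fork, and nothing in the hunk records why the fork is needed. flake.lock pins the revision, so the current build is fixed, but a later `nix flake update` will follow wherever the branch then points, and a deleted or force-pushed branch can break the fetch. I would add a comment such as `# fork branch needed for mkDevOCI with nix2container; review the upstream diff before updating the lock` (adjust if the reason differs) and, if the branch is not meant to move, put the commit hash in the URL in place of the branch name. The `outputs` function starts on the last line of the hunk and its body is not shown.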