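# CI/CD workflow.
#
# - `test`              runs `nix flake check` on every push and pull request
# - `container-image`   builds the OCI image with Nix and pushes it to GHCR
#                       (main, v* tags, published releases, manual dispatch)
# - `release-plz-*`     cut releases / open release PRs on pushes to main
#
# Third-party actions are referenced by major-version tag. For supply-chain
# hardening consider pinning each `uses:` to a full commit SHA (keeping the
# tag in a trailing comment) so that a moved tag cannot change what runs.
name: CI/CD

# `on` looks like a YAML 1.1 boolean; GitHub's loader reads it as the trigger
# map, so a yamllint `truthy` warning on this key is a false positive.
on:
  push:
    branches:
      - main
    tags:
      - 'v*'
  pull_request:
  release:
    types: [published]
  workflow_dispatch:

# Least privilege: the workflow-wide GITHUB_TOKEN is read-only. Jobs that must
# write (push an image, create a release or PR) widen their own scope below.
# The `test` job, which also runs for pull requests, therefore no longer
# inherits write access it never uses; `actions: write` and `id-token: write`
# were not used by any step and are dropped.
permissions:
  contents: read

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Nothing in this job pushes back, so don't leave the token in .git/config.
          persist-credentials: false
      - name: Install Nix
        uses: cachix/install-nix-action@v31
        with:
          # Lets the installer make authenticated GitHub API calls (rate limits).
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
      # Anchored so the container-image job can reuse the identical cache step.
      - &cache-nix-store
        name: Cache Nix Store
        uses: nix-community/cache-nix-action@v7
        with:
          primary-key: ${{ runner.os }}-nix-${{ hashFiles('flake.lock', 'Cargo.lock') }}
          # When the lockfiles changed, fall back to the newest cache for this OS.
          restore-prefixes-first-match: |
            ${{ runner.os }}-nix-
          gc-max-store-size-linux: 2G
      - name: Run Nix checks
        run: nix flake check -L

  container-image:
    name: Build & Push Container Image
    needs: [test]
    runs-on: ubuntu-latest
    # Publish only from trusted refs or explicit triggers, never from PRs.
    if: |
      github.event_name == 'release' ||
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')))
    permissions:
      contents: read
      packages: write  # push to ghcr.io with GITHUB_TOKEN
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          # The job only reads the repository; no git push happens here.
          persist-credentials: false
      - name: Install Nix
        uses: cachix/install-nix-action@v31
        with:
          github_access_token: ${{ secrets.GITHUB_TOKEN }}
      - *cache-nix-store
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v6
        with:
          # Image tags (steps.meta.outputs.tags) are derived from the triggering ref.
          images: ghcr.io/kevinastone/lynceus
      - name: Login to GHCR
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: 📦 Build Docker Image with Nix
        # Produces ./result, a docker-archive consumed by the push step below.
        run: nix build .#image -L
      - name: ⬆️ Push Image to GHCR with Skopeo
        env:
          # Newline-separated, fully qualified image references.
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          echo "$TAGS" | while read -r tag; do
            if [ -n "$tag" ]; then
              echo "Pushing to $tag..."
              # --insecure-policy skips skopeo's signature-policy file
              # (presumably none is available on the runner). The source is the
              # local, just-built archive, so no remote signature is being trusted.
              # The destination is quoted to avoid word splitting on the tag.
              nix run .#skopeo -- --insecure-policy copy --all \
                docker-archive:./result \
                "docker://$tag"
            fi
          done

  # NOTE: tags and releases created with GITHUB_TOKEN do not start new workflow
  # runs, so the `tags: v*` / `release:` triggers above will not fire for
  # artifacts produced by release-plz; the image for such a release comes from
  # the push-to-main run that triggered release-plz.
  release-plz-release:
    name: Release-plz release
    needs: [test]
    runs-on: ubuntu-latest
    if: github.repository_owner == 'kevinastone' && github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: write  # push tags and create GitHub releases
      pull-requests: read
    steps:
      # Anchored; the release-plz-pr job reuses both steps via aliases.
      - &checkout
        name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          persist-credentials: false
      - &install-rust
        name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Run release-plz
        uses: release-plz/action@v0.5
        with:
          command: release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  release-plz-pr:
    name: Release-plz PR
    needs: [test]
    runs-on: ubuntu-latest
    if: github.repository_owner == 'kevinastone' && github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: write
      pull-requests: write  # open / update the release PR
    concurrency:
      # Serialise release-PR runs per ref; never cancel an in-flight one.
      group: release-plz-${{ github.ref }}
      cancel-in-progress: false
    steps:
      - *checkout
      - *install-rust
      - name: Run release-plz
        uses: release-plz/action@v0.5
        with:
          command: release-pr
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}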