diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
index 97df33c..76a37a5 100644
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -42,9 +42,8 @@ jobs:
 - uses: cachix/cachix-action@v14
 continue-on-error: true
 with:
- name: teepot
+ name: nixsgx
 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- extraPullNames: nixsgx
 - name: cargo clippy
 run: nix develop -L --ignore-environment -c cargo clippy --all --locked
@@ -59,8 +58,29 @@ jobs:
 - uses: cachix/cachix-action@v14
 continue-on-error: true
 with:
- name: teepot
+ name: nixsgx
 authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- extraPullNames: nixsgx
+
+ # Cache any artifacts that aren't already cached at https://cache.nixos.org
+ - name: Enable magic Nix cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
+
 - name: nix build
 run: nix run nixpkgs#nixci
+
+ - name: Log in to Docker Hub
+ if: ${{ github.event_name == 'push' }}
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USER }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Load and push
+ if: ${{ github.event_name == 'push' }}
+ run: |
+ nix build -L .#container-verify-attestation
+ export IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
+ echo "Pushing image ${IMAGE_TAG} to Docker Hub"
+ echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
+ docker push "${IMAGE_TAG}"
+ docker push "${IMAGE_TAG%:*}:latest"
diff --git a/packages/container-verify-attestation/default.nix b/packages/container-verify-attestation/default.nix
new file mode 100644
index 0000000..0f43011
--- /dev/null
+++ b/packages/container-verify-attestation/default.nix
@@ -0,0 +1,12 @@
+{ lib
+, dockerTools
+, teepot
+, ...
+}:
+dockerTools.buildImage {
+ name = "verify-attestation";
+ copyToRoot = [
+ teepot.teepot.verify_attestation
+ ];
+ config = { Cmd = [ "${teepot.teepot.verify_attestation}/bin/verify-attestation" ]; };
+}
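Review bot: The `Load and push` step pushes `${IMAGE_TAG%:*}:latest` without ever creating that tag locally — `docker load` only restores the tag baked into the tarball, so the second `docker push` fails with a missing-tag error unless a `docker tag "${IMAGE_TAG}" "${IMAGE_TAG%:*}:latest"` precedes it. The same script also hides failures: `export IMAGE_TAG=$(...)` masks the pipeline's exit status, so an unmatched `grep` leaves `IMAGE_TAG` empty and the step carries on into `docker push ""`; dropping `export`, adding `set -euo pipefail` and checking the variable is non-empty closes that. Gating only on `github.event_name == 'push'` means that, if the workflow's `on:` block (outside this hunk) triggers on pushes to non-default branches, a feature-branch push overwrites `latest`; add a `github.ref` condition for the branch that is meant to own that tag. Separately, `DeterminateSystems/magic-nix-cache-action@main` is a mutable ref for third-party code running in the same job that holds `CACHIX_AUTH_TOKEN` and `DOCKERHUB_TOKEN`; pin it to a release tag or, better, a full commit SHA, as the other actions here are at least pinned to versioned tags.
```yaml
      - name: Load and push
        if: ${{ github.event_name == 'push' }}
        run: |
          set -euo pipefail
          # … unchanged: nix build -L .#container-verify-attestation …
          IMAGE_TAG=$(docker load < result | grep -Po 'Loaded image.*: \K.*')
          test -n "${IMAGE_TAG}" || { echo "could not determine loaded image tag" >&2; exit 1; }
          # … unchanged: echo, GITHUB_ENV export, docker push "${IMAGE_TAG}" …
          docker tag "${IMAGE_TAG}" "${IMAGE_TAG%:*}:latest"
          docker push "${IMAGE_TAG%:*}:latest"
```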
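Review bot: `name = "verify-attestation"` carries no registry namespace, so the tag that `docker load` restores is `verify-attestation:<hash>` and the workflow's `docker push` of it targets `docker.io/library/verify-attestation`, a namespace an ordinary Docker Hub account cannot write to; either prefix the Docker Hub user or organisation here (`name = "<org>/verify-attestation";`) or retag the image under that namespace before pushing. The `lib` argument is accepted but never used, so `{ dockerTools, teepot, ... }:` is enough. A short header comment such as `# OCI image wrapping teepot's verify-attestation binary; built and pushed by .github/workflows/nix.yml` would tell the next reader what this package is for.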