From fb0a3cdaffe89afc9f33048edeb0f193afc00d01 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Wed, 24 May 2023 11:27:34 +0000 Subject: [PATCH] chore(ci): modernize release/container push --- .gitlab-ci.yml | 127 ++++++++++++------------------------------------- flake.nix | 10 ---- 2 files changed, 30 insertions(+), 107 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b2c0aa9b7..c630c71e3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,9 +4,9 @@ workflow: rules: - - if: '$CI_PIPELINE_SOURCE == "push"' - when: always - - when: never + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + - if: $CI_MERGE_REQUEST_ID + - if: $CI_COMMIT_TAG =~ /^v/ default: image: @@ -26,7 +26,7 @@ stages: - frontend:build - backend:build - test - - docker + - container:build - prepare release - release @@ -43,11 +43,6 @@ node dependencies: - install -v -T -m 0400 "${SSH_DEPLOY_KEY}" ~/.ssh/deploy && echo "IdentityFile ~/.ssh/deploy" >> ~/.ssh/config; - install -v -T -m 0644 "${FONTAWESOME_NPM_AUTH_FILE}" /etc/fontawesome-token - install -v -T -m 0644 "${NIX_NETRC}" /etc/nix/netrc - - | - if [ -n "${REGISTRY_AUTHFILE}" ]; then - mkdir -p ~/.docker - install -v -T -m 0400 "${REGISTRY_AUTHFILE}" ~/.docker/config.json - fi artifacts: paths: - node-dependencies.nar.xz 
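Review bot: The tag rule `$CI_COMMIT_TAG =~ /^v/` added to `workflow:rules` matches any tag that starts with `v`, whereas the job rules this commit replaces required a digit (`/^v[0-9].*/`). The same pattern is reused as the `release-rules` anchor in the `container` hunk and gates `parse changelog`, `upload container` and `release`, so a tag such as `vendor-foo` (constructed example) would run the whole release chain and move `:latest`. Using `$CI_COMMIT_TAG =~ /^v[0-9]/` in both places keeps the earlier behaviour. Whether `v*` tags are protected in the project settings is not visible here and is worth confirming, since creating a tag is now the only control on a release.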
@@ -215,49 +210,12 @@ check: retry: 2 interruptible: true -# demo docker: -# stage: docker -# script: -# - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import -# - xzcat uniworx:exe:uniworxdb.nar.xz | nix-store --import -# - source .gitlab-ci/construct-flake-url.sh -# - nix -L build -o result "${FLAKE}#uniworxDemoDocker" -# - cp -pr --reflink=auto -L result uniworx-demo.tar.gz -# before_script: *nix-before -# needs: -# - job: node dependencies # transitive -# artifacts: false -# - job: well known # transitive -# artifacts: false -# - job: frontend # tranitive -# artifacts: false -# - job: uniworx:lib:uniworx # transitive -# artifacts: false -# - job: uniworx:exe:uniworx -# artifacts: true -# - job: uniworx:exe:uniworxdb -# artifacts: true -# - job: check # sanity -# artifacts: false -# artifacts: -# paths: -# - uniworx-demo.tar.gz -# name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}" -# expire_in: "1 day" -# retry: 2 -# interruptible: true -# rules: -# - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/ -# when: manual -# allow_failure: true - -docker: - stage: docker +container: + stage: container:build script: - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import - source .gitlab-ci/construct-flake-url.sh - - nix -L build -o result "${FLAKE}#uniworxDocker" - - cp -pr --reflink=auto -L result uniworx.tar.gz + - cp -pr --reflink=auto -L $(nix build --print-out-paths "${FLAKE}#uniworxDocker") uniworx.tar.gz before_script: *nix-before needs: - job: node dependencies # transitive @@ -279,19 +237,15 @@ docker: expire_in: "1 day" retry: 2 interruptible: true - rules: - - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/ - when: manual - allow_failure: true + rules: &release-rules + - if: $CI_COMMIT_TAG =~ /^v/ parse changelog: stage: prepare release needs: - job: node dependencies artifacts: true - rules: - - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/ - when: on_success + rules: *release-rules before_script: *nix-before script: - xzcat node-dependencies.nar.xz | nix-store --import 
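Review bot: The new `cp` line in the `container` job expands `$(nix build --print-out-paths …)` unquoted, so a failed or empty build only surfaces indirectly as `cp` complaining about its operands. The `-L` build log that the old command printed is also gone. Running the build as its own step keeps the failure attributable and the path intact: `out="$(nix -L build --print-out-paths "${FLAKE}#uniworxDocker")"` followed by `cp -pr --reflink=auto -L "${out}" uniworx.tar.gz`. This matters because the archive is the artifact that `upload container` later pushes as the release image.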
@@ -310,13 +264,14 @@ parse changelog: retry: 2 interruptible: true -upload docker: - stage: docker +upload container: + variables: + GIT_STRATEGY: none + stage: release + image: quay.io/skopeo/stable:latest script: - - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import - - source .gitlab-ci/construct-flake-url.sh - - nix -L run "${FLAKE}#pushUniworxDocker" - before_script: *nix-before + - skopeo --insecure-policy copy --dest-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" docker-archive://$(pwd)/uniworx.tar.gz docker://${CI_REGISTRY_IMAGE}:${VERSION} + - skopeo --insecure-policy copy --src-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" --dest-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" docker://${CI_REGISTRY_IMAGE}:${VERSION} docker://${CI_REGISTRY_IMAGE}:latest needs: - job: node dependencies # transitive artifacts: false 
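Review bot: `image: quay.io/skopeo/stable:latest` is a mutable tag on the job that receives `CI_JOB_TOKEN` and writes `${CI_REGISTRY_IMAGE}:latest`, so whatever that tag resolves to at run time is what publishes the release image. Pinning by digest, `image: quay.io/skopeo/stable@sha256:<digest>` (placeholder), makes the tool that handles the credential reviewable. Both `skopeo copy` lines also pass the token in `--dest-creds`/`--src-creds` arguments and leave `$(pwd)` and `${CI_REGISTRY_IMAGE}:${VERSION}` unquoted. Running `skopeo login --password-stdin` before the copies and quoting the references would keep the token out of the argument list and make an empty `VERSION` fail clearly. `VERSION` is presumably supplied by `parse changelog`, which is outside this hunk.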
@@ -326,51 +281,29 @@ upload docker: artifacts: false - job: uniworx:lib:uniworx # transitive artifacts: false - - job: uniworx:exe:uniworx + - job: uniworx:exe:uniworx # transitive + artifacts: false + - job: container + artifacts: true + - job: parse changelog artifacts: true - job: check # sanity artifacts: false - rules: - - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/ - when: on_success - -# upload demo docker: -# stage: docker -# script: -# - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import -# - xzcat uniworx:exe:uniworxdb.nar.xz | nix-store --import -# - source .gitlab-ci/construct-flake-url.sh -# - nix -L run "${FLAKE}#pushUniworxDemoDocker" -# before_script: *nix-before -# needs: -# - job: node dependencies # transitive -# artifacts: false -# - job: well known # transitive -# artifacts: false -# - job: frontend # tranitive -# artifacts: false -# - job: uniworx:lib:uniworx # transitive -# artifacts: false -# - job: uniworx:exe:uniworx -# artifacts: true -# - job: uniworx:exe:uniworxdb -# artifacts: true -# - job: check # sanity -# artifacts: false -# rules: -# - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/ -# when: on_success + rules: *release-rules + retry: 2 release: variables: GIT_STRATEGY: none stage: release image: registry.gitlab.com/gitlab-org/release-cli:latest - rules: - - if: $CI_COMMIT_REF_NAME =~ /^v[0-9].*/ - when: on_success + rules: *release-rules script: - - release-cli create --name "${VERSION}" --tag-name $CI_COMMIT_TAG --description .current-changelog.md + - echo "Will create release ${VERSION}..." + release: + name: '$VERSION' + tag_name: '$CI_COMMIT_TAG' + description: .current-changelog.md needs: - job: check # sanity artifacts: false diff --git a/flake.nix b/flake.nix index 6a598026c..6c5489232 100644 --- a/flake.nix +++ b/flake.nix 
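Review bot: `release` and `upload container` now both sit in stage `release`, and the `needs:` list of `release` visible at the end of this hunk starts with `check` and continues outside it. If `upload container` is not listed there, the GitLab release can be created while the image push has failed or is still in one of its `retry: 2` attempts. That would leave a published release whose `:latest` image is still the previous version. Adding `- job: upload container` with `artifacts: false` to that list would order the two jobs.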
@@ -124,14 +124,6 @@ haskellFlake = pkgs.uniworx.flake {}; - mkPushDocker = { imageName, dockerImage, defaultRegistry ? "docker://registry.uniworx.de/fradrive/fradrive" }: pkgs.writeScriptBin "push-${dockerImage.imageName}" '' - #!${pkgs.zsh}/bin/zsh -xe - - target=''${1:-${defaultRegistry}/${imageName}:${dockerImage.imageTag}} - [[ -n "''${1}" ]] && shift - ${pkgs.skopeo}/bin/skopeo --tmpdir ''${TMPDIR:-/var/tmp} ''${@} --insecure-policy copy docker-archive://${dockerImage} ''${target} - ''; - inherit (pkgs.lib) recursiveUpdate; in { packages = haskellFlake.packages // { @@ -139,8 +131,6 @@ }; apps = haskellFlake.apps // { - pushUniworxDemoDocker = flake-utils.lib.mkApp { drv = mkPushDocker { imageName = "uniworx-demo"; dockerImage = pkgs.uniworxDemoDocker; }; }; - pushUniworxDocker = flake-utils.lib.mkApp { drv = mkPushDocker { imageName = "uniworx"; dockerImage = pkgs.uniworxDocker; }; }; calculateMaterializedSha = flake-utils.lib.mkApp { drv = pkgs.uniworx.stack-nix.passthru.calculateMaterializedSha; exePath = ""; }; jqChangelogJson = flake-utils.lib.mkApp { drv = pkgs.jqChangelogJson; }; };