From a64e0e141e2ac5e83f72560b24385e81d02781dc Mon Sep 17 00:00:00 2001
From: Edward Amsden
Date: Wed, 13 Jan 2021 07:33:09 -0500
Subject: [PATCH] build: Build docker image and publish to Docker Hub
d3c5aa74c1e introduced a Docker image intended for deploying Urbit ships This commit modifies the build.yml GitHub Actions workflow to build the docker image as part of the push/PR workflow, and adds a `release-docker.yml` workflow, which runs on any tag push `urbit-v*` and pushes the image to Docker Hub, also synchronizing the README.
Co-authored-by: Josh Lehman
---
 .github/workflows/build.yml | 19 ++++++++++--
 .github/workflows/release-docker.yml | 43 ++++++++++++++++++++++++++++
 .github/workflows/release.yml | 2 +-
 default.nix | 2 ++
 pkg/docker-image/README.md | 6 ++--
 5 files changed, 65 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/release-docker.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7b89b59c58..dc7dacb200 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,10 +47,22 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+
+ # We only want the extra nix config on linux, where it is necessary
+ # for the docker build. We don't want in on Mac, where it isn't but
+ # it breaks the nix install. The two `if` clauses should be mutually
+ # exclusive
 - uses: cachix/install-nix-action@v12
+ with:
+ extra_nix_config: |
+ system-features = nixos-test benchmark big-parallel kvm
+ if: ${{ matrix.os == 'ubuntu-latest' }}
+ - uses: cachix/install-nix-action@v12
+ if: ${{ matrix.os != 'ubuntu-latest' }}
+
 - uses: cachix/cachix-action@v8
 with:
- name: ares
+ name: ${{ secrets.CACHIX_NAME }}
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 - run: nix-build -A urbit --arg enableStatic true
@@ -58,6 +70,9 @@ jobs:
 - if: ${{ matrix.os == 'ubuntu-latest' }}
 run: nix-build -A urbit-tests
+ - if: ${{ matrix.os == 'ubuntu-latest' }}
+ run: nix-build -A docker-image
+
 haskell:
 strategy:
 fail-fast: false
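Review bot: In the first `build.yml` hunk (`@@ -47,10 +47,22 @@`), `name: ${{ secrets.CACHIX_NAME }}` turns the cache name into a secret, and GitHub does not pass secrets to runs triggered from forked pull requests, so on such runs the cachix step would get an empty name where it previously could still read the `ares` cache. The workflow's `on:` block is outside the hunk, so whether fork PRs reach this job is an assumption to confirm; if they do, a fallback such as `name: ${{ secrets.CACHIX_NAME || 'ares' }}` keeps them building. The same substitution appears in the `haskell` job hunk (`@@ -73,7 +88,7 @@`). Minor: the added comment's `We don't want in on Mac` should read `We don't want it on Mac`.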
@@ -73,7 +88,7 @@ jobs:
 - uses: cachix/install-nix-action@v12
 - uses: cachix/cachix-action@v8
 with:
- name: ares
+ name: ${{ secrets.CACHIX_NAME }}
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 - run: nix-build -A hs.urbit-king.components.exes.urbit-king --arg enableStatic true
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
new file mode 100644
index 0000000000..36657b2231
--- /dev/null
+++ b/.github/workflows/release-docker.yml
@@ -0,0 +1,43 @@
+name: release-docker
+
+on:
+ release: null
+ push:
+ tags: ['urbit-v*']
+
+jobs:
+ upload:
+ strategy:
+ matrix:
+ include:
+ - { os: ubuntu-latest, system: x86_64-linux }
+
+ runs-on: ${{ matrix.os }}
+
+ steps:
+ - uses: actions/checkout@v2
+ - uses: cachix/install-nix-action@v12
+ with:
+ extra_nix_config: |
+ system-features = nixos-test benchmark big-parallel kvm
+ - uses: cachix/cachix-action@v8
+ with:
+ name: ${{ secrets.CACHIX_NAME }}
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+ - uses: docker/docker-login-action@v1.8.0
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - uses: christian-korneck/update-container-description-action@v1
+ env:
+ DOCKER_USER: ${{ secrets.DOCKERHUB_USERNAME }}
+ DOCKER_PASS: ${{ secrets.DOCKERHUB_TOKEN }}
+ with:
+ destination_container_repo: ${{ secrets.DOCKERHUB_USERNAME }}/urbit
+ provider: dockerhub
+ short_description: 'Urbit: a clean-slate OS and network for the 21st century'
+ readme_file: 'pkg/docker-image/README.md'
+
+ - run: |
+ version="$(cat ./pkg/urbit/version)"
+ $(nix-build -A skopeo)/bin/skopeo --insecure-policy copy tarball:$(nix-build -A docker-image) docker://${{ secrets.DOCKERHUB_USERNAME }}/urbit:v$version
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 78a8c01037..db22e4b8de 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
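Review bot: In the new `release-docker.yml`, the two steps that receive the Docker Hub credentials reference third-party actions by mutable tags (`docker/docker-login-action@v1.8.0`, `christian-korneck/update-container-description-action@v1`), so a retagged upstream release would run unreviewed code in a job holding `DOCKERHUB_TOKEN`; pin each to a full commit SHA, e.g. `uses: christian-korneck/update-container-description-action@<full-commit-sha>  # v1` (placeholder, not a real hash). Also confirm the login reference resolves: Docker's published login action is `docker/login-action`, and a `docker/docker-login-action` repository cannot be confirmed from this page. In the final `run:` step `${{ secrets.DOCKERHUB_USERNAME }}` is expanded into the script text before the shell parses it; passing it as `env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}` and writing `"docker://${DOCKERHUB_USERNAME}/urbit:v${version}"` keeps the value out of shell parsing and quotes the target. `release: null` subscribes this credentialed job to every release activity type in addition to `urbit-v*` tag pushes, which is broader than the commit message describes and may publish the image more than once per release.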
@@ -20,7 +20,7 @@ jobs:
 - uses: cachix/install-nix-action@v12
 - uses: cachix/cachix-action@v8
 with:
- name: ares
+ name: ${{ secrets.CACHIX_NAME }}
 authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 - uses: google-github-actions/setup-gcloud@v0.2.0
diff --git a/default.nix b/default.nix
index 57bfb8b469..668b017025 100644
--- a/default.nix
+++ b/default.nix
@@ -160,6 +160,8 @@ let
 };
 };
+ inherit (pkgsNative) skopeo;
+
 # A convenience function for constructing a shell.nix for any of the
 # pkgsLocal derivations by automatically propagating any dependencies
 # to the nix-shell.
diff --git a/pkg/docker-image/README.md b/pkg/docker-image/README.md
index 5e22576226..e5e2163eed 100644
--- a/pkg/docker-image/README.md
+++ b/pkg/docker-image/README.md
@@ -10,16 +10,15 @@ To use this image, you should mount a volume with a keyfile, comet file, or exis as described below. ### Volume Mount -This image expects a volume mounted at `/urbit`. This volume should initially obtain one of +This image expects a volume mounted at `/urbit`. This volume should initially contain one of - A keyfile `.key` for a galaxy, star, planet, or moon. See the setup instructions for Urbit for information on [obtaining a keyfile](https://urbit.org/using/install/). * e.g. `sampel-palnet.key` for the planet `sampel-palnet`. - to urbit to boot a ship from an existing pier, and in most cases (other than comets) will be named for the ship. - An empty file with the extension `.comet`. This will cause Urbit to boot a [comet](https://urbit.org/docs/glossary/comet/) in a pier named for the `.comet` file (less the extension). * e.g. starting with an empty file `my-urbit-bot.comet` will result in Urbit booting a comet into the pier `my-urbit-bot` under your volume. - An existing pier as a directory ``. You can migrate an existing ship to a new docker container in this way by placing its pier under the volume. - * e.g. if your ship is `sampel-palnet` then you likely have a directory `sampel-palnet` whose path you pass to `./urbit` when starting. While your ship is not running, move this directory to the volume and then start the container. + * e.g. if your ship is `sampel-palnet` then you likely have a directory `sampel-palnet` whose path you pass to `./urbit` when starting. [Move your pier](https://urbit.org/using/operations/using-your-ship/#moving-your-pier) directory to the volume and then start the container. The first two options result in Urbit attempting to boot either the ship named by the name of the keyfile, or a comet. In both cases, after that boot is successful, the `.key` or `.comet` file will be removed from the volume and the pier will take its place. 
@@ -36,4 +35,3 @@ You likely do not want to extend this image. External applications which interac ## Development The docker image is built by a Nix derivation in the [`nix/pkgs/docker-image/default.nix`](https://github.com/urbit/urbit/tree/master/nix/pkgs/docker-image/default.nix) file under the Urbit git repository. -