From 26e3f8b17482cff456d37639ad7bba599adef5e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?=
Date: Thu, 29 Jan 2026 13:04:29 +0100
Subject: [PATCH] Add publish container
---
publish-container/README.md | 3 ++
publish-container/action.yaml | 78 +++++++++++++++++++++++++++++++++++
2 files changed, 81 insertions(+)
create mode 100644 publish-container/README.md
create mode 100644 publish-container/action.yaml
diff --git a/publish-container/README.md b/publish-container/README.md
new file mode 100644
index 0000000..98bbef6
--- /dev/null
+++ b/publish-container/README.md
@@ -0,0 +1,3 @@
+# publish-container
+
+A Gitea Action which pushes a container to our container registry.
diff --git a/publish-container/action.yaml b/publish-container/action.yaml
new file mode 100644
index 0000000..3b09709
--- /dev/null
+++ b/publish-container/action.yaml
@@ -0,0 +1,78 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/github-action.json
+name: "publish-container"
+description: "Publishes a Container to a Gitea-hosted Container registry."
+inputs:
+ project:
+ description: "Name of the project to containerize eg. fvcomkit"
+ required: true
+ container-token:
+ description: "Token with which to authenticate to the Container registry."
+ required: true
+ registry:
+ description: "Gitea registry domain, e.g. git.oceanbox.io"
+ required: true
+ default: "git.oceanbox.io"
+ registry-owner:
+ description: "Registry owner/organization name, e.g. oceanbox."
+ required: true
+ default: "oceanbox"
+runs:
+ using: "composite"
+ steps:
+ - name: Set image metadata
+ id: envvars
+ shell: bash
+ run: |
+ SHA="${{ github.sha }}"
+ REPO="${{ github.repository }}"
+ # To lowercase
+ REPO_NAME="${REPO,,}"
+
+ if [ "${{ github.ref_type }}" == "tag" ]; then
+ IMAGE_TAG="${{ github.ref_name }}"
+ ENV="Release"
+ else
+ IMAGE_TAG="${SHA:0:8}-debug"
+ ENV="Debug"
+ fi
+
+ IMAGE_NAME="${{ inputs.registry }}/$REPO_NAME/${{ inputs.project }}:$IMAGE_TAG"
+
+ echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+ echo "IMAGE_NAME=$IMAGE_NAME" >> "$GITHUB_OUTPUT"
+ echo "ENV=$ENV" >> "$GITHUB_OUTPUT"
+ - name: Build and push container
+ if: github.event_name != 'pull_request'
+ shell: bash
+ run: |
+ # Configure container policy to accept insecure registry
+ mkdir -p ~/.config/containers
+ echo '{"default":[{"type":"insecureAcceptAnything"}]}' > ~/.config/containers/policy.json
+
+ # Skopeo temp dirs
+ mkdir -p /tmp/skopeo
+ chmod 755 /tmp/skopeo || true
+
+ export TMPDIR=/tmp/skopeo
+ export TMP=/tmp/skopeo
+ export TEMP=/tmp/skopeo
+ export XDG_RUNTIME_DIR=/tmp/skopeo
+
+ # Login to registry
+ skopeo login \
+ --username "${{ github.actor }}" \
+ --password "${{ inputs.container-token }}" \
+ "${{ vars.REGISTRY }}"
+
+ # Build container
+ nix-build -A containers."${{ inputs.project
}}" \
+ --argstr env "${{ steps.envvars.outputs.ENV }}"
+
+ ls -alh ./result
+ skopeo inspect docker-archive://$(readlink -f ./result)
+
+ echo "Pushing image: ${{ steps.envvars.outputs.IMAGE_NAME }}"
+ skopeo copy \
+ --tmpdir /tmp/skopeo \
+ docker-archive://$(readlink -f ./result) \
+ docker://${{ steps.envvars.outputs.IMAGE_NAME }}
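Review bot: Both `run:` blocks splice `${{ ... }}` expressions directly into the bash text (`github.ref_name` in the first step; `inputs.project`, `inputs.container-token` and the step outputs in the second), so a tag name or input containing quotes or shell metacharacters is interpreted as script rather than data. The token is also passed via `--password`, which exposes it in the process argument list on the runner. I would pass every value through `env:` and read the token with `--password-stdin`, as sketched below for the second step; the first step needs the same `env:` treatment. Separately, the login targets `${{ vars.REGISTRY }}` while the push target is built from `inputs.registry` (and `registry-owner` is never used), so credentials can go to a different host than the one pushed to; the sketch logs in to `inputs.registry`. The comment above `policy.json` says "insecure registry", but `insecureAcceptAnything` disables image signature policy for this user, and if the runner's home directory persists between jobs it affects later jobs too, so either say that in the comment or pass a per-invocation `--policy` file instead.

```yaml
    - name: Build and push container
      if: github.event_name != 'pull_request'
      shell: bash
      env:
        REGISTRY: "${{ inputs.registry }}"
        REGISTRY_USER: "${{ github.actor }}"
        REGISTRY_TOKEN: "${{ inputs.container-token }}"
        PROJECT: "${{ inputs.project }}"
        BUILD_ENV: "${{ steps.envvars.outputs.ENV }}"
        IMAGE_NAME: "${{ steps.envvars.outputs.IMAGE_NAME }}"
      run: |
        # … unchanged: policy.json and temp-dir setup …

        # Login to registry (token read from stdin, not argv)
        printf '%s' "$REGISTRY_TOKEN" | skopeo login \
          --username "$REGISTRY_USER" \
          --password-stdin \
          "$REGISTRY"

        # Build container
        nix-build -A "containers.$PROJECT" \
          --argstr env "$BUILD_ENV"

        # … unchanged: ls and skopeo inspect …

        echo "Pushing image: $IMAGE_NAME"
        skopeo copy \
          --tmpdir /tmp/skopeo \
          "docker-archive://$(readlink -f ./result)" \
          "docker://$IMAGE_NAME"
```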