fix: CI

Signed-off-by: Gabriel Nützi <gnuetzi@gmail.com>

.github/workflows/normal.yaml

@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions: read-all
+
 defaults:
   run:
     shell: bash
@@ -138,7 +140,7 @@ jobs:
 
       - name: Build package (nix)
         run: |
-          just nix-develop-ci nix-package
+          just nix-develop-ci just nix-package
 
       - name: Build container image (nix)
         run: |
@@ -153,6 +155,9 @@ jobs:
 
     if: ${{ inputs.is_release }}
 
+    permissions:
+      packages: write
+
     env:
       CI_IS_RELEASE: true
 
@@ -176,6 +181,9 @@ jobs:
           just nix-develop-ci just nix-image
 
       - name: Push image (if release)
+        env:
+          REGISTRY_USERNAME: ${{ github.actor }}
+          REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
         run: |
           just nix-develop-ci tools/ci/upload-image.sh
 

tools/ci/upload-image.sh

@@ -11,6 +11,14 @@ ROOT_DIR=$(git rev-parse --show-toplevel)
 cd "$ROOT_DIR"
 
 function main() {
+
+    local username=${REGISTRY_USERNAME:-$USERNAME}
+    local password=${REGISTRY_PASSWORD:-$PASSWORD}
+
+    if [ -z "$username" ] || [ -z "$password" ]; then
+        die "'USERNAME' or 'PASSWORD' env. variables not set."
+    fi
+
     if ! ci_is_running; then
         die "This script should only be executed in CI"
     fi
@@ -33,6 +41,8 @@ function main() {
         skopeo \
             --insecure-policy \
             copy \
+            --dest-username <(echo "$username") \
+            --dest-password <(echo "$password") \
             --dest-authfile "$HOME/.docker/config.json" \
             "docker-archive://$image_path" \
             "docker://$image_name"