Set up CI/CD to push agent container images to a container registry.
Agent container images are built via Nix (Omni/Agentd/Images/*.nix) but currently only loaded locally via docker load. For k8s deployment, images need to be in a registry that k8s can pull from.
Omni/Agentd/Images/Base.nix, Git.nix, Haskell.nix
bild Omni/Agentd/Images/Base.nix
docker load
1. Choose a registry (GitHub Container Registry recommended)
2. Set up authentication
3. Add CI step to build and push on changes
4. Tag images appropriately (version, latest, git sha)
Recommend GitHub Container Registry (ghcr.io):
Alternative: Docker Hub, ECR, GCR, self-hosted
Create Omni/Agentd/push-images.sh:
#!/usr/bin/env bash
set -euo pipefail

# Both can be overridden from the environment (the CI job does this).
REGISTRY="${REGISTRY:-ghcr.io/your-org}"
TAG="${TAG:-latest}"

for image in Base Git Haskell; do
  echo "Building $image..."
  bild "Omni/Agentd/Images/$image.nix"

  # Image tarball produced by the build step above
  tarball="_/nix/Omni/Agentd/Images/$image.nix"
  # Registry image names are lowercase: Base -> agent-base
  name=$(echo "$image" | tr '[:upper:]' '[:lower:]')

  echo "Loading $image..."
  docker load < "$tarball"

  echo "Tagging $image..."
  docker tag "agent-$name:latest" "$REGISTRY/agent-$name:$TAG"

  echo "Pushing $image..."
  docker push "$REGISTRY/agent-$name:$TAG"
done

echo "Done!"
If using GitHub Actions, add to .github/workflows/ci.yml:
  push-images:
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main'
    # GITHUB_TOKEN needs packages: write to push to ghcr.io
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v24
      - name: Login to GHCR
        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
      - name: Build and push images
        run: |
          export REGISTRY=ghcr.io/${{ github.repository_owner }}
          export TAG=${{ github.sha }}
          ./Omni/Agentd/push-images.sh
          # Also tag as latest
          export TAG=latest
          ./Omni/Agentd/push-images.sh
Update any k8s manifests to use the registry path:
image: ghcr.io/your-org/agent-base:latest
# or pinned:
image: ghcr.io/your-org/agent-base:abc123
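A CI check for the choice above between `:latest` and a pinned reference, as an added example that is not part of the original task or the project's code: it classifies every `image:` line of a manifest and fails when any reference is mutable. It goes one step past the page by also recognising digest references (`name@sha256:...`), because a sha tag can still be re-pointed by anyone with push access to the registry while a digest cannot. The function names, org name, sha and digest in the sample are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: classify each `image:` reference in a manifest read from stdin.
#   digest   name@sha256:<64 hex>   immutable, content-addressed
#   sha-tag  name:<7-40 hex>        git-sha tag, as the CI job pushes
#   mutable  :latest, no tag, or any other tag
classify_images() {
  # Extract the reference from "image: <ref>" lines; commented-out lines never match.
  sed -nE 's/^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]*([^[:space:]#]+).*$/\2/p' |
    tr -d "\"'" |
    while IFS= read -r ref; do
      last="${ref##*/}"   # final path component, so a registry port is not read as a tag
      if printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
        echo "digest $ref"
      elif printf '%s\n' "$last" | grep -Eq ':[0-9a-f]{7,40}$'; then
        echo "sha-tag $ref"
      else
        echo "mutable $ref"
      fi
    done
}

# CI gate: print the classification, return 1 if any reference is mutable.
check_manifest() {
  report="$(classify_images)"
  printf '%s\n' "$report"
  if printf '%s\n' "$report" | grep -q '^mutable '; then
    return 1
  fi
  return 0
}

# Constructed sample manifest fragment (placeholder org, sha and digest).
sample_manifest() {
  cat <<'EOF'
spec:
  containers:
    - name: base
      image: ghcr.io/your-org/agent-base:latest
    - name: git
      image: ghcr.io/your-org/agent-git:0123456789abcdef0123456789abcdef01234567
    - name: haskell
      image: "ghcr.io/your-org/agent-haskell@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    # image: ghcr.io/your-org/agent-old:latest
EOF
}

# Demo: run with --demo to classify the sample and show the gate's result.
if [ "${1:-}" = "--demo" ]; then
  sample_manifest | check_manifest && echo "gate: pass" || echo "gate: fail"
fi
```

In CI, feed it each manifest on stdin (`check_manifest < deployment.yaml`, file name hypothetical) and let the non-zero status fail the job.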
If using a private registry, create a pull secret:
kubectl create secret docker-registry ghcr-secret \
  --docker-server=ghcr.io \
  --docker-username=<github-user> \
  --docker-password=<github-token>
And reference in pod spec:
imagePullSecrets:
  - name: ghcr-secret
Omni/Agentd/push-images.sh — new script
.github/workflows/ci.yml — add push job (if using GitHub Actions)
Omni/Agentd/README.md — document the process
1. Run push script manually with valid credentials
2. Verify images appear in registry
3. Pull image from registry on a different machine
4. Run container from pulled image
Added Omni/Ide/push.sh --images to build/load/push agent images to DO registry (auto-create via doctl) and documented in Omni/Agentd/README.md.