Set up CI/CD to push agent images to container registry

t-421 · WorkTask
Created 1 month ago · Updated 1 month ago

Description


Set up CI/CD to push agent container images to a container registry.

Context

Agent container images are built via Nix (Omni/Agentd/Images/*.nix) but currently only loaded locally via docker load. For k8s deployment, images need to be in a registry that k8s can pull from.

Current State

  • Images defined in Omni/Agentd/Images/Base.nix, Git.nix, Haskell.nix
  • Built via bild Omni/Agentd/Images/Base.nix
  • Output is a tarball loadable via docker load
  • No automated push to registry

Goals

1. Choose a registry (GitHub Container Registry recommended)
2. Set up authentication
3. Add CI step to build and push on changes
4. Tag images appropriately (version, latest, git sha)

Implementation

1. Registry Choice

Recommend GitHub Container Registry (ghcr.io):

  • Free for public repos
  • Integrated with GitHub Actions
  • Simple auth via GITHUB_TOKEN

Alternatives: Docker Hub, ECR, GCR, self-hosted

2. Manual Push Script

Create Omni/Agentd/push-images.sh:

#!/usr/bin/env bash
set -euo pipefail

REGISTRY="${REGISTRY:-ghcr.io/your-org}"
TAG="${TAG:-latest}"

for image in Base Git Haskell; do
  echo "Building $image..."
  bild "Omni/Agentd/Images/$image.nix"
  
  tarball="_/nix/Omni/Agentd/Images/$image.nix"
  name=$(echo "$image" | tr '[:upper:]' '[:lower:]')
  
  echo "Loading $image..."
  docker load < "$tarball"
  
  echo "Tagging $image..."
  docker tag "agent-$name:latest" "$REGISTRY/agent-$name:$TAG"
  
  echo "Pushing $image..."
  docker push "$REGISTRY/agent-$name:$TAG"
done

echo "Done!"

3. CI Integration

If using GitHub Actions, add to .github/workflows/ci.yml:

push-images:
  runs-on: ubuntu-latest
  if: github.ref == 'refs/heads/main'
  permissions:
    contents: read
    packages: write   # GITHUB_TOKEN can only push to ghcr.io with this scope
  steps:
    - uses: actions/checkout@v4
    
    - uses: cachix/install-nix-action@v24
    
    - name: Login to GHCR
      run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
    
    - name: Build and push images
      run: |
        export REGISTRY=ghcr.io/${{ github.repository_owner }}
        export TAG=${{ github.sha }}
        ./Omni/Agentd/push-images.sh
        
        # Also tag as latest
        export TAG=latest
        ./Omni/Agentd/push-images.sh

4. Update K8s Manifests

Update any k8s manifests to use the registry path:

image: ghcr.io/your-org/agent-base:latest
# or pinned:
image: ghcr.io/your-org/agent-base:abc123
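A git-sha tag is still a mutable reference that the registry can re-point, so a manifest that should be reproducible is better pinned by digest. The script below is an added example, not one of the task's own scripts: it extracts every `image:` value from a manifest and fails when any of them is not digest-pinned; the manifests and the sha256 digest it uses are constructed sample data.

```shell
# Added example (not from the task): fail CI when a manifest references an image by mutable tag, not digest.
set -eu

# Print the value of every `image:` key in a manifest, stripping an
# optional leading "- " and surrounding quotes.
extract_image_refs() {
  sed -n 's/^[[:space:]]*-*[[:space:]]*image:[[:space:]]*"*\([^"[:space:]]*\)"*.*$/\1/p' "$1"
}

# Succeed only if the reference ends in @sha256:<64 hex chars>.
is_digest_pinned() {
  digest="${1##*@sha256:}"
  [ "$digest" != "$1" ] && [ "${#digest}" -eq 64 ] &&
    [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ]
}

# Print every image reference in the manifest that is not digest-pinned.
find_unpinned_images() {
  extract_image_refs "$1" | while IFS= read -r ref; do
    is_digest_pinned "$ref" || printf '%s\n' "$ref"
  done
}

# CI entry point: list offenders on stderr and return 1 if any are unpinned.
lint_manifest() {
  unpinned="$(find_unpinned_images "$1")"
  [ -z "$unpinned" ] && return 0
  printf 'mutable image references in %s:\n%s\n' "$1" "$unpinned" >&2
  return 1
}

# Constructed sample manifests; the digest is a placeholder, not a real image.
FAKE_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
BAD_MANIFEST="$(mktemp)"; GOOD_MANIFEST="$(mktemp)"
cat >"$BAD_MANIFEST" <<EOF
spec:
  containers:
    - image: ghcr.io/your-org/agent-base:latest
    - image: "ghcr.io/your-org/agent-git:abc123"
  imagePullSecrets:
    - name: ghcr-secret
EOF
cat >"$GOOD_MANIFEST" <<EOF
spec:
  containers:
    - image: ghcr.io/your-org/agent-base:abc123@$FAKE_DIGEST
EOF
lint_manifest "$GOOD_MANIFEST" && echo "pinned manifest passes"
lint_manifest "$BAD_MANIFEST" || echo "mutable manifest rejected"
```

The `imagePullSecrets` key is deliberately present in the sample so the check shows it matches only `image:` keys and not other keys that start with the same word.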

5. Image Pull Secrets (if private)

If using a private registry, create a pull secret:

kubectl create secret docker-registry ghcr-secret \
  --docker-server=ghcr.io \
  --docker-username=<github-user> \
  --docker-password=<github-token>

And reference in pod spec:

imagePullSecrets:
  - name: ghcr-secret

Files to Create/Modify

  • Omni/Agentd/push-images.sh — new script
  • .github/workflows/ci.yml — add push job (if using GitHub Actions)
  • Omni/Agentd/README.md — document the process

Testing

1. Run push script manually with valid credentials
2. Verify images appear in registry
3. Pull image from registry on a different machine
4. Run container from pulled image

Acceptance Criteria

  • [ ] Push script exists and works
  • [ ] CI pushes on main branch changes
  • [ ] Images tagged with git sha and latest
  • [ ] Images pullable from k8s cluster
  • [ ] Process documented in README

Timeline (3)

💬 [human] 1 month ago

Added Omni/Ide/push.sh --images to build/load/push agent images to DO registry (auto-create via doctl) and documented in Omni/Agentd/README.md.

🔄 [human] Open → Done 1 month ago