tenseleyflow/shithub / 0bffad9

+name: runner image

+

+on:

+  workflow_dispatch:

+    inputs:

+      image:

+        description: "Destination image name; blank publishes under this repo's GHCR namespace"

+        required: false

+        default: ""

+      tag:

+        description: "Destination image tag"

+        required: true

+        default: "1.0"

+

+permissions:

+  contents: read

+  id-token: write

+  packages: write

+

+env:

+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

+

+jobs:

+  build:

+    runs-on: ubuntu-latest

+    steps:

+      - uses: actions/checkout@v4

+

+      - uses: DeterminateSystems/determinate-nix-action@v3

+

+      - name: Resolve destination image

+        id: image

+        env:

+          INPUT_IMAGE: ${{ inputs.image }}

+          INPUT_TAG: ${{ inputs.tag }}

+          REPOSITORY: ${{ github.repository }}

+        run: |

+          set -euo pipefail

+          image="$INPUT_IMAGE"

+          if [ -z "$image" ]; then

+            image="ghcr.io/${REPOSITORY,,}/runner-nix"

+          fi

+          case "$image" in

+            *[!a-z0-9/:._-]* | "")

+              echo "invalid image name: $image" >&2

+              exit 2

+              ;;

+          esac

+          case "$INPUT_TAG" in

+            *[!A-Za-z0-9_.-]* | "")

+              echo "invalid image tag: $INPUT_TAG" >&2

+              exit 2

+              ;;

+          esac

+          printf 'image=%s\n' "$image" >> "$GITHUB_OUTPUT"

+          printf 'tag=%s\n' "$INPUT_TAG" >> "$GITHUB_OUTPUT"

+

+      - name: Build image tarball

+        run: nix build ./deploy/runner-images#runnerImage --print-build-logs

+

+      - name: Load image

+        run: docker load < result

+

+      - name: Tag image

+        run: docker tag ghcr.io/shithub/runner-nix:1.0 "${{ steps.image.outputs.image }}:${{ steps.image.outputs.tag }}"

+

+      - name: Login to GHCR

+        uses: docker/login-action@v3

+        with:

+          registry: ghcr.io

+          username: ${{ github.actor }}

+          password: ${{ secrets.GITHUB_TOKEN }}

+

+      - name: Push image

+        run: docker push "${{ steps.image.outputs.image }}:${{ steps.image.outputs.tag }}"

+# shithub runner image

+

+`flake.nix` builds the default S41d runner container image:

+

+```sh

+nix build ./deploy/runner-images#runnerImage

+docker load < result

+```

+

+The image tag is `ghcr.io/shithub/runner-nix:1.0`, matching

+`internal/runner/config`'s default. `flake.lock` pins nixpkgs so the

+image input set is reviewable and repeatable. The image intentionally

+contains only the baseline tools needed for v1 `run:` steps and checkout

+plumbing:

+`bash`, coreutils, git, curl, CA certificates, gnupg, gcc, gnumake,

+archive tools, OpenSSH, and `shithub-shallow-checkout`.

+

+Publishing is handled by `.github/workflows/runner-image.yml`. That

+workflow is manual because the GHCR namespace may differ between the

+upstream project and self-hosted forks. Leave the image input blank to

+publish under the current repository's GHCR namespace, or override it

+with `ghcr.io/shithub/runner-nix` for the upstream package.

+{

+  "nodes": {

+    "nixpkgs": {

+      "locked": {

+        "lastModified": 1778003029,

+        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",

+        "owner": "NixOS",

+        "repo": "nixpkgs",

+        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",

+        "type": "github"

+      },

+      "original": {

+        "owner": "NixOS",

+        "ref": "nixos-25.11",

+        "repo": "nixpkgs",

+        "type": "github"

+      }

+    },

+    "root": {

+      "inputs": {

+        "nixpkgs": "nixpkgs"

+      }

+    }

+  },

+  "root": "root",

+  "version": 7

+}

+{

+  description = "shithub Actions default runner image";

+

+  inputs = {

+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";

+  };

+

+  outputs = { self, nixpkgs }:

+    let

+      systems = [ "x86_64-linux" "aarch64-linux" ];

+      forAllSystems = nixpkgs.lib.genAttrs systems;

+    in

+    {

+      packages = forAllSystems (system:

+        let

+          pkgs = import nixpkgs { inherit system; };

+          checkoutHelper = pkgs.writeShellApplication {

+            name = "shithub-shallow-checkout";

+            runtimeInputs = [

+              pkgs.git

+              pkgs.coreutils

+            ];

+            text = ''

+              set -euo pipefail

+

+              if [ "$#" -ne 3 ]; then

+                echo "usage: shithub-shallow-checkout <repo-url> <sha> <dest>" >&2

+                exit 2

+              fi

+

+              repo_url="$1"

+              sha="$2"

+              dest="$3"

+

+              mkdir -p "$dest"

+              cd "$dest"

+              git init

+              git remote add origin "$repo_url"

+              git fetch --depth=1 origin "$sha"

+              git checkout --detach FETCH_HEAD

+            '';

+          };

+          imageRoot = pkgs.buildEnv {

+            name = "shithub-runner-nix-root";

+            paths = [

+              pkgs.bashInteractive

+              pkgs.cacert

+              pkgs.coreutils

+              pkgs.curl

+              pkgs.findutils

+              pkgs.gcc

+              pkgs.git

+              pkgs.gnugrep

+              pkgs.gnused

+              pkgs.gnutar

+              pkgs.gzip

+              pkgs.gnupg

+              pkgs.gnumake

+              pkgs.openssh

+              pkgs.xz

+              checkoutHelper

+            ];

+            pathsToLink = [ "/bin" "/etc" ];

+          };

+        in

+        {

+          runnerImage = pkgs.dockerTools.buildLayeredImage {

+            name = "ghcr.io/shithub/runner-nix";

+            tag = "1.0";

+            contents = [ imageRoot ];

+            maxLayers = 80;

+            config = {

+              Cmd = [ "${pkgs.bashInteractive}/bin/bash" ];

+              Env = [

+                "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

+                "GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"

+                "PATH=/bin:${imageRoot}/bin"

+              ];

+              WorkingDir = "/workspace";

+              Labels = {

+                "org.opencontainers.image.title" = "shithub runner-nix";

+                "org.opencontainers.image.description" = "Default container image for shithub Actions run steps.";

+                "org.opencontainers.image.source" = "https://github.com/tenseleyFlow/shithub";

+                "org.opencontainers.image.version" = "1.0";

+                "org.opencontainers.image.licenses" = "AGPL-3.0-or-later";

+              };

+            };

+          };

+

+          default = self.packages.${system}.runnerImage;

+        });

+    };

+}