Erich Blume
bd0ff30d3f
All checks were successful
Build Container / detect (push) Successful in 3s
## Summary - Merges `build-container.yaml` and `build-container-nix.yaml` into a single workflow - Detect job classifies each changed container by presence of `Dockerfile` and/or `default.nix` - Dockerfile containers build on `k8s` (indri) via Dagger; Nix containers build on `nix-container-builder` (ringtail) via nix-build + skopeo - Containers with both build files (alloy, nettest, ntfy) get built on both runners ## Test plan - [ ] Push a change to a Dockerfile-only container (e.g. grafana) — verify it builds on k8s only - [ ] Push a change to a nix-only container (e.g. jobsync) — verify it builds on nix-container-builder only - [ ] Push a change to a dual container (e.g. ntfy) — verify it builds on both runners - [ ] Test workflow_dispatch with a specific container name 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #306
3.1 KiB
3.1 KiB
| title | modified | tags | |||
|---|---|---|---|---|---|
| Dagger | 2026-03-06 |
|
Dagger
Build engine for BlumeOps CI/CD pipelines. Replaces shell-based build scripts with Python functions that run identically locally and in CI.
Quick Reference
| Property | Value |
|---|---|
| Module | blumeops-ci |
| Engine Version | v0.20.1 |
| SDK | Python |
| Source | .dagger/src/blumeops_ci/main.py |
| Config | dagger.json |
Functions
| Function | Signature | Description |
|---|---|---|
build |
(src, container_name) → Container |
Build a container from containers/<name>/Dockerfile |
publish |
(src, container_name, version, registry?) → str |
Build and push to registry (default: registry.ops.eblu.me) |
build_nix |
(src, container_name) → File |
Build a nix container from containers/<name>/default.nix, return docker-archive tarball |
nix_version |
(package) → str |
Extract the version of a nixpkgs package |
build_docs |
(src, version) → File |
Build Quartz docs site, return docs tarball |
flake_lock |
(src, flake_path?) → File |
Resolve flake inputs, return updated flake.lock |
flake_update |
(src, flake_path?) → File |
Update all flake inputs to latest, return flake.lock |
CLI Examples
# Build a container
dagger call build --src=. --container-name=devpi
# Drop into container shell for inspection
dagger call build --src=. --container-name=devpi terminal
# Debug a failure interactively
dagger call --interactive build --src=. --container-name=devpi
# Publish a container to zot
dagger call publish --src=. --container-name=devpi --version=v1.1.0
# Build a nix container (no local nix required)
dagger call build-nix --src=. --container-name=ntfy export --path=./ntfy.tar.gz
# Check a nixpkgs package version
dagger call nix-version --package=authentik
# Build docs tarball locally
dagger call build-docs --src=. --version=dev export --path=./docs-dev.tar.gz
# Debug a docs build failure
dagger call --interactive build-docs --src=. --version=dev
# Update all ringtail flake inputs
dagger call flake-update --src=. --flake-path=nixos/ringtail \
export --path=nixos/ringtail/flake.lock
Secrets
Dagger has a first-class Secret type — values are never logged or cached. Pass secrets from environment variables using the env:VAR syntax:
dagger call release-docs \
--src=. --version=v1.6.0 \
--forgejo-token=env:FORGEJO_TOKEN \
--argocd-token=env:ARGOCD_TOKEN
In forgejo Actions, secrets are injected as env vars. Locally, mise tasks call op read to populate them.
Caveats
- Pre-1.0 API — Current version is v0.20.x. Pin the CLI version and test upgrades on a branch before adopting. See upgrade-dagger for the upgrade procedure.
- Privileged container — The Dagger engine requires privileged container access. The Forgejo runner's DinD sidecar provides this.
Related
- forgejo — CI/CD trigger layer
- zot — Container registry (publish target)
- docs — Documentation site (build target)
- manage-lockfile — Ringtail flake lockfile management