chore(ci): update publish workflow to use package.nix for versioning

tembleking · tembleking · commit 0f25f5c95f5b · 2025-11-20T14:13:54.000+01:00
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -6,7 +6,7 @@ on:
     branches:
       - main
     paths:
-      - pyproject.toml
+      - package.nix
 
 concurrency:
   group: 'publish-${{ github.workflow }}'
@@ -24,10 +24,10 @@ jobs:
           fetch-tags: true
           fetch-depth: 0
 
-      - name: Extract version from pyproject.toml
+      - name: Extract version from package.nix
         id: extract
         run: |
-          VERSION=$(grep -m1 '^version\s*=' pyproject.toml | sed -E 's/version\s*=\s*"([^"]+)".*/\1/')
+          VERSION=$(grep -m1 'version\s*=' package.nix | sed -E 's/.*version\s*=\s*"([^"]+)";.*/\1/')
           echo "Extracted version: v$VERSION"
           echo "version=v$VERSION" >> $GITHUB_OUTPUT
 
@@ -59,7 +59,6 @@ jobs:
     permissions:
       contents: read # required for actions/checkout
       packages: write # required for pushing to ghcr.io
-      id-token: write # required for signing with cosign
     steps:
       - name: Check out the repo
         uses: actions/checkout@v5
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -1,15 +1,10 @@
----
 name: Test
 
 on:
   pull_request:
-    paths:
-      - pyproject.toml
-      - Dockerfile
-      - "*.py"
-      - tests/**
-      - tools/**
-      - utils/**
+    branches:
+      - main
+      - master
   workflow_call:
   workflow_dispatch:
 
@@ -24,23 +19,30 @@ jobs:
     defaults:
       run:
         shell: nix develop --command bash {0}
-    permissions:
-      contents: read # required for actions/checkout
     steps:
       - name: Check out the repo
         uses: actions/checkout@v4
 
       - name: Install nix
         uses: DeterminateSystems/nix-installer-action@main
 
-      - name: Download dependencies
-        run: make init
-
-      - name: Run ruff
-        run: make lint
-
-      - name: Run Unit Tests
-        run: make test
+      - name: Run Checks
+        run: just check
         env:
           SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
           SYSDIG_MCP_API_SECURE_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Install nix
+        uses: DeterminateSystems/nix-installer-action@main
+
+      - name: Build
+        run: go build ./...
diff --git a/.github/workflows/test_image.yaml b/.github/workflows/test_image.yaml
@@ -3,14 +3,9 @@ name: Test Image Build
 
 on:
   pull_request:
-    paths:
-      - pyproject.toml
-      - Dockerfile
-      - "*.py"
-      - tests/**
-      - tools/**
-      - utils/**
-      - .github/workflows/**
+    branches:
+      - main
+      - master
   workflow_call:
   workflow_dispatch:
 
@@ -32,23 +27,20 @@ jobs:
           ref: ${{ github.sha }} # required for better experience using pre-releases
           fetch-depth: "0" # Required due to the way Git works, without it this action won't be able to find any or the correct tags
 
-      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Build Docker image and test push action
         id: build-to-test
         uses: docker/build-push-action@v6
         with:
           context: .
           load: true
-          push: true
+          push: false
           tags: |
             ghcr.io/sysdiglabs/sysdig-mcp-server:test
 
+      - name: Test we can execute the docker image
+        run: |
+          docker run --rm ghcr.io/sysdiglabs/sysdig-mcp-server:test --help | grep "Sysdig MCP Server"
+
       - name: Scan Docker image
         uses: sysdiglabs/scan-action@v6
         with:
diff --git a/Dockerfile b/Dockerfile
@@ -9,16 +9,15 @@ COPY . /app
 # Build the default package from the flake
 # This will produce a 'result' symlink in the working directory
 RUN nix build .#default
-RUN cp ./result/bin/server /app/sysdig-mcp-server
 
 # Final image
 # quay.io/sysdig/sysdig-mini-ubi9:1
 FROM quay.io/sysdig/sysdig-mini-ubi9@sha256:dcef7a07dc6a8655cbee5e2f3ad7822dea5a0cf4929b1b9effa39e56ce928ca0
 
 # Copy the binary from the builder stage
-COPY --from=builder /app/sysdig-mcp-server /sysdig-mcp-server
+COPY --from=builder /app/result/bin/sysdig-mcp-server /usr/local/bin/sysdig-mcp-server
 
 # Run as non-root user (numeric ID)
 USER 1000
 
-ENTRYPOINT ["/sysdig-mcp-server"]
+ENTRYPOINT ["sysdig-mcp-server"]
diff --git a/flake.nix b/flake.nix
@@ -31,18 +31,14 @@
             with pkgs;
             mkShell {
               packages = [
-                pre-commit
-                basedpyright
                 ginkgo
                 go_1_25
                 gofumpt
+                golangci-lint
                 just
                 mockgen
-                python3
-                ruff
+                pre-commit
                 sd
-                sysdig-cli-scanner
-                uv
               ];
               shellHook = ''
                 pre-commit install
diff --git a/package.nix b/package.nix
@@ -1,4 +1,4 @@
-{ buildGoModule }:
+{ buildGoModule, versionCheckHook }:
 buildGoModule (finalAttrs: {
   pname = "sysdig-mcp-server";
   version = "0.4.0";
@@ -18,9 +18,16 @@ buildGoModule (finalAttrs: {
   doCheck = false;
   env.CGO_ENABLED = 0;
 
+  postInstall = ''
+    mv $out/bin/server $out/bin/sysdig-mcp-server
+  '';
+
+  nativeInstallCheckInputs = [ versionCheckHook ];
+  doInstallCheck = true;
+
   meta = {
     description = "Sysdig MCP Server";
     homepage = "https://github.com/sysdiglabs/sysdig-mcp-server";
-    mainProgram = "server";
+    mainProgram = "sysdig-mcp-server";
   };
 })
