feat: Add option for skip pushing if the digest hasn't changed

Dockerfile

@@ -1,6 +1,21 @@
+FROM alpine as certs
+
+RUN apk --update add ca-certificates
+
 FROM gcr.io/kaniko-project/executor:debug
 
+SHELL ["/busybox/sh", "-c"]
+
+RUN mkdir -p /usr/local/bin && \
+    wget -O /usr/local/bin/jq \
+    https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
+    chmod +x /usr/local/bin/jq && \
+    wget -O /usr/local/bin/reg \
+    https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
+    chmod +x /usr/local/bin/reg
+
 COPY entrypoint.sh /
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 ENTRYPOINT ["/entrypoint.sh"]
 

README.md

@@ -39,19 +39,20 @@ the most used values. So, technically there is a single required argument
 
 ## Optional Arguments
 
-| variable         | description                                              | required | default                     |
+| variable              | description                                                     | required | default         |
-|------------------|----------------------------------------------------------|----------|-----------------------------|
+|-----------------------|-----------------------------------------------------------------|----------|-----------------|
-| registry         | Docker registry where the image will be pushed           | false    | docker.io                   |
+| registry              | Docker registry where the image will be pushed                  | false    | docker.io       |
-| username         | Username used for authentication to the Docker registry  | false    | $GITHUB_ACTOR               |
+| username              | Username used for authentication to the Docker registry         | false    | $GITHUB_ACTOR   |
-| password         | Password used for authentication to the Docker registry  | false    |                             |
+| password              | Password used for authentication to the Docker registry         | false    |                 |
-| tag              | Image tag                                                | false    | latest                      |
+| tag                   | Image tag                                                       | false    | latest          |
-| cache            | Enables build cache                                      | false    | false                       |
+| cache                 | Enables build cache                                             | false    | false           |
-| cache_ttl        | How long the cache should be considered valid            | false    |                             |
+| cache_ttl             | How long the cache should be considered valid                   | false    |                 |
-| cache_registry   | Docker registry meant to be used as cache                | false    |                             |
+| cache_registry        | Docker registry meant to be used as cache                       | false    |                 |
-| cache_directory  | Filesystem path meant to be used as cache                | false    |                             |
+| cache_directory       | Filesystem path meant to be used as cache                       | false    |                 |
-| build_file       | Dockerfile filename                                      | false    | Dockerfile                  |
+| build_file            | Dockerfile filename                                             | false    | Dockerfile      |
-| extra_args       | Additional arguments to be passed to the kaniko executor | false    |                             |
+| extra_args            | Additional arguments to be passed to the kaniko executor        | false    |                 |
-| strip_tag_prefix | Prefix to be stripped from the tag                       | false    |                             |
+| strip_tag_prefix      | Prefix to be stripped from the tag                              | false    |                 |
+| skip_unchanged_digest | Avoids pushing the image if the build generated the same digest | false    |                 |
 
 **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**
 

action.yml

@@ -41,6 +41,9 @@ inputs:
   extra_args:
     description: "Additional arguments to be passed to the kaniko executor"
     required: false
+  skip_unchanged_digest:
+    description: "Avoids pushing the image if the build generated the same digest"
+    required: false
 runs:
   using: "docker"
   image: "Dockerfile"

entrypoint.sh

@@ -45,10 +45,9 @@ export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"
 export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
 export CONTEXT="--context $GITHUB_WORKSPACE"
 export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}"
-export DESTINATION="--destination $IMAGE"
+export DESTINATION="--no-push"
 
 export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
-echo $ARGS
 
 cat <<EOF >/kaniko/.docker/config.json
 {
@@ -61,4 +60,23 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF
 
-/kaniko/executor $ARGS
+/kaniko/executor --digest-file digest --reproducible $ARGS
+
+export DIGEST=$(cat digest)
+export REMOTE=$(reg digest "$IMAGE" | tail -1)
+
+if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
+    if [ "$DIGEST" == "$REMOTE" ]; then
+        echo "Digest hasn't changed, skipping, $DIGEST"
+        exit 0
+    fi
+fi
+
+export DESTINATION="--destination $IMAGE"
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
+
+echo "Pushing image..."
+
+/kaniko/executor --reproducible $ARGS >/dev/null 2>&1
+
+echo "Done 🎉️"