From 5e25ae9c63e13a7e79955b4ff2d600732449fdf6 Mon Sep 17 00:00:00 2001 From: Doron Somech Date: Mon, 29 Jun 2020 15:26:53 +0300 Subject: [PATCH 01/44] refactor: Use google/go-containerregistry to push image --- Dockerfile | 6 +++++- entrypoint.sh | 17 ++++++++--------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 024c21c..627dd36 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,7 +11,11 @@ RUN wget -O /kaniko/jq \ chmod +x /kaniko/jq && \ wget -O /kaniko/reg \ https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \ - chmod +x /kaniko/reg + chmod +x /kaniko/reg && \ + wget -O /crane.tar.gz \ + https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \ + tar -xvzf /crane.tar.gz crane -C /kaniko && \ + rm crane.tar.gz COPY entrypoint.sh / COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt diff --git a/entrypoint.sh b/entrypoint.sh index c744ff4..ebbac0e 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -61,7 +61,7 @@ export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}" export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"} if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then - export DESTINATION="--no-push --digest-file digest" + export DESTINATION="--digest-file digest --tarPath image.tar --destination $IMAGE" else export DESTINATION="--destination $IMAGE" if [ ! -z $IMAGE_LATEST ]; then 
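Review bot: The crane tarball added to the `RUN` chain in the Dockerfile hunk of PATCH 01/44 is fetched with `wget` and unpacked into `/kaniko` with no integrity check, so whatever the release URL serves at build time becomes an executable that later handles registry credentials. Verify a pinned digest between the `wget` and the `tar` step, for example `echo "<EXPECTED_SHA256>  /crane.tar.gz" | sha256sum -c - && \`, where the digest is a placeholder to be filled from the release's published checksums. The jq and reg downloads in the context lines of the same `RUN` follow the same unverified pattern and would benefit from the same check. The `RUN` instruction starts above the hunk.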
@@ -101,16 +101,15 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then exit 0 fi - export DESTINATION="--destination $IMAGE" - if [ ! -z $IMAGE_LATEST ]; then - export DESTINATION="$DESTINATION --destination $IMAGE_LATEST" - fi - - export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS" - echo "Pushing image..." - /kaniko/executor --reproducible $ARGS >/dev/null 2>&1 + /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD + /kaniko/crane push image.tar $IMAGE + if [ ! -z $IMAGE_LATEST ]; then + echo "Tagging latest..." + /kaniko/crane tag $IMAGE latest + fi + echo "Done 🎉️" fi From 5be93ca286ecb023cf1dc203fe298cc4d3f17440 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 24 Aug 2020 08:42:49 +0000 Subject: [PATCH 02/44] chore(deps): pin docker digests --- .github/workflows/pr.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index a733345..0e33f9d 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -8,4 +8,4 @@ jobs: steps: - uses: actions/checkout@v1 - name: Run commitsar - uses: docker://aevea/commitsar + uses: docker://aevea/commitsar@sha256:fa4fd97f10b3ad4222d9f45cf0e9a4f28a3287118d97c38ea6b7355628b0fc88 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ea8e3c0..c749523 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: uses: actions/checkout@v1 - name: Release Notary Action - uses: docker://aevea/release-notary + uses: docker://aevea/release-notary@sha256:5eef3c539deb5397457a6acf001ef80df6004ec52bc4b8a0eac0577ad92759d0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 418284a2f209c08736480a9bc6f90d7012c4cc1b Mon Sep 17 00:00:00 2001 
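Review bot: `/kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD` in the `@@ -101,16 +101,15 @@` hunk of entrypoint.sh (PATCH 01/44) passes the registry password as a command-line argument and leaves all three expansions unquoted. The secret is then visible in the process argument list and in any shell trace, and a password containing whitespace or glob characters is split or expanded before crane receives it. Quote the expansions and, if the pinned crane release supports the flag, feed the password on stdin: `printf '%s' "$PASSWORD" | /kaniko/crane auth login "$REGISTRY" -u "$USERNAME" --password-stdin`. The same call is re-added unchanged in the `@@ -94,12 +94,9 @@` hunk of PATCH 21/44. The enclosing `if` block starts outside this hunk.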
From: Renovate Bot Date: Sat, 5 Sep 2020 13:35:24 +0000 Subject: [PATCH 03/44] chore(deps): update aevea/commitsar docker digest to caf5539 --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 0e33f9d..2b3d6d2 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -8,4 +8,4 @@ jobs: steps: - uses: actions/checkout@v1 - name: Run commitsar - uses: docker://aevea/commitsar@sha256:fa4fd97f10b3ad4222d9f45cf0e9a4f28a3287118d97c38ea6b7355628b0fc88 + uses: docker://aevea/commitsar@sha256:caf5539dd03309a539906c7ad45c2ecc0ae86a1ee2bf5dc538d7986c523526f3 From 49888d43ab6af132df9bda1669f9588e8d792811 Mon Sep 17 00:00:00 2001 From: Alex Viscreanu Date: Wed, 17 Feb 2021 10:54:13 +0100 Subject: [PATCH 04/44] fix(build): delete crane tarfile using absolute path --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 627dd36..445159b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ RUN wget -O /kaniko/jq \ wget -O /crane.tar.gz \ https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \ tar -xvzf /crane.tar.gz crane -C /kaniko && \ - rm crane.tar.gz + rm /crane.tar.gz COPY entrypoint.sh / COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt From e03153c634718f2e04bdb0c85cd021564dfc955e Mon Sep 17 00:00:00 2001 From: Doron Somech Date: Tue, 8 Jun 2021 15:52:09 +0300 Subject: [PATCH 05/44] fix: don't push image when skip_unchanged_digest is set Kaniko default behavior changed, `--tarPath` alone is not enough to skip the push to registry, `--no-push` is now required as well. Reference: GoogleContainerTools/kaniko#1503 --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index ebbac0e..0ea868c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -61,7 +61,7 @@ export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}" export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"} if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then - export DESTINATION="--digest-file digest --tarPath image.tar --destination $IMAGE" + export DESTINATION="--digest-file digest --no-push --tarPath image.tar --destination $IMAGE" else export DESTINATION="--destination $IMAGE" if [ ! -z $IMAGE_LATEST ]; then From 7033a0543dab07acec910afec52af07c52846dab Mon Sep 17 00:00:00 2001 From: Dmitry Tsoy Date: Fri, 16 Apr 2021 14:02:59 +0300 Subject: [PATCH 06/44] fix: long base64 string may contain new-line if the base64 string has more than 76 characters, it is wrapped with \n --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 0ea868c..bea704b 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -89,7 +89,7 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then export DIGEST=$(cat digest) if [ "$REGISTRY" == "docker.pkg.github.com" ]; then - wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true + wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')" else export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1) From b7f0f661e31e66cb2eadb93d0753ad74dce8563d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 19 Oct 2021 02:02:14 +0000 Subject: [PATCH 07/44] chore(deps): update aevea/release-notary docker digest to fad8346 --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c749523..041727e 100644 
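Review bot: In the `@@ -89,7 +89,7 @@` hunk of PATCH 06/44 the credential for the `Authorization: Basic` header is still built from an unquoted `echo -n $USERNAME:$PASSWORD`, so a token containing whitespace or glob characters is altered before it is encoded; stripping the newline from the base64 output does not cover that. Use `$(printf '%s' "$USERNAME:$PASSWORD" | base64 | tr -d '\n')` instead. The trailing `|| true` on the same line also means a rejected or failed request leaves `manifest` empty, and `REMOTE` then becomes the hash of an empty file rather than an error, which deserves an explicit status check or at least a comment saying the fallback is intended. The line is carried into the `@@ -91,8 +91,8 @@` hunk of PATCH 13/44 with only the host changed. The surrounding `if` block starts and ends outside the hunk.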
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: uses: actions/checkout@v1 - name: Release Notary Action - uses: docker://aevea/release-notary@sha256:5eef3c539deb5397457a6acf001ef80df6004ec52bc4b8a0eac0577ad92759d0 + uses: docker://aevea/release-notary@sha256:fad8346e2c6d56e78987f84c0e70676b7ed4d1ccffdb4f2f799c7f0d972ce55c env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From e846d424977c90c1d4342e40819441442b0ef8c1 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 19 Oct 2021 02:02:11 +0000 Subject: [PATCH 08/44] chore(deps): update aevea/commitsar docker digest to b77adeb --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 2b3d6d2..c3ba41f 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -8,4 +8,4 @@ jobs: steps: - uses: actions/checkout@v1 - name: Run commitsar - uses: docker://aevea/commitsar@sha256:caf5539dd03309a539906c7ad45c2ecc0ae86a1ee2bf5dc538d7986c523526f3 + uses: docker://aevea/commitsar@sha256:b77adebc0437d4f2bfdf9205a39003e88acbc77a9176fd086b386207a5f3f5cb From 571e42aef3dd17d0dddecf2d4f2dd976b54e74f4 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 24 Jan 2022 09:04:54 +0000 Subject: [PATCH 09/44] chore(deps): update aevea/release-notary docker digest to 8b26ced --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 041727e..865e4c1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: uses: actions/checkout@v1 - name: Release Notary Action - uses: docker://aevea/release-notary@sha256:fad8346e2c6d56e78987f84c0e70676b7ed4d1ccffdb4f2f799c7f0d972ce55c + uses: docker://aevea/release-notary@sha256:8b26ced466da96b23a947d5c9e58baac22ee1192fd08200011e5b178f42118a0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
From 8bd3e02fd2a22f4309ea6e59e25e16d062e670cd Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Mon, 24 Jan 2022 09:05:34 +0000 Subject: [PATCH 10/44] chore(deps): update actions/checkout action to v2 --- .github/workflows/pr.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index c3ba41f..f4c7e10 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -6,6 +6,6 @@ jobs: runs-on: ubuntu-latest name: Verify commit messages steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v2 - name: Run commitsar uses: docker://aevea/commitsar@sha256:b77adebc0437d4f2bfdf9205a39003e88acbc77a9176fd086b386207a5f3f5cb diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 865e4c1..c159ed4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v1 + uses: actions/checkout@v2 - name: Release Notary Action uses: docker://aevea/release-notary@sha256:8b26ced466da96b23a947d5c9e58baac22ee1192fd08200011e5b178f42118a0 From f16a14fc0fb8bb33ee9b13dce13ff3a5af6e76f9 Mon Sep 17 00:00:00 2001 From: Alex Viscreanu Date: Mon, 24 Jan 2022 10:13:19 +0100 Subject: [PATCH 11/44] fix(ci): fetch all necessary commits for commitsar and release notary --- .github/workflows/pr.yml | 2 ++ .github/workflows/release.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f4c7e10..38b6ed2 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -7,5 +7,7 @@ jobs: name: Verify commit messages steps: - uses: actions/checkout@v2 + with: + fetch-depth: 0 - name: Run commitsar uses: docker://aevea/commitsar@sha256:b77adebc0437d4f2bfdf9205a39003e88acbc77a9176fd086b386207a5f3f5cb 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c159ed4..7755bf4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,8 @@ jobs: steps: - name: Check out code uses: actions/checkout@v2 + with: + fetch-depth: 0 - name: Release Notary Action uses: docker://aevea/release-notary@sha256:8b26ced466da96b23a947d5c9e58baac22ee1192fd08200011e5b178f42118a0 From 8e9a42340097df535b530c49820ac36fe8428f31 Mon Sep 17 00:00:00 2001 From: Julien Semaan Date: Sun, 16 Jan 2022 20:38:57 -0500 Subject: [PATCH 12/44] fix: tag with latest only when its config is true --- entrypoint.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index bea704b..975e071 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -10,10 +10,13 @@ export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX} export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR} export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN} export REPOSITORY=$IMAGE -export IMAGE_LATEST=${INPUT_TAG_WITH_LATEST:+"$IMAGE:latest"} export IMAGE=$IMAGE:$TAG export CONTEXT_PATH=${INPUT_PATH} +if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then + export IMAGE_LATEST="$IMAGE:latest" +fi + function ensure() { if [ -z "${1}" ]; then echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?" From dc591110ccb8df6e5876d0d526c564f4408757ad Mon Sep 17 00:00:00 2001 From: Alex Viscreanu Date: Mon, 21 Feb 2022 15:19:19 +0100 Subject: [PATCH 13/44] fix: update github container registry host --- entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 975e071..e124bfb 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -31,7 +31,7 @@ ensure "${IMAGE}" "image" ensure "${TAG}" "tag" ensure "${CONTEXT_PATH}" "path" -if [ "$REGISTRY" == "docker.pkg.github.com" ]; then +if [ "$REGISTRY" == "ghcr.io" ]; then IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')" export IMAGE="$IMAGE_NAMESPACE/$IMAGE" export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY" @@ -91,8 +91,8 @@ EOF if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then export DIGEST=$(cat digest) - if [ "$REGISTRY" == "docker.pkg.github.com" ]; then - wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true + if [ "$REGISTRY" == "ghcr.io" ]; then + wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://ghcr.io/v2/$REPOSITORY/manifests/latest || true export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')" else export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1) From 3e397648f84051501dbc85b31b8d8585e27fb311 Mon Sep 17 00:00:00 2001 From: Alex Date: Mon, 21 Feb 2022 15:25:01 +0100 Subject: [PATCH 14/44] fix(ci): use updated github container registry host --- .github/workflows/push.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 3260341..fc0bb44 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -11,7 +11,7 @@ jobs: - name: GitHub Package Registry uses: aevea/action-kaniko@master with: - registry: docker.pkg.github.com + registry: ghcr.io password: ${{ secrets.GITHUB_TOKEN }} image: kaniko cache: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7755bf4..0fe0aca 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -22,7 +22,7 @@ jobs: - name: GitHub Package Registry uses: aevea/action-kaniko@master with: - registry: docker.pkg.github.com + registry: ghcr.io password: ${{ secrets.GITHUB_TOKEN }} image: kaniko cache: true From a5055cd00751f1beb018792aa62d34334a3185bf Mon Sep 17 00:00:00 2001 From: Alex Date: Mon, 21 Feb 2022 15:27:55 +0100 Subject: [PATCH 15/44] docs: update references to github's package registry host --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a09a7ca..76ea61b 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ with: cache_registry: aevea/cache ``` -### [docker.pkg.github.com](https://github.com/features/packages) +### [ghcr.io](https://github.com/features/packages) GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace. If you want to push your image like `aevea/action-kaniko/kaniko`, you'll only need to pass `kaniko` to this action. @@ -93,7 +93,7 @@ passed by default, it will have to be explicitly set up. ```yaml with: - registry: docker.pkg.github.com + registry: ghcr.io password: ${{ secrets.GITHUB_TOKEN }} image: kaniko ``` @@ -104,7 +104,7 @@ cache layers to that image instead ```yaml with: - registry: docker.pkg.github.com + registry: ghcr.io password: ${{ secrets.GITHUB_TOKEN }} image: kaniko cache: true @@ -167,7 +167,7 @@ Example: ```yaml with: - registry: docker.pkg.github.com + registry: ghcr.io password: ${{ secrets.GITHUB_TOKEN }} image: kaniko strip_tag_prefix: pre- From 17f90e5aa45fae7f51284c35b27d1c05b0fd2c12 Mon Sep 17 00:00:00 2001 From: Sandro Modarelli Date: Fri, 25 Mar 2022 14:46:48 +0100 Subject: [PATCH 16/44] fix: use complete image name when computing latest target --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index e124bfb..d2f4421 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -14,7 +14,7 @@ export IMAGE=$IMAGE:$TAG export CONTEXT_PATH=${INPUT_PATH} if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then - export IMAGE_LATEST="$IMAGE:latest" + export IMAGE_LATEST="$REPOSITORY:latest" fi function ensure() { From 20173de989ec7311b36c6a7f69f74d81dfbddbb5 Mon Sep 17 00:00:00 2001 From: Sandro Modarelli Date: Fri, 25 Mar 2022 15:09:12 +0100 Subject: [PATCH 17/44] feat: adding debug flag --- README.md | 1 + action.yml | 3 +++ entrypoint.sh | 3 +++ 3 files changed, 7 insertions(+) diff --git a/README.md b/README.md index 76ea61b..6dff48a 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,7 @@ the most used values. So, technically there is a single required argument | path | Path to the build context. Defaults to `.` | false | . | | tag_with_latest | Tags the built image with additional latest tag | false | | | target | Sets the target stage to build | false | | +| debug | Enables trace for entrypoint.sh | false | | **Here is where it gets specific, as the optional arguments become required depending on the registry targeted** diff --git a/action.yml b/action.yml index bc41cfb..cb313e3 100644 --- a/action.yml +++ b/action.yml @@ -54,6 +54,9 @@ inputs: target: description: Sets the target stage to build required: false + debug: + description: Enables trace for entrypoint.sh + required: false runs: using: "docker" image: "Dockerfile" diff --git a/entrypoint.sh b/entrypoint.sh index d2f4421..bbeeff8 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,5 +1,8 @@ #!/busybox/sh set -e pipefail +if [[ "$INPUT_DEBUG" == "true" ]]; then + set -o xtrace +fi export REGISTRY=${INPUT_REGISTRY:-"docker.io"} export IMAGE=${INPUT_IMAGE} From 548ad7dd4a8871f8294cb54f1e6d591948287222 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 20 Mar 2022 11:45:22 +0000 Subject: [PATCH 18/44] chore(deps): update aevea/commitsar digest to 27ea5e5 --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
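Review bot: Enabling `set -o xtrace` at the top of entrypoint.sh (PATCH 17/44) traces every later command with its expanded arguments, and this script puts credentials on command lines: the `Authorization: Basic $(... | base64 ...)` wget header and the `crane auth login ... -p $PASSWORD` call visible in earlier patches of this series. Log masking in the CI runner presumably matches registered secret values verbatim, so a base64-encoded `user:password` pair would likely appear unmasked in the job log; this should be confirmed. Either switch tracing off around the credential-handling commands with `set +x` and back on afterwards, or extend the `debug` description in action.yml and README to `Enables trace for entrypoint.sh; the trace can include registry credentials`. Separately, the context line `set -e pipefail` does not enable pipefail, it sets `$1` to the word `pipefail`; `set -eo pipefail` is probably what was meant, provided `/busybox/sh` accepts it.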
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 38b6ed2..0cd90b8 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -10,4 +10,4 @@ jobs: with: fetch-depth: 0 - name: Run commitsar - uses: docker://aevea/commitsar@sha256:b77adebc0437d4f2bfdf9205a39003e88acbc77a9176fd086b386207a5f3f5cb + uses: docker://aevea/commitsar@sha256:27ea5e528b153393e924d98764d6400a181f03768d972ba151b3ddc9f14ff12c From 59bc747ae2717b1ca013661865876666738a0db3 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Wed, 16 Mar 2022 18:16:46 +0000 Subject: [PATCH 19/44] chore(deps): update aevea/release-notary digest to 03e771a --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0fe0aca..a7fe79f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: fetch-depth: 0 - name: Release Notary Action - uses: docker://aevea/release-notary@sha256:8b26ced466da96b23a947d5c9e58baac22ee1192fd08200011e5b178f42118a0 + uses: docker://aevea/release-notary@sha256:03e771a509881121758b05217a8938ca8379d29dfa69a2605ceca06ffca2db4d env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From a4abaead4857a69bbbcc82ef01452500d71f7b1d Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Tue, 1 Mar 2022 18:45:14 +0000 Subject: [PATCH 20/44] chore(deps): update actions/checkout action to v3 --- .github/workflows/pr.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 0cd90b8..36058e7 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest name: Verify commit messages steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: 0 - name: Run commitsar 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a7fe79f..ba7010b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: fetch-depth: 0 From 1200c08dbadeeb08d95f56a7fc97fefec1993e40 Mon Sep 17 00:00:00 2001 From: Doron Somech Date: Fri, 29 Apr 2022 12:12:49 +0300 Subject: [PATCH 21/44] fix: downloading manifest doesn't work for github packages --- entrypoint.sh | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index bbeeff8..d12889d 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -94,12 +94,9 @@ EOF if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then export DIGEST=$(cat digest) - if [ "$REGISTRY" == "ghcr.io" ]; then - wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://ghcr.io/v2/$REPOSITORY/manifests/latest || true - export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')" - else - export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1) - fi + /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD + + export REMOTE=$(crane digest $REGISTRY/${REPOSITORY}:latest) if [ "$DIGEST" == "$REMOTE" ]; then echo "Digest hasn't changed, skipping, $DIGEST" @@ -108,8 +105,7 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then fi echo "Pushing image..." - - /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD + /kaniko/crane push image.tar $IMAGE if [ ! -z $IMAGE_LATEST ]; then From c97b90ade310a31002b2783c1c9364140d3a1aba Mon Sep 17 00:00:00 2001 From: Doron Somech Date: Sat, 30 Apr 2022 18:26:59 +0300 Subject: [PATCH 22/44] chore(deps): update crane to 0.8.0 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 445159b..fc8715f 100644 --- a/Dockerfile 
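Review bot: `export REMOTE=$(crane digest $REGISTRY/${REPOSITORY}:latest)` in the `@@ -94,12 +94,9 @@` hunk of PATCH 21/44 discards the exit status of `crane digest`, because `set -e` only sees the status of `export`. An authentication or network failure therefore looks the same as a repository that has no `latest` tag yet, and the script silently goes on to push. Make the failure visible with `REMOTE=$(/kaniko/crane digest "$REGISTRY/$REPOSITORY:latest") || echo >&2 "Could not read remote digest, pushing anyway"` followed by `export REMOTE`. The call also uses a bare `crane` while the other invocations in this patch use `/kaniko/crane`, so it depends on PATH containing `/kaniko`. The enclosing `if` block ends outside the hunk.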
+++ b/Dockerfile @@ -13,7 +13,7 @@ RUN wget -O /kaniko/jq \ https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \ chmod +x /kaniko/reg && \ wget -O /crane.tar.gz \ - https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \ + https://github.com/google/go-containerregistry/releases/download/v0.8.0/go-containerregistry_Linux_x86_64.tar.gz && \ tar -xvzf /crane.tar.gz crane -C /kaniko && \ rm /crane.tar.gz From 57fd639926c415a2fa4150ac72230eb5758ff48b Mon Sep 17 00:00:00 2001 From: Doron Somech Date: Sat, 30 Apr 2022 20:08:50 +0300 Subject: [PATCH 23/44] fix: use version 1.7.0 of kaniko Version 1.8.0 and above breaks reproducible builds. https://github.com/GoogleContainerTools/kaniko/issues/2005 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fc8715f..2398b0f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM alpine as certs RUN apk --update add ca-certificates -FROM gcr.io/kaniko-project/executor:debug +FROM gcr.io/kaniko-project/executor:v1.7.0-debug SHELL ["/busybox/sh", "-c"] From 83ddee1c8b2f6e5b22b0985c5b3a8288f76c25b0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 20 Nov 2022 19:51:16 +0000 Subject: [PATCH 24/44] chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.9.1 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 2398b0f..7a3cc1c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM alpine as certs RUN apk --update add ca-certificates -FROM gcr.io/kaniko-project/executor:v1.7.0-debug +FROM gcr.io/kaniko-project/executor:v1.9.1-debug SHELL ["/busybox/sh", "-c"] From 98d5caab7ff9147af1090b1013511350746e24d1 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 20 Nov 2022 19:51:03 +0000 Subject: [PATCH 25/44] chore(deps): update aevea/commitsar docker digest to 18c604f --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 36058e7..827e2de 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -10,4 +10,4 @@ jobs: with: fetch-depth: 0 - name: Run commitsar - uses: docker://aevea/commitsar@sha256:27ea5e528b153393e924d98764d6400a181f03768d972ba151b3ddc9f14ff12c + uses: docker://aevea/commitsar@sha256:18c604faa349035b105bd3706a214d32f0fb87d8b1e9ac7c4b42450579acef33 From 78060c4e9d3a27c9d53824f67fa1b33ddfc2e7e1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Dec 2022 20:24:46 +0000 Subject: [PATCH 26/44] chore(deps): update aevea/release-notary docker digest to b77e86c --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ba7010b..9e97335 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: fetch-depth: 0 - name: Release Notary Action - uses: docker://aevea/release-notary@sha256:03e771a509881121758b05217a8938ca8379d29dfa69a2605ceca06ffca2db4d + uses: docker://aevea/release-notary@sha256:b77e86ce9ce4b0c8774cdb3b807b756d1d6139d73aca74388560250de259be4e env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From e54575cc707c209f2e99516c23198b604b4e1d93 Mon Sep 17 00:00:00 2001 From: Alex Viscreanu Date: Thu, 11 Jan 2024 22:02:42 +0100 Subject: [PATCH 27/44] chore(deps): bump kaniko to v1.19.2 and update dependencies --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7a3cc1c..172249b 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,18 +2,18 @@ FROM alpine as certs RUN apk --update add ca-certificates -FROM gcr.io/kaniko-project/executor:v1.9.1-debug +FROM gcr.io/kaniko-project/executor:v1.19.2-debug SHELL ["/busybox/sh", "-c"] RUN wget -O /kaniko/jq \ - https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \ + https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && \ chmod +x /kaniko/jq && \ wget -O /kaniko/reg \ https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \ chmod +x /kaniko/reg && \ - wget -O /crane.tar.gz \ - https://github.com/google/go-containerregistry/releases/download/v0.8.0/go-containerregistry_Linux_x86_64.tar.gz && \ + wget -O /crane.tar.gz \ + https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && \ tar -xvzf /crane.tar.gz crane -C /kaniko && \ rm /crane.tar.gz From ca098255c542127940a1c857bcf1ef428c26fca2 Mon Sep 17 00:00:00 2001 From: Mikhail Nacharov Date: Wed, 1 Feb 2023 11:28:51 +0400 Subject: [PATCH 28/44] feat: output built image reference --- README.md | 6 ++++++ action.yml | 3 +++ entrypoint.sh | 1 + 3 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 6dff48a..30f8528 100644 --- a/README.md +++ b/README.md @@ -175,3 +175,9 @@ with: ``` for the tag `pre-0.1` will push `kaniko:0.1`, as the `pre-` part will be stripped from the tag name. + +## Outputs + +### `image` + +Full reference to the built image with registry and tag. diff --git a/action.yml b/action.yml index cb313e3..7c51772 100644 --- a/action.yml +++ b/action.yml @@ -57,6 +57,9 @@ inputs: debug: description: Enables trace for entrypoint.sh required: false +outputs: + image: + description: "Full reference to the built image with registry and tag" runs: using: "docker" image: "Dockerfile" diff --git a/entrypoint.sh b/entrypoint.sh index d12889d..5e30e41 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -90,6 +90,7 @@ EOF # https://github.com/GoogleContainerTools/kaniko/issues/1349 /kaniko/executor --reproducible --force $ARGS +echo "image=$IMAGE" >> $GITHUB_OUTPUT if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then export DIGEST=$(cat digest) From 4387eb381c35d67d86822849536a891ea1dcdf55 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 19 Oct 2023 11:12:28 +0000 Subject: [PATCH 29/44] chore(deps): update actions/checkout action to v4 --- .github/workflows/pr.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 827e2de..bf3fe46 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest name: Verify commit messages steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Run commitsar diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9e97335..c6f52fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 From 10b098cb525aed8497e905767ad75ad3f1084c09 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 25 Nov 2023 01:25:47 +0000 Subject: [PATCH 30/44] chore(deps): update aevea/commitsar docker digest to 8d2db4e --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index bf3fe46..ba7236d 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
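Review bot: The `image` output in the `@@ -90,6 +90,7 @@` hunk of PATCH 28/44 is written right after the kaniko build and before the `skip_unchanged_digest` branch, which builds with `--no-push` and can `exit 0` when the digest matches; in that mode a downstream step may receive a tag reference that was never pushed. Consider writing the output after the push decision, or documenting on the `image` output that the reference may not exist in the registry when the push is skipped. The write itself should quote both the value and the target: `printf 'image=%s\n' "$IMAGE" >> "$GITHUB_OUTPUT"`. Whether `$IMAGE` carries the registry host at this point, as the action.yml description says, cannot be seen from the hunk.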
@@ -10,4 +10,4 @@ jobs: with: fetch-depth: 0 - name: Run commitsar - uses: docker://aevea/commitsar@sha256:18c604faa349035b105bd3706a214d32f0fb87d8b1e9ac7c4b42450579acef33 + uses: docker://aevea/commitsar@sha256:8d2db4e430dd06e3fcde173add43dada80b37150ba1191a69cda1c0bcdba9cb1 From a95ae7d70653e404655e84ccf0e177eb9e1e85bf Mon Sep 17 00:00:00 2001 From: Idriss Neumann Date: Fri, 24 Jun 2022 12:41:58 +0100 Subject: [PATCH 31/44] fix(kaniko): workaround for passing arguments containing spaces set up input field separator as null and use eval to run kaniko executor --- entrypoint.sh | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 5e30e41..0626f1a 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -71,7 +71,7 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then else export DESTINATION="--destination $IMAGE" if [ ! -z $IMAGE_LATEST ]; then - export DESTINATION="$DESTINATION --destination $IMAGE_LATEST" + export DESTINATION="$DESTINATION --destination $IMAGE_LATEST" fi fi @@ -88,8 +88,13 @@ cat </kaniko/.docker/config.json } EOF +# https://github.com/GoogleContainerTools/kaniko/issues/1803 # https://github.com/GoogleContainerTools/kaniko/issues/1349 -/kaniko/executor --reproducible --force $ARGS +export IFS='' +kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force" +echo "Running kaniko command ${kaniko_cmd}" +eval "${kaniko_cmd}" + echo "image=$IMAGE" >> $GITHUB_OUTPUT if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then @@ -106,13 +111,13 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then fi echo "Pushing image..." - + /kaniko/crane push image.tar $IMAGE if [ ! -z $IMAGE_LATEST ]; then echo "Tagging latest..." - /kaniko/crane tag $IMAGE latest + /kaniko/crane tag $IMAGE latest fi - + echo "Done 🎉️" fi From 17bff7af73609de877334100ef0d9339f8f82c4e Mon Sep 17 00:00:00 2001 
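Review bot: `eval "${kaniko_cmd}"` in the `@@ -88,8 +88,13 @@` hunk re-parses the whole argument string as shell code, and `ARGS` is built from action inputs such as `INPUT_EXTRA_ARGS` (its assignment is outside this hunk), so shell metacharacters in an input are interpreted instead of being passed to kaniko. Arguments with spaces can be supported without `eval` by building the list as positional parameters with `set --` and calling `/kaniko/executor "$@" --reproducible --force`. The added `echo "Running kaniko command ${kaniko_cmd}"` writes the full argument string to the job log, which would include any `--build-arg` values; consider logging only under `INPUT_DEBUG`. `export IFS=''` also stays in effect for every later unquoted expansion in the script, so it deserves a comment or a restore after the call.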
From: Mikael Elkiaer <2102306+MikaelElkiaer@users.noreply.github.com> Date: Tue, 31 Jan 2023 10:35:34 +0100 Subject: [PATCH 32/44] fix(ghcr): omit separator in case image is prefixed with dash or slash this allows local pushing to the repo running the action --- entrypoint.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 0626f1a..484eca2 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -36,11 +36,13 @@ ensure "${CONTEXT_PATH}" "path" if [ "$REGISTRY" == "ghcr.io" ]; then IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')" - export IMAGE="$IMAGE_NAMESPACE/$IMAGE" - export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY" + # Set `/` separator, unless image is pre-fixed with dash or slash + [ -n "$REPOSITORY" ] && [[ ! "$REPOSITORY" =~ ^[-/] ]] && SEPARATOR="/" + export IMAGE="$IMAGE_NAMESPACE$SEPARATOR$IMAGE" + export REPOSITORY="$IMAGE_NAMESPACE$SEPARATOR$REPOSITORY" if [ ! -z $IMAGE_LATEST ]; then - export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST" + export IMAGE_LATEST="$IMAGE_NAMESPACE$SEPARATOR$IMAGE_LATEST" fi if [ ! -z $INPUT_CACHE_REGISTRY ]; then From 81a26cb33ad8c4eb375aff8b83e48a6be4de115a Mon Sep 17 00:00:00 2001 From: Theo Cabrerizo Diem Date: Mon, 17 Jul 2023 18:25:29 +0200 Subject: [PATCH 33/44] feat: expand output variables add output variables for digests and if image was refreshed or not --- entrypoint.sh | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 484eca2..6a3fdaf 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
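Review bot: `SEPARATOR` is assigned only when the test succeeds and is never initialised, so a `SEPARATOR` inherited from the environment would be spliced into `IMAGE`, `REPOSITORY` and `IMAGE_LATEST`. The test also uses `[[ … =~ … ]]`, a bash construct; the interpreter line is outside this hunk, so whether the shell that runs the script supports it should be confirmed. A portable form that also sets the empty case explicitly is `case "$REPOSITORY" in ""|[-/]*) SEPARATOR="" ;; *) SEPARATOR="/" ;; esac`. The enclosing `if` block continues past the hunk.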
@@ -67,9 +67,10 @@ export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH" export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}" export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"} +export DIGEST="--digest-file /kaniko/digest --image-name-tag-with-digest-file=/kaniko/image-tag-digest" if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then - export DESTINATION="--digest-file digest --no-push --tarPath image.tar --destination $IMAGE" + export DESTINATION="--no-push --tarPath image.tar --destination $IMAGE" else export DESTINATION="--destination $IMAGE" if [ ! -z $IMAGE_LATEST ]; then @@ -77,7 +78,7 @@ else fi fi -export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS" +export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DIGEST $DESTINATION $INPUT_EXTRA_ARGS" cat </kaniko/.docker/config.json { @@ -98,15 +99,18 @@ echo "Running kaniko command ${kaniko_cmd}" eval "${kaniko_cmd}" echo "image=$IMAGE" >> $GITHUB_OUTPUT +echo "digest=$(cat /kaniko/digest)" >> $GITHUB_OUTPUT +echo "image-tag-digest=$(cat /kaniko/image-tag-digest)" >> $GITHUB_OUTPUT if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then - export DIGEST=$(cat digest) + export DIGEST=$(cat /kaniko/digest) /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD export REMOTE=$(crane digest $REGISTRY/${REPOSITORY}:latest) if [ "$DIGEST" == "$REMOTE" ]; then + echo "refreshed=false" >> $GITHUB_OUTPUT echo "Digest hasn't changed, skipping, $DIGEST" echo "Done 🎉️" exit 0 @@ -121,5 +125,6 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then /kaniko/crane tag $IMAGE latest fi + echo "refreshed=false" >> $GITHUB_OUTPUT echo "Done 🎉️" fi From 4f9a6a7f2caf5b323cf03ebddd672d2c31faf42d Mon Sep 17 00:00:00 2001 
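Review bot: The last hunk writes `refreshed=false` after `crane push` and `crane tag` have run, the same value the unchanged-digest branch writes just before `exit 0`, so a consumer cannot tell a push from a skip; the line should be `echo "refreshed=true" >> $GITHUB_OUTPUT`. No `refreshed` value is written at all when `INPUT_SKIP_UNCHANGED_DIGEST` is unset, which should be either set or documented. The same line is carried over, only re-quoted, by PATCH 35/44. Separately, `DIGEST` is first exported as the `--digest-file …` flag string and later overwritten with the digest value; two names would read more clearly. The enclosing `if` starts outside the hunk.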
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 18 Jan 2024 00:54:45 +0000 Subject: [PATCH 34/44] chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.20.0 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 172249b..8e0f846 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM alpine as certs RUN apk --update add ca-certificates -FROM gcr.io/kaniko-project/executor:v1.19.2-debug +FROM gcr.io/kaniko-project/executor:v1.20.0-debug SHELL ["/busybox/sh", "-c"] From ec00be49b79f0c04e53d4d962001515f4c67daf5 Mon Sep 17 00:00:00 2001 From: Theo Cabrerizo Diem Date: Mon, 17 Jul 2023 18:18:13 +0200 Subject: [PATCH 35/44] refactor: make entrypoint script more posix compliant remove most of the 'bashisms' in the script, improve quoting, escaping and make more consistent regarding references to variable names --- entrypoint.sh | 87 ++++++++++++++++++++++++++------------------------- 1 file changed, 44 insertions(+), 43 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 6a3fdaf..e5394e7 100755 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,26 +1,26 @@ #!/busybox/sh set -e pipefail -if [[ "$INPUT_DEBUG" == "true" ]]; then +if [ "$INPUT_DEBUG" = "true" ]; then set -o xtrace fi -export REGISTRY=${INPUT_REGISTRY:-"docker.io"} -export IMAGE=${INPUT_IMAGE} -export BRANCH=$(echo ${GITHUB_REF} | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g") -export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)} -export TAG=${TAG:-"latest"} -export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX} -export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR} -export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN} -export REPOSITORY=$IMAGE -export IMAGE=$IMAGE:$TAG -export CONTEXT_PATH=${INPUT_PATH} +export REGISTRY="${INPUT_REGISTRY:-"docker.io"}" +export IMAGE="$INPUT_IMAGE" +export BRANCH=$(echo "$GITHUB_REF" | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g") +export TAG=${INPUT_TAG:-$([ "$BRANCH" = "master" ] && echo latest || echo "$BRANCH")} +export TAG="${TAG:-"latest"}" +export TAG="${TAG#$INPUT_STRIP_TAG_PREFIX}" +export USERNAME="${INPUT_USERNAME:-$GITHUB_ACTOR}" +export PASSWORD="${INPUT_PASSWORD:-$GITHUB_TOKEN}" +export REPOSITORY="$IMAGE" +export IMAGE="${IMAGE}:${TAG}" +export CONTEXT_PATH="$INPUT_PATH" -if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then - export IMAGE_LATEST="$REPOSITORY:latest" +if [ "$INPUT_TAG_WITH_LATEST" = "true" ]; then + export IMAGE_LATEST="${REPOSITORY}:latest" fi -function ensure() { +ensure() { if [ -z "${1}" ]; then echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?" exit 1 
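Review bot: `set -e pipefail`, kept as context at the top of this hunk, does not enable pipefail: it turns on `-e` and sets `$1` to the word `pipefail`, so a failure inside the added `echo "$GITHUB_REF" | sed … | sed …` pipeline goes undetected. If the busybox shell in the image supports the option, `set -eo pipefail` is what was meant; otherwise the stray word should be dropped. In the added lines, `"${TAG#$INPUT_STRIP_TAG_PREFIX}"` still treats the input as a glob pattern, whereas `"${TAG#"$INPUT_STRIP_TAG_PREFIX"}"` strips it literally. The `ensure` function body continues outside the hunk.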
@@ -34,46 +34,46 @@ ensure "${IMAGE}" "image" ensure "${TAG}" "tag" ensure "${CONTEXT_PATH}" "path" -if [ "$REGISTRY" == "ghcr.io" ]; then +if [ "$REGISTRY" = "ghcr.io" ]; then IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')" # Set `/` separator, unless image is pre-fixed with dash or slash [ -n "$REPOSITORY" ] && [[ ! "$REPOSITORY" =~ ^[-/] ]] && SEPARATOR="/" export IMAGE="$IMAGE_NAMESPACE$SEPARATOR$IMAGE" export REPOSITORY="$IMAGE_NAMESPACE$SEPARATOR$REPOSITORY" - if [ ! -z $IMAGE_LATEST ]; then - export IMAGE_LATEST="$IMAGE_NAMESPACE$SEPARATOR$IMAGE_LATEST" + if [ -n "$IMAGE_LATEST" ]; then + export IMAGE_LATEST="${IMAGE_NAMESPACE}/${IMAGE_LATEST}" fi - if [ ! -z $INPUT_CACHE_REGISTRY ]; then - export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY" + if [ -n "$INPUT_CACHE_REGISTRY" ]; then + export INPUT_CACHE_REGISTRY="${REGISTRY}/${IMAGE_NAMESPACE}/${INPUT_CACHE_REGISTRY}" fi fi -if [ "$REGISTRY" == "docker.io" ]; then +if [ "$REGISTRY" = "docker.io" ]; then export REGISTRY="index.${REGISTRY}/v1/" else - export IMAGE="$REGISTRY/$IMAGE" + export IMAGE="${REGISTRY}/${IMAGE}" - if [ ! 
-z $IMAGE_LATEST ]; then - export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST" + if [ -n "$IMAGE_LATEST" ]; then + export IMAGE_LATEST="${REGISTRY}/${IMAGE_LATEST}" fi fi -export CACHE=${INPUT_CACHE:+"--cache=true"} -export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"} -export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"} -export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"} +export CACHE="${INPUT_CACHE:+"--cache=true"}" +export CACHE="$CACHE"${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"} +export CACHE="$CACHE"${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"} +export CACHE="$CACHE"${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"} export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH" export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}" export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"} export DIGEST="--digest-file /kaniko/digest --image-name-tag-with-digest-file=/kaniko/image-tag-digest" -if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then +if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then export DESTINATION="--no-push --tarPath image.tar --destination $IMAGE" else export DESTINATION="--destination $IMAGE" - if [ ! -z $IMAGE_LATEST ]; then + if [ -n "$IMAGE_LATEST" ]; then export DESTINATION="$DESTINATION --destination $IMAGE_LATEST" fi fi 
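Review bot: The rewritten `IMAGE_LATEST` assignment in the `ghcr.io` block hard-codes `/` (`"${IMAGE_NAMESPACE}/${IMAGE_LATEST}"`) where the removed line used `$SEPARATOR`, while `IMAGE` and `REPOSITORY` just above still use `$SEPARATOR`. The `latest` reference can therefore differ from the tagged one when the image name starts with `-` or `/`. `export IMAGE_LATEST="${IMAGE_NAMESPACE}${SEPARATOR}${IMAGE_LATEST}"` preserves the earlier behaviour. The same block still contains `[[ ! "$REPOSITORY" =~ ^[-/] ]]` and an unquoted `$(echo $GITHUB_REPOSITORY | tr …)`, both at odds with the commit's stated POSIX and quoting goal.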
@@ -98,19 +98,20 @@ kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force" echo "Running kaniko command ${kaniko_cmd}" eval "${kaniko_cmd}" -echo "image=$IMAGE" >> $GITHUB_OUTPUT -echo "digest=$(cat /kaniko/digest)" >> $GITHUB_OUTPUT -echo "image-tag-digest=$(cat /kaniko/image-tag-digest)" >> $GITHUB_OUTPUT +echo "image=$IMAGE" >> "$GITHUB_OUTPUT" +echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT" +echo "image-tag-digest=$(cat /kaniko/image-tag-digest)" >> "$GITHUB_OUTPUT" -if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then - export DIGEST=$(cat /kaniko/digest) - /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD +if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then + export DIGEST="$(cat /kaniko/digest)" - export REMOTE=$(crane digest $REGISTRY/${REPOSITORY}:latest) + /kaniko/crane auth login "$REGISTRY" -u "$USERNAME" -p "$PASSWORD" - if [ "$DIGEST" == "$REMOTE" ]; then - echo "refreshed=false" >> $GITHUB_OUTPUT + export REMOTE=$(crane digest "${REGISTRY}/${REPOSITORY}:latest") + + if [ "$DIGEST" = "$REMOTE" ]; then + echo "refreshed=false" >> "$GITHUB_OUTPUT" echo "Digest hasn't changed, skipping, $DIGEST" echo "Done 🎉️" exit 0 @@ -118,13 +119,13 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then echo "Pushing image..." - /kaniko/crane push image.tar $IMAGE + /kaniko/crane push image.tar "$IMAGE" - if [ ! -z $IMAGE_LATEST ]; then + if [ -n "$IMAGE_LATEST" ]; then echo "Tagging latest..." - /kaniko/crane tag $IMAGE latest + /kaniko/crane tag "$IMAGE" latest fi - echo "refreshed=false" >> $GITHUB_OUTPUT + echo "refreshed=false" >> "$GITHUB_OUTPUT" echo "Done 🎉️" fi From 16c18d6aee7876c41524f5e6f920f76c0a99e7a0 Mon Sep 17 00:00:00 2001 From: Alex Viscreanu Date: Sat, 20 Jan 2024 11:17:50 +0100 Subject: [PATCH 36/44] ci: fix release notary action explicitly define entrypoint and args --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) 
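Review bot: `/kaniko/crane auth login "$REGISTRY" -u "$USERNAME" -p "$PASSWORD"` passes the registry password as a command-line argument, where it is visible in the process list while crane runs. crane can read it from standard input: `/kaniko/crane auth login "$REGISTRY" -u "$USERNAME" --password-stdin`, fed from a here-document rather than a `printf … |` pipe so that the value also stays out of the `set -o xtrace` output enabled by `INPUT_DEBUG`. The next added line calls `crane digest` without the `/kaniko/` prefix used for every other crane call, so it depends on `PATH`. Because that call is wrapped in `export REMOTE=$(…)`, a failed lookup does not stop the script under `set -e`. The enclosing `if` block runs past the end of this hunk.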
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c6f52fa..1a0ff39 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,6 +18,9 @@ jobs: uses: docker://aevea/release-notary@sha256:b77e86ce9ce4b0c8774cdb3b807b756d1d6139d73aca74388560250de259be4e env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + entrypoint: release-notary + args: publish - name: GitHub Package Registry uses: aevea/action-kaniko@master From ef9c4ca42ec4a0b2040edfabda8497286f093b81 Mon Sep 17 00:00:00 2001 From: ykyr Date: Thu, 7 Mar 2024 21:27:08 +0100 Subject: [PATCH 37/44] fix: entrypoint ARGS remove new line --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index e5394e7..4ce09ea 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -94,6 +94,8 @@ EOF # https://github.com/GoogleContainerTools/kaniko/issues/1803 # https://github.com/GoogleContainerTools/kaniko/issues/1349 export IFS='' +# Removes a trailing new line +ARGS=$(echo "${ARGS}" | sed 's/\n*$//') kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force" echo "Running kaniko command ${kaniko_cmd}" eval "${kaniko_cmd}" From 8de7c88b27e89ec2a3087d3351b2fee0ced7d8f8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 7 Mar 2024 00:39:15 +0000 Subject: [PATCH 38/44] chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.21.1 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8e0f846..147f951 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM alpine as certs RUN apk --update add ca-certificates -FROM gcr.io/kaniko-project/executor:v1.20.0-debug +FROM gcr.io/kaniko-project/executor:v1.21.1-debug SHELL ["/busybox/sh", "-c"] From fd47216104790b011ad758b5a793c6df2c860b07 Mon Sep 17 00:00:00 2001 
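Review bot: The added `sed 's/\n*$//'` in the `entrypoint.sh` hunk cannot match anything, because sed processes one line at a time with the newline already removed. The trailing newline is actually dropped by the surrounding `$( … )`, so the `sed` stage can go and the comment should say so. Newlines inside `ARGS` (for example from a multi-line `INPUT_EXTRA_ARGS`) are left in place and then reach `eval`, where a newline ends one command and starts another. Folding them into spaces, `ARGS=$(printf '%s' "$ARGS" | tr '\n' ' ')`, keeps the whole value on one command line.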
From: Jason Kratz Date: Thu, 4 Apr 2024 15:36:38 -0500 Subject: [PATCH 39/44] fix: correctly handle multi-line tag digests output kaniko outputs each tag on a new line, so users that push multiple tags at once would get an error as the output wasn't prepared to handle multi-line text --- entrypoint.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 4ce09ea..8a29b69 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -102,7 +102,9 @@ eval "${kaniko_cmd}" echo "image=$IMAGE" >> "$GITHUB_OUTPUT" echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT" -echo "image-tag-digest=$(cat /kaniko/image-tag-digest)" >> "$GITHUB_OUTPUT" +echo "image-tag-digest<>"$GITHUB_OUTPUT" +echo "$(cat /kaniko/image-tag-digest)" >>"$GITHUB_OUTPUT" +echo 'EOF' >>"$GITHUB_OUTPUT" if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then From 977090a03e2a33a8e917fcf83494c105b052a243 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 3 Apr 2024 09:39:41 +0000 Subject: [PATCH 40/44] chore(deps): update aevea/release-notary docker digest to 690915b --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1a0ff39..4dbe99b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: fetch-depth: 0 - name: Release Notary Action - uses: docker://aevea/release-notary@sha256:b77e86ce9ce4b0c8774cdb3b807b756d1d6139d73aca74388560250de259be4e + uses: docker://aevea/release-notary@sha256:690915bf87458fd8eb1e1ff0be34b33377f920eda3f38b96c62ecbf897c831f4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: From 12a3a8cc81dbbbee747b7e8a1927156154b47cc8 Mon Sep 17 00:00:00 2001 
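Review bot: The multi-line `image-tag-digest` output is closed with the fixed delimiter `EOF` (`echo 'EOF' >>"$GITHUB_OUTPUT"`), so a line consisting of `EOF` inside `/kaniko/image-tag-digest` would end the value early and let the following lines be read as further outputs. The content is written by kaniko from the image names passed in, so this is unlikely, but it is cheap to rule out with a delimiter generated per run and reused on the opening and closing lines. `echo "$(cat …)"` is worth keeping because it guarantees a final newline before the delimiter. A short comment saying so would stop it being simplified to a bare `cat`.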
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 3 Apr 2024 09:39:37 +0000 Subject: [PATCH 41/44] chore(deps): update aevea/commitsar docker digest to e4aed72 --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index ba7236d..cf1202d 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -10,4 +10,4 @@ jobs: with: fetch-depth: 0 - name: Run commitsar - uses: docker://aevea/commitsar@sha256:8d2db4e430dd06e3fcde173add43dada80b37150ba1191a69cda1c0bcdba9cb1 + uses: docker://aevea/commitsar@sha256:e4aed72de9a00b990a53c678ad51fbe9bd04e127a617d10beab0ef0204b1dfa0 From 9223ef89b8302afed279fc956849bfd45d7686d2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 4 Apr 2024 14:29:59 +0000 Subject: [PATCH 42/44] chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.22.0 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 147f951..35a822c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM alpine as certs RUN apk --update add ca-certificates -FROM gcr.io/kaniko-project/executor:v1.21.1-debug +FROM gcr.io/kaniko-project/executor:v1.22.0-debug SHELL ["/busybox/sh", "-c"] From 58af85fb137af1cf493b130f5416170be56f2959 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 17 Oct 2024 08:34:15 +0000 Subject: [PATCH 43/44] chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.23.2 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 35a822c..2c0fd25 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,7 +2,7 @@ FROM alpine as certs RUN apk --update add ca-certificates -FROM gcr.io/kaniko-project/executor:v1.22.0-debug +FROM gcr.io/kaniko-project/executor:v1.23.2-debug SHELL ["/busybox/sh", "-c"] From be5ce625a52485739db88cc75ebb8a9f8d269bd4 Mon Sep 17 00:00:00 2001 From: Alex Viscreanu Date: Thu, 7 Nov 2024 19:00:36 +0100 Subject: [PATCH 44/44] docs: add warning about kaniko lacking maintainers --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 30f8528..56d6940 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ # Kaniko image builder +> [!WARNING] +> The kaniko project no longer seems to [have maintainers](https://github.com/GoogleContainerTools/kaniko/issues/3348). Keep this in mind before deciding to use kaniko as your image builder. + This Action uses the [kaniko](https://github.com/GoogleContainerTools/kaniko) executor instead of the docker daemon. Kaniko builds the image by extracting the filesystem of the base image, making the changes in the user space, snapshotting any change and appending it to the base image filesystem.