diff --git a/.dockerignore b/.dockerignore index e53007c..c9c8ccc 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,3 @@ * !entrypoint.sh -.env* + diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index cf1202d..2a64815 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -6,8 +6,6 @@ jobs: runs-on: ubuntu-latest name: Verify commit messages steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 + - uses: actions/checkout@v1 - name: Run commitsar - uses: docker://aevea/commitsar@sha256:e4aed72de9a00b990a53c678ad51fbe9bd04e127a617d10beab0ef0204b1dfa0 + uses: docker://commitsar/commitsar diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index fc0bb44..3ab1573 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -9,19 +9,19 @@ jobs: - uses: actions/checkout@master - name: GitHub Package Registry - uses: aevea/action-kaniko@master + uses: outillage/kaniko-action@master with: - registry: ghcr.io + registry: docker.pkg.github.com password: ${{ secrets.GITHUB_TOKEN }} image: kaniko cache: true cache_registry: cache - name: Dockerhub - uses: aevea/action-kaniko@master + uses: outillage/kaniko-action@master with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - image: aevea/kaniko + image: outillage/kaniko cache: true - cache_registry: aevea/cache + cache_registry: outillage/cache diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4dbe99b..73bf734 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
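Review bot: The `Run commitsar` step in pr.yml now references `docker://commitsar/commitsar` with neither a tag nor a digest, so every run pulls whatever the registry currently serves under the default tag, and `actions/checkout@v1` is likewise a mutable tag. A workflow step should resolve to content that has been reviewed: pin the image as `uses: docker://commitsar/commitsar@sha256:<digest-of-reviewed-image>` (placeholder) and the checkout action to a full commit SHA. The same unpinned form appears in the release.yml hunk as `docker://commitsar/release-notary`, where the step also receives `GITHUB_TOKEN` through `env`. The job definition starts above this hunk, so its trigger and token permissions cannot be checked from here.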
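Review bot: Both build steps in push.yml pass registry credentials (`secrets.GITHUB_TOKEN`, `secrets.DOCKERHUB_PASSWORD`) to `outillage/kaniko-action@master`, a branch ref that can move without any change to this file. Whatever lands on that branch runs with those secrets, so the reference should be a full commit SHA, for example `uses: outillage/kaniko-action@<full-commit-sha>` (placeholder) with the release name in a trailing comment. `actions/checkout@master` in the context line above has the same property, and the release.yml hunk repeats both kaniko steps in the same form. The job header is outside the hunk, so the permissions granted to `GITHUB_TOKEN` are not visible.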
@@ -10,32 +10,27 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 - with: - fetch-depth: 0 + uses: actions/checkout@v1 - name: Release Notary Action - uses: docker://aevea/release-notary@sha256:690915bf87458fd8eb1e1ff0be34b33377f920eda3f38b96c62ecbf897c831f4 + uses: docker://commitsar/release-notary env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - entrypoint: release-notary - args: publish - name: GitHub Package Registry - uses: aevea/action-kaniko@master + uses: outillage/kaniko-action@master with: - registry: ghcr.io + registry: docker.pkg.github.com password: ${{ secrets.GITHUB_TOKEN }} image: kaniko cache: true cache_registry: cache - name: Dockerhub - uses: aevea/action-kaniko@master + uses: outillage/kaniko-action@master with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - image: aevea/kaniko + image: outillage/kaniko cache: true - cache_registry: aevea/cache + cache_registry: outillage/cache diff --git a/Dockerfile b/Dockerfile index 2c0fd25..18f6f4d 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,26 +1,8 @@ -FROM alpine as certs - -RUN apk --update add ca-certificates - -FROM gcr.io/kaniko-project/executor:v1.23.2-debug - -SHELL ["/busybox/sh", "-c"] - -RUN wget -O /kaniko/jq \ - https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && \ - chmod +x /kaniko/jq && \ - wget -O /kaniko/reg \ - https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \ - chmod +x /kaniko/reg && \ - wget -O /crane.tar.gz \ - https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && \ - tar -xvzf /crane.tar.gz crane -C /kaniko && \ - rm /crane.tar.gz +FROM gcr.io/kaniko-project/executor:debug COPY entrypoint.sh / -COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt ENTRYPOINT ["/entrypoint.sh"] -LABEL repository="https://github.com/aevea/action-kaniko" \ +LABEL repository="https://github.com/outillage/action-kaniko" \ maintainer="Alex Viscreanu " diff --git a/Makefile b/Makefile deleted file mode 100644 index dcf9cdd..0000000 --- a/Makefile +++ /dev/null @@ -1,24 +0,0 @@ -build: - docker build -t aevea/kaniko . - -run: build - docker run \ - -v $(shell pwd):/tmp \ - -e GITHUB_REPOSITORY \ - -e GITHUB_REF \ - -e GITHUB_ACTOR \ - -e GITHUB_TOKEN \ - -e GITHUB_WORKSPACE="/tmp" \ - -e INPUT_IMAGE \ - -e INPUT_CACHE \ - -e INPUT_CACHE_TTL \ - -e INPUT_CACHE_REGISTRY \ - -e INPUT_STRIP_TAG_PREFIX \ - -e INPUT_SKIP_UNCHANGED_DIGEST \ - aevea/kaniko - -shell: build - docker run \ - -ti \ - --entrypoint sh \ - aevea/kaniko diff --git a/README.md b/README.md index 56d6940..a3b61ad 100644 --- a/README.md +++ b/README.md 
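Review bot: `FROM gcr.io/kaniko-project/executor:debug` tracks a floating tag, and since action.yml builds this Dockerfile at use time (`image: "Dockerfile"`), every consumer run picks up whatever executor the registry serves at that moment. This container receives the caller's registry password at runtime, so the base should be pinned to a reviewed version and digest, e.g. `FROM gcr.io/kaniko-project/executor:<version>-debug@sha256:<digest>` (placeholder values). A one-line comment above the `FROM` noting that the debug variant is needed because entrypoint.sh runs under `/busybox/sh` would also prevent a later switch to an image without a shell.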
@@ -1,8 +1,5 @@ # Kaniko image builder -> [!WARNING] -> The kaniko project no longer seems to [have maintainers](https://github.com/GoogleContainerTools/kaniko/issues/3348). Keep this in mind before deciding to use kaniko as your image builder. - This Action uses the [kaniko](https://github.com/GoogleContainerTools/kaniko) executor instead of the docker daemon. Kaniko builds the image by extracting the filesystem of the base image, making the changes in the user space, snapshotting any change and appending it to the base image filesystem. @@ -22,13 +19,13 @@ jobs: steps: - uses: actions/checkout@master - name: Kaniko build - uses: aevea/action-kaniko@master + uses: outillage/kaniko-action@master with: - image: aevea/kaniko + image: outillage/kaniko username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} cache: true - cache_registry: aevea/cache + cache_registry: outillage/cache ``` ## Required Arguments 
@@ -36,30 +33,24 @@ jobs: This action aims to be as flexible as possible, so it tries to define the defaults as for what I thought of being the most used values. So, technically there is a single required argument -| variable | description | required | default | -|------------------|----------------------------------------------------------|----------|-----------------------------| -| image | Name of the image you would like to push | true | | +| variable | description | required | default | +|-----------------|----------------------------------------------------------|----------|-----------------------------| +| image | Name of the image you would like to push | true | | ## Optional Arguments -| variable | description | required | default | -|-----------------------|-----------------------------------------------------------------|----------|-----------------| -| registry | Docker registry where the image will be pushed | false | docker.io | -| username | Username used for authentication to the Docker registry | false | $GITHUB_ACTOR | -| password | Password used for authentication to the Docker registry | false | | -| tag | Image tag | false | latest | -| cache | Enables build cache | false | false | -| cache_ttl | How long the cache should be considered valid | false | | -| cache_registry | Docker registry meant to be used as cache | false | | -| cache_directory | Filesystem path meant to be used as cache | false | | -| build_file | Dockerfile filename | false | Dockerfile | -| extra_args | Additional arguments to be passed to the kaniko executor | false | | -| strip_tag_prefix | Prefix to be stripped from the tag | false | | -| skip_unchanged_digest | Avoids pushing the image if the build generated the same digest | false | | -| path | Path to the build context. Defaults to `.` | false | . 
| -| tag_with_latest | Tags the built image with additional latest tag | false | | -| target | Sets the target stage to build | false | | -| debug | Enables trace for entrypoint.sh | false | | +| variable | description | required | default | +|-----------------|----------------------------------------------------------|----------|-----------------------------| +| registry | Docker registry where the image will be pushed | false | docker.io | +| username | Username used for authentication to the Docker registry | false | $GITHUB_ACTOR | +| password | Password used for authentication to the Docker registry | false | | +| tag | Image tag | false | latest | +| cache | Enables build cache | false | false | +| cache_ttl | How long the cache should be considered valid | false | | +| cache_registry | Docker registry meant to be used as cache | false | | +| cache_directory | Filesystem path meant to be used as cache | false | | +| build_file | Dockerfile filename | false | Dockerfile | +| extra_args | Additional arguments to be passed to the kaniko executor | false | | **Here is where it gets specific, as the optional arguments become required depending on the registry targeted** @@ -70,7 +61,7 @@ In this case, the authentication credentials need to be passed via GitHub Action ```yaml with: - image: aevea/kaniko + image: outillage/kaniko username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} ``` 
@@ -80,24 +71,24 @@ doesn't work. If you want to use caching with Dockerhub, create a `cache` reposi ```yaml with: - image: aevea/kaniko + image: outillage/kaniko username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} cache: true - cache_registry: aevea/cache + cache_registry: outillage/cache ``` -### [ghcr.io](https://github.com/features/packages) +### [docker.pkg.github.com](https://github.com/features/packages) GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace. -If you want to push your image like `aevea/action-kaniko/kaniko`, you'll only need to pass `kaniko` to this action. +If you want to push your image like `outillage/kaniko-action/kaniko`, you'll only need to pass `kaniko` to this action. The authentication is automatically done using the `GITHUB_ACTOR` and `GITHUB_TOKEN` provided from GitHub itself. But as `GITHUB_TOKEN` is not passed by default, it will have to be explicitly set up. ```yaml with: - registry: ghcr.io + registry: docker.pkg.github.com password: ${{ secrets.GITHUB_TOKEN }} image: kaniko ``` @@ -108,7 +99,7 @@ cache layers to that image instead ```yaml with: - registry: ghcr.io + registry: docker.pkg.github.com password: ${{ secrets.GITHUB_TOKEN }} image: kaniko cache: true @@ -133,7 +124,7 @@ with: registry: registry.gitlab.com username: ${{ secrets.GL_REGISTRY_USERNAME }} password: ${{ secrets.GL_REGISTRY_PASSWORD }} - image: aevea/kaniko + image: outillage/kaniko ``` > NOTE: As GitLab's registry does support namespacing, Kaniko can natively push cached layers to it, so only `cache: true` is necessary to be @@ -144,7 +135,7 @@ with: registry: registry.gitlab.com username: ${{ secrets.GL_REGISTRY_USERNAME }} password: ${{ secrets.GL_REGISTRY_PASSWORD }} - image: aevea/kaniko + image: outillage/kaniko cache: true ``` 
@@ -163,24 +154,3 @@ If you would like to publish the image to other registries, these actions might The `tag` argument, **unless overridden**, is automatically guessed based on the branch name. If the branch is `master` then the tag will be `latest`, otherwise it will keep the branch name, but replacing any forward slash (/) with a hyphen (-). - -If the `v` prefix that it's usually added to the GitHub releases is not desired when pushed to dockerhub, the `strip_tag_prefix` allows to -specify which part of the tag should be removed. - -Example: - -```yaml -with: - registry: ghcr.io - password: ${{ secrets.GITHUB_TOKEN }} - image: kaniko - strip_tag_prefix: pre- -``` - -for the tag `pre-0.1` will push `kaniko:0.1`, as the `pre-` part will be stripped from the tag name. - -## Outputs - -### `image` - -Full reference to the built image with registry and tag. diff --git a/action.yml b/action.yml index 7c51772..e09bb95 100644 --- a/action.yml +++ b/action.yml @@ -5,10 +5,6 @@ branding: icon: anchor color: orange inputs: - path: - description: Path to the build context - required: false - default: "." registry: description: "Docker registry where the image will be pushed" required: false @@ -39,27 +35,9 @@ inputs: build_file: description: "Dockerfile filename" required: false - strip_tag_prefix: - description: "Prefix to be stripped from the tag" - required: false extra_args: description: "Additional arguments to be passed to the kaniko executor" required: false - skip_unchanged_digest: - description: "Avoids pushing the image if the build generated the same digest" - required: false - tag_with_latest: - description: "Tags the built image with additional latest tag" - required: false - target: - description: Sets the target stage to build - required: false - debug: - description: Enables trace for entrypoint.sh - required: false -outputs: - image: - description: "Full reference to the built image with registry and tag" runs: using: "docker" image: "Dockerfile" 
diff --git a/entrypoint.sh b/entrypoint.sh
index 8a29b69..a44f977 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,84 +1,52 @@ #!/busybox/sh set -e pipefail -if [ "$INPUT_DEBUG" = "true" ]; then - set -o xtrace -fi -export REGISTRY="${INPUT_REGISTRY:-"docker.io"}" -export IMAGE="$INPUT_IMAGE" -export BRANCH=$(echo "$GITHUB_REF" | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g") -export TAG=${INPUT_TAG:-$([ "$BRANCH" = "master" ] && echo latest || echo "$BRANCH")} -export TAG="${TAG:-"latest"}" -export TAG="${TAG#$INPUT_STRIP_TAG_PREFIX}" -export USERNAME="${INPUT_USERNAME:-$GITHUB_ACTOR}" -export PASSWORD="${INPUT_PASSWORD:-$GITHUB_TOKEN}" -export REPOSITORY="$IMAGE" -export IMAGE="${IMAGE}:${TAG}" -export CONTEXT_PATH="$INPUT_PATH" +export REGISTRY=${INPUT_REGISTRY:-"docker.io"} +export IMAGE=${INPUT_IMAGE} +export BRANCH=$(echo ${GITHUB_REF} | sed -e "s/refs\/heads\///g" | sed -e "s/\//-/g") +export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)} +export TAG=${TAG:-"latest"} +export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR} +export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN} +export IMAGE=$IMAGE:$TAG -if [ "$INPUT_TAG_WITH_LATEST" = "true" ]; then - export IMAGE_LATEST="${REPOSITORY}:latest" -fi - -ensure() { +function sanitize() { if [ -z "${1}" ]; then - echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?" + echo >&2 "Unable to find the ${2}. Did you set with.${2}?" exit 1 fi } -ensure "${REGISTRY}" "registry" -ensure "${USERNAME}" "username" -ensure "${PASSWORD}" "password" -ensure "${IMAGE}" "image" -ensure "${TAG}" "tag" -ensure "${CONTEXT_PATH}" "path" +sanitize "${REGISTRY}" "registry" +sanitize "${USERNAME}" "username" +sanitize "${PASSWORD}" "password" +sanitize "${IMAGE}" "image" +sanitize "${TAG}" "tag" -if [ "$REGISTRY" = "ghcr.io" ]; then - IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')" - # Set `/` separator, unless image is pre-fixed with dash or slash - [ -n "$REPOSITORY" ] && [[ ! 
"$REPOSITORY" =~ ^[-/] ]] && SEPARATOR="/" - export IMAGE="$IMAGE_NAMESPACE$SEPARATOR$IMAGE" - export REPOSITORY="$IMAGE_NAMESPACE$SEPARATOR$REPOSITORY" +if [ "$REGISTRY" == "docker.pkg.github.com" ]; then + export IMAGE="$GITHUB_REPOSITORY/$IMAGE" - if [ -n "$IMAGE_LATEST" ]; then - export IMAGE_LATEST="${IMAGE_NAMESPACE}/${IMAGE_LATEST}" - fi - - if [ -n "$INPUT_CACHE_REGISTRY" ]; then - export INPUT_CACHE_REGISTRY="${REGISTRY}/${IMAGE_NAMESPACE}/${INPUT_CACHE_REGISTRY}" + if [ ! -z $INPUT_CACHE_REGISTRY ]; then + export INPUT_CACHE_REGISTRY="$REGISTRY/$GITHUB_REPOSITORY/$INPUT_CACHE_REGISTRY" fi fi -if [ "$REGISTRY" = "docker.io" ]; then +if [ "$REGISTRY" == "docker.io" ]; then export REGISTRY="index.${REGISTRY}/v1/" else - export IMAGE="${REGISTRY}/${IMAGE}" - - if [ -n "$IMAGE_LATEST" ]; then - export IMAGE_LATEST="${REGISTRY}/${IMAGE_LATEST}" - fi + export IMAGE="$REGISTRY/$IMAGE" fi -export CACHE="${INPUT_CACHE:+"--cache=true"}" -export CACHE="$CACHE"${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"} -export CACHE="$CACHE"${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"} -export CACHE="$CACHE"${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"} -export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH" -export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}" -export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"} -export DIGEST="--digest-file /kaniko/digest --image-name-tag-with-digest-file=/kaniko/image-tag-digest" +export CACHE=${INPUT_CACHE:+"--cache=true"} +export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"} +export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"} +export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"} +export CONTEXT="--context $GITHUB_WORKSPACE" +export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}" +export DESTINATION="--destination $IMAGE" -if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then - export 
DESTINATION="--no-push --tarPath image.tar --destination $IMAGE" -else - export DESTINATION="--destination $IMAGE" - if [ -n "$IMAGE_LATEST" ]; then - export DESTINATION="$DESTINATION --destination $IMAGE_LATEST" - fi -fi - -export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DIGEST $DESTINATION $INPUT_EXTRA_ARGS" +export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS" +echo $ARGS cat </kaniko/.docker/config.json { @@ -91,45 +59,4 @@ cat </kaniko/.docker/config.json } EOF -# https://github.com/GoogleContainerTools/kaniko/issues/1803 -# https://github.com/GoogleContainerTools/kaniko/issues/1349 -export IFS='' -# Removes a trailing new line -ARGS=$(echo "${ARGS}" | sed 's/\n*$//') -kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force" -echo "Running kaniko command ${kaniko_cmd}" -eval "${kaniko_cmd}" - -echo "image=$IMAGE" >> "$GITHUB_OUTPUT" -echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT" -echo "image-tag-digest<>"$GITHUB_OUTPUT" -echo "$(cat /kaniko/image-tag-digest)" >>"$GITHUB_OUTPUT" -echo 'EOF' >>"$GITHUB_OUTPUT" - - -if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then - export DIGEST="$(cat /kaniko/digest)" - - /kaniko/crane auth login "$REGISTRY" -u "$USERNAME" -p "$PASSWORD" - - export REMOTE=$(crane digest "${REGISTRY}/${REPOSITORY}:latest") - - if [ "$DIGEST" = "$REMOTE" ]; then - echo "refreshed=false" >> "$GITHUB_OUTPUT" - echo "Digest hasn't changed, skipping, $DIGEST" - echo "Done 🎉️" - exit 0 - fi - - echo "Pushing image..." - - /kaniko/crane push image.tar "$IMAGE" - - if [ -n "$IMAGE_LATEST" ]; then - echo "Tagging latest..." - /kaniko/crane tag "$IMAGE" latest - fi - - echo "refreshed=false" >> "$GITHUB_OUTPUT" - echo "Done 🎉️" -fi +/kaniko/executor $ARGS diff --git a/renovate.json b/renovate.json deleted file mode 100644 index f45d8f1..0000000 --- a/renovate.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "extends": [ - "config:base" - ] -}
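Review bot: The added `echo $ARGS` in the first entrypoint.sh hunk writes the full executor argument string to the job log, including whatever the caller supplied in `extra_args`; if that carries `--build-arg` values built from secrets, log masking may not recognise them. I would drop the line or print only the parts the script itself constructs, e.g. `echo "$CACHE $CONTEXT $DOCKERFILE $DESTINATION"`. Two smaller points in the same hunk: `[ ! -z $INPUT_CACHE_REGISTRY ]` should quote its operand, `[ -n "$INPUT_CACHE_REGISTRY" ]`, and the context line `set -e pipefail` only sets `-e` and stores `pipefail` as a positional parameter, so it wants `set -eo pipefail` if the busybox shell in the image supports that option. The name `sanitize` also overstates what the function does, which is only an emptiness check on its first argument.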
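Review bot: `/kaniko/executor $ARGS` in the second entrypoint.sh hunk depends on unquoted expansion to split the flag string, which also applies pathname expansion and cannot represent a value containing a space, so an `extra_args` entry with a quoted multi-word value is split in the middle. Disabling globbing just before the call (`set -f`) removes the first problem. A short comment above the call, such as `# ARGS is split on whitespace; quoting inside extra_args is not honoured`, would document the second. The heredoc that writes `/kaniko/.docker/config.json` begins above this hunk, so its contents are not reviewed here.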