diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index cf1202d..36058e7 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -6,8 +6,8 @@ jobs: runs-on: ubuntu-latest name: Verify commit messages steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v3 with: fetch-depth: 0 - name: Run commitsar - uses: docker://aevea/commitsar@sha256:e4aed72de9a00b990a53c678ad51fbe9bd04e127a617d10beab0ef0204b1dfa0 + uses: docker://aevea/commitsar@sha256:27ea5e528b153393e924d98764d6400a181f03768d972ba151b3ddc9f14ff12c diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4dbe99b..ba7010b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,17 +10,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@v3 with: fetch-depth: 0 - name: Release Notary Action - uses: docker://aevea/release-notary@sha256:690915bf87458fd8eb1e1ff0be34b33377f920eda3f38b96c62ecbf897c831f4 + uses: docker://aevea/release-notary@sha256:03e771a509881121758b05217a8938ca8379d29dfa69a2605ceca06ffca2db4d env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - entrypoint: release-notary - args: publish - name: GitHub Package Registry uses: aevea/action-kaniko@master diff --git a/Dockerfile b/Dockerfile index 2c0fd25..445159b 100644 --- a/Dockerfile +++ b/Dockerfile 
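Review bot: `uses: actions/checkout@v3`, in the pr.yml hunk and again in the release.yml hunk after it, is a mutable tag, while the `docker://` steps in the same jobs are pinned by sha256 digest. The release job holds a repository token (`GITHUB_TOKEN` is passed to a later step), so whatever the tag resolves to runs in a job with that token. Pinning to a full commit SHA would match the digest pinning already used, e.g. `uses: actions/checkout@<full-commit-sha>  # v3` (placeholder; fill in the audited commit). Separately, with `with: entrypoint/args` removed in release.yml, the notary step relies on whatever default entrypoint the new digest carries, which cannot be checked from this diff.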
@@ -2,18 +2,18 @@ FROM alpine as certs RUN apk --update add ca-certificates -FROM gcr.io/kaniko-project/executor:v1.23.2-debug +FROM gcr.io/kaniko-project/executor:debug SHELL ["/busybox/sh", "-c"] RUN wget -O /kaniko/jq \ - https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && \ + https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \ chmod +x /kaniko/jq && \ wget -O /kaniko/reg \ https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \ chmod +x /kaniko/reg && \ - wget -O /crane.tar.gz \ - https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && \ + wget -O /crane.tar.gz \ + https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \ tar -xvzf /crane.tar.gz crane -C /kaniko && \ rm /crane.tar.gz diff --git a/README.md b/README.md index 56d6940..6dff48a 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,5 @@ # Kaniko image builder -> [!WARNING] -> The kaniko project no longer seems to [have maintainers](https://github.com/GoogleContainerTools/kaniko/issues/3348). Keep this in mind before deciding to use kaniko as your image builder. - This Action uses the [kaniko](https://github.com/GoogleContainerTools/kaniko) executor instead of the docker daemon. Kaniko builds the image by extracting the filesystem of the base image, making the changes in the user space, snapshotting any change and appending it to the base image filesystem. @@ -178,9 +175,3 @@ with: ``` for the tag `pre-0.1` will push `kaniko:0.1`, as the `pre-` part will be stripped from the tag name. - -## Outputs - -### `image` - -Full reference to the built image with registry and tag. diff --git a/action.yml b/action.yml index 7c51772..cb313e3 100644 --- a/action.yml +++ b/action.yml 
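Review bot: `FROM gcr.io/kaniko-project/executor:debug` is a floating tag, so the base image of this action can change between builds without any change in this repository; the removed line pinned `v1.23.2-debug`. Keep a version tag and preferably add a digest, e.g. `FROM gcr.io/kaniko-project/executor:v1.23.2-debug@sha256:<digest>` (placeholder digest). The `wget` downloads of jq, reg and crane in the same `RUN` are made executable or unpacked with no integrity check; each should be followed by a comparison such as `echo "<sha256>  /kaniko/jq" | sha256sum -c -`, with the value taken from the upstream release. The hunk also moves jq and crane to older releases (`jq-1.6`, `v0.1.1`), so it is worth confirming the downgrade is intended.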
@@ -57,9 +57,6 @@ inputs: debug: description: Enables trace for entrypoint.sh required: false -outputs: - image: - description: "Full reference to the built image with registry and tag" runs: using: "docker" image: "Dockerfile" diff --git a/entrypoint.sh b/entrypoint.sh index 8a29b69..bbeeff8 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,26 +1,26 @@ #!/busybox/sh set -e pipefail -if [ "$INPUT_DEBUG" = "true" ]; then +if [[ "$INPUT_DEBUG" == "true" ]]; then set -o xtrace fi -export REGISTRY="${INPUT_REGISTRY:-"docker.io"}" -export IMAGE="$INPUT_IMAGE" -export BRANCH=$(echo "$GITHUB_REF" | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g") -export TAG=${INPUT_TAG:-$([ "$BRANCH" = "master" ] && echo latest || echo "$BRANCH")} -export TAG="${TAG:-"latest"}" -export TAG="${TAG#$INPUT_STRIP_TAG_PREFIX}" -export USERNAME="${INPUT_USERNAME:-$GITHUB_ACTOR}" -export PASSWORD="${INPUT_PASSWORD:-$GITHUB_TOKEN}" -export REPOSITORY="$IMAGE" -export IMAGE="${IMAGE}:${TAG}" -export CONTEXT_PATH="$INPUT_PATH" +export REGISTRY=${INPUT_REGISTRY:-"docker.io"} +export IMAGE=${INPUT_IMAGE} +export BRANCH=$(echo ${GITHUB_REF} | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g") +export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)} +export TAG=${TAG:-"latest"} +export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX} +export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR} +export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN} +export REPOSITORY=$IMAGE +export IMAGE=$IMAGE:$TAG +export CONTEXT_PATH=${INPUT_PATH} -if [ "$INPUT_TAG_WITH_LATEST" = "true" ]; then - export IMAGE_LATEST="${REPOSITORY}:latest" +if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then + export IMAGE_LATEST="$REPOSITORY:latest" fi -ensure() { +function ensure() { if [ -z "${1}" ]; then echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?" exit 1 
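Review bot: In the entrypoint.sh hunk, the new assignments drop the quotes around values taken from workflow inputs and the ref name. In `$(echo ${GITHUB_REF} | sed ...)` and `echo $BRANCH` the unquoted expansion is word-split and glob-expanded before `echo` sees it. Keep the quoted forms, e.g. `export BRANCH=$(echo "$GITHUB_REF" | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")` and `export IMAGE="${IMAGE}:${TAG}"`. `[[ ... == ... ]]` and `function ensure()` are bash-style constructs under a `#!/busybox/sh` shebang, so they work only if the ash in the base image was built with bash compatibility; the POSIX forms `[ "$INPUT_DEBUG" = "true" ]` and `ensure() {` avoid that dependency. The body of `ensure` continues past the end of this hunk.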
@@ -34,51 +34,48 @@ ensure "${IMAGE}" "image" ensure "${TAG}" "tag" ensure "${CONTEXT_PATH}" "path" -if [ "$REGISTRY" = "ghcr.io" ]; then +if [ "$REGISTRY" == "ghcr.io" ]; then IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')" - # Set `/` separator, unless image is pre-fixed with dash or slash - [ -n "$REPOSITORY" ] && [[ ! "$REPOSITORY" =~ ^[-/] ]] && SEPARATOR="/" - export IMAGE="$IMAGE_NAMESPACE$SEPARATOR$IMAGE" - export REPOSITORY="$IMAGE_NAMESPACE$SEPARATOR$REPOSITORY" + export IMAGE="$IMAGE_NAMESPACE/$IMAGE" + export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY" - if [ -n "$IMAGE_LATEST" ]; then - export IMAGE_LATEST="${IMAGE_NAMESPACE}/${IMAGE_LATEST}" + if [ ! -z $IMAGE_LATEST ]; then + export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST" fi - if [ -n "$INPUT_CACHE_REGISTRY" ]; then - export INPUT_CACHE_REGISTRY="${REGISTRY}/${IMAGE_NAMESPACE}/${INPUT_CACHE_REGISTRY}" + if [ ! -z $INPUT_CACHE_REGISTRY ]; then + export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY" fi fi -if [ "$REGISTRY" = "docker.io" ]; then +if [ "$REGISTRY" == "docker.io" ]; then export REGISTRY="index.${REGISTRY}/v1/" else - export IMAGE="${REGISTRY}/${IMAGE}" + export IMAGE="$REGISTRY/$IMAGE" - if [ -n "$IMAGE_LATEST" ]; then - export IMAGE_LATEST="${REGISTRY}/${IMAGE_LATEST}" + if [ ! 
-z $IMAGE_LATEST ]; then + export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST" fi fi -export CACHE="${INPUT_CACHE:+"--cache=true"}" -export CACHE="$CACHE"${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"} -export CACHE="$CACHE"${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"} -export CACHE="$CACHE"${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"} +export CACHE=${INPUT_CACHE:+"--cache=true"} +export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"} +export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"} +export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"} export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH" export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}" export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"} -export DIGEST="--digest-file /kaniko/digest --image-name-tag-with-digest-file=/kaniko/image-tag-digest" -if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then - export DESTINATION="--no-push --tarPath image.tar --destination $IMAGE" +if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then + export DESTINATION="--digest-file digest --no-push --tarPath image.tar --destination $IMAGE" else export DESTINATION="--destination $IMAGE" - if [ -n "$IMAGE_LATEST" ]; then - export DESTINATION="$DESTINATION --destination $IMAGE_LATEST" + if [ ! -z $IMAGE_LATEST ]; then + export DESTINATION="$DESTINATION --destination $IMAGE_LATEST" fi fi -export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DIGEST $DESTINATION $INPUT_EXTRA_ARGS" +export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS" cat </kaniko/.docker/config.json { 
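Review bot: The `[ ! -z $VAR ]` tests introduced in this hunk (`$IMAGE_LATEST`, `$INPUT_CACHE_REGISTRY`, `$INPUT_SKIP_UNCHANGED_DIGEST`) leave the variable unquoted. An empty value collapses the test to `[ ! -z ]`, which is false only because `-z` is then read as a non-empty string. A value containing whitespace makes `[` fail with an argument error that the `if` silently treats as false. Use `[ -n "$IMAGE_LATEST" ]` and the same form for the other two; the same unquoted tests recur in the two hunks that follow. The ghcr.io branch now always inserts `/` between namespace and image, where the removed code skipped the separator for an empty name or one starting with `-` or `/`, so confirm that no workflow relied on that.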
@@ -91,31 +88,20 @@ cat </kaniko/.docker/config.json } EOF -# https://github.com/GoogleContainerTools/kaniko/issues/1803 # https://github.com/GoogleContainerTools/kaniko/issues/1349 -export IFS='' -# Removes a trailing new line -ARGS=$(echo "${ARGS}" | sed 's/\n*$//') -kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force" -echo "Running kaniko command ${kaniko_cmd}" -eval "${kaniko_cmd}" +/kaniko/executor --reproducible --force $ARGS -echo "image=$IMAGE" >> "$GITHUB_OUTPUT" -echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT" -echo "image-tag-digest<>"$GITHUB_OUTPUT" -echo "$(cat /kaniko/image-tag-digest)" >>"$GITHUB_OUTPUT" -echo 'EOF' >>"$GITHUB_OUTPUT" +if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then + export DIGEST=$(cat digest) + if [ "$REGISTRY" == "ghcr.io" ]; then + wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://ghcr.io/v2/$REPOSITORY/manifests/latest || true + export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')" + else + export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1) + fi -if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then - export DIGEST="$(cat /kaniko/digest)" - - /kaniko/crane auth login "$REGISTRY" -u "$USERNAME" -p "$PASSWORD" - - export REMOTE=$(crane digest "${REGISTRY}/${REPOSITORY}:latest") - - if [ "$DIGEST" = "$REMOTE" ]; then - echo "refreshed=false" >> "$GITHUB_OUTPUT" + if [ "$DIGEST" == "$REMOTE" ]; then echo "Digest hasn't changed, skipping, $DIGEST" echo "Done 🎉️" exit 0 
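Review bot: The credential handling added in this hunk expands secrets unquoted on command lines: `$(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)` and `reg digest -u $USERNAME -p $PASSWORD ...`. When `INPUT_DEBUG` turns on `set -o xtrace`, the base64 form of `user:password` is traced to the job log, and masking of the raw secret value would not be expected to match that encoding. The same unquoted `-p $PASSWORD` appears in `/kaniko/crane auth login` in the following hunk. Quote every expansion (`-u "$USERNAME" -p "$PASSWORD"`, `printf '%s' "$USERNAME:$PASSWORD" | base64`) and switch tracing off around these commands with `set +o xtrace`. `wget ... || true` also hides a failed or unauthorized fetch, after which `REMOTE` is the hash of whatever `manifest` holds; that hash may not equal the digest kaniko wrote, so the skip decision deserves an explicit test. The enclosing `if` closes outside this hunk.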
@@ -123,13 +109,13 @@ if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then echo "Pushing image..." - /kaniko/crane push image.tar "$IMAGE" + /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD + /kaniko/crane push image.tar $IMAGE - if [ -n "$IMAGE_LATEST" ]; then + if [ ! -z $IMAGE_LATEST ]; then echo "Tagging latest..." - /kaniko/crane tag "$IMAGE" latest + /kaniko/crane tag $IMAGE latest fi - - echo "refreshed=false" >> "$GITHUB_OUTPUT" + echo "Done 🎉️" fi