mirror of
https://github.com/aevea/action-kaniko.git
synced 2025-04-19 08:48:14 +02:00
Compare commits
No commits in common. "master" and "v0.7.1" have entirely different histories.
6 changed files with 59 additions and 95 deletions
4
.github/workflows/pr.yml
vendored
4
.github/workflows/pr.yml
vendored
|
|
@ -6,8 +6,8 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
name: Verify commit messages
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/checkout@v2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Run commitsar
|
||||
uses: docker://aevea/commitsar@sha256:e4aed72de9a00b990a53c678ad51fbe9bd04e127a617d10beab0ef0204b1dfa0
|
||||
uses: docker://aevea/commitsar@sha256:b77adebc0437d4f2bfdf9205a39003e88acbc77a9176fd086b386207a5f3f5cb
|
||||
|
|
|
|||
7
.github/workflows/release.yml
vendored
7
.github/workflows/release.yml
vendored
|
|
@ -10,17 +10,14 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Release Notary Action
|
||||
uses: docker://aevea/release-notary@sha256:690915bf87458fd8eb1e1ff0be34b33377f920eda3f38b96c62ecbf897c831f4
|
||||
uses: docker://aevea/release-notary@sha256:8b26ced466da96b23a947d5c9e58baac22ee1192fd08200011e5b178f42118a0
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
entrypoint: release-notary
|
||||
args: publish
|
||||
|
||||
- name: GitHub Package Registry
|
||||
uses: aevea/action-kaniko@master
|
||||
|
|
|
|||
|
|
@ -2,18 +2,18 @@ FROM alpine as certs
|
|||
|
||||
RUN apk --update add ca-certificates
|
||||
|
||||
FROM gcr.io/kaniko-project/executor:v1.23.2-debug
|
||||
FROM gcr.io/kaniko-project/executor:debug
|
||||
|
||||
SHELL ["/busybox/sh", "-c"]
|
||||
|
||||
RUN wget -O /kaniko/jq \
|
||||
https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && \
|
||||
https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
|
||||
chmod +x /kaniko/jq && \
|
||||
wget -O /kaniko/reg \
|
||||
https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
|
||||
chmod +x /kaniko/reg && \
|
||||
wget -O /crane.tar.gz \
|
||||
https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && \
|
||||
https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \
|
||||
tar -xvzf /crane.tar.gz crane -C /kaniko && \
|
||||
rm /crane.tar.gz
|
||||
|
||||
|
|
|
|||
10
README.md
10
README.md
|
|
@ -1,8 +1,5 @@
|
|||
# Kaniko image builder
|
||||
|
||||
> [!WARNING]
|
||||
> The kaniko project no longer seems to [have maintainers](https://github.com/GoogleContainerTools/kaniko/issues/3348). Keep this in mind before deciding to use kaniko as your image builder.
|
||||
|
||||
This Action uses the [kaniko](https://github.com/GoogleContainerTools/kaniko) executor instead of the docker daemon. Kaniko builds the image
|
||||
by extracting the filesystem of the base image, making the changes in the user space, snapshotting any change and appending it to the base
|
||||
image filesystem.
|
||||
|
|
@ -59,7 +56,6 @@ the most used values. So, technically there is a single required argument
|
|||
| path | Path to the build context. Defaults to `.` | false | . |
|
||||
| tag_with_latest | Tags the built image with additional latest tag | false | |
|
||||
| target | Sets the target stage to build | false | |
|
||||
| debug | Enables trace for entrypoint.sh | false | |
|
||||
|
||||
**Here is where it gets specific, as the optional arguments become required depending on the registry targeted**
|
||||
|
||||
|
|
@ -178,9 +174,3 @@ with:
|
|||
```
|
||||
|
||||
for the tag `pre-0.1` will push `kaniko:0.1`, as the `pre-` part will be stripped from the tag name.
|
||||
|
||||
## Outputs
|
||||
|
||||
### `image`
|
||||
|
||||
Full reference to the built image with registry and tag.
|
||||
|
|
|
|||
|
|
@ -54,12 +54,6 @@ inputs:
|
|||
target:
|
||||
description: Sets the target stage to build
|
||||
required: false
|
||||
debug:
|
||||
description: Enables trace for entrypoint.sh
|
||||
required: false
|
||||
outputs:
|
||||
image:
|
||||
description: "Full reference to the built image with registry and tag"
|
||||
runs:
|
||||
using: "docker"
|
||||
image: "Dockerfile"
|
||||
|
|
|
|||
115
entrypoint.sh
115
entrypoint.sh
|
|
@ -1,26 +1,23 @@
|
|||
#!/busybox/sh
|
||||
set -e pipefail
|
||||
if [ "$INPUT_DEBUG" = "true" ]; then
|
||||
set -o xtrace
|
||||
|
||||
export REGISTRY=${INPUT_REGISTRY:-"docker.io"}
|
||||
export IMAGE=${INPUT_IMAGE}
|
||||
export BRANCH=$(echo ${GITHUB_REF} | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
|
||||
export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)}
|
||||
export TAG=${TAG:-"latest"}
|
||||
export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
|
||||
export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
|
||||
export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
|
||||
export REPOSITORY=$IMAGE
|
||||
export IMAGE=$IMAGE:$TAG
|
||||
export CONTEXT_PATH=${INPUT_PATH}
|
||||
|
||||
if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then
|
||||
export IMAGE_LATEST="$IMAGE:latest"
|
||||
fi
|
||||
|
||||
export REGISTRY="${INPUT_REGISTRY:-"docker.io"}"
|
||||
export IMAGE="$INPUT_IMAGE"
|
||||
export BRANCH=$(echo "$GITHUB_REF" | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
|
||||
export TAG=${INPUT_TAG:-$([ "$BRANCH" = "master" ] && echo latest || echo "$BRANCH")}
|
||||
export TAG="${TAG:-"latest"}"
|
||||
export TAG="${TAG#$INPUT_STRIP_TAG_PREFIX}"
|
||||
export USERNAME="${INPUT_USERNAME:-$GITHUB_ACTOR}"
|
||||
export PASSWORD="${INPUT_PASSWORD:-$GITHUB_TOKEN}"
|
||||
export REPOSITORY="$IMAGE"
|
||||
export IMAGE="${IMAGE}:${TAG}"
|
||||
export CONTEXT_PATH="$INPUT_PATH"
|
||||
|
||||
if [ "$INPUT_TAG_WITH_LATEST" = "true" ]; then
|
||||
export IMAGE_LATEST="${REPOSITORY}:latest"
|
||||
fi
|
||||
|
||||
ensure() {
|
||||
function ensure() {
|
||||
if [ -z "${1}" ]; then
|
||||
echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?"
|
||||
exit 1
|
||||
|
|
@ -34,51 +31,48 @@ ensure "${IMAGE}" "image"
|
|||
ensure "${TAG}" "tag"
|
||||
ensure "${CONTEXT_PATH}" "path"
|
||||
|
||||
if [ "$REGISTRY" = "ghcr.io" ]; then
|
||||
if [ "$REGISTRY" == "ghcr.io" ]; then
|
||||
IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
|
||||
# Set `/` separator, unless image is pre-fixed with dash or slash
|
||||
[ -n "$REPOSITORY" ] && [[ ! "$REPOSITORY" =~ ^[-/] ]] && SEPARATOR="/"
|
||||
export IMAGE="$IMAGE_NAMESPACE$SEPARATOR$IMAGE"
|
||||
export REPOSITORY="$IMAGE_NAMESPACE$SEPARATOR$REPOSITORY"
|
||||
export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
|
||||
export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
|
||||
|
||||
if [ -n "$IMAGE_LATEST" ]; then
|
||||
export IMAGE_LATEST="${IMAGE_NAMESPACE}/${IMAGE_LATEST}"
|
||||
if [ ! -z $IMAGE_LATEST ]; then
|
||||
export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
|
||||
fi
|
||||
|
||||
if [ -n "$INPUT_CACHE_REGISTRY" ]; then
|
||||
export INPUT_CACHE_REGISTRY="${REGISTRY}/${IMAGE_NAMESPACE}/${INPUT_CACHE_REGISTRY}"
|
||||
if [ ! -z $INPUT_CACHE_REGISTRY ]; then
|
||||
export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$REGISTRY" = "docker.io" ]; then
|
||||
if [ "$REGISTRY" == "docker.io" ]; then
|
||||
export REGISTRY="index.${REGISTRY}/v1/"
|
||||
else
|
||||
export IMAGE="${REGISTRY}/${IMAGE}"
|
||||
export IMAGE="$REGISTRY/$IMAGE"
|
||||
|
||||
if [ -n "$IMAGE_LATEST" ]; then
|
||||
export IMAGE_LATEST="${REGISTRY}/${IMAGE_LATEST}"
|
||||
if [ ! -z $IMAGE_LATEST ]; then
|
||||
export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
|
||||
fi
|
||||
fi
|
||||
|
||||
export CACHE="${INPUT_CACHE:+"--cache=true"}"
|
||||
export CACHE="$CACHE"${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
|
||||
export CACHE="$CACHE"${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
|
||||
export CACHE="$CACHE"${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
|
||||
export CACHE=${INPUT_CACHE:+"--cache=true"}
|
||||
export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
|
||||
export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
|
||||
export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
|
||||
export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
|
||||
export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
|
||||
export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
|
||||
export DIGEST="--digest-file /kaniko/digest --image-name-tag-with-digest-file=/kaniko/image-tag-digest"
|
||||
|
||||
if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
|
||||
export DESTINATION="--no-push --tarPath image.tar --destination $IMAGE"
|
||||
if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
|
||||
export DESTINATION="--digest-file digest --no-push --tarPath image.tar --destination $IMAGE"
|
||||
else
|
||||
export DESTINATION="--destination $IMAGE"
|
||||
if [ -n "$IMAGE_LATEST" ]; then
|
||||
if [ ! -z $IMAGE_LATEST ]; then
|
||||
export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"
|
||||
fi
|
||||
fi
|
||||
|
||||
export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DIGEST $DESTINATION $INPUT_EXTRA_ARGS"
|
||||
export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
|
||||
|
||||
cat <<EOF >/kaniko/.docker/config.json
|
||||
{
|
||||
|
|
@ -91,31 +85,20 @@ cat <<EOF >/kaniko/.docker/config.json
|
|||
}
|
||||
EOF
|
||||
|
||||
# https://github.com/GoogleContainerTools/kaniko/issues/1803
|
||||
# https://github.com/GoogleContainerTools/kaniko/issues/1349
|
||||
export IFS=''
|
||||
# Removes a trailing new line
|
||||
ARGS=$(echo "${ARGS}" | sed 's/\n*$//')
|
||||
kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force"
|
||||
echo "Running kaniko command ${kaniko_cmd}"
|
||||
eval "${kaniko_cmd}"
|
||||
/kaniko/executor --reproducible --force $ARGS
|
||||
|
||||
echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
|
||||
echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT"
|
||||
echo "image-tag-digest<<EOF" >>"$GITHUB_OUTPUT"
|
||||
echo "$(cat /kaniko/image-tag-digest)" >>"$GITHUB_OUTPUT"
|
||||
echo 'EOF' >>"$GITHUB_OUTPUT"
|
||||
if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
|
||||
export DIGEST=$(cat digest)
|
||||
|
||||
if [ "$REGISTRY" == "ghcr.io" ]; then
|
||||
wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://ghcr.io/v2/$REPOSITORY/manifests/latest || true
|
||||
export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
|
||||
else
|
||||
export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
|
||||
fi
|
||||
|
||||
if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
|
||||
export DIGEST="$(cat /kaniko/digest)"
|
||||
|
||||
/kaniko/crane auth login "$REGISTRY" -u "$USERNAME" -p "$PASSWORD"
|
||||
|
||||
export REMOTE=$(crane digest "${REGISTRY}/${REPOSITORY}:latest")
|
||||
|
||||
if [ "$DIGEST" = "$REMOTE" ]; then
|
||||
echo "refreshed=false" >> "$GITHUB_OUTPUT"
|
||||
if [ "$DIGEST" == "$REMOTE" ]; then
|
||||
echo "Digest hasn't changed, skipping, $DIGEST"
|
||||
echo "Done 🎉️"
|
||||
exit 0
|
||||
|
|
@ -123,13 +106,13 @@ if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
|
|||
|
||||
echo "Pushing image..."
|
||||
|
||||
/kaniko/crane push image.tar "$IMAGE"
|
||||
/kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD
|
||||
/kaniko/crane push image.tar $IMAGE
|
||||
|
||||
if [ -n "$IMAGE_LATEST" ]; then
|
||||
if [ ! -z $IMAGE_LATEST ]; then
|
||||
echo "Tagging latest..."
|
||||
/kaniko/crane tag "$IMAGE" latest
|
||||
/kaniko/crane tag $IMAGE latest
|
||||
fi
|
||||
|
||||
echo "refreshed=false" >> "$GITHUB_OUTPUT"
|
||||
echo "Done 🎉️"
|
||||
fi
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue