docs: add warning about kaniko lacking maintainers

chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.23.2
chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.22.0
2025-04-04 10:28:48 +02:00 · 2024-11-07 19:00:36 +01:00 · 2024-11-07 18:55:15 +01:00 · 2024-04-22 22:50:48 +02:00 · 2024-04-22 22:47:31 +02:00 · 2024-04-22 22:47:22 +02:00
6 changed files with 95 additions and 59 deletions
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@ -6,8 +6,8 @@ jobs:
    runs-on: ubuntu-latest
    name: Verify commit messages
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run commitsar
-        uses: docker://aevea/commitsar@sha256:b77adebc0437d4f2bfdf9205a39003e88acbc77a9176fd086b386207a5f3f5cb
+        uses: docker://aevea/commitsar@sha256:e4aed72de9a00b990a53c678ad51fbe9bd04e127a617d10beab0ef0204b1dfa0
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -10,14 +10,17 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Release Notary Action
-        uses: docker://aevea/release-notary@sha256:8b26ced466da96b23a947d5c9e58baac22ee1192fd08200011e5b178f42118a0
+        uses: docker://aevea/release-notary@sha256:690915bf87458fd8eb1e1ff0be34b33377f920eda3f38b96c62ecbf897c831f4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          entrypoint: release-notary
+          args: publish

      - name: GitHub Package Registry
        uses: aevea/action-kaniko@master
--- a/8
+++ b/8
@ -2,18 +2,18 @@ FROM alpine as certs

 RUN apk --update add ca-certificates

-FROM gcr.io/kaniko-project/executor:debug
+FROM gcr.io/kaniko-project/executor:v1.23.2-debug

 SHELL ["/busybox/sh", "-c"]

 RUN wget -O /kaniko/jq \
-    https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
+    https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && \
    chmod +x /kaniko/jq && \
    wget -O /kaniko/reg \
    https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
    chmod +x /kaniko/reg && \
-    wget -O /crane.tar.gz \ 
-    https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \
+    wget -O /crane.tar.gz \
+    https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && \
    tar -xvzf /crane.tar.gz crane -C /kaniko && \
    rm /crane.tar.gz

--- a/README.md
+++ b/README.md
@ -1,5 +1,8 @@
 # Kaniko image builder

+> [!WARNING]  
+> The kaniko project no longer seems to [have maintainers](https://github.com/GoogleContainerTools/kaniko/issues/3348). Keep this in mind before deciding to use kaniko as your image builder.
+
 This Action uses the [kaniko](https://github.com/GoogleContainerTools/kaniko) executor instead of the docker daemon. Kaniko builds the image
 by extracting the filesystem of the base image, making the changes in the user space, snapshotting any change and appending it to the base
 image filesystem.
@ -56,6 +59,7 @@ the most used values. So, technically there is a single required argument
 | path                  | Path to the build context. Defaults to `.`                      | false    | .               |
 | tag_with_latest       | Tags the built image with additional latest tag                 | false    |                 |
 | target                | Sets the target stage to build                                  | false    |                 |
+| debug                 | Enables trace for entrypoint.sh                                 | false    |                 |

 **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**

@ -174,3 +178,9 @@ with:
 ```

 for the tag `pre-0.1` will push `kaniko:0.1`, as the `pre-` part will be stripped from the tag name.
+
+## Outputs
+
+### `image`
+
+Full reference to the built image with registry and tag.
--- a/action.yml
+++ b/action.yml
@ -54,6 +54,12 @@ inputs:
  target:
    description: Sets the target stage to build
    required: false
+  debug:
+    description: Enables trace for entrypoint.sh
+    required: false
+outputs:
+  image:
+    description: "Full reference to the built image with registry and tag"
 runs:
  using: "docker"
  image: "Dockerfile"
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,23 +1,26 @@
 #!/busybox/sh
 set -e pipefail
-
-export REGISTRY=${INPUT_REGISTRY:-"docker.io"}
-export IMAGE=${INPUT_IMAGE}
-export BRANCH=$(echo ${GITHUB_REF} | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
-export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)}
-export TAG=${TAG:-"latest"}
-export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
-export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
-export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
-export REPOSITORY=$IMAGE
-export IMAGE=$IMAGE:$TAG
-export CONTEXT_PATH=${INPUT_PATH}
-
-if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then
-    export IMAGE_LATEST="$IMAGE:latest"
+if [ "$INPUT_DEBUG" = "true" ]; then
+    set -o xtrace
 fi

-function ensure() {
+export REGISTRY="${INPUT_REGISTRY:-"docker.io"}"
+export IMAGE="$INPUT_IMAGE"
+export BRANCH=$(echo "$GITHUB_REF" | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
+export TAG=${INPUT_TAG:-$([ "$BRANCH" = "master" ] && echo latest || echo "$BRANCH")}
+export TAG="${TAG:-"latest"}"
+export TAG="${TAG#$INPUT_STRIP_TAG_PREFIX}"
+export USERNAME="${INPUT_USERNAME:-$GITHUB_ACTOR}"
+export PASSWORD="${INPUT_PASSWORD:-$GITHUB_TOKEN}"
+export REPOSITORY="$IMAGE"
+export IMAGE="${IMAGE}:${TAG}"
+export CONTEXT_PATH="$INPUT_PATH"
+
+if [ "$INPUT_TAG_WITH_LATEST" = "true" ]; then
+    export IMAGE_LATEST="${REPOSITORY}:latest"
+fi
+
+ensure() {
    if [ -z "${1}" ]; then
        echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?"
        exit 1
@ -31,48 +34,51 @@ ensure "${IMAGE}" "image"
 ensure "${TAG}" "tag"
 ensure "${CONTEXT_PATH}" "path"

-if [ "$REGISTRY" == "ghcr.io" ]; then
+if [ "$REGISTRY" = "ghcr.io" ]; then
    IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
-    export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
-    export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
+    # Set `/` separator, unless image is pre-fixed with dash or slash
+    [ -n "$REPOSITORY" ] && [[ ! "$REPOSITORY" =~ ^[-/] ]] && SEPARATOR="/"
+    export IMAGE="$IMAGE_NAMESPACE$SEPARATOR$IMAGE"
+    export REPOSITORY="$IMAGE_NAMESPACE$SEPARATOR$REPOSITORY"

-    if [ ! -z $IMAGE_LATEST ]; then
-        export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
+    if [ -n "$IMAGE_LATEST" ]; then
+        export IMAGE_LATEST="${IMAGE_NAMESPACE}/${IMAGE_LATEST}"
    fi

-    if [ ! -z $INPUT_CACHE_REGISTRY ]; then
-        export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
+    if [ -n "$INPUT_CACHE_REGISTRY" ]; then
+        export INPUT_CACHE_REGISTRY="${REGISTRY}/${IMAGE_NAMESPACE}/${INPUT_CACHE_REGISTRY}"
    fi
 fi

-if [ "$REGISTRY" == "docker.io" ]; then
+if [ "$REGISTRY" = "docker.io" ]; then
    export REGISTRY="index.${REGISTRY}/v1/"
 else
-    export IMAGE="$REGISTRY/$IMAGE"
+    export IMAGE="${REGISTRY}/${IMAGE}"

-    if [ ! -z $IMAGE_LATEST ]; then
-        export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
+    if [ -n "$IMAGE_LATEST" ]; then
+        export IMAGE_LATEST="${REGISTRY}/${IMAGE_LATEST}"
    fi
 fi

-export CACHE=${INPUT_CACHE:+"--cache=true"}
-export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
-export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
-export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
+export CACHE="${INPUT_CACHE:+"--cache=true"}"
+export CACHE="$CACHE"${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
+export CACHE="$CACHE"${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
+export CACHE="$CACHE"${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
 export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
 export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
 export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
+export DIGEST="--digest-file /kaniko/digest --image-name-tag-with-digest-file=/kaniko/image-tag-digest"

-if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
-    export DESTINATION="--digest-file digest --no-push --tarPath image.tar --destination $IMAGE"
+if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
+    export DESTINATION="--no-push --tarPath image.tar --destination $IMAGE"
 else
    export DESTINATION="--destination $IMAGE"
-    if [ ! -z $IMAGE_LATEST ]; then
-        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"  
+    if [ -n "$IMAGE_LATEST" ]; then
+        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"
    fi
 fi

-export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DIGEST $DESTINATION $INPUT_EXTRA_ARGS"

 cat <<EOF >/kaniko/.docker/config.json
 {
@ -85,20 +91,31 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF

+# https://github.com/GoogleContainerTools/kaniko/issues/1803
 # https://github.com/GoogleContainerTools/kaniko/issues/1349
-/kaniko/executor --reproducible --force $ARGS
+export IFS=''
+# Removes a trailing new line
+ARGS=$(echo "${ARGS}" | sed 's/\n*$//')
+kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force"
+echo "Running kaniko command ${kaniko_cmd}"
+eval "${kaniko_cmd}"

-if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
-    export DIGEST=$(cat digest)
+echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
+echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT"
+echo "image-tag-digest<<EOF" >>"$GITHUB_OUTPUT"
+echo "$(cat /kaniko/image-tag-digest)" >>"$GITHUB_OUTPUT"
+echo 'EOF' >>"$GITHUB_OUTPUT"

-    if [ "$REGISTRY" == "ghcr.io" ]; then
-        wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://ghcr.io/v2/$REPOSITORY/manifests/latest || true
-        export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
-    else
-        export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
-    fi

-    if [ "$DIGEST" == "$REMOTE" ]; then
+if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
+    export DIGEST="$(cat /kaniko/digest)"
+
+    /kaniko/crane auth login "$REGISTRY" -u "$USERNAME" -p "$PASSWORD"
+
+    export REMOTE=$(crane digest "${REGISTRY}/${REPOSITORY}:latest")
+
+    if [ "$DIGEST" = "$REMOTE" ]; then
+        echo "refreshed=false" >> "$GITHUB_OUTPUT"
        echo "Digest hasn't changed, skipping, $DIGEST"
        echo "Done 🎉️"
        exit 0
@ -106,13 +123,13 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then

    echo "Pushing image..."

-    /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD
-    /kaniko/crane push image.tar $IMAGE
+    /kaniko/crane push image.tar "$IMAGE"

-    if [ ! -z $IMAGE_LATEST ]; then
+    if [ -n "$IMAGE_LATEST" ]; then
        echo "Tagging latest..."
-        /kaniko/crane tag $IMAGE latest  
+        /kaniko/crane tag "$IMAGE" latest
    fi
- 
+
+    echo "refreshed=false" >> "$GITHUB_OUTPUT"
    echo "Done 🎉️"
 fi
Author	SHA1	Message	Date
Alex Viscreanu	be5ce625a5	docs: add warning about kaniko lacking maintainers	2024-11-07 19:00:36 +01:00
renovate[bot]	58af85fb13	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.23.2	2024-11-07 18:55:15 +01:00
renovate[bot]	9223ef89b8	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.22.0	2024-04-22 22:50:48 +02:00
renovate[bot]	12a3a8cc81	chore(deps): update aevea/commitsar docker digest to e4aed72	2024-04-22 22:47:31 +02:00
renovate[bot]	977090a03e	chore(deps): update aevea/release-notary docker digest to 690915b	2024-04-22 22:47:22 +02:00
Jason Kratz	fd47216104	fix: correctly handle multi-line tag digests output kaniko outputs each tag on a new line, so users that push multiple tags at once would get an error as the output wasn't prepared to handle multi-line text	2024-04-22 22:38:37 +02:00
renovate[bot]	8de7c88b27	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.21.1	2024-03-08 13:50:40 +01:00
ykyr	ef9c4ca42e	fix: entrypoint ARGS remove new line	2024-03-08 13:50:15 +01:00
Alex Viscreanu	16c18d6aee	ci: fix release notary action explicitly define entrypoint and args	2024-01-20 11:24:51 +01:00
Theo Cabrerizo Diem	ec00be49b7	refactor: make entrypoint script more posix compliant remove most of the 'bashisms' in the script, improve quoting, escaping and make more consistent regarding references to variable names	2024-01-20 11:02:40 +01:00
renovate[bot]	4f9a6a7f2c	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.20.0	2024-01-20 10:27:37 +01:00
Theo Cabrerizo Diem	81a26cb33a	feat: expand output variables add output variables for digests and if image was refreshed or not	2024-01-11 22:51:21 +01:00
Mikael Elkiaer	17bff7af73	fix(ghcr): omit separator in case image is prefixed with dash or slash this allows local pushing to the repo running the action	2024-01-11 22:25:33 +01:00
Idriss Neumann	a95ae7d706	fix(kaniko): workaround for passing arguments containing spaces set up input field separator as null and use eval to run kaniko executor	2024-01-11 22:21:21 +01:00
renovate[bot]	10b098cb52	chore(deps): update aevea/commitsar docker digest to 8d2db4e	2024-01-11 22:05:46 +01:00
renovate[bot]	4387eb381c	chore(deps): update actions/checkout action to v4	2024-01-11 22:05:22 +01:00
Mikhail Nacharov	ca098255c5	feat: output built image reference	2024-01-11 22:04:49 +01:00
Alex Viscreanu	e54575cc70	chore(deps): bump kaniko to v1.19.2 and update dependencies	2024-01-11 22:02:42 +01:00
renovate[bot]	78060c4e9d	chore(deps): update aevea/release-notary docker digest to b77e86c	2022-12-27 21:25:52 +01:00
renovate[bot]	98d5caab7f	chore(deps): update aevea/commitsar docker digest to 18c604f	2022-12-27 21:22:59 +01:00
renovate[bot]	83ddee1c8b	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.9.1	2022-12-27 21:20:48 +01:00
Doron Somech	57fd639926	fix: use version 1.7.0 of kaniko Version 1.8.0 and above breaks reproducible builds. https://github.com/GoogleContainerTools/kaniko/issues/2005	2022-05-13 16:59:27 +02:00
Doron Somech	c97b90ade3	chore(deps): update crane to 0.8.0	2022-05-13 16:59:27 +02:00
Doron Somech	1200c08dba	fix: downloading manifest doesn't work for github packages	2022-05-13 16:59:27 +02:00
Renovate Bot	a4abaead48	chore(deps): update actions/checkout action to v3	2022-03-31 11:32:10 +02:00
Renovate Bot	59bc747ae2	chore(deps): update aevea/release-notary digest to 03e771a	2022-03-31 11:31:45 +02:00
Renovate Bot	548ad7dd4a	chore(deps): update aevea/commitsar digest to 27ea5e5	2022-03-31 11:31:37 +02:00
Sandro Modarelli	20173de989	feat: adding debug flag	2022-03-31 11:29:47 +02:00
Sandro Modarelli	17f90e5aa4	fix: use complete image name when computing latest target	2022-03-31 11:29:47 +02:00