fix: tag with latest only when its config is true

if the base64 string has more than 76 characters, it is wrapped with \n

.dockerignore

@@ -1,3 +1,3 @@
 *
 !entrypoint.sh
-
+.env*

.github/workflows/pr.yml

@@ -0,0 +1,13 @@
+name: Pull request
+on: pull_request
+
+jobs:
+  commitsar:
+    runs-on: ubuntu-latest
+    name: Verify commit messages
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Run commitsar
+        uses: docker://aevea/commitsar@sha256:b77adebc0437d4f2bfdf9205a39003e88acbc77a9176fd086b386207a5f3f5cb

.github/workflows/push.yml

@@ -0,0 +1,27 @@
+name: Commit
+on: push
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    name: Build docker image
+    steps:
+      - uses: actions/checkout@master
+
+      - name: GitHub Package Registry
+        uses: aevea/action-kaniko@master
+        with:
+          registry: docker.pkg.github.com
+          password: ${{ secrets.GITHUB_TOKEN }}
+          image: kaniko
+          cache: true
+          cache_registry: cache
+
+      - name: Dockerhub
+        uses: aevea/action-kaniko@master
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          image: aevea/kaniko
+          cache: true
+          cache_registry: aevea/cache

.github/workflows/release.yml

@@ -0,0 +1,38 @@
+name: Release
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release-notes:
+    name: Release Notes
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Release Notary Action
+        uses: docker://aevea/release-notary@sha256:8b26ced466da96b23a947d5c9e58baac22ee1192fd08200011e5b178f42118a0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: GitHub Package Registry
+        uses: aevea/action-kaniko@master
+        with:
+          registry: docker.pkg.github.com
+          password: ${{ secrets.GITHUB_TOKEN }}
+          image: kaniko
+          cache: true
+          cache_registry: cache
+
+      - name: Dockerhub
+        uses: aevea/action-kaniko@master
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          image: aevea/kaniko
+          cache: true
+          cache_registry: aevea/cache

Dockerfile

@@ -1,8 +1,26 @@
+FROM alpine as certs
+
+RUN apk --update add ca-certificates
+
 FROM gcr.io/kaniko-project/executor:debug
 
+SHELL ["/busybox/sh", "-c"]
+
+RUN wget -O /kaniko/jq \
+    https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
+    chmod +x /kaniko/jq && \
+    wget -O /kaniko/reg \
+    https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
+    chmod +x /kaniko/reg && \
+    wget -O /crane.tar.gz \ 
+    https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \
+    tar -xvzf /crane.tar.gz crane -C /kaniko && \
+    rm /crane.tar.gz
+
 COPY entrypoint.sh /
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 ENTRYPOINT ["/entrypoint.sh"]
 
-LABEL repository="https://github.com/outillage/action-kaniko" \
+LABEL repository="https://github.com/aevea/action-kaniko" \
     maintainer="Alex Viscreanu <alexviscreanu@gmail.com>"

Makefile

@@ -0,0 +1,24 @@
+build:
+	docker build -t aevea/kaniko .
+
+run: build
+	docker run \
+		-v $(shell pwd):/tmp \
+		-e GITHUB_REPOSITORY \
+		-e GITHUB_REF \
+		-e GITHUB_ACTOR \
+		-e GITHUB_TOKEN \
+		-e GITHUB_WORKSPACE="/tmp" \
+		-e INPUT_IMAGE \
+		-e INPUT_CACHE \
+		-e INPUT_CACHE_TTL \
+		-e INPUT_CACHE_REGISTRY \
+		-e INPUT_STRIP_TAG_PREFIX \
+		-e INPUT_SKIP_UNCHANGED_DIGEST \
+	aevea/kaniko
+
+shell: build
+	docker run \
+		-ti \
+		--entrypoint sh \
+	aevea/kaniko

README.md

@@ -19,13 +19,13 @@ jobs:
     steps:
       - uses: actions/checkout@master
       - name: Kaniko build
-        uses: outillage/kaniko-action@master
+        uses: aevea/action-kaniko@master
         with:
-          image: outillage/kaniko
+          image: aevea/kaniko
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
           cache: true
-          cache_registry: outillage/cache
+          cache_registry: aevea/cache
 ```
 
 ## Required Arguments
@@ -34,13 +34,13 @@ This action aims to be as flexible as possible, so it tries to define the defaul
 the most used values. So, technically there is a single required argument
 
 | variable         | description                                              | required | default                     |
-|-----------------|----------------------------------------------------------|----------|-----------------------------|
+|------------------|----------------------------------------------------------|----------|-----------------------------|
 | image            | Name of the image you would like to push                 | true     |                             |
 
 ## Optional Arguments
 
 | variable              | description                                                     | required | default         |
-|-----------------|----------------------------------------------------------|----------|-----------------------------|
+|-----------------------|-----------------------------------------------------------------|----------|-----------------|
 | registry              | Docker registry where the image will be pushed                  | false    | docker.io       |
 | username              | Username used for authentication to the Docker registry         | false    | $GITHUB_ACTOR   |
 | password              | Password used for authentication to the Docker registry         | false    |                 |
@@ -51,6 +51,11 @@ the most used values. So, technically there is a single required argument
 | cache_directory       | Filesystem path meant to be used as cache                       | false    |                 |
 | build_file            | Dockerfile filename                                             | false    | Dockerfile      |
 | extra_args            | Additional arguments to be passed to the kaniko executor        | false    |                 |
+| strip_tag_prefix      | Prefix to be stripped from the tag                              | false    |                 |
+| skip_unchanged_digest | Avoids pushing the image if the build generated the same digest | false    |                 |
+| path                  | Path to the build context. Defaults to `.`                      | false    | .               |
+| tag_with_latest       | Tags the built image with additional latest tag                 | false    |                 |
+| target                | Sets the target stage to build                                  | false    |                 |
 
 **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**
 
@@ -61,7 +66,7 @@ In this case, the authentication credentials need to be passed via GitHub Action
 
 ```yaml
 with:
-  image: outillage/kaniko
+  image: aevea/kaniko
   username: ${{ secrets.DOCKERHUB_USERNAME }}
   password: ${{ secrets.DOCKERHUB_PASSWORD }}
 ```
@@ -71,17 +76,17 @@ doesn't work. If you want to use caching with Dockerhub, create a `cache` reposi
 
 ```yaml
 with:
-  image: outillage/kaniko
+  image: aevea/kaniko
   username: ${{ secrets.DOCKERHUB_USERNAME }}
   password: ${{ secrets.DOCKERHUB_PASSWORD }}
   cache: true
-  cache_registry: outillage/cache
+  cache_registry: aevea/cache
 ```
 
 ### [docker.pkg.github.com](https://github.com/features/packages)
 
 GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace.
-If you want to push your image like `outillage/kaniko-action/kaniko`, you'll only need to pass `kaniko` to this action.
+If you want to push your image like `aevea/action-kaniko/kaniko`, you'll only need to pass `kaniko` to this action.
 
 The authentication is automatically done using the `GITHUB_ACTOR` and `GITHUB_TOKEN` provided from GitHub itself. But as `GITHUB_TOKEN` is not
 passed by default, it will have to be explicitly set up.
@@ -124,7 +129,7 @@ with:
   registry: registry.gitlab.com
   username: ${{ secrets.GL_REGISTRY_USERNAME }}
   password: ${{ secrets.GL_REGISTRY_PASSWORD }}
-  image: outillage/kaniko
+  image: aevea/kaniko
 ```
 
 > NOTE: As GitLab's registry does support namespacing, Kaniko can natively push cached layers to it, so only `cache: true` is necessary to be
@@ -135,7 +140,7 @@ with:
   registry: registry.gitlab.com
   username: ${{ secrets.GL_REGISTRY_USERNAME }}
   password: ${{ secrets.GL_REGISTRY_PASSWORD }}
-  image: outillage/kaniko
+  image: aevea/kaniko
   cache: true
 ```
 
@@ -154,3 +159,18 @@ If you would like to publish the image to other registries, these actions might
 
 The `tag` argument, **unless overridden**, is automatically guessed based on the branch name. If the branch is `master` then the tag will
 be `latest`, otherwise it will keep the branch name, but replacing any forward slash (/) with a hyphen (-).
+
+If the `v` prefix that it's usually added to the GitHub releases is not desired when pushed to dockerhub, the `strip_tag_prefix` allows to
+specify which part of the tag should be removed.
+
+Example:
+
+```yaml
+with:
+  registry: docker.pkg.github.com
+  password: ${{ secrets.GITHUB_TOKEN }}
+  image: kaniko
+  strip_tag_prefix: pre-
+```
+
+for the tag `pre-0.1` will push `kaniko:0.1`, as the `pre-` part will be stripped from the tag name.

action.yml

@@ -5,6 +5,10 @@ branding:
   icon: anchor
   color: orange
 inputs:
+  path:
+    description: Path to the build context
+    required: false
+    default: "."
   registry:
     description: "Docker registry where the image will be pushed"
     required: false
@@ -35,9 +39,21 @@ inputs:
   build_file:
     description: "Dockerfile filename"
     required: false
+  strip_tag_prefix:
+    description: "Prefix to be stripped from the tag"
+    required: false
   extra_args:
     description: "Additional arguments to be passed to the kaniko executor"
     required: false
+  skip_unchanged_digest:
+    description: "Avoids pushing the image if the build generated the same digest"
+    required: false
+  tag_with_latest:
+    description: "Tags the built image with additional latest tag"
+    required: false
+  target:
+    description: Sets the target stage to build
+    required: false
 runs:
   using: "docker"
   image: "Dockerfile"

entrypoint.sh

@@ -3,31 +3,45 @@ set -e pipefail
 
 export REGISTRY=${INPUT_REGISTRY:-"docker.io"}
 export IMAGE=${INPUT_IMAGE}
-export BRANCH=$(echo ${GITHUB_REF} | sed -e "s/refs\/heads\///g" | sed -e "s/\//-/g")
+export BRANCH=$(echo ${GITHUB_REF} | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
 export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)}
 export TAG=${TAG:-"latest"}
+export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
 export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
 export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
+export REPOSITORY=$IMAGE
 export IMAGE=$IMAGE:$TAG
+export CONTEXT_PATH=${INPUT_PATH}
 
-function sanitize() {
+if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then
+    export IMAGE_LATEST="$IMAGE:latest"
+fi
+
+function ensure() {
     if [ -z "${1}" ]; then
-        echo >&2 "Unable to find the ${2}. Did you set with.${2}?"
+        echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?"
         exit 1
     fi
 }
 
-sanitize "${REGISTRY}" "registry"
+ensure "${REGISTRY}" "registry"
-sanitize "${USERNAME}" "username"
+ensure "${USERNAME}" "username"
-sanitize "${PASSWORD}" "password"
+ensure "${PASSWORD}" "password"
-sanitize "${IMAGE}" "image"
+ensure "${IMAGE}" "image"
-sanitize "${TAG}" "tag"
+ensure "${TAG}" "tag"
+ensure "${CONTEXT_PATH}" "path"
 
 if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
-    export IMAGE="$GITHUB_REPOSITORY/$IMAGE"
+    IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
+    export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
+    export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
 
-    if [ -z $INPUT_CACHE_REGISTRY ]; then
+    if [ ! -z $IMAGE_LATEST ]; then
-        export INPUT_CACHE_REGISTRY="$GITHUB_REPOSITORY/$INPUT_CACHE_REGISTRY"
+        export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
+    fi
+
+    if [ ! -z $INPUT_CACHE_REGISTRY ]; then
+        export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
     fi
 fi
 
@@ -35,18 +49,30 @@ if [ "$REGISTRY" == "docker.io" ]; then
     export REGISTRY="index.${REGISTRY}/v1/"
 else
     export IMAGE="$REGISTRY/$IMAGE"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
+    fi
 fi
 
 export CACHE=${INPUT_CACHE:+"--cache=true"}
 export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
 export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
 export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
-export CONTEXT="--context $GITHUB_WORKSPACE"
+export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
-export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}"
+export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
-export DESTINATION="--destination $IMAGE"
+export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
 
-export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
+if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
-echo $ARGS
+    export DESTINATION="--digest-file digest --no-push --tarPath image.tar --destination $IMAGE"
+else
+    export DESTINATION="--destination $IMAGE"
+    if [ ! -z $IMAGE_LATEST ]; then
+        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"  
+    fi
+fi
+
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
 
 cat <<EOF >/kaniko/.docker/config.json
 {
@@ -59,4 +85,34 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF
 
-/kaniko/executor $ARGS
+# https://github.com/GoogleContainerTools/kaniko/issues/1349
+/kaniko/executor --reproducible --force $ARGS
+
+if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
+    export DIGEST=$(cat digest)
+
+    if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
+        wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true
+        export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
+    else
+        export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
+    fi
+
+    if [ "$DIGEST" == "$REMOTE" ]; then
+        echo "Digest hasn't changed, skipping, $DIGEST"
+        echo "Done 🎉️"
+        exit 0
+    fi
+
+    echo "Pushing image..."
+
+    /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD
+    /kaniko/crane push image.tar $IMAGE
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        echo "Tagging latest..."
+        /kaniko/crane tag $IMAGE latest  
+    fi
+ 
+    echo "Done 🎉️"
+fi

renovate.json

@@ -0,0 +1,5 @@
+{
+  "extends": [
+    "config:base"
+  ]
+}