fix(build): delete crane tarfile using absolute path

When skipping the push on unchanged digests, it's not enough to push the current tag,
which is probably semver, we also need to push the latest, so we can later check if
the latest digest equals the currently built image

.dockerignore

@@ -1,3 +1,3 @@
 *
 !entrypoint.sh
-
+.env*

.github/workflows/pr.yml

@@ -8,4 +8,4 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Run commitsar
-        uses: docker://commitsar/commitsar
+        uses: docker://aevea/commitsar@sha256:caf5539dd03309a539906c7ad45c2ecc0ae86a1ee2bf5dc538d7986c523526f3

.github/workflows/push.yml

@@ -9,7 +9,7 @@ jobs:
       - uses: actions/checkout@master
 
       - name: GitHub Package Registry
-        uses: outillage/kaniko-action@master
+        uses: aevea/action-kaniko@master
         with:
           registry: docker.pkg.github.com
           password: ${{ secrets.GITHUB_TOKEN }}
@@ -18,10 +18,10 @@ jobs:
           cache_registry: cache
 
       - name: Dockerhub
-        uses: outillage/kaniko-action@master
+        uses: aevea/action-kaniko@master
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
-          image: outillage/kaniko
+          image: aevea/kaniko
           cache: true
-          cache_registry: outillage/cache
+          cache_registry: aevea/cache

.github/workflows/release.yml

@@ -13,12 +13,12 @@ jobs:
         uses: actions/checkout@v1
 
       - name: Release Notary Action
-        uses: docker://commitsar/release-notary
+        uses: docker://aevea/release-notary@sha256:5eef3c539deb5397457a6acf001ef80df6004ec52bc4b8a0eac0577ad92759d0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: GitHub Package Registry
-        uses: outillage/kaniko-action@master
+        uses: aevea/action-kaniko@master
         with:
           registry: docker.pkg.github.com
           password: ${{ secrets.GITHUB_TOKEN }}
@@ -27,10 +27,10 @@ jobs:
           cache_registry: cache
 
       - name: Dockerhub
-        uses: outillage/kaniko-action@master
+        uses: aevea/action-kaniko@master
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
-          image: outillage/kaniko
+          image: aevea/kaniko
           cache: true
-          cache_registry: outillage/cache
+          cache_registry: aevea/cache

Dockerfile

@@ -1,8 +1,26 @@
+FROM alpine as certs
+
+RUN apk --update add ca-certificates
+
 FROM gcr.io/kaniko-project/executor:debug
 
+SHELL ["/busybox/sh", "-c"]
+
+RUN wget -O /kaniko/jq \
+    https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
+    chmod +x /kaniko/jq && \
+    wget -O /kaniko/reg \
+    https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
+    chmod +x /kaniko/reg && \
+    wget -O /crane.tar.gz \ 
+    https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \
+    tar -xvzf /crane.tar.gz crane -C /kaniko && \
+    rm /crane.tar.gz
+
 COPY entrypoint.sh /
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 ENTRYPOINT ["/entrypoint.sh"]
 
-LABEL repository="https://github.com/outillage/action-kaniko" \
+LABEL repository="https://github.com/aevea/action-kaniko" \
     maintainer="Alex Viscreanu <alexviscreanu@gmail.com>"

Makefile

@@ -0,0 +1,24 @@
+build:
+	docker build -t aevea/kaniko .
+
+run: build
+	docker run \
+		-v $(shell pwd):/tmp \
+		-e GITHUB_REPOSITORY \
+		-e GITHUB_REF \
+		-e GITHUB_ACTOR \
+		-e GITHUB_TOKEN \
+		-e GITHUB_WORKSPACE="/tmp" \
+		-e INPUT_IMAGE \
+		-e INPUT_CACHE \
+		-e INPUT_CACHE_TTL \
+		-e INPUT_CACHE_REGISTRY \
+		-e INPUT_STRIP_TAG_PREFIX \
+		-e INPUT_SKIP_UNCHANGED_DIGEST \
+	aevea/kaniko
+
+shell: build
+	docker run \
+		-ti \
+		--entrypoint sh \
+	aevea/kaniko

README.md

@@ -19,13 +19,13 @@ jobs:
     steps:
       - uses: actions/checkout@master
       - name: Kaniko build
-        uses: outillage/kaniko-action@master
+        uses: aevea/action-kaniko@master
         with:
-          image: outillage/kaniko
+          image: aevea/kaniko
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
           cache: true
-          cache_registry: outillage/cache
+          cache_registry: aevea/cache
 ```
 
 ## Required Arguments
@@ -39,19 +39,23 @@ the most used values. So, technically there is a single required argument
 
 ## Optional Arguments
 
-| variable         | description                                              | required | default                     |
-|------------------|----------------------------------------------------------|----------|-----------------------------|
-| registry         | Docker registry where the image will be pushed           | false    | docker.io                   |
-| username         | Username used for authentication to the Docker registry  | false    | $GITHUB_ACTOR               |
-| password         | Password used for authentication to the Docker registry  | false    |                             |
-| tag              | Image tag                                                | false    | latest                      |
-| cache            | Enables build cache                                      | false    | false                       |
-| cache_ttl        | How long the cache should be considered valid            | false    |                             |
-| cache_registry   | Docker registry meant to be used as cache                | false    |                             |
-| cache_directory  | Filesystem path meant to be used as cache                | false    |                             |
-| build_file       | Dockerfile filename                                      | false    | Dockerfile                  |
-| extra_args       | Additional arguments to be passed to the kaniko executor | false    |                             |
-| strip_tag_prefix | Prefix to be stripped from the tag                       | false    |                             |
+| variable              | description                                                     | required | default         |
+|-----------------------|-----------------------------------------------------------------|----------|-----------------|
+| registry              | Docker registry where the image will be pushed                  | false    | docker.io       |
+| username              | Username used for authentication to the Docker registry         | false    | $GITHUB_ACTOR   |
+| password              | Password used for authentication to the Docker registry         | false    |                 |
+| tag                   | Image tag                                                       | false    | latest          |
+| cache                 | Enables build cache                                             | false    | false           |
+| cache_ttl             | How long the cache should be considered valid                   | false    |                 |
+| cache_registry        | Docker registry meant to be used as cache                       | false    |                 |
+| cache_directory       | Filesystem path meant to be used as cache                       | false    |                 |
+| build_file            | Dockerfile filename                                             | false    | Dockerfile      |
+| extra_args            | Additional arguments to be passed to the kaniko executor        | false    |                 |
+| strip_tag_prefix      | Prefix to be stripped from the tag                              | false    |                 |
+| skip_unchanged_digest | Avoids pushing the image if the build generated the same digest | false    |                 |
+| path                  | Path to the build context. Defaults to `.`                      | false    | .               |
+| tag_with_latest       | Tags the built image with additional latest tag                 | false    |                 |
+| target                | Sets the target stage to build                                  | false    |                 |
 
 **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**
 
@@ -62,7 +66,7 @@ In this case, the authentication credentials need to be passed via GitHub Action
 
 ```yaml
 with:
-  image: outillage/kaniko
+  image: aevea/kaniko
   username: ${{ secrets.DOCKERHUB_USERNAME }}
   password: ${{ secrets.DOCKERHUB_PASSWORD }}
 ```
@@ -72,17 +76,17 @@ doesn't work. If you want to use caching with Dockerhub, create a `cache` reposi
 
 ```yaml
 with:
-  image: outillage/kaniko
+  image: aevea/kaniko
   username: ${{ secrets.DOCKERHUB_USERNAME }}
   password: ${{ secrets.DOCKERHUB_PASSWORD }}
   cache: true
-  cache_registry: outillage/cache
+  cache_registry: aevea/cache
 ```
 
 ### [docker.pkg.github.com](https://github.com/features/packages)
 
 GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace.
-If you want to push your image like `outillage/kaniko-action/kaniko`, you'll only need to pass `kaniko` to this action.
+If you want to push your image like `aevea/action-kaniko/kaniko`, you'll only need to pass `kaniko` to this action.
 
 The authentication is automatically done using the `GITHUB_ACTOR` and `GITHUB_TOKEN` provided from GitHub itself. But as `GITHUB_TOKEN` is not
 passed by default, it will have to be explicitly set up.
@@ -125,7 +129,7 @@ with:
   registry: registry.gitlab.com
   username: ${{ secrets.GL_REGISTRY_USERNAME }}
   password: ${{ secrets.GL_REGISTRY_PASSWORD }}
-  image: outillage/kaniko
+  image: aevea/kaniko
 ```
 
 > NOTE: As GitLab's registry does support namespacing, Kaniko can natively push cached layers to it, so only `cache: true` is necessary to be
@@ -136,7 +140,7 @@ with:
   registry: registry.gitlab.com
   username: ${{ secrets.GL_REGISTRY_USERNAME }}
   password: ${{ secrets.GL_REGISTRY_PASSWORD }}
-  image: outillage/kaniko
+  image: aevea/kaniko
   cache: true
 ```
 

action.yml

@@ -5,6 +5,10 @@ branding:
   icon: anchor
   color: orange
 inputs:
+  path:
+    description: Path to the build context
+    required: false
+    default: "."
   registry:
     description: "Docker registry where the image will be pushed"
     required: false
@@ -41,6 +45,15 @@ inputs:
   extra_args:
     description: "Additional arguments to be passed to the kaniko executor"
     required: false
+  skip_unchanged_digest:
+    description: "Avoids pushing the image if the build generated the same digest"
+    required: false
+  tag_with_latest:
+    description: "Tags the built image with additional latest tag"
+    required: false
+  target:
+    description: Sets the target stage to build
+    required: false
 runs:
   using: "docker"
   image: "Dockerfile"

entrypoint.sh

@@ -9,26 +9,36 @@ export TAG=${TAG:-"latest"}
 export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
 export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
 export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
+export REPOSITORY=$IMAGE
+export IMAGE_LATEST=${INPUT_TAG_WITH_LATEST:+"$IMAGE:latest"}
 export IMAGE=$IMAGE:$TAG
+export CONTEXT_PATH=${INPUT_PATH}
 
-function sanitize() {
+function ensure() {
     if [ -z "${1}" ]; then
-        echo >&2 "Unable to find the ${2}. Did you set with.${2}?"
+        echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?"
         exit 1
     fi
 }
 
-sanitize "${REGISTRY}" "registry"
-sanitize "${USERNAME}" "username"
-sanitize "${PASSWORD}" "password"
-sanitize "${IMAGE}" "image"
-sanitize "${TAG}" "tag"
+ensure "${REGISTRY}" "registry"
+ensure "${USERNAME}" "username"
+ensure "${PASSWORD}" "password"
+ensure "${IMAGE}" "image"
+ensure "${TAG}" "tag"
+ensure "${CONTEXT_PATH}" "path"
 
 if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
-    export IMAGE="$GITHUB_REPOSITORY/$IMAGE"
+    IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
+    export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
+    export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
+    fi
 
     if [ ! -z $INPUT_CACHE_REGISTRY ]; then
-        export INPUT_CACHE_REGISTRY="$REGISTRY/$GITHUB_REPOSITORY/$INPUT_CACHE_REGISTRY"
+        export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
     fi
 fi
 
@@ -36,18 +46,30 @@ if [ "$REGISTRY" == "docker.io" ]; then
     export REGISTRY="index.${REGISTRY}/v1/"
 else
     export IMAGE="$REGISTRY/$IMAGE"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
+    fi
 fi
 
 export CACHE=${INPUT_CACHE:+"--cache=true"}
 export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
 export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
 export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
-export CONTEXT="--context $GITHUB_WORKSPACE"
-export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}"
-export DESTINATION="--destination $IMAGE"
+export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
+export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
+export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
 
-export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
-echo $ARGS
+if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
+    export DESTINATION="--digest-file digest --tarPath image.tar --destination $IMAGE"
+else
+    export DESTINATION="--destination $IMAGE"
+    if [ ! -z $IMAGE_LATEST ]; then
+        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"  
+    fi
+fi
+
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
 
 cat <<EOF >/kaniko/.docker/config.json
 {
@@ -60,4 +82,34 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF
 
-/kaniko/executor $ARGS
+# https://github.com/GoogleContainerTools/kaniko/issues/1349
+/kaniko/executor --reproducible --force $ARGS
+
+if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
+    export DIGEST=$(cat digest)
+
+    if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
+        wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true
+        export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
+    else
+        export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
+    fi
+
+    if [ "$DIGEST" == "$REMOTE" ]; then
+        echo "Digest hasn't changed, skipping, $DIGEST"
+        echo "Done 🎉️"
+        exit 0
+    fi
+
+    echo "Pushing image..."
+
+    /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD
+    /kaniko/crane push image.tar $IMAGE
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        echo "Tagging latest..."
+        /kaniko/crane tag $IMAGE latest  
+    fi
+ 
+    echo "Done 🎉️"
+fi

renovate.json

@@ -0,0 +1,5 @@
+{
+  "extends": [
+    "config:base"
+  ]
+}