action/kaniko
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Compare commits

base: action:v0.3
Branches Tags
action:master action:renovate/gcr.io-kaniko-project-executor-1.x
action:v0.11.0 action:v0.10.0 action:v0.9.0 action:v0.8.0 action:v0.7.1 action:v0.7.0 action:v0.6.2 action:v0.6.1 action:v0.6.0 action:v0.5.1 action:v0.5.0 action:v0.4.0 action:v0.3.2 action:v0.3.1 action:v0.3 action:v0.2.1 action:v0.2 action:v0.1
..
compare: action:v0.5.1
Branches Tags
action:renovate/gcr.io-kaniko-project-executor-1.x action:master
action:v0.11.0 action:v0.10.0 action:v0.9.0 action:v0.8.0 action:v0.7.1 action:v0.7.0 action:v0.6.2 action:v0.6.1 action:v0.6.0 action:v0.5.1 action:v0.5.0 action:v0.4.0 action:v0.3.2 action:v0.3.1 action:v0.3 action:v0.2.1 action:v0.2 action:v0.1

12 Commits
v0.3 ... v0.5.1

Author SHA1 Message Date
Alex
6030da03d4 fix: Force kaniko to run on GitHub action's environment 2020-07-15 19:03:56 +02:00
Doron Somech
daf41b1e54 feat: Add target option 2020-06-22 08:19:55 +02:00
Doron Somech
79ed56ad90 feat: Add tag_with_latest option for tagging with latest additionally 
When skipping the push on unchanged digests, it's not enough to push the current tag,
which is probably semver, we also need to push the latest, so we can later check if
the latest digest equals the currently built image
 2020-06-22 08:18:11 +02:00
Doron Somech
94f437184e feat: Allow custom context path 2020-06-22 08:17:58 +02:00
Doron Somech
51211d4483 fix(digest): Add support for GitHub's docker registry 
Github registry doesn't support digest yet, we need to download the manifest
and calculate the digest manually

Also fixing a few other issues:
 * Multi-stage dockerfiles override /usr/local/lib, moved jq and reg to /kaniko instead
 * The digest was fetched for the current tag, which doesn't exist yet. Fetching digest for the latest tag instead
 2020-06-22 08:14:46 +02:00
Alex Viscreanu
57d6d22cdf chore: Push on first build if skip_unchanged_digest isn't set 2020-06-19 14:10:56 +02:00
Alex Viscreanu
3b9302effb feat: Add option for skip pushing if the digest hasn't changed 2020-06-19 14:10:56 +02:00
Alex Viscreanu
c076596480 chore: Add Makefile for easier development 2020-06-19 13:18:55 +02:00
Alex Viscreanu
edea218783 chore: Rename function to ensure variables being set 2020-06-19 13:14:45 +02:00
Simon Prochazka
73a7639472 chore: Rename organization to aevea 2020-04-26 18:43:20 +02:00
Remon Oldenbeuving
3e63daf6fe fix: Ensure lowercase GitHub image namespace 2020-04-08 09:14:03 +02:00
Renovate Bot
e13fbcb36b chore(deps): add renovate.json 2020-03-15 00:06:57 +01:00
10 changed files with 162 additions and 49 deletions
Expand all files Collapse all files

2
.dockerignore
View File

@@ -1,3 +1,3 @@
* *
!entrypoint.sh !entrypoint.sh
.env*

2
.github/workflows/pr.yml vendored
View File

@@ -8,4 +8,4 @@ jobs:
steps: steps:
- uses: actions/checkout@v1 - uses: actions/checkout@v1
- name: Run commitsar - name: Run commitsar
uses: docker://commitsar/commitsar uses: docker://aevea/commitsar

8
.github/workflows/push.yml vendored
View File

@@ -9,7 +9,7 @@ jobs:
- uses: actions/checkout@master - uses: actions/checkout@master
- name: GitHub Package Registry - name: GitHub Package Registry
uses: outillage/kaniko-action@master uses: aevea/action-kaniko@master
with: with:
registry: docker.pkg.github.com registry: docker.pkg.github.com
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
@@ -18,10 +18,10 @@ jobs:
cache_registry: cache cache_registry: cache
- name: Dockerhub - name: Dockerhub
uses: outillage/kaniko-action@master uses: aevea/action-kaniko@master
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }} password: ${{ secrets.DOCKERHUB_PASSWORD }}
image: outillage/kaniko image: aevea/kaniko
cache: true cache: true
cache_registry: outillage/cache cache_registry: aevea/cache

10
.github/workflows/release.yml vendored
View File

@@ -13,12 +13,12 @@ jobs:
uses: actions/checkout@v1 uses: actions/checkout@v1
- name: Release Notary Action - name: Release Notary Action
uses: docker://commitsar/release-notary uses: docker://aevea/release-notary
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: GitHub Package Registry - name: GitHub Package Registry
uses: outillage/kaniko-action@master uses: aevea/action-kaniko@master
with: with:
registry: docker.pkg.github.com registry: docker.pkg.github.com
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
@@ -27,10 +27,10 @@ jobs:
cache_registry: cache cache_registry: cache
- name: Dockerhub - name: Dockerhub
uses: outillage/kaniko-action@master uses: aevea/action-kaniko@master
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }} password: ${{ secrets.DOCKERHUB_PASSWORD }}
image: outillage/kaniko image: aevea/kaniko
cache: true cache: true
cache_registry: outillage/cache cache_registry: aevea/cache

16
Dockerfile
View File

@@ -1,8 +1,22 @@
FROM alpine as certs
RUN apk --update add ca-certificates
FROM gcr.io/kaniko-project/executor:debug FROM gcr.io/kaniko-project/executor:debug
SHELL ["/busybox/sh", "-c"]
RUN wget -O /kaniko/jq \
https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
chmod +x /kaniko/jq && \
wget -O /kaniko/reg \
https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
chmod +x /kaniko/reg
COPY entrypoint.sh / COPY entrypoint.sh /
COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
ENTRYPOINT ["/entrypoint.sh"] ENTRYPOINT ["/entrypoint.sh"]
LABEL repository="https://github.com/outillage/action-kaniko" \ LABEL repository="https://github.com/aevea/action-kaniko" \
maintainer="Alex Viscreanu <alexviscreanu@gmail.com>" maintainer="Alex Viscreanu <alexviscreanu@gmail.com>"

24
Makefile Normal file
View File

@@ -0,0 +1,24 @@
build:
docker build -t aevea/kaniko .
run: build
docker run \
-v $(shell pwd):/tmp \
-e GITHUB_REPOSITORY \
-e GITHUB_REF \
-e GITHUB_ACTOR \
-e GITHUB_TOKEN \
-e GITHUB_WORKSPACE="/tmp" \
-e INPUT_IMAGE \
-e INPUT_CACHE \
-e INPUT_CACHE_TTL \
-e INPUT_CACHE_REGISTRY \
-e INPUT_STRIP_TAG_PREFIX \
-e INPUT_SKIP_UNCHANGED_DIGEST \
aevea/kaniko
shell: build
docker run \
-ti \
--entrypoint sh \
aevea/kaniko

24
README.md
View File

@@ -19,13 +19,13 @@ jobs:
steps: steps:
- uses: actions/checkout@master - uses: actions/checkout@master
- name: Kaniko build - name: Kaniko build
uses: outillage/kaniko-action@master uses: aevea/action-kaniko@master
with: with:
image: outillage/kaniko image: aevea/kaniko
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }} password: ${{ secrets.DOCKERHUB_PASSWORD }}
cache: true cache: true
cache_registry: outillage/cache cache_registry: aevea/cache
``` ```
## Required Arguments ## Required Arguments
@@ -40,7 +40,7 @@ the most used values. So, technically there is a single required argument
## Optional Arguments ## Optional Arguments
| variable | description | required | default | | variable | description | required | default |
|------------------|----------------------------------------------------------|----------|-----------------------------| |-----------------------|-----------------------------------------------------------------|----------|-----------------|
| registry | Docker registry where the image will be pushed | false | docker.io | | registry | Docker registry where the image will be pushed | false | docker.io |
| username | Username used for authentication to the Docker registry | false | $GITHUB_ACTOR | | username | Username used for authentication to the Docker registry | false | $GITHUB_ACTOR |
| password | Password used for authentication to the Docker registry | false | | | password | Password used for authentication to the Docker registry | false | |
@@ -52,6 +52,10 @@ the most used values. So, technically there is a single required argument
| build_file | Dockerfile filename | false | Dockerfile | | build_file | Dockerfile filename | false | Dockerfile |
| extra_args | Additional arguments to be passed to the kaniko executor | false | | | extra_args | Additional arguments to be passed to the kaniko executor | false | |
| strip_tag_prefix | Prefix to be stripped from the tag | false | | | strip_tag_prefix | Prefix to be stripped from the tag | false | |
| skip_unchanged_digest | Avoids pushing the image if the build generated the same digest | false | |
| path | Path to the build context. Defaults to `.` | false | . |
| tag_with_latest | Tags the built image with additional latest tag | false | |
| target | Sets the target stage to build | false | |
**Here is where it gets specific, as the optional arguments become required depending on the registry targeted** **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**
@@ -62,7 +66,7 @@ In this case, the authentication credentials need to be passed via GitHub Action
```yaml ```yaml
with: with:
image: outillage/kaniko image: aevea/kaniko
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }} password: ${{ secrets.DOCKERHUB_PASSWORD }}
``` ```
@@ -72,17 +76,17 @@ doesn't work. If you want to use caching with Dockerhub, create a `cache` reposi
```yaml ```yaml
with: with:
image: outillage/kaniko image: aevea/kaniko
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }} password: ${{ secrets.DOCKERHUB_PASSWORD }}
cache: true cache: true
cache_registry: outillage/cache cache_registry: aevea/cache
``` ```
### [docker.pkg.github.com](https://github.com/features/packages) ### [docker.pkg.github.com](https://github.com/features/packages)
GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace. GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace.
If you want to push your image like `outillage/kaniko-action/kaniko`, you'll only need to pass `kaniko` to this action. If you want to push your image like `aevea/action-kaniko/kaniko`, you'll only need to pass `kaniko` to this action.
The authentication is automatically done using the `GITHUB_ACTOR` and `GITHUB_TOKEN` provided from GitHub itself. But as `GITHUB_TOKEN` is not The authentication is automatically done using the `GITHUB_ACTOR` and `GITHUB_TOKEN` provided from GitHub itself. But as `GITHUB_TOKEN` is not
passed by default, it will have to be explicitly set up. passed by default, it will have to be explicitly set up.
@@ -125,7 +129,7 @@ with:
registry: registry.gitlab.com registry: registry.gitlab.com
username: ${{ secrets.GL_REGISTRY_USERNAME }} username: ${{ secrets.GL_REGISTRY_USERNAME }}
password: ${{ secrets.GL_REGISTRY_PASSWORD }} password: ${{ secrets.GL_REGISTRY_PASSWORD }}
image: outillage/kaniko image: aevea/kaniko
``` ```
> NOTE: As GitLab's registry does support namespacing, Kaniko can natively push cached layers to it, so only `cache: true` is necessary to be > NOTE: As GitLab's registry does support namespacing, Kaniko can natively push cached layers to it, so only `cache: true` is necessary to be
@@ -136,7 +140,7 @@ with:
registry: registry.gitlab.com registry: registry.gitlab.com
username: ${{ secrets.GL_REGISTRY_USERNAME }} username: ${{ secrets.GL_REGISTRY_USERNAME }}
password: ${{ secrets.GL_REGISTRY_PASSWORD }} password: ${{ secrets.GL_REGISTRY_PASSWORD }}
image: outillage/kaniko image: aevea/kaniko
cache: true cache: true
``` ```

13
action.yml
View File

@@ -5,6 +5,10 @@ branding:
icon: anchor icon: anchor
color: orange color: orange
inputs: inputs:
path:
description: Path to the build context
required: false
default: "."
registry: registry:
description: "Docker registry where the image will be pushed" description: "Docker registry where the image will be pushed"
required: false required: false
@@ -41,6 +45,15 @@ inputs:
extra_args: extra_args:
description: "Additional arguments to be passed to the kaniko executor" description: "Additional arguments to be passed to the kaniko executor"
required: false required: false
skip_unchanged_digest:
description: "Avoids pushing the image if the build generated the same digest"
required: false
tag_with_latest:
description: "Tags the built image with additional latest tag"
required: false
target:
description: Sets the target stage to build
required: false
runs: runs:
using: "docker" using: "docker"
image: "Dockerfile" image: "Dockerfile"

83
entrypoint.sh
View File

@@ -9,26 +9,36 @@ export TAG=${TAG:-"latest"}
export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX} export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR} export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN} export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
export REPOSITORY=$IMAGE
export IMAGE_LATEST=${INPUT_TAG_WITH_LATEST:+"$IMAGE:latest"}
export IMAGE=$IMAGE:$TAG export IMAGE=$IMAGE:$TAG
export CONTEXT_PATH=${INPUT_PATH}
function sanitize() { function ensure() {
if [ -z "${1}" ]; then if [ -z "${1}" ]; then
echo >&2 "Unable to find the ${2}. Did you set with.${2}?" echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?"
exit 1 exit 1
fi fi
} }
sanitize "${REGISTRY}" "registry" ensure "${REGISTRY}" "registry"
sanitize "${USERNAME}" "username" ensure "${USERNAME}" "username"
sanitize "${PASSWORD}" "password" ensure "${PASSWORD}" "password"
sanitize "${IMAGE}" "image" ensure "${IMAGE}" "image"
sanitize "${TAG}" "tag" ensure "${TAG}" "tag"
ensure "${CONTEXT_PATH}" "path"
if [ "$REGISTRY" == "docker.pkg.github.com" ]; then if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
export IMAGE="$GITHUB_REPOSITORY/$IMAGE" IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
if [ ! -z $IMAGE_LATEST ]; then
export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
fi
if [ ! -z $INPUT_CACHE_REGISTRY ]; then if [ ! -z $INPUT_CACHE_REGISTRY ]; then
export INPUT_CACHE_REGISTRY="$REGISTRY/$GITHUB_REPOSITORY/$INPUT_CACHE_REGISTRY" export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
fi fi
fi fi
@@ -36,18 +46,30 @@ if [ "$REGISTRY" == "docker.io" ]; then
export REGISTRY="index.${REGISTRY}/v1/" export REGISTRY="index.${REGISTRY}/v1/"
else else
export IMAGE="$REGISTRY/$IMAGE" export IMAGE="$REGISTRY/$IMAGE"
if [ ! -z $IMAGE_LATEST ]; then
export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
fi
fi fi
export CACHE=${INPUT_CACHE:+"--cache=true"} export CACHE=${INPUT_CACHE:+"--cache=true"}
export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"} export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"} export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"} export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
export CONTEXT="--context $GITHUB_WORKSPACE" export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}" export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
export DESTINATION="--destination $IMAGE" export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS" if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
echo $ARGS export DESTINATION="--no-push --digest-file digest"
else
export DESTINATION="--destination $IMAGE"
if [ ! -z $IMAGE_LATEST ]; then
export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"
fi
fi
export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
cat <<EOF >/kaniko/.docker/config.json cat <<EOF >/kaniko/.docker/config.json
{ {
@@ -60,4 +82,35 @@ cat <<EOF >/kaniko/.docker/config.json
} }
EOF EOF
/kaniko/executor $ARGS # https://github.com/GoogleContainerTools/kaniko/issues/1349
/kaniko/executor --reproducible --force $ARGS
if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
export DIGEST=$(cat digest)
if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true
export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
else
export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
fi
if [ "$DIGEST" == "$REMOTE" ]; then
echo "Digest hasn't changed, skipping, $DIGEST"
echo "Done 🎉️"
exit 0
fi
export DESTINATION="--destination $IMAGE"
if [ ! -z $IMAGE_LATEST ]; then
export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"
fi
export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
echo "Pushing image..."
/kaniko/executor --reproducible $ARGS >/dev/null 2>&1
echo "Done 🎉️"
fi

5
renovate.json Normal file
View File

@@ -0,0 +1,5 @@
{
"extends": [
"config:base"
]
}