chore(deps): update actions/checkout action to v3

chore(deps): update aevea/release-notary digest to 03e771a
chore(deps): update aevea/commitsar digest to 27ea5e5
2022-03-31 11:32:10 +02:00 · 2022-03-31 11:31:45 +02:00 · 2022-03-31 11:31:37 +02:00 · 2022-03-31 11:29:47 +02:00 · 2022-03-31 11:29:47 +02:00 · 2022-02-21 15:27:55 +01:00
9 changed files with 162 additions and 38 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,3 @@
 *
 !entrypoint.sh
-
+.env*
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -6,6 +6,8 @@ jobs:
    runs-on: ubuntu-latest
    name: Verify commit messages
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
      - name: Run commitsar
-        uses: docker://aevea/commitsar
+        uses: docker://aevea/commitsar@sha256:27ea5e528b153393e924d98764d6400a181f03768d972ba151b3ddc9f14ff12c
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -11,7 +11,7 @@ jobs:
      - name: GitHub Package Registry
        uses: aevea/action-kaniko@master
        with:
-          registry: docker.pkg.github.com
+          registry: ghcr.io
          password: ${{ secrets.GITHUB_TOKEN }}
          image: kaniko
          cache: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,17 +10,19 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0

      - name: Release Notary Action
-        uses: docker://aevea/release-notary
+        uses: docker://aevea/release-notary@sha256:03e771a509881121758b05217a8938ca8379d29dfa69a2605ceca06ffca2db4d
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: GitHub Package Registry
        uses: aevea/action-kaniko@master
        with:
-          registry: docker.pkg.github.com
+          registry: ghcr.io
          password: ${{ secrets.GITHUB_TOKEN }}
          image: kaniko
          cache: true
--- a/18
+++ b/18
@@ -1,6 +1,24 @@
+FROM alpine as certs
+
+RUN apk --update add ca-certificates
+
 FROM gcr.io/kaniko-project/executor:debug

+SHELL ["/busybox/sh", "-c"]
+
+RUN wget -O /kaniko/jq \
+    https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
+    chmod +x /kaniko/jq && \
+    wget -O /kaniko/reg \
+    https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
+    chmod +x /kaniko/reg && \
+    wget -O /crane.tar.gz \ 
+    https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \
+    tar -xvzf /crane.tar.gz crane -C /kaniko && \
+    rm /crane.tar.gz
+
 COPY entrypoint.sh /
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

 ENTRYPOINT ["/entrypoint.sh"]

--- a/24
+++ b/24
@@ -0,0 +1,24 @@
+build:
+	docker build -t aevea/kaniko .
+
+run: build
+	docker run \
+		-v $(shell pwd):/tmp \
+		-e GITHUB_REPOSITORY \
+		-e GITHUB_REF \
+		-e GITHUB_ACTOR \
+		-e GITHUB_TOKEN \
+		-e GITHUB_WORKSPACE="/tmp" \
+		-e INPUT_IMAGE \
+		-e INPUT_CACHE \
+		-e INPUT_CACHE_TTL \
+		-e INPUT_CACHE_REGISTRY \
+		-e INPUT_STRIP_TAG_PREFIX \
+		-e INPUT_SKIP_UNCHANGED_DIGEST \
+	aevea/kaniko
+
+shell: build
+	docker run \
+		-ti \
+		--entrypoint sh \
+	aevea/kaniko
--- a/README.md
+++ b/README.md
@@ -39,19 +39,24 @@ the most used values. So, technically there is a single required argument

 ## Optional Arguments

-| variable         | description                                              | required | default                     |
-|------------------|----------------------------------------------------------|----------|-----------------------------|
-| registry         | Docker registry where the image will be pushed           | false    | docker.io                   |
-| username         | Username used for authentication to the Docker registry  | false    | $GITHUB_ACTOR               |
-| password         | Password used for authentication to the Docker registry  | false    |                             |
-| tag              | Image tag                                                | false    | latest                      |
-| cache            | Enables build cache                                      | false    | false                       |
-| cache_ttl        | How long the cache should be considered valid            | false    |                             |
-| cache_registry   | Docker registry meant to be used as cache                | false    |                             |
-| cache_directory  | Filesystem path meant to be used as cache                | false    |                             |
-| build_file       | Dockerfile filename                                      | false    | Dockerfile                  |
-| extra_args       | Additional arguments to be passed to the kaniko executor | false    |                             |
-| strip_tag_prefix | Prefix to be stripped from the tag                       | false    |                             |
+| variable              | description                                                     | required | default         |
+|-----------------------|-----------------------------------------------------------------|----------|-----------------|
+| registry              | Docker registry where the image will be pushed                  | false    | docker.io       |
+| username              | Username used for authentication to the Docker registry         | false    | $GITHUB_ACTOR   |
+| password              | Password used for authentication to the Docker registry         | false    |                 |
+| tag                   | Image tag                                                       | false    | latest          |
+| cache                 | Enables build cache                                             | false    | false           |
+| cache_ttl             | How long the cache should be considered valid                   | false    |                 |
+| cache_registry        | Docker registry meant to be used as cache                       | false    |                 |
+| cache_directory       | Filesystem path meant to be used as cache                       | false    |                 |
+| build_file            | Dockerfile filename                                             | false    | Dockerfile      |
+| extra_args            | Additional arguments to be passed to the kaniko executor        | false    |                 |
+| strip_tag_prefix      | Prefix to be stripped from the tag                              | false    |                 |
+| skip_unchanged_digest | Avoids pushing the image if the build generated the same digest | false    |                 |
+| path                  | Path to the build context. Defaults to `.`                      | false    | .               |
+| tag_with_latest       | Tags the built image with additional latest tag                 | false    |                 |
+| target                | Sets the target stage to build                                  | false    |                 |
+| debug                 | Enables trace for entrypoint.sh                                 | false    |                 |

 **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**

@@ -79,7 +84,7 @@ with:
  cache_registry: aevea/cache
 ```

-### [docker.pkg.github.com](https://github.com/features/packages)
+### [ghcr.io](https://github.com/features/packages)

 GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace.
 If you want to push your image like `aevea/action-kaniko/kaniko`, you'll only need to pass `kaniko` to this action.
@@ -89,7 +94,7 @@ passed by default, it will have to be explicitly set up.

 ```yaml
 with:
-  registry: docker.pkg.github.com
+  registry: ghcr.io
  password: ${{ secrets.GITHUB_TOKEN }}
  image: kaniko
 ```
@@ -100,7 +105,7 @@ cache layers to that image instead

 ```yaml
 with:
-  registry: docker.pkg.github.com
+  registry: ghcr.io
  password: ${{ secrets.GITHUB_TOKEN }}
  image: kaniko
  cache: true
@@ -163,7 +168,7 @@ Example:

 ```yaml
 with:
-  registry: docker.pkg.github.com
+  registry: ghcr.io
  password: ${{ secrets.GITHUB_TOKEN }}
  image: kaniko
  strip_tag_prefix: pre-
--- a/action.yml
+++ b/action.yml
@@ -5,6 +5,10 @@ branding:
  icon: anchor
  color: orange
 inputs:
+  path:
+    description: Path to the build context
+    required: false
+    default: "."
  registry:
    description: "Docker registry where the image will be pushed"
    required: false
@@ -41,6 +45,18 @@ inputs:
  extra_args:
    description: "Additional arguments to be passed to the kaniko executor"
    required: false
+  skip_unchanged_digest:
+    description: "Avoids pushing the image if the build generated the same digest"
+    required: false
+  tag_with_latest:
+    description: "Tags the built image with additional latest tag"
+    required: false
+  target:
+    description: Sets the target stage to build
+    required: false
+  debug:
+    description: Enables trace for entrypoint.sh
+    required: false
 runs:
  using: "docker"
  image: "Dockerfile"
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,5 +1,8 @@
 #!/busybox/sh
 set -e pipefail
+if [[ "$INPUT_DEBUG" == "true" ]]; then
+    set -o xtrace
+fi

 export REGISTRY=${INPUT_REGISTRY:-"docker.io"}
 export IMAGE=${INPUT_IMAGE}
@@ -9,24 +12,36 @@ export TAG=${TAG:-"latest"}
 export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
 export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
 export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
+export REPOSITORY=$IMAGE
 export IMAGE=$IMAGE:$TAG
+export CONTEXT_PATH=${INPUT_PATH}

-function sanitize() {
+if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then
+    export IMAGE_LATEST="$REPOSITORY:latest"
+fi
+
+function ensure() {
    if [ -z "${1}" ]; then
-        echo >&2 "Unable to find the ${2}. Did you set with.${2}?"
+        echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?"
        exit 1
    fi
 }

-sanitize "${REGISTRY}" "registry"
-sanitize "${USERNAME}" "username"
-sanitize "${PASSWORD}" "password"
-sanitize "${IMAGE}" "image"
-sanitize "${TAG}" "tag"
+ensure "${REGISTRY}" "registry"
+ensure "${USERNAME}" "username"
+ensure "${PASSWORD}" "password"
+ensure "${IMAGE}" "image"
+ensure "${TAG}" "tag"
+ensure "${CONTEXT_PATH}" "path"

-if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
+if [ "$REGISTRY" == "ghcr.io" ]; then
    IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
    export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
+    export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
+    fi

    if [ ! -z $INPUT_CACHE_REGISTRY ]; then
        export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
@@ -37,18 +52,30 @@ if [ "$REGISTRY" == "docker.io" ]; then
    export REGISTRY="index.${REGISTRY}/v1/"
 else
    export IMAGE="$REGISTRY/$IMAGE"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
+    fi
 fi

 export CACHE=${INPUT_CACHE:+"--cache=true"}
 export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
 export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
 export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
-export CONTEXT="--context $GITHUB_WORKSPACE"
-export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}"
-export DESTINATION="--destination $IMAGE"
+export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
+export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
+export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}

-export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
-echo $ARGS
+if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
+    export DESTINATION="--digest-file digest --no-push --tarPath image.tar --destination $IMAGE"
+else
+    export DESTINATION="--destination $IMAGE"
+    if [ ! -z $IMAGE_LATEST ]; then
+        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"  
+    fi
+fi
+
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"

 cat <<EOF >/kaniko/.docker/config.json
 {
@@ -61,4 +88,34 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF

-/kaniko/executor $ARGS
+# https://github.com/GoogleContainerTools/kaniko/issues/1349
+/kaniko/executor --reproducible --force $ARGS
+
+if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
+    export DIGEST=$(cat digest)
+
+    if [ "$REGISTRY" == "ghcr.io" ]; then
+        wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64 | tr -d \\n)" https://ghcr.io/v2/$REPOSITORY/manifests/latest || true
+        export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
+    else
+        export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
+    fi
+
+    if [ "$DIGEST" == "$REMOTE" ]; then
+        echo "Digest hasn't changed, skipping, $DIGEST"
+        echo "Done 🎉️"
+        exit 0
+    fi
+
+    echo "Pushing image..."
+
+    /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD
+    /kaniko/crane push image.tar $IMAGE
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        echo "Tagging latest..."
+        /kaniko/crane tag $IMAGE latest  
+    fi
+ 
+    echo "Done 🎉️"
+fi
Author	SHA1	Message	Date
Renovate Bot	a4abaead48	chore(deps): update actions/checkout action to v3	2022-03-31 11:32:10 +02:00
Renovate Bot	59bc747ae2	chore(deps): update aevea/release-notary digest to 03e771a	2022-03-31 11:31:45 +02:00
Renovate Bot	548ad7dd4a	chore(deps): update aevea/commitsar digest to 27ea5e5	2022-03-31 11:31:37 +02:00
Sandro Modarelli	20173de989	feat: adding debug flag	2022-03-31 11:29:47 +02:00
Sandro Modarelli	17f90e5aa4	fix: use complete image name when computing latest target	2022-03-31 11:29:47 +02:00
Alex	a5055cd007	docs: update references to github's package registry host	2022-02-21 15:27:55 +01:00
Alex	3e397648f8	fix(ci): use updated github container registry host	2022-02-21 15:25:01 +01:00
Alex Viscreanu	dc591110cc	fix: update github container registry host	2022-02-21 15:21:10 +01:00
Julien Semaan	8e9a423400	fix: tag with latest only when its config is true	2022-01-24 10:46:25 +01:00
Alex Viscreanu	f16a14fc0f	fix(ci): fetch all necessary commits for commitsar and release notary	2022-01-24 10:45:57 +01:00
Renovate Bot	8bd3e02fd2	chore(deps): update actions/checkout action to v2	2022-01-24 10:13:55 +01:00
Renovate Bot	571e42aef3	chore(deps): update aevea/release-notary docker digest to 8b26ced	2022-01-24 10:11:09 +01:00
Renovate Bot	e846d42497	chore(deps): update aevea/commitsar docker digest to b77adeb	2022-01-24 10:04:50 +01:00
Renovate Bot	b7f0f661e3	chore(deps): update aevea/release-notary docker digest to fad8346	2022-01-24 10:04:40 +01:00
Dmitry Tsoy	7033a0543d	fix: long base64 string may contain new-line if the base64 string has more than 76 characters, it is wrapped with \n	2022-01-24 10:03:08 +01:00
Doron Somech	e03153c634	fix: don't push image when skip_unchanged_digest is set Kaniko default behavior changed, `--tarPath` alone is not enough to skip the push to registry, `--no-push` is now required as well. Reference: GoogleContainerTools/kaniko#1503	2021-09-21 11:52:28 +02:00
Alex Viscreanu	49888d43ab	fix(build): delete crane tarfile using absolute path	2021-02-17 10:54:13 +01:00
Renovate Bot	418284a2f2	chore(deps): update aevea/commitsar docker digest to caf5539	2020-09-14 11:17:39 +02:00
Renovate Bot	5be93ca286	chore(deps): pin docker digests	2020-09-04 11:49:49 +02:00
Doron Somech	5e25ae9c63	refactor: Use google/go-containerregistry to push image	2020-08-05 17:53:40 +02:00
Alex	6030da03d4	fix: Force kaniko to run on GitHub action's environment	2020-07-15 19:03:56 +02:00
Doron Somech	daf41b1e54	feat: Add target option	2020-06-22 08:19:55 +02:00
Doron Somech	79ed56ad90	feat: Add tag_with_latest option for tagging with latest additionally When skipping the push on unchanged digests, it's not enough to push the current tag, which is probably semver, we also need to push the latest, so we can later check if the latest digest equals the currently built image	2020-06-22 08:18:11 +02:00
Doron Somech	94f437184e	feat: Allow custom context path	2020-06-22 08:17:58 +02:00
Doron Somech	51211d4483	fix(digest): Add support for GitHub's docker registry Github registry doesn't support digest yet, we need to download the manifest and calculate the digest manually Also fixing a few other issues: * Multi-stage dockerfiles override /usr/local/lib, moved jq and reg to /kaniko instead * The digest was fetched for the current tag, which doesn't exist yet. Fetching digest for the latest tag instead	2020-06-22 08:14:46 +02:00
Alex Viscreanu	57d6d22cdf	chore: Push on first build if skip_unchanged_digest isn't set	2020-06-19 14:10:56 +02:00
Alex Viscreanu	3b9302effb	feat: Add option for skip pushing if the digest hasn't changed	2020-06-19 14:10:56 +02:00
Alex Viscreanu	c076596480	chore: Add Makefile for easier development	2020-06-19 13:18:55 +02:00
Alex Viscreanu	edea218783	chore: Rename function to ensure variables being set	2020-06-19 13:14:45 +02:00