fix: Force kaniko to run on GitHub action's environment

When skipping the push on unchanged digests, it's not enough to push the current tag,
which is probably semver, we also need to push the latest, so we can later check if
the latest digest equals the currently built image

Dockerfile

@@ -6,13 +6,12 @@ FROM gcr.io/kaniko-project/executor:debug
 
 SHELL ["/busybox/sh", "-c"]
 
-RUN mkdir -p /usr/local/bin && \
+RUN wget -O /kaniko/jq \
-    wget -O /usr/local/bin/jq \
     https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
-    chmod +x /usr/local/bin/jq && \
+    chmod +x /kaniko/jq && \
-    wget -O /usr/local/bin/reg \
+    wget -O /kaniko/reg \
     https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
-    chmod +x /usr/local/bin/reg
+    chmod +x /kaniko/reg
 
 COPY entrypoint.sh /
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

README.md

@@ -53,6 +53,9 @@ the most used values. So, technically there is a single required argument
 | extra_args            | Additional arguments to be passed to the kaniko executor        | false    |                 |
 | strip_tag_prefix      | Prefix to be stripped from the tag                              | false    |                 |
 | skip_unchanged_digest | Avoids pushing the image if the build generated the same digest | false    |                 |
+| path                  | Path to the build context. Defaults to `.`                      | false    | .               |
+| tag_with_latest       | Tags the built image with additional latest tag                 | false    |                 |
+| target                | Sets the target stage to build                                  | false    |                 |
 
 **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**
 

action.yml

@@ -5,6 +5,10 @@ branding:
   icon: anchor
   color: orange
 inputs:
+  path:
+    description: Path to the build context
+    required: false
+    default: "."
   registry:
     description: "Docker registry where the image will be pushed"
     required: false
@@ -44,6 +48,12 @@ inputs:
   skip_unchanged_digest:
     description: "Avoids pushing the image if the build generated the same digest"
     required: false
+  tag_with_latest:
+    description: "Tags the built image with additional latest tag"
+    required: false
+  target:
+    description: Sets the target stage to build
+    required: false
 runs:
   using: "docker"
   image: "Dockerfile"

entrypoint.sh

@@ -9,7 +9,10 @@ export TAG=${TAG:-"latest"}
 export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
 export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
 export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
+export REPOSITORY=$IMAGE
+export IMAGE_LATEST=${INPUT_TAG_WITH_LATEST:+"$IMAGE:latest"}
 export IMAGE=$IMAGE:$TAG
+export CONTEXT_PATH=${INPUT_PATH}
 
 function ensure() {
     if [ -z "${1}" ]; then
@@ -23,10 +26,16 @@ ensure "${USERNAME}" "username"
 ensure "${PASSWORD}" "password"
 ensure "${IMAGE}" "image"
 ensure "${TAG}" "tag"
+ensure "${CONTEXT_PATH}" "path"
 
 if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
     IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
     export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
+    export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
+    fi
 
     if [ ! -z $INPUT_CACHE_REGISTRY ]; then
         export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
@@ -37,22 +46,30 @@ if [ "$REGISTRY" == "docker.io" ]; then
     export REGISTRY="index.${REGISTRY}/v1/"
 else
     export IMAGE="$REGISTRY/$IMAGE"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
+    fi
 fi
 
 export CACHE=${INPUT_CACHE:+"--cache=true"}
 export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
 export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
 export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
-export CONTEXT="--context $GITHUB_WORKSPACE"
+export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
-export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}"
+export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
+export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
 
 if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
     export DESTINATION="--no-push --digest-file digest"
 else
     export DESTINATION="--destination $IMAGE"
+    if [ ! -z $IMAGE_LATEST ]; then
+        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"  
+    fi
 fi
 
-export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
 
 cat <<EOF >/kaniko/.docker/config.json
 {
@@ -65,11 +82,18 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF
 
-/kaniko/executor --reproducible $ARGS
+# https://github.com/GoogleContainerTools/kaniko/issues/1349
+/kaniko/executor --reproducible --force $ARGS
 
 if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
     export DIGEST=$(cat digest)
-    export REMOTE=$(reg digest "$IMAGE" | tail -1)
+
+    if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
+        wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true
+        export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
+    else
+        export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
+    fi
 
     if [ "$DIGEST" == "$REMOTE" ]; then
         echo "Digest hasn't changed, skipping, $DIGEST"
@@ -78,7 +102,11 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
     fi
 
     export DESTINATION="--destination $IMAGE"
-    export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
+    if [ ! -z $IMAGE_LATEST ]; then
+        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"  
+    fi
+    
+    export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
 
     echo "Pushing image..."