fix(build): delete crane tarfile using absolute path

When skipping the push on unchanged digests, it's not enough to push the current tag,
which is probably semver, we also need to push the latest, so we can later check if
the latest digest equals the currently built image

.github/workflows/pr.yml

@@ -8,4 +8,4 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Run commitsar
-        uses: docker://aevea/commitsar
+        uses: docker://aevea/commitsar@sha256:caf5539dd03309a539906c7ad45c2ecc0ae86a1ee2bf5dc538d7986c523526f3

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
         uses: actions/checkout@v1
 
       - name: Release Notary Action
-        uses: docker://aevea/release-notary
+        uses: docker://aevea/release-notary@sha256:5eef3c539deb5397457a6acf001ef80df6004ec52bc4b8a0eac0577ad92759d0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

Dockerfile

@@ -6,13 +6,16 @@ FROM gcr.io/kaniko-project/executor:debug
 
 SHELL ["/busybox/sh", "-c"]
 
-RUN mkdir -p /usr/local/bin && \
+RUN wget -O /kaniko/jq \
-    wget -O /usr/local/bin/jq \
     https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
-    chmod +x /usr/local/bin/jq && \
+    chmod +x /kaniko/jq && \
-    wget -O /usr/local/bin/reg \
+    wget -O /kaniko/reg \
     https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
-    chmod +x /usr/local/bin/reg
+    chmod +x /kaniko/reg && \
+    wget -O /crane.tar.gz \ 
+    https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \
+    tar -xvzf /crane.tar.gz crane -C /kaniko && \
+    rm /crane.tar.gz
 
 COPY entrypoint.sh /
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

README.md

@@ -53,6 +53,9 @@ the most used values. So, technically there is a single required argument
 | extra_args            | Additional arguments to be passed to the kaniko executor        | false    |                 |
 | strip_tag_prefix      | Prefix to be stripped from the tag                              | false    |                 |
 | skip_unchanged_digest | Avoids pushing the image if the build generated the same digest | false    |                 |
+| path                  | Path to the build context. Defaults to `.`                      | false    | .               |
+| tag_with_latest       | Tags the built image with additional latest tag                 | false    |                 |
+| target                | Sets the target stage to build                                  | false    |                 |
 
 **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**
 

action.yml

@@ -5,6 +5,10 @@ branding:
   icon: anchor
   color: orange
 inputs:
+  path:
+    description: Path to the build context
+    required: false
+    default: "."
   registry:
     description: "Docker registry where the image will be pushed"
     required: false
@@ -44,6 +48,12 @@ inputs:
   skip_unchanged_digest:
     description: "Avoids pushing the image if the build generated the same digest"
     required: false
+  tag_with_latest:
+    description: "Tags the built image with additional latest tag"
+    required: false
+  target:
+    description: Sets the target stage to build
+    required: false
 runs:
   using: "docker"
   image: "Dockerfile"

entrypoint.sh

@@ -9,7 +9,10 @@ export TAG=${TAG:-"latest"}
 export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
 export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
 export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
+export REPOSITORY=$IMAGE
+export IMAGE_LATEST=${INPUT_TAG_WITH_LATEST:+"$IMAGE:latest"}
 export IMAGE=$IMAGE:$TAG
+export CONTEXT_PATH=${INPUT_PATH}
 
 function ensure() {
     if [ -z "${1}" ]; then
@@ -23,10 +26,16 @@ ensure "${USERNAME}" "username"
 ensure "${PASSWORD}" "password"
 ensure "${IMAGE}" "image"
 ensure "${TAG}" "tag"
+ensure "${CONTEXT_PATH}" "path"
 
 if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
     IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
     export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
+    export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
+    fi
 
     if [ ! -z $INPUT_CACHE_REGISTRY ]; then
         export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
@@ -37,22 +46,30 @@ if [ "$REGISTRY" == "docker.io" ]; then
     export REGISTRY="index.${REGISTRY}/v1/"
 else
     export IMAGE="$REGISTRY/$IMAGE"
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
+    fi
 fi
 
 export CACHE=${INPUT_CACHE:+"--cache=true"}
 export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
 export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
 export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
-export CONTEXT="--context $GITHUB_WORKSPACE"
+export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
-export DOCKERFILE="--dockerfile ${INPUT_BUILD_FILE:-Dockerfile}"
+export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
+export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
 
 if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
-    export DESTINATION="--no-push --digest-file digest"
+    export DESTINATION="--digest-file digest --tarPath image.tar --destination $IMAGE"
 else
     export DESTINATION="--destination $IMAGE"
+    if [ ! -z $IMAGE_LATEST ]; then
+        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"  
+    fi
 fi
 
-export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
 
 cat <<EOF >/kaniko/.docker/config.json
 {
@@ -65,11 +82,18 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF
 
-/kaniko/executor --reproducible $ARGS
+# https://github.com/GoogleContainerTools/kaniko/issues/1349
+/kaniko/executor --reproducible --force $ARGS
 
 if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
     export DIGEST=$(cat digest)
-    export REMOTE=$(reg digest "$IMAGE" | tail -1)
+
+    if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
+        wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true
+        export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
+    else
+        export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
+    fi
 
     if [ "$DIGEST" == "$REMOTE" ]; then
         echo "Digest hasn't changed, skipping, $DIGEST"
@@ -77,12 +101,15 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
         exit 0
     fi
 
-    export DESTINATION="--destination $IMAGE"
-    export ARGS="$CACHE $CONTEXT $DOCKERFILE $DESTINATION $INPUT_EXTRA_ARGS"
-
     echo "Pushing image..."
 
-    /kaniko/executor --reproducible $ARGS >/dev/null 2>&1
+    /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD
+    /kaniko/crane push image.tar $IMAGE
+
+    if [ ! -z $IMAGE_LATEST ]; then
+        echo "Tagging latest..."
+        /kaniko/crane tag $IMAGE latest  
+    fi
  
     echo "Done 🎉️"
 fi