chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.21.0

ci: fix release notary action
explicitly define entrypoint and args
2024-02-29 20:35:02 +00:00 · 2024-01-20 11:24:51 +01:00 · 2024-01-20 11:02:40 +01:00 · 2024-01-20 10:27:37 +01:00 · 2024-01-11 22:51:21 +01:00 · 2024-01-11 22:25:33 +01:00
7 changed files with 98 additions and 62 deletions
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -6,6 +6,8 @@ jobs:
    runs-on: ubuntu-latest
    name: Verify commit messages
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
      - name: Run commitsar
-        uses: docker://aevea/commitsar@sha256:caf5539dd03309a539906c7ad45c2ecc0ae86a1ee2bf5dc538d7986c523526f3
+        uses: docker://aevea/commitsar@sha256:8d2db4e430dd06e3fcde173add43dada80b37150ba1191a69cda1c0bcdba9cb1
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -11,7 +11,7 @@ jobs:
      - name: GitHub Package Registry
        uses: aevea/action-kaniko@master
        with:
-          registry: docker.pkg.github.com
+          registry: ghcr.io
          password: ${{ secrets.GITHUB_TOKEN }}
          image: kaniko
          cache: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,17 +10,22 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0

      - name: Release Notary Action
-        uses: docker://aevea/release-notary@sha256:5eef3c539deb5397457a6acf001ef80df6004ec52bc4b8a0eac0577ad92759d0
+        uses: docker://aevea/release-notary@sha256:b77e86ce9ce4b0c8774cdb3b807b756d1d6139d73aca74388560250de259be4e
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          entrypoint: release-notary
+          args: publish

      - name: GitHub Package Registry
        uses: aevea/action-kaniko@master
        with:
-          registry: docker.pkg.github.com
+          registry: ghcr.io
          password: ${{ secrets.GITHUB_TOKEN }}
          image: kaniko
          cache: true
--- a/8
+++ b/8
@@ -2,18 +2,18 @@ FROM alpine as certs

 RUN apk --update add ca-certificates

-FROM gcr.io/kaniko-project/executor:debug
+FROM gcr.io/kaniko-project/executor:v1.21.0-debug

 SHELL ["/busybox/sh", "-c"]

 RUN wget -O /kaniko/jq \
-    https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
+    https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && \
    chmod +x /kaniko/jq && \
    wget -O /kaniko/reg \
    https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
    chmod +x /kaniko/reg && \
-    wget -O /crane.tar.gz \ 
-    https://github.com/google/go-containerregistry/releases/download/v0.1.1/go-containerregistry_Linux_x86_64.tar.gz && \
+    wget -O /crane.tar.gz \
+    https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && \
    tar -xvzf /crane.tar.gz crane -C /kaniko && \
    rm /crane.tar.gz

--- a/README.md
+++ b/README.md
@@ -56,6 +56,7 @@ the most used values. So, technically there is a single required argument
 | path                  | Path to the build context. Defaults to `.`                      | false    | .               |
 | tag_with_latest       | Tags the built image with additional latest tag                 | false    |                 |
 | target                | Sets the target stage to build                                  | false    |                 |
+| debug                 | Enables trace for entrypoint.sh                                 | false    |                 |

 **Here is where it gets specific, as the optional arguments become required depending on the registry targeted**

@@ -83,7 +84,7 @@ with:
  cache_registry: aevea/cache
 ```

-### [docker.pkg.github.com](https://github.com/features/packages)
+### [ghcr.io](https://github.com/features/packages)

 GitHub's docker registry is a bit special. It doesn't allow top-level images, so this action will prefix any image with the GitHub namespace.
 If you want to push your image like `aevea/action-kaniko/kaniko`, you'll only need to pass `kaniko` to this action.
@@ -93,7 +94,7 @@ passed by default, it will have to be explicitly set up.

 ```yaml
 with:
-  registry: docker.pkg.github.com
+  registry: ghcr.io
  password: ${{ secrets.GITHUB_TOKEN }}
  image: kaniko
 ```
@@ -104,7 +105,7 @@ cache layers to that image instead

 ```yaml
 with:
-  registry: docker.pkg.github.com
+  registry: ghcr.io
  password: ${{ secrets.GITHUB_TOKEN }}
  image: kaniko
  cache: true
@@ -167,10 +168,16 @@ Example:

 ```yaml
 with:
-  registry: docker.pkg.github.com
+  registry: ghcr.io
  password: ${{ secrets.GITHUB_TOKEN }}
  image: kaniko
  strip_tag_prefix: pre-
 ```

 for the tag `pre-0.1` will push `kaniko:0.1`, as the `pre-` part will be stripped from the tag name.
+
+## Outputs
+
+### `image`
+
+Full reference to the built image with registry and tag.
--- a/action.yml
+++ b/action.yml
@@ -54,6 +54,12 @@ inputs:
  target:
    description: Sets the target stage to build
    required: false
+  debug:
+    description: Enables trace for entrypoint.sh
+    required: false
+outputs:
+  image:
+    description: "Full reference to the built image with registry and tag"
 runs:
  using: "docker"
  image: "Dockerfile"
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,20 +1,26 @@
 #!/busybox/sh
 set -e pipefail
+if [ "$INPUT_DEBUG" = "true" ]; then
+    set -o xtrace
+fi

-export REGISTRY=${INPUT_REGISTRY:-"docker.io"}
-export IMAGE=${INPUT_IMAGE}
-export BRANCH=$(echo ${GITHUB_REF} | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
-export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)}
-export TAG=${TAG:-"latest"}
-export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
-export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
-export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
-export REPOSITORY=$IMAGE
-export IMAGE_LATEST=${INPUT_TAG_WITH_LATEST:+"$IMAGE:latest"}
-export IMAGE=$IMAGE:$TAG
-export CONTEXT_PATH=${INPUT_PATH}
+export REGISTRY="${INPUT_REGISTRY:-"docker.io"}"
+export IMAGE="$INPUT_IMAGE"
+export BRANCH=$(echo "$GITHUB_REF" | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
+export TAG=${INPUT_TAG:-$([ "$BRANCH" = "master" ] && echo latest || echo "$BRANCH")}
+export TAG="${TAG:-"latest"}"
+export TAG="${TAG#$INPUT_STRIP_TAG_PREFIX}"
+export USERNAME="${INPUT_USERNAME:-$GITHUB_ACTOR}"
+export PASSWORD="${INPUT_PASSWORD:-$GITHUB_TOKEN}"
+export REPOSITORY="$IMAGE"
+export IMAGE="${IMAGE}:${TAG}"
+export CONTEXT_PATH="$INPUT_PATH"

-function ensure() {
+if [ "$INPUT_TAG_WITH_LATEST" = "true" ]; then
+    export IMAGE_LATEST="${REPOSITORY}:latest"
+fi
+
+ensure() {
    if [ -z "${1}" ]; then
        echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?"
        exit 1
@@ -28,48 +34,51 @@ ensure "${IMAGE}" "image"
 ensure "${TAG}" "tag"
 ensure "${CONTEXT_PATH}" "path"

-if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
+if [ "$REGISTRY" = "ghcr.io" ]; then
    IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
-    export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
-    export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
+    # Set `/` separator, unless image is pre-fixed with dash or slash
+    [ -n "$REPOSITORY" ] && [[ ! "$REPOSITORY" =~ ^[-/] ]] && SEPARATOR="/"
+    export IMAGE="$IMAGE_NAMESPACE$SEPARATOR$IMAGE"
+    export REPOSITORY="$IMAGE_NAMESPACE$SEPARATOR$REPOSITORY"

-    if [ ! -z $IMAGE_LATEST ]; then
-        export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
+    if [ -n "$IMAGE_LATEST" ]; then
+        export IMAGE_LATEST="${IMAGE_NAMESPACE}/${IMAGE_LATEST}"
    fi

-    if [ ! -z $INPUT_CACHE_REGISTRY ]; then
-        export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
+    if [ -n "$INPUT_CACHE_REGISTRY" ]; then
+        export INPUT_CACHE_REGISTRY="${REGISTRY}/${IMAGE_NAMESPACE}/${INPUT_CACHE_REGISTRY}"
    fi
 fi

-if [ "$REGISTRY" == "docker.io" ]; then
+if [ "$REGISTRY" = "docker.io" ]; then
    export REGISTRY="index.${REGISTRY}/v1/"
 else
-    export IMAGE="$REGISTRY/$IMAGE"
+    export IMAGE="${REGISTRY}/${IMAGE}"

-    if [ ! -z $IMAGE_LATEST ]; then
-        export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
+    if [ -n "$IMAGE_LATEST" ]; then
+        export IMAGE_LATEST="${REGISTRY}/${IMAGE_LATEST}"
    fi
 fi

-export CACHE=${INPUT_CACHE:+"--cache=true"}
-export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
-export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
-export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
+export CACHE="${INPUT_CACHE:+"--cache=true"}"
+export CACHE="$CACHE"${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
+export CACHE="$CACHE"${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
+export CACHE="$CACHE"${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
 export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
 export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
 export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
+export DIGEST="--digest-file /kaniko/digest --image-name-tag-with-digest-file=/kaniko/image-tag-digest"

-if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
-    export DESTINATION="--digest-file digest --tarPath image.tar --destination $IMAGE"
+if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
+    export DESTINATION="--no-push --tarPath image.tar --destination $IMAGE"
 else
    export DESTINATION="--destination $IMAGE"
-    if [ ! -z $IMAGE_LATEST ]; then
-        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"  
+    if [ -n "$IMAGE_LATEST" ]; then
+        export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"
    fi
 fi

-export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DIGEST $DESTINATION $INPUT_EXTRA_ARGS"

 cat <<EOF >/kaniko/.docker/config.json
 {
@@ -82,20 +91,27 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF

+# https://github.com/GoogleContainerTools/kaniko/issues/1803
 # https://github.com/GoogleContainerTools/kaniko/issues/1349
-/kaniko/executor --reproducible --force $ARGS
+export IFS=''
+kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force"
+echo "Running kaniko command ${kaniko_cmd}"
+eval "${kaniko_cmd}"

-if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
-    export DIGEST=$(cat digest)
+echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
+echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT"
+echo "image-tag-digest=$(cat /kaniko/image-tag-digest)" >> "$GITHUB_OUTPUT"

-    if [ "$REGISTRY" == "docker.pkg.github.com" ]; then
-        wget -q -O manifest --header "Authorization: Basic $(echo -n $USERNAME:$PASSWORD | base64)" https://docker.pkg.github.com/v2/$REPOSITORY/manifests/latest || true
-        export REMOTE="sha256:$(cat manifest | sha256sum | awk '{ print $1 }')"
-    else
-        export REMOTE=$(reg digest -u $USERNAME -p $PASSWORD $REGISTRY/$REPOSITORY | tail -1)
-    fi

-    if [ "$DIGEST" == "$REMOTE" ]; then
+if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
+    export DIGEST="$(cat /kaniko/digest)"
+
+    /kaniko/crane auth login "$REGISTRY" -u "$USERNAME" -p "$PASSWORD"
+
+    export REMOTE=$(crane digest "${REGISTRY}/${REPOSITORY}:latest")
+
+    if [ "$DIGEST" = "$REMOTE" ]; then
+        echo "refreshed=false" >> "$GITHUB_OUTPUT"
        echo "Digest hasn't changed, skipping, $DIGEST"
        echo "Done 🎉️"
        exit 0
@@ -103,13 +119,13 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then

    echo "Pushing image..."

-    /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD
-    /kaniko/crane push image.tar $IMAGE
+    /kaniko/crane push image.tar "$IMAGE"

-    if [ ! -z $IMAGE_LATEST ]; then
+    if [ -n "$IMAGE_LATEST" ]; then
        echo "Tagging latest..."
-        /kaniko/crane tag $IMAGE latest  
+        /kaniko/crane tag "$IMAGE" latest
    fi
- 
+
+    echo "refreshed=false" >> "$GITHUB_OUTPUT"
    echo "Done 🎉️"
 fi
Author	SHA1	Message	Date
renovate[bot]	419afdc93d	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.21.0	2024-02-29 20:35:02 +00:00
Alex Viscreanu	16c18d6aee	ci: fix release notary action explicitly define entrypoint and args	2024-01-20 11:24:51 +01:00
Theo Cabrerizo Diem	ec00be49b7	refactor: make entrypoint script more posix compliant remove most of the 'bashisms' in the script, improve quoting, escaping and make more consistent regarding references to variable names	2024-01-20 11:02:40 +01:00
renovate[bot]	4f9a6a7f2c	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.20.0	2024-01-20 10:27:37 +01:00
Theo Cabrerizo Diem	81a26cb33a	feat: expand output variables add output variables for digests and if image was refreshed or not	2024-01-11 22:51:21 +01:00
Mikael Elkiaer	17bff7af73	fix(ghcr): omit separator in case image is prefixed with dash or slash this allows local pushing to the repo running the action	2024-01-11 22:25:33 +01:00
Idriss Neumann	a95ae7d706	fix(kaniko): workaround for passing arguments containing spaces set up input field separator as null and use eval to run kaniko executor	2024-01-11 22:21:21 +01:00
renovate[bot]	10b098cb52	chore(deps): update aevea/commitsar docker digest to 8d2db4e	2024-01-11 22:05:46 +01:00
renovate[bot]	4387eb381c	chore(deps): update actions/checkout action to v4	2024-01-11 22:05:22 +01:00
Mikhail Nacharov	ca098255c5	feat: output built image reference	2024-01-11 22:04:49 +01:00
Alex Viscreanu	e54575cc70	chore(deps): bump kaniko to v1.19.2 and update dependencies	2024-01-11 22:02:42 +01:00
renovate[bot]	78060c4e9d	chore(deps): update aevea/release-notary docker digest to b77e86c	2022-12-27 21:25:52 +01:00
renovate[bot]	98d5caab7f	chore(deps): update aevea/commitsar docker digest to 18c604f	2022-12-27 21:22:59 +01:00
renovate[bot]	83ddee1c8b	chore(deps): update gcr.io/kaniko-project/executor docker tag to v1.9.1	2022-12-27 21:20:48 +01:00
Doron Somech	57fd639926	fix: use version 1.7.0 of kaniko Version 1.8.0 and above breaks reproducible builds. https://github.com/GoogleContainerTools/kaniko/issues/2005	2022-05-13 16:59:27 +02:00
Doron Somech	c97b90ade3	chore(deps): update crane to 0.8.0	2022-05-13 16:59:27 +02:00
Doron Somech	1200c08dba	fix: downloading manifest doesn't work for github packages	2022-05-13 16:59:27 +02:00
Renovate Bot	a4abaead48	chore(deps): update actions/checkout action to v3	2022-03-31 11:32:10 +02:00
Renovate Bot	59bc747ae2	chore(deps): update aevea/release-notary digest to 03e771a	2022-03-31 11:31:45 +02:00
Renovate Bot	548ad7dd4a	chore(deps): update aevea/commitsar digest to 27ea5e5	2022-03-31 11:31:37 +02:00
Sandro Modarelli	20173de989	feat: adding debug flag	2022-03-31 11:29:47 +02:00
Sandro Modarelli	17f90e5aa4	fix: use complete image name when computing latest target	2022-03-31 11:29:47 +02:00
Alex	a5055cd007	docs: update references to github's package registry host	2022-02-21 15:27:55 +01:00
Alex	3e397648f8	fix(ci): use updated github container registry host	2022-02-21 15:25:01 +01:00
Alex Viscreanu	dc591110cc	fix: update github container registry host	2022-02-21 15:21:10 +01:00
Julien Semaan	8e9a423400	fix: tag with latest only when its config is true	2022-01-24 10:46:25 +01:00
Alex Viscreanu	f16a14fc0f	fix(ci): fetch all necessary commits for commitsar and release notary	2022-01-24 10:45:57 +01:00
Renovate Bot	8bd3e02fd2	chore(deps): update actions/checkout action to v2	2022-01-24 10:13:55 +01:00
Renovate Bot	571e42aef3	chore(deps): update aevea/release-notary docker digest to 8b26ced	2022-01-24 10:11:09 +01:00
Renovate Bot	e846d42497	chore(deps): update aevea/commitsar docker digest to b77adeb	2022-01-24 10:04:50 +01:00
Renovate Bot	b7f0f661e3	chore(deps): update aevea/release-notary docker digest to fad8346	2022-01-24 10:04:40 +01:00
Dmitry Tsoy	7033a0543d	fix: long base64 string may contain new-line if the base64 string has more than 76 characters, it is wrapped with \n	2022-01-24 10:03:08 +01:00
Doron Somech	e03153c634	fix: don't push image when skip_unchanged_digest is set Kaniko default behavior changed, `--tarPath` alone is not enough to skip the push to registry, `--no-push` is now required as well. Reference: GoogleContainerTools/kaniko#1503	2021-09-21 11:52:28 +02:00