ci: fix release notary action

explicitly define entrypoint and args

.github/workflows/pr.yml

@@ -6,8 +6,8 @@ jobs:
     runs-on: ubuntu-latest
     name: Verify commit messages
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Run commitsar
-        uses: docker://aevea/commitsar@sha256:27ea5e528b153393e924d98764d6400a181f03768d972ba151b3ddc9f14ff12c
+        uses: docker://aevea/commitsar@sha256:8d2db4e430dd06e3fcde173add43dada80b37150ba1191a69cda1c0bcdba9cb1

.github/workflows/release.yml

@@ -10,14 +10,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Release Notary Action
-        uses: docker://aevea/release-notary@sha256:03e771a509881121758b05217a8938ca8379d29dfa69a2605ceca06ffca2db4d
+        uses: docker://aevea/release-notary@sha256:b77e86ce9ce4b0c8774cdb3b807b756d1d6139d73aca74388560250de259be4e
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          entrypoint: release-notary
+          args: publish
 
       - name: GitHub Package Registry
         uses: aevea/action-kaniko@master

Dockerfile

@@ -2,18 +2,18 @@ FROM alpine as certs
 
 RUN apk --update add ca-certificates
 
-FROM gcr.io/kaniko-project/executor:v1.7.0-debug
+FROM gcr.io/kaniko-project/executor:v1.20.0-debug
 
 SHELL ["/busybox/sh", "-c"]
 
 RUN wget -O /kaniko/jq \
-    https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
+    https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux64 && \
     chmod +x /kaniko/jq && \
     wget -O /kaniko/reg \
     https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-386 && \
     chmod +x /kaniko/reg && \
     wget -O /crane.tar.gz \
-    https://github.com/google/go-containerregistry/releases/download/v0.8.0/go-containerregistry_Linux_x86_64.tar.gz && \
+    https://github.com/google/go-containerregistry/releases/download/v0.17.0/go-containerregistry_Linux_x86_64.tar.gz && \
     tar -xvzf /crane.tar.gz crane -C /kaniko && \
     rm /crane.tar.gz
 

README.md

@@ -175,3 +175,9 @@ with:
 ```
 
 for the tag `pre-0.1` will push `kaniko:0.1`, as the `pre-` part will be stripped from the tag name.
+
+## Outputs
+
+### `image`
+
+Full reference to the built image with registry and tag.

action.yml

@@ -57,6 +57,9 @@ inputs:
   debug:
     description: Enables trace for entrypoint.sh
     required: false
+outputs:
+  image:
+    description: "Full reference to the built image with registry and tag"
 runs:
   using: "docker"
   image: "Dockerfile"

entrypoint.sh

@@ -1,26 +1,26 @@
 #!/busybox/sh
 set -e pipefail
-if [[ "$INPUT_DEBUG" == "true" ]]; then
+if [ "$INPUT_DEBUG" = "true" ]; then
     set -o xtrace
 fi
 
-export REGISTRY=${INPUT_REGISTRY:-"docker.io"}
+export REGISTRY="${INPUT_REGISTRY:-"docker.io"}"
-export IMAGE=${INPUT_IMAGE}
+export IMAGE="$INPUT_IMAGE"
-export BRANCH=$(echo ${GITHUB_REF} | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
+export BRANCH=$(echo "$GITHUB_REF" | sed -E "s/refs\/(heads|tags)\///g" | sed -e "s/\//-/g")
-export TAG=${INPUT_TAG:-$([ "$BRANCH" == "master" ] && echo latest || echo $BRANCH)}
+export TAG=${INPUT_TAG:-$([ "$BRANCH" = "master" ] && echo latest || echo "$BRANCH")}
-export TAG=${TAG:-"latest"}
+export TAG="${TAG:-"latest"}"
-export TAG=${TAG#$INPUT_STRIP_TAG_PREFIX}
+export TAG="${TAG#$INPUT_STRIP_TAG_PREFIX}"
-export USERNAME=${INPUT_USERNAME:-$GITHUB_ACTOR}
+export USERNAME="${INPUT_USERNAME:-$GITHUB_ACTOR}"
-export PASSWORD=${INPUT_PASSWORD:-$GITHUB_TOKEN}
+export PASSWORD="${INPUT_PASSWORD:-$GITHUB_TOKEN}"
-export REPOSITORY=$IMAGE
+export REPOSITORY="$IMAGE"
-export IMAGE=$IMAGE:$TAG
+export IMAGE="${IMAGE}:${TAG}"
-export CONTEXT_PATH=${INPUT_PATH}
+export CONTEXT_PATH="$INPUT_PATH"
 
-if [[ "$INPUT_TAG_WITH_LATEST" == "true" ]]; then
+if [ "$INPUT_TAG_WITH_LATEST" = "true" ]; then
-    export IMAGE_LATEST="$REPOSITORY:latest"
+    export IMAGE_LATEST="${REPOSITORY}:latest"
 fi
 
-function ensure() {
+ensure() {
     if [ -z "${1}" ]; then
         echo >&2 "Unable to find the ${2} variable. Did you set with.${2}?"
         exit 1
@@ -34,48 +34,51 @@ ensure "${IMAGE}" "image"
 ensure "${TAG}" "tag"
 ensure "${CONTEXT_PATH}" "path"
 
-if [ "$REGISTRY" == "ghcr.io" ]; then
+if [ "$REGISTRY" = "ghcr.io" ]; then
     IMAGE_NAMESPACE="$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')"
-    export IMAGE="$IMAGE_NAMESPACE/$IMAGE"
+    # Set `/` separator, unless image is pre-fixed with dash or slash
-    export REPOSITORY="$IMAGE_NAMESPACE/$REPOSITORY"
+    [ -n "$REPOSITORY" ] && [[ ! "$REPOSITORY" =~ ^[-/] ]] && SEPARATOR="/"
+    export IMAGE="$IMAGE_NAMESPACE$SEPARATOR$IMAGE"
+    export REPOSITORY="$IMAGE_NAMESPACE$SEPARATOR$REPOSITORY"
 
-    if [ ! -z $IMAGE_LATEST ]; then
+    if [ -n "$IMAGE_LATEST" ]; then
-        export IMAGE_LATEST="$IMAGE_NAMESPACE/$IMAGE_LATEST"
+        export IMAGE_LATEST="${IMAGE_NAMESPACE}/${IMAGE_LATEST}"
     fi
 
-    if [ ! -z $INPUT_CACHE_REGISTRY ]; then
+    if [ -n "$INPUT_CACHE_REGISTRY" ]; then
-        export INPUT_CACHE_REGISTRY="$REGISTRY/$IMAGE_NAMESPACE/$INPUT_CACHE_REGISTRY"
+        export INPUT_CACHE_REGISTRY="${REGISTRY}/${IMAGE_NAMESPACE}/${INPUT_CACHE_REGISTRY}"
     fi
 fi
 
-if [ "$REGISTRY" == "docker.io" ]; then
+if [ "$REGISTRY" = "docker.io" ]; then
     export REGISTRY="index.${REGISTRY}/v1/"
 else
-    export IMAGE="$REGISTRY/$IMAGE"
+    export IMAGE="${REGISTRY}/${IMAGE}"
 
-    if [ ! -z $IMAGE_LATEST ]; then
+    if [ -n "$IMAGE_LATEST" ]; then
-        export IMAGE_LATEST="$REGISTRY/$IMAGE_LATEST"
+        export IMAGE_LATEST="${REGISTRY}/${IMAGE_LATEST}"
     fi
 fi
 
-export CACHE=${INPUT_CACHE:+"--cache=true"}
+export CACHE="${INPUT_CACHE:+"--cache=true"}"
-export CACHE=$CACHE${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
+export CACHE="$CACHE"${INPUT_CACHE_TTL:+" --cache-ttl=$INPUT_CACHE_TTL"}
-export CACHE=$CACHE${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
+export CACHE="$CACHE"${INPUT_CACHE_REGISTRY:+" --cache-repo=$INPUT_CACHE_REGISTRY"}
-export CACHE=$CACHE${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
+export CACHE="$CACHE"${INPUT_CACHE_DIRECTORY:+" --cache-dir=$INPUT_CACHE_DIRECTORY"}
 export CONTEXT="--context $GITHUB_WORKSPACE/$CONTEXT_PATH"
 export DOCKERFILE="--dockerfile $CONTEXT_PATH/${INPUT_BUILD_FILE:-Dockerfile}"
 export TARGET=${INPUT_TARGET:+"--target=$INPUT_TARGET"}
+export DIGEST="--digest-file /kaniko/digest --image-name-tag-with-digest-file=/kaniko/image-tag-digest"
 
-if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
+if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
-    export DESTINATION="--digest-file digest --no-push --tarPath image.tar --destination $IMAGE"
+    export DESTINATION="--no-push --tarPath image.tar --destination $IMAGE"
 else
     export DESTINATION="--destination $IMAGE"
-    if [ ! -z $IMAGE_LATEST ]; then
+    if [ -n "$IMAGE_LATEST" ]; then
         export DESTINATION="$DESTINATION --destination $IMAGE_LATEST"
     fi
 fi
 
-export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DESTINATION $INPUT_EXTRA_ARGS"
+export ARGS="$CACHE $CONTEXT $DOCKERFILE $TARGET $DIGEST $DESTINATION $INPUT_EXTRA_ARGS"
 
 cat <<EOF >/kaniko/.docker/config.json
 {
@@ -88,17 +91,27 @@ cat <<EOF >/kaniko/.docker/config.json
 }
 EOF
 
+# https://github.com/GoogleContainerTools/kaniko/issues/1803
 # https://github.com/GoogleContainerTools/kaniko/issues/1349
-/kaniko/executor --reproducible --force $ARGS
+export IFS=''
+kaniko_cmd="/kaniko/executor ${ARGS} --reproducible --force"
+echo "Running kaniko command ${kaniko_cmd}"
+eval "${kaniko_cmd}"
 
-if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
+echo "image=$IMAGE" >> "$GITHUB_OUTPUT"
-    export DIGEST=$(cat digest)
+echo "digest=$(cat /kaniko/digest)" >> "$GITHUB_OUTPUT"
+echo "image-tag-digest=$(cat /kaniko/image-tag-digest)" >> "$GITHUB_OUTPUT"
 
-    /kaniko/crane auth login $REGISTRY -u $USERNAME -p $PASSWORD
 
-    export REMOTE=$(crane digest $REGISTRY/${REPOSITORY}:latest)
+if [ -n "$INPUT_SKIP_UNCHANGED_DIGEST" ]; then
+    export DIGEST="$(cat /kaniko/digest)"
 
-    if [ "$DIGEST" == "$REMOTE" ]; then
+    /kaniko/crane auth login "$REGISTRY" -u "$USERNAME" -p "$PASSWORD"
+
+    export REMOTE=$(crane digest "${REGISTRY}/${REPOSITORY}:latest")
+
+    if [ "$DIGEST" = "$REMOTE" ]; then
+        echo "refreshed=false" >> "$GITHUB_OUTPUT"
         echo "Digest hasn't changed, skipping, $DIGEST"
         echo "Done 🎉️"
         exit 0
@@ -106,12 +119,13 @@ if [ ! -z $INPUT_SKIP_UNCHANGED_DIGEST ]; then
 
     echo "Pushing image..."
 
-    /kaniko/crane push image.tar $IMAGE
+    /kaniko/crane push image.tar "$IMAGE"
 
-    if [ ! -z $IMAGE_LATEST ]; then
+    if [ -n "$IMAGE_LATEST" ]; then
         echo "Tagging latest..."
-        /kaniko/crane tag $IMAGE latest  
+        /kaniko/crane tag "$IMAGE" latest
     fi
 
+    echo "refreshed=false" >> "$GITHUB_OUTPUT"
     echo "Done 🎉️"
 fi