- CI pipeline & Dockerfile hardening: env var rename, extended logging, POSIX shell, privilege drop #5

Merged
GuillaumeHemmen merged 5 commits from 4-script-is-not-found into master 2025-05-19 11:31:46 +00:00

This PR closes #4 by renaming the GitHub Actions variable from GITHUB_REF_NAME to GIT_REF_NAME, fixing secrets and artifact destination paths, and adding detailed logging of environment variables and build actions for easier troubleshooting. It also updates the Dockerfile to run installation steps as root but switches to a non-root user for runtime, and replaces the shell with a strictly POSIX-compliant variant to improve portability and security.
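As an added example, not the project's own build.sh: a POSIX sh fragment that performs the variable checks, the masked environment logging and the push/no-push decision the description refers to. The variable names follow the PR text; the PUSH flag, the "keep two characters" masking rule and the sample registry path are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the project's build.sh). Names GIT_REF_NAME, KANIKO_DESTINATION,
# DOCKER_USERNAME and ACCESS_TOKEN follow the PR text; the PUSH flag and the
# masking rule are assumptions. Uses only POSIX features (works under dash/BusyBox).

# mask VALUE: keep the first two characters, replace the rest with '*'.
# Values of four characters or fewer are fully masked so short secrets never leak.
mask() {
    value=$1
    if [ "${#value}" -le 4 ]; then
        printf '%s\n' "$value" | sed 's/./*/g'
        return 0
    fi
    head=$(printf '%s' "$value" | cut -c1-2)
    rest=$(printf '%s' "$value" | cut -c3- | sed 's/./*/g')
    printf '%s%s\n' "$head" "$rest"
}

# require NAME: fail with a clear message when a build variable is unset or empty,
# so a misspelled name (the GITHUB_REF_NAME / GIT_REF_NAME mix-up) is caught early.
require() {
    eval "v=\${$1:-}"
    if [ -z "$v" ]; then
        echo "ERROR: required variable $1 is not set" >&2
        return 1
    fi
}

# will_push: prints "yes" only when PUSH=true and both credentials are present.
will_push() {
    if [ "${PUSH:-false}" = true ] && [ -n "${DOCKER_USERNAME:-}" ] && [ -n "${ACCESS_TOKEN:-}" ]; then
        echo yes
    else
        echo no
    fi
}

# log_build_env: print the build variables (secrets masked) and the push decision.
log_build_env() {
    require GIT_REF_NAME && require KANIKO_DESTINATION || return 1
    echo "GIT_REF_NAME=$GIT_REF_NAME"
    echo "KANIKO_DESTINATION=$KANIKO_DESTINATION"
    echo "DOCKER_USERNAME=$(mask "${DOCKER_USERNAME:-}")"
    echo "ACCESS_TOKEN=$(mask "${ACCESS_TOKEN:-}")"
    if [ "$(will_push)" = yes ]; then
        echo "This build WILL push the image to $KANIKO_DESTINATION"
    else
        echo "This build will NOT push (PUSH is not 'true' or credentials are missing)"
    fi
}
```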
GuillaumeHemmen added 1 commit 2025-05-19 10:47:50 +00:00
Replaced bash with sh for broader compatibility, ensuring scripts work with BusyBox/dash. Updated Dockerfile to use non-root user (UID 1000) and adjusted paths and permissions accordingly. Simplified and streamlined variable checks and logic in build.sh.
GuillaumeHemmen added 1 commit 2025-05-19 10:56:01 +00:00
Switched the user from UID 1000 to root (UID 0) in the Dockerfile. This change allows for operations requiring elevated privileges during container execution. Ensure any downstream implications of running as root are understood and addressed.
GuillaumeHemmen added 1 commit 2025-05-19 11:18:18 +00:00
This change introduces logging of key environment variables used during the build process, with sensitive values partially masked for security. It also provides clear messaging on whether the build includes a push to the registry, improving transparency and debugging capabilities.
GuillaumeHemmen added 1 commit 2025-05-19 11:21:24 +00:00
Standardize the environment variable naming for consistency across documentation and scripts. Updated all references in README.md and build.sh, ensuring functionality remains intact.
GuillaumeHemmen added 1 commit 2025-05-19 11:28:53 +00:00
Replaced outdated secret references with `docker_username` and `access_token`. Adjusted `KANIKO_DESTINATION` to point to the correct private registry and current image structure. Ensures compatibility and correct credentials for the build process.
GuillaumeHemmen changed title from #4 - Switch to POSIX-compliant shell and drop root privileges to #4 - CI pipeline & Dockerfile hardening: env var rename, extended logging, POSIX shell, privilege drop 2025-05-19 11:31:09 +00:00
GuillaumeHemmen merged commit a719e4dfbc into master 2025-05-19 11:31:46 +00:00
GuillaumeHemmen deleted branch 4-script-is-not-found 2025-05-19 11:31:46 +00:00
No reviewers
No labels
No milestone
No project
No assignees
1 participant
Reference: actions/kaniko#5