# kaniko (action)

Custom **Kaniko** image (forked from Google’s `gcr.io/kaniko-project/executor:debug`) for Forgejo Actions.
Build & push OCI-compatible container images in your pipelines **without** a Docker daemon. Just set a few environment variables.

---

## Highlights

| Feature | Benefit |
|---------|---------|
| **Daemon-less builds** | Works in completely rootless, container-only environments |
| **Debug base** | Includes `/shell` & common tools for troubleshooting |
| **Registry-agnostic** | Push to Docker Hub, GHCR, Harbor, Quay, Google Artifact Registry, etc. |
| **Small wrapper script** | Autodetects credentials and common env-var combos |

---

## Image tags

| Tag | Base | Intended use |
|-----|------|--------------|
| `latest` | Google `debug` executor | General CI pipelines |

---

## Quick start

```yaml
# .forgejo/workflows/build.yaml
name: Build & push image
on:
  push:
    branches: [ main ]

jobs:
  build:
    runs-on: docker
    container:
      image: git.van-hemmen.com/actions/kaniko:latest
    steps:
      - name: Build & push with Kaniko
        env:
          # --- mandatory --------------------------------------------------------
          KANIKO_CONTEXT: git://git.van-hemmen.com/actions/kaniko.git
          GIT_REF_NAME: ${{ github.ref_name }}
          GIT_USERNAME: ${{ secrets.docker_username }}
          GIT_PASSWORD: ${{ secrets.access_token }}
          # --- optional (only needed when you plan to push) ---------------------
          REGISTRY_HOST: ghcr.io
          REGISTRY_USER: ${{ secrets.docker_username }}
          REGISTRY_PASS: ${{ secrets.access_token }}
          KANIKO_DESTINATION: git.van-hemmen.com/myorg/myapp:${GITHUB_SHA}
          # --- fine-tuning ------------------------------------------------------
          KANIKO_DOCKERFILE: ./Dockerfile
          KANIKO_VERBOSITY: info
```

## Environment variables

| Variable | Required | Purpose | Example value |
|----------|----------|---------|---------------|
| `KANIKO_CONTEXT` | **Yes** | Build context (`git://`). | `git://git.van-hemmen.com/actions/kaniko.git` |
| `GIT_REF_NAME` | **Yes** | Branch or tag that is being built. | `${{ github.ref_name }}` |
| `GIT_USERNAME` | **Yes** | Username with access to `KANIKO_CONTEXT` when it is private. | `${{ secrets.GIT_USERNAME }}` |
| `GIT_PASSWORD` | **Yes** | Token/password paired with `GIT_USERNAME`. | `${{ secrets.GIT_PASSWORD }}` |
| `REGISTRY_HOST` | No (default `git.van-hemmen.com`) | Target registry hostname. | `ghcr.io` |
| `REGISTRY_USER` | No* | Registry username. Enables push only if **both** `REGISTRY_USER` and `REGISTRY_PASS` are set. | `${{ secrets.REGISTRY_USER }}` |
| `REGISTRY_PASS` | No* | Registry password/token. | `${{ secrets.REGISTRY_PASS }}` |
| `KANIKO_DESTINATION` | No | Comma-separated list of image references to push (variables like `${{ github.sha }}` are expanded). | `ghcr.io/myorg/app:${{ github.sha }},ghcr.io/myorg/app:latest` |
| `KANIKO_DOCKERFILE` | No (default `./Dockerfile`) | Path to the Dockerfile relative to the context. | `./docker/Dockerfile.alpine` |
| `KANIKO_VERBOSITY` | No (default `info`) | Log level (`trace`, `debug`, `info`, `warn`, `error`, `fatal`, `panic`). | `debug` |

\* `REGISTRY_USER` / `REGISTRY_PASS` are only needed when the registry requires authentication.
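
The table's push rule and defaults, sketched as shell functions. This is an added example, not the wrapper script shipped in the image: the function names, the config directory argument and the extra requirement that `KANIKO_DESTINATION` be non-empty are assumptions, while `--context`, `--dockerfile`, `--verbosity`, `--destination` and `--no-push` are kaniko executor flags.

```shell
#!/bin/sh
# Added example: hypothetical wrapper logic, NOT the script shipped in the image.

# Print the Docker-style auth config that kaniko reads for registry credentials.
# Assumes host, user and password contain no characters that need JSON escaping.
registry_auth_json() {
    host=${REGISTRY_HOST:-git.van-hemmen.com}   # default taken from the table
    auth=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASS" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$host" "$auth"
}

# Write config.json into directory $1 with owner-only permissions, so the
# token is not readable by other users in the job container.
write_registry_auth() {
    dir=$1
    ( umask 077 && mkdir -p "$dir" && registry_auth_json > "$dir/config.json" )
}

# Print the executor arguments, one per line.
# Push is enabled only when BOTH credentials are set (and, as an assumption of
# this sketch, a destination is given); otherwise the image is built but not pushed.
kaniko_args() {
    : "${KANIKO_CONTEXT:?KANIKO_CONTEXT is required}"
    printf '%s\n' \
        "--context=$KANIKO_CONTEXT" \
        "--dockerfile=${KANIKO_DOCKERFILE:-./Dockerfile}" \
        "--verbosity=${KANIKO_VERBOSITY:-info}"
    if [ -n "${REGISTRY_USER:-}" ] && [ -n "${REGISTRY_PASS:-}" ] \
        && [ -n "${KANIKO_DESTINATION:-}" ]; then
        old_ifs=$IFS
        IFS=,                                   # split the comma-separated list
        for ref in $KANIKO_DESTINATION; do
            printf '%s\n' "--destination=$ref"
        done
        IFS=$old_ifs
    else
        printf '%s\n' "--no-push"
    fi
}
```

Neither function echoes the password itself; only the base64 form lands in `config.json`, which is why the file is created under `umask 077`.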