Custom Kaniko image (from Google’s debug variant) for Forgejo Actions: build & push container images in CI/CD by just setting env vars—no Docker daemon needed.
https://git.van-hemmen.com/actions/kaniko
This change introduces logging of key environment variables used during the build process, with sensitive values partially masked for security. It also provides clear messaging on whether the build includes a push to the registry, improving transparency and debugging capabilities.
.forgejo/workflows
build.sh
CODE_OF_CONDUCT.md
CONTRIBUTING.md
Dockerfile
LICENSE
README.md
kaniko (action)
Custom Kaniko image (forked from Google’s gcr.io/kaniko-project/executor:debug) for Forgejo Actions.
Build & push OCI-compatible container images in your pipelines without a Docker daemon. Just set a few environment variables.
Highlights
Feature | Benefit |
---|---|
Daemon-less builds | Works in completely rootless, container-only environments |
Debug base | Includes /shell & common tools for troubleshooting |
Registry-agnostic | Push to Docker Hub, GHCR, Harbor, Quay, Google Artifact Registry, etc. |
Small wrapper script | Autodetects credentials and common env-var combos |
Image tags
Tag | Base | Intended use |
---|---|---|
latest | Google debug executor | General CI pipelines |
Quick start
```yaml
# .forgejo/workflows/build.yaml
name: Build & push image
on:
  push:
    branches: [ main ]
jobs:
  build:
    runs-on: docker
    container:
      image: git.van-hemmen.com/actions/kaniko:latest
    steps:
      - name: Build & push with Kaniko
        env:
          # --- mandatory --------------------------------------------------------
          KANIKO_CONTEXT: git://git.van-hemmen.com/actions/kaniko.git
          GITHUB_REF_NAME: ${{ github.ref_name }}
          GIT_USERNAME: ${{ secrets.GIT_USERNAME }}
          GIT_PASSWORD: ${{ secrets.GIT_PASSWORD }}
          # --- optional (only needed when you plan to push) ---------------------
          REGISTRY_HOST: ghcr.io
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASS: ${{ secrets.REGISTRY_PASS }}
          KANIKO_DESTINATION: ghcr.io/myorg/myapp:${{ github.sha }}
          # --- fine-tuning ------------------------------------------------------
          KANIKO_DOCKERFILE: ./Dockerfile
          KANIKO_VERBOSITY: info
```
Environment variables
Variable | Required | Purpose | Example value |
---|---|---|---|
KANIKO_CONTEXT | Yes | Build context (git://). | git://git.van-hemmen.com/actions/kaniko.git |
GITHUB_REF_NAME | Yes | Branch or tag that is being built. | ${{ github.ref_name }} |
GIT_USERNAME | Yes | Username with access to KANIKO_CONTEXT when it is private. | ${{ secrets.GIT_USERNAME }} |
GIT_PASSWORD | Yes | Token/password paired with GIT_USERNAME. | ${{ secrets.GIT_PASSWORD }} |
REGISTRY_HOST | No (default git.van-hemmen.com) | Target registry hostname. | ghcr.io |
REGISTRY_USER | No* | Registry username. Enables push only if both REGISTRY_USER and REGISTRY_PASS are set. | ${{ secrets.REGISTRY_USER }} |
REGISTRY_PASS | No* | Registry password/token. | ${{ secrets.REGISTRY_PASS }} |
KANIKO_DESTINATION | No | Comma-separated list of image references to push (variables like ${{ github.sha }} are expanded). | ghcr.io/myorg/app:${{ github.sha }},ghcr.io/myorg/app:latest |
KANIKO_DOCKERFILE | No (default ./Dockerfile) | Path to the Dockerfile relative to the context. | ./docker/Dockerfile.alpine |
KANIKO_VERBOSITY | No (default info) | Log level (trace, debug, info, warn, error, fatal, panic). | debug |

* REGISTRY_USER / REGISTRY_PASS are only needed when the registry requires authentication.
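
The push rule from the table above (push only when both REGISTRY_USER and REGISTRY_PASS are set), together with masked logging of credentials, as an added sketch that is not the project's build.sh. The function names, the mask format and the `--no-push` fallback when KANIKO_DESTINATION is empty are assumptions; the executor flags are Kaniko's own.

```shell
# Added example, not the project's build.sh; all function names are hypothetical.

# Log-safe form of a secret: first two characters plus a fixed-width mask,
# so the length is not revealed. Values of four characters or fewer are
# masked entirely.
mask_secret() {
    if [ -z "$1" ]; then printf '<unset>'
    elif [ "${#1}" -le 4 ]; then printf '****'
    else prefix=${1%"${1#??}"}; printf '%s****' "$prefix"
    fi
}

# Push is enabled only when BOTH registry credentials are non-empty.
push_enabled() {
    [ -n "${REGISTRY_USER:-}" ] && [ -n "${REGISTRY_PASS:-}" ]
}

# Body of the Docker config.json that Kaniko reads for registry auth
# (/kaniko/.docker/config.json in the executor image).
docker_auth_json() {
    auth=$(printf '%s:%s' "$REGISTRY_USER" "$REGISTRY_PASS" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}' "${REGISTRY_HOST:-git.van-hemmen.com}" "$auth"
}

# Executor arguments, one per line. Assumption: without credentials or
# without KANIKO_DESTINATION the build runs with --no-push.
kaniko_args() {
    printf '%s\n' "--context=${KANIKO_CONTEXT}" \
        "--dockerfile=${KANIKO_DOCKERFILE:-./Dockerfile}" \
        "--verbosity=${KANIKO_VERBOSITY:-info}"
    if push_enabled && [ -n "${KANIKO_DESTINATION:-}" ]; then
        # Comma-separated list becomes one --destination per image reference.
        printf '%s\n' "$KANIKO_DESTINATION" | tr ',' '\n' | sed 's/^/--destination=/'
    else
        printf '%s\n' '--no-push'
    fi
}

# What the job log shows: configuration in clear, credentials masked.
log_env() {
    echo "KANIKO_CONTEXT=${KANIKO_CONTEXT}"
    echo "GIT_PASSWORD=$(mask_secret "${GIT_PASSWORD:-}")"
    echo "REGISTRY_PASS=$(mask_secret "${REGISTRY_PASS:-}")"
    if push_enabled; then echo "Mode: build and push"; else echo "Mode: build only (--no-push)"; fi
}

# Constructed sample values, for demonstration only.
KANIKO_CONTEXT='git://git.van-hemmen.com/actions/kaniko.git'
REGISTRY_USER='ci-bot' REGISTRY_PASS='example-token-123'
KANIKO_DESTINATION='ghcr.io/myorg/app:abc123,ghcr.io/myorg/app:latest'
log_env; kaniko_args
```

Masking in the wrapper only covers lines the wrapper prints; running the executor at `debug` or `trace` verbosity adds Kaniko's own output, which this code does not filter.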