Custom Kaniko image (from Google’s debug variant) for Forgejo Actions: build & push container images in CI/CD by just setting env vars—no Docker daemon needed.
https://git.van-hemmen.com/actions/kaniko
Guillaume B.B. Van Hemmen
59791e36bb
Switched the user from UID 1000 to root (UID 0) in the Dockerfile. This change allows for operations requiring elevated privileges during container execution. Ensure any downstream implications of running as root are understood and addressed. |
||
|---|---|---|
| .forgejo/workflows | ||
| build.sh | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| LICENSE | ||
| README.md | ||
kaniko (action)
Custom Kaniko image (forked from Google’s gcr.io/kaniko-project/executor:debug) for Forgejo Actions.
Build & push OCI-compatible container images in your pipelines without a Docker daemon. Just set a few environment variables.
Highlights
| Feature | Benefit |
|---|---|
| Daemon-less builds | Works in completely rootless, container-only environments |
| Debug base | Includes /shell & common tools for troubleshooting |
| Registry-agnostic | Push to Docker Hub, GHCR, Harbor, Quay, Google Artifact Registry, etc. |
| Small wrapper script | Autodetects credentials and common env-var combos |
Image tags
| Tag | Base | Intended use |
|---|---|---|
latest |
Google debug executor |
General CI pipelines |
Quick start
# .forgejo/workflows/build.yaml
name: Build & push image
on:
push:
branches: [ main ]
jobs:
build:
runs-on: docker
container:
image: git.van-hemmen.com/actions/kaniko:latest
steps:
- name: Build & push with Kaniko
env:
# --- mandatory --------------------------------------------------------
KANIKO_CONTEXT: git://git.van-hemmen.com/actions/kaniko.git
GITHUB_REF_NAME: ${{ github.ref_name }}
GIT_USERNAME: ${{ secrets.GIT_USERNAME }}
GIT_PASSWORD: ${{ secrets.GIT_PASSWORD }}
# --- optional (only needed when you plan to push) ---------------------
REGISTRY_HOST: ghcr.io
REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
REGISTRY_PASS: ${{ secrets.REGISTRY_PASS }}
KANIKO_DESTINATION: ghcr.io/myorg/myapp:${{ github.sha }}
# --- fine-tuning ------------------------------------------------------
KANIKO_DOCKERFILE: ./Dockerfile
KANIKO_VERBOSITY: info
Environment variables
| Variable | Required | Purpose | Example value |
|---|---|---|---|
KANIKO_CONTEXT |
Yes | Build context (git://). |
git://git.van-hemmen.com/actions/kaniko.git |
GITHUB_REF_NAME |
Yes | Branch or tag that is being built. | ${{ github.ref_name }} |
GIT_USERNAME |
Yes | Username with access to KANIKO_CONTEXT when it is private. |
${{ secrets.GIT_USERNAME }} |
GIT_PASSWORD |
Yes | Token/password paired with GIT_USERNAME. |
${{ secrets.GIT_PASSWORD }} |
REGISTRY_HOST |
No (default git.van-hemmen.com) |
Target registry hostname. | ghcr.io |
REGISTRY_USER |
No* | Registry username. Enables push only if both REGISTRY_USER and REGISTRY_PASS are set. |
${{ secrets.REGISTRY_USER }} |
REGISTRY_PASS |
No* | Registry password/token. | ${{ secrets.REGISTRY_PASS }} |
KANIKO_DESTINATION |
No | Comma-separated list of image references to push (variables like ${{ github.sha }} are expanded). |
ghcr.io/myorg/app:${{ github.sha }},ghcr.io/myorg/app:latest |
KANIKO_DOCKERFILE |
No (default ./Dockerfile) |
Path to the Dockerfile relative to the context. | ./docker/Dockerfile.alpine |
KANIKO_VERBOSITY |
No (default info) |
Log level (trace, debug, info, warn, error, fatal, panic). |
debug |
* REGISTRY_USER / REGISTRY_PASS are only needed when the registry requires authentication.